Book Reviews

Book Review: LAN Switch Security: What Hackers Know About Your Switches, by Eric Vyncke and Christopher Paggen

By Stephen Northcutt

Just finished reading a great book, LAN Switch Security: What Hackers Know About Your Switches, by Eric Vyncke and Christopher Paggen. After reading it you will never think about layer 2 the same way again. We quickly learn that, from a security perspective, a switch is neither a mindless toaster nor an insignificant appliance. The layer 2 switch attacks it covers include:

MAC flooding attacks exploit the switch bridging table. We also learn about the capacity of the bridging table. "Switches have a finite amount of memory. This varies from switch to switch, but essentially all switches have a limit to the maximum number of MAC addresses they can record in their ARP tables. Under normal circumstances this number is many times greater than the number of ports on the switch, and therefore is seldom a concern. Someone trying to overcome the Layer-2 issue may utilize this limitation to his advantage. By generating a large number of MAC addresses and force-feeding them to the switch, a buffer overflow type condition will be created. During this period the switch cannot keep up with maintaining an ARP table and forwarding packets correctly. Most switches will then fail back to a Layer-1 mode."[1] By layer 1, we mean the switch acts like shared media (an Ethernet cable) and sends every frame out every port; this is called a flood condition. If we are told a switch's bridging table can store up to 64,000 entries, that figure is the total for the entire switch. So, one malicious user in one VLAN could use software to fill the bridging table and impact the other VLANs. If you can fill the bridging table, the switch will have to "flood" all traffic. This means that an attacker with a sniffer in VLAN 2 could then see all activity from VLAN 4 (or any other VLAN). There is an attack tool called macof[2] that makes filling the table easy to do.
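To make the mechanism concrete, here is a constructed model of a bridging table with a finite capacity. This is an added example for this review, not code from the book or from any switch vendor: the port names, MAC addresses and table size are all made up. It shows what the quoted passage describes (once the table is full, new hosts are no longer learned and frames to them are flooded out every port) next to the usual mitigation of capping how many addresses a single port may contribute, the "port security" style limit.

```python
"""Constructed model of a switch bridging table with a finite capacity.

Added example for the review, not code from the book or from any switch
vendor. Port names, MAC addresses and the table size are made up. Once the
table is full, new source addresses are no longer learned, so frames to those
hosts are flooded out every port; a per-port learning cap keeps one port from
filling the table.
"""


class Switch:
    def __init__(self, ports, table_capacity, max_macs_per_port=None):
        self.ports = list(ports)
        self.capacity = table_capacity          # switch-wide limit on learned addresses
        self.max_per_port = max_macs_per_port   # None disables the per-port cap
        self.cam = {}                           # learned source MAC -> port
        self.per_port = {p: set() for p in self.ports}
        self.violations = []                    # (port, mac) refused by the per-port cap
        self.flooded = 0                        # frames sent to every port (destination unknown)

    def table_full(self):
        return len(self.cam) >= self.capacity

    def learn(self, mac, port):
        """Record mac on port. Returns False if the per-port cap refuses it."""
        if mac in self.cam:
            return True
        if self.max_per_port is not None and len(self.per_port[port]) >= self.max_per_port:
            self.violations.append((port, mac))
            return False
        if self.table_full():
            return True     # no room: the frame is still forwarded, but nothing is learned
        self.cam[mac] = port
        self.per_port[port].add(mac)
        return True

    def forward(self, src, dst, in_port):
        """Return the list of ports the frame is sent out of ([] if dropped)."""
        if not self.learn(src, in_port):
            return []       # port-security violation: drop the offending frame
        out = self.cam.get(dst)
        if out is None:
            self.flooded += 1
            return [p for p in self.ports if p != in_port]
        return [out]


def mac(i):
    """Constructed locally administered MAC address number i."""
    return "02:00:%02x:%02x:%02x:%02x" % ((i >> 24) & 0xFF, (i >> 16) & 0xFF, (i >> 8) & 0xFF, i & 0xFF)


def simulate(max_macs_per_port=None, bogus_sources=300):
    """One port emits many distinct source addresses; then two hosts on other ports talk."""
    sw = Switch(["Gi0/1", "Gi0/2", "Gi0/3"], table_capacity=256, max_macs_per_port=max_macs_per_port)
    host_a, host_b = mac(1), mac(2)
    for i in range(bogus_sources):
        sw.forward(mac(1000 + i), mac(5000 + i), "Gi0/3")
    # the first frame to an unknown destination floods normally, but host_a should be learned
    sw.forward(host_a, host_b, "Gi0/1")
    # host_b replies: with host_a learned, this goes only to Gi0/1
    reply_ports = sw.forward(host_b, host_a, "Gi0/2")
    return {
        "table_full": sw.table_full(),
        "reply_reached_Gi0/3": "Gi0/3" in reply_ports,
        "violations": len(sw.violations),
    }


if __name__ == "__main__":
    print("no per-port cap:", simulate())
    print("cap of 8 per port:", simulate(max_macs_per_port=8))
```

Without the cap, 300 bogus sources fill the 256-entry table, the two legitimate hosts are never learned, and the reply between them is flooded to the third port. With a cap of 8 addresses per port, the table stays small, the reply is delivered only to its destination port, and the 292 refused frames show up as violations, which is the counter a defender would alarm on.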

Spanning Tree Protocol "creates a spanning tree within a mesh network of connected layer-2 bridges (typically ethernet switches), and disables the links which are not part of that tree, leaving a single active path between any two network nodes. Multiple active paths between network nodes causes a bridge loop. Bridge loops create several problems. First, the MAC address table (also known as "switch forwarding table") used by the switch or bridge can fail, since the same MAC addresses (and hence the same network hosts) are seen on multiple ports. Second, a broadcast storm occurs. This is caused by broadcast packets being forwarded in an endless loop between switches. A broadcast storm can consume all available CPU resources and bandwidth."[3] A vulnerable point for STP is the Bridge Protocol Data Units (BPDUs) it exchanges. STP uses path cost to build a tree without loops (loops would break communication, as frames would circulate endlessly). An attack tool called Yersinia can read and write BPDUs and can be used for a number of attacks against a network using STP.
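Since the BPDU is the point of exposure, a defender wants to see what is in one and to decide, per port, whether it should have arrived at all. The following is an added example for this review, not code from the book, from Yersinia or from any switch vendor. It parses the fixed 35-byte body of an IEEE 802.1D configuration BPDU and applies two checks modelled on the BPDU guard and root guard features: any BPDU on a port declared as an edge (end-host) port is a violation, and a BPDU on an uplink that advertises a root bridge ID numerically lower (better) than the one the switch currently agrees on is a root-guard event. The two BPDU byte strings, the port roles and the alert wording are constructed.

```python
"""Parse an IEEE 802.1D configuration BPDU and apply BPDU guard / root guard checks.

Added example for this review; not code from the book, Yersinia or any switch
vendor. The BPDU bytes, port roles, MAC addresses and alert wording are constructed.
"""
import struct
from dataclasses import dataclass

# 802.1D configuration BPDU: the 35 bytes that follow the LLC header (42 42 03).
# Protocol ID, version, BPDU type, flags, root ID (priority + MAC), root path cost,
# bridge ID (priority + MAC), port ID, then four timers in units of 1/256 second.
_BPDU_FMT = "!HBBBH6sIH6sHHHHH"
_BPDU_LEN = struct.calcsize(_BPDU_FMT)   # 35


@dataclass
class ConfigBPDU:
    root_priority: int
    root_mac: str
    root_path_cost: int
    bridge_priority: int
    bridge_mac: str
    port_id: int
    message_age: float   # seconds
    max_age: float
    hello_time: float
    forward_delay: float

    @property
    def root_id(self):
        """Root bridge ID as a comparable tuple; the lowest value wins the election."""
        return (self.root_priority, self.root_mac)


def _fmt_mac(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def parse_config_bpdu(payload: bytes) -> ConfigBPDU:
    if len(payload) < _BPDU_LEN:
        raise ValueError("BPDU too short: %d bytes" % len(payload))
    (proto, _version, bpdu_type, _flags, root_prio, root_mac, cost, bridge_prio,
     bridge_mac, port_id, msg_age, max_age, hello, fwd) = struct.unpack(_BPDU_FMT, payload[:_BPDU_LEN])
    if proto != 0 or bpdu_type != 0x00:
        raise ValueError("not an 802.1D configuration BPDU")
    return ConfigBPDU(root_prio, _fmt_mac(root_mac), cost, bridge_prio, _fmt_mac(bridge_mac),
                      port_id, msg_age / 256, max_age / 256, hello / 256, fwd / 256)


def check_bpdu(port_role: str, bpdu: ConfigBPDU, known_root: tuple):
    """Return an alert string, or None if the BPDU is unremarkable.

    port_role is "edge" (end-host port, BPDU guard) or "uplink" (root guard);
    known_root is the (priority, mac) of the root bridge the switch currently uses.
    """
    if port_role == "edge":
        return "bpdu-guard: BPDU from bridge %s on edge port, err-disable" % bpdu.bridge_mac
    if bpdu.root_id < known_root:
        return "root-guard: superior root %d/%s advertised on uplink, block port" % bpdu.root_id
    return None


# Constructed: a normal BPDU sent by the root bridge itself (priority 32768, cost 0).
NORMAL_BPDU = bytes.fromhex(
    "0000 00 00 00"            # protocol ID 0, version 0, type 0 (configuration), flags 0
    "8000 001122334455"        # root ID: priority 32768, MAC 00:11:22:33:44:55
    "00000000"                 # root path cost
    "8000 001122334455"        # bridge ID (the root itself)
    "8001"                     # port ID
    "0000 1400 0200 0f00"      # message age 0 s, max age 20 s, hello 2 s, forward delay 15 s
)

# Constructed: a BPDU from an unknown bridge claiming priority 0, the best possible root.
SUPERIOR_BPDU = bytes.fromhex(
    "0000 00 00 00"
    "0000 020000000001"
    "00000000"
    "0000 020000000001"
    "8001"
    "0000 1400 0200 0f00"
)

KNOWN_ROOT = (32768, "00:11:22:33:44:55")   # the root this switch currently agrees on


def audit(observations, known_root=KNOWN_ROOT):
    """observations: iterable of (port, port_role, payload). Returns (port, alert) pairs."""
    alerts = []
    for port, role, payload in observations:
        alert = check_bpdu(role, parse_config_bpdu(payload), known_root)
        if alert:
            alerts.append((port, alert))
    return alerts


if __name__ == "__main__":
    for port, alert in audit([("Gi0/1", "uplink", NORMAL_BPDU),
                              ("Gi0/7", "edge", NORMAL_BPDU),
                              ("Gi0/1", "uplink", SUPERIOR_BPDU)]):
        print(port, alert)
```

The timers are carried in 1/256-second units, which is why the parser divides by 256 to get the familiar 20/2/15 second defaults. The root-guard comparison uses the same ordering STP itself uses (priority first, then MAC), so a claim of priority 0 from any bridge sorts ahead of the legitimate root.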

Dynamic Host Configuration Protocol (DHCP) is probably what your desktop or laptop uses to get its IP address and MAC address. DHCP Scope Exhaustion is the state where a malicious client acquires all of the available IP addresses. At SANS conferences, the class I write and teach, Management 512, Security Leadership Essentials, uses a wireless connection so the computer security managers in the class can look things up using Google (and learn power Google search techniques) as well as bookmark references that other students mention in class. We usually use a Linksys wireless access point. Sometimes, if the hotel does not supply wireless, students sit outside of my class using our access point to surf the web. If too many students do that, and they also come and go between breaks and lunch, they can exhaust the available IP addresses. Then no more students can get onto the network. We can fix it easily by powering the access point on and off. However, this is conceptually what you see with a Scope Exhaustion attack. Tools like Yersinia and also Gobbler make this very easy.

Other potential attacks against layer 2 switches covered in the book include ARP, IPv6 neighbor discovery, Power over Ethernet, HSRP, more esoteric protocols, and denial of service.

Links valid as of January 10, 2008