Threats, Vulnerability Analysis and Mitigation

Switched Data Plane Attack Types
VLAN Hopping: a packet from one VLAN is hopped over to another VLAN without the aid of Layer 3 routing. There are 2 types of VLAN hopping attack.

  • Switch Spoofing: a device poses as a switch and negotiates with the connected switch port using DTP, finally forming a trunk link with all VLANs allowed on it.
  • Solution to Switch Spoofing: disable DTP on all switch ports and always configure the switch port mode manually (access or trunk).
    switch(config-if)# switchport nonegotiate
  • Double Tagging: the end-user device inserts 2 VLAN tags (the native VLAN as the first tag and the target VLAN as the second) into the MAC frame. The switch strips off only the first tag, because it matches the native VLAN of the trunk, and the remaining tag is then used to forward the frame into the target VLAN, even though the sender resides in a different VLAN from the target one. (A prerequisite for this attack is that the attacker knows at least one allowed VLAN.)
  • Solution to Double Tagging: designate an ID other than the default 1 for the native VLAN (better still, do not use VLAN 1 for anything, disable all unused ports and put them in an unused VLAN), so that only control protocols such as STP, VTP, DTP and UDLD run on the native VLAN. Optionally, we can also enforce tagging of the native VLAN on trunk ports.
    switch(config-if)# switchport trunk native vlan 555
    switch(config-if)# switchport trunk native vlan tag
          //tag the native vlan on one trunk link (per-interface form, available on some platforms)
    switch(config)# vlan dot1q tag native
          //tag the native vlan on all trunk links
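To make the double-tagging mechanism concrete, here is an added Python example (not code from the original notes) that builds a constructed Ethernet frame carrying two 802.1Q tags, parses the tag stack, and models which VLAN the next switch ends up forwarding in, with and without native VLAN tagging enforced. The MAC addresses and VLAN numbers are constructed sample values.

```python
import struct

TPID_8021Q = 0x8100  # TPID that announces an 802.1Q tag in the EtherType position


def build_frame(vlan_ids, ethertype=0x0800, payload=b"\x45" + b"\x00" * 19):
    """Construct a sample Ethernet frame with the given stack of 802.1Q tags (outermost first)."""
    dst = bytes.fromhex("ffffffffffff")      # constructed sample addresses
    src = bytes.fromhex("0200aabbccdd")
    tags = b"".join(struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) for vid in vlan_ids)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def parse_vlan_tags(frame):
    """Walk the header and return every VLAN ID found, outermost first."""
    offset, tags = 12, []                    # 12 = destination MAC + source MAC
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype != TPID_8021Q:
            return tags
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append(tci & 0x0FFF)            # low 12 bits of the TCI are the VLAN ID
        offset += 4


def is_double_tagged(frame):
    """A frame with two or more stacked 802.1Q tags is something an access port should never carry."""
    return len(parse_vlan_tags(frame)) >= 2


def vlan_seen_by_next_switch(frame, native_vlan, native_tagged):
    """Model which VLAN the downstream switch treats the frame as belonging to after the
    first switch forwards it across a trunk."""
    tags = parse_vlan_tags(frame)
    if not tags:
        return native_vlan
    outer = tags[0]
    if outer == native_vlan and not native_tagged:
        # The first switch strips the native-VLAN tag and sends the frame untagged, so the
        # next switch reads the inner tag as if it were the real one.
        return tags[1] if len(tags) > 1 else native_vlan
    # Native VLAN tagging enforced (or the outer tag is not the native VLAN): the outer tag
    # stays on the wire and the inner tag is just part of the payload.
    return outer
```

With native VLAN 1 untagged, a frame tagged [1, 20] is forwarded into VLAN 20 by the next switch; with `vlan dot1q tag native` in effect, or with the native VLAN moved to an ID the attacker's port is not in, the same frame stays in VLAN 1.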

Spanning Tree Protocol Spoofing Attacks: the attacker spoofs the root bridge and sends out a Topology Change BPDU to force an STP recalculation, or connects a new switch and makes it the new root bridge of the STP topology.

  • STP Root Guard: prevents a port from becoming a root port (the port that leads towards the root bridge). As long as a superior BPDU is received on that port, the port is held in the root-inconsistent STP state and no data can be sent or received; it only listens for BPDUs.
    switch(config-if)# spanning-tree guard root
    switch# show spanning-tree inconsistent-ports
  • STP BPDU Guard: if any BPDU is detected on the port, the port is put into the errdisable state immediately.
    Switch(config)# spanning-tree portfast bpduguard default
    Switch(config-if)# spanning-tree bpduguard enable
    Switch# show spanning-tree bpduguard
  • Disable STP BPDU processing: completely disable STP on PortFast ports with BPDU filtering. The BPDU filtering feature only takes effect on PortFast ports, and it prevents the port from sending or processing any BPDU packets.
    Switch(config)# spanning-tree portfast bpdufilter default
    Switch(config-if)# spanning-tree bpdufilter {enable | disable}
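The difference between Root Guard and BPDU Guard is easiest to see in a small model. The following added Python example (not code from the original notes) compares bridge IDs the way STP does (lower priority, then lower MAC, wins) and applies each guard to a received BPDU; the interface names and bridge IDs are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BridgeId:
    """STP bridge identifier: priority first, then MAC as the tie-breaker; lower wins."""
    priority: int
    mac: str

    def __lt__(self, other):
        return (self.priority, self.mac.lower()) < (other.priority, other.mac.lower())


@dataclass
class GuardedPort:
    name: str
    current_root: BridgeId          # the root bridge this switch currently knows
    guard: str                      # "root" (spanning-tree guard root) or "bpdu" (bpduguard)
    state: str = "forwarding"

    def receive_bpdu(self, advertised_root):
        """Apply the configured guard to a BPDU advertising `advertised_root`; return the new state."""
        if self.guard == "bpdu":
            # BPDU guard: no BPDU is ever legitimate on a PortFast edge port, so any BPDU
            # error-disables the port regardless of what it advertises.
            self.state = "err-disabled"
        elif advertised_root < self.current_root:
            # Root guard: a claim of a better root than the known one is not accepted here;
            # the port is held in root-inconsistent state instead of becoming a root port.
            self.state = "root-inconsistent"
        else:
            self.state = "forwarding"
        return self.state

    def superior_bpdus_aged_out(self):
        """A root-inconsistent port recovers by itself once the superior BPDUs stop arriving;
        an err-disabled port stays down until errdisable recovery or shut / no shut."""
        if self.state == "root-inconsistent":
            self.state = "forwarding"
        return self.state
```

Note that Root Guard compares against the root the switch already knows, so a BPDU with the same priority but a lower MAC address is still "superior" and triggers the root-inconsistent state.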

CAM Flooding: the CAM table has a limited size, and CAM table entries expire after a certain inactivity period, which is 5 mins by default. The attacker's device sends a huge number of packets through the access switch port using different bogus source MAC addresses, aiming at filling the CAM table in a short time. A switch that is no longer able to learn new valid MAC addresses begins unknown unicast flooding for the new incoming packets. Note that this flooding is limited to those ports which carry the same VLAN as the originating port.

MAC Address Spoofing: the attacker sends out packets with the MAC address of the target host to overwrite the CAM table entry for the target host, thus directing all traffic destined for the target host to the attacker's device. Note that the attacker needs to send out the fake MAC frames constantly to make sure the incorrect CAM table entry is not overwritten again by the real host.

DHCP Starvation Attacks: the attacker broadcasts a huge number of DHCP requests asking for IP address allocation from the DHCP server, aiming at using up all available IP addresses in the DHCP pool.

DHCP Server Spoofing: the attacker sets up a rogue DHCP server to respond to DHCP requests after the real DHCP server has been taken out of play by a DHCP starvation attack. The rogue DHCP server then allocates a different default gateway, which directs all traffic through that gateway so the attacker can capture it for later analysis.

DHCP IP Address Hijacking: normally, when a client is done with an address leased to it via DHCP, it sends a DHCPRELEASE to the server to notify the server that it can add that IP address back into the pool of available addresses. An attacker that knows an authorized IP address leased through DHCP could send a packet to the server with the DHCPRELEASE field set to that authorized IP address. The attacker could thereby release that IP address and then take over the IP address on the network. At a minimum, the attacker could be disrupting network communications.

ARP Spoofing: it exploits the weakness of the ARP mechanism. The attacking device deliberately responds to a broadcast ARP request and spoofs as the requested host. The results of this attack might be more severe than MAC address spoofing, because most Cisco devices hold their ARP entries for 4 hours by default, while the MAC entries in the CAM table expire after 5 mins of inactivity.
ARP also has another method of identifying host IP-to-MAC associations, which is called Gratuitous ARP (GARP). With GARP, a broadcast packet is used by hosts to announce their IP address to the LAN to avoid duplicate IP addresses on the network. GARP can be exploited maliciously by an attacker to spoof the identity of a device by announcing a new IP-to-MAC association for that device on a LAN segment.

IP Spoofing: a device sends and receives traffic using the IP address of another known host or known network, in order to access resources it would not otherwise be allowed to.

Security Features to Counter the Data Plane Attacks
Port Security: mitigates MAC-related attacks such as CAM flooding, MAC address spoofing and DHCP starvation. The principle behind it is limiting the maximum number of MAC addresses that can be used on one port, or manually specifying the only static MAC addresses that may be attached to the switch port.

  • Enable port security and designate the action for a violation
    switch(config-if)# switchport port-security
    switch(config-if)# switchport port-security violation {protect | restrict | shutdown}
    Protect: if the limit is reached, frames with unknown source MAC addresses are dropped until at least one existing MAC entry has been removed or the upper limit has been increased. No notification of the security violation is generated.
    Restrict: same as Protect, but a security notification is sent to the SNMP server if configured, a syslog message is logged, and the violation counter is incremented.
    Shutdown: the default action for a security violation. Same as Restrict, but additionally the port is put into the error-disabled state and an SNMP trap is sent.
  • Static secure MAC address: manually designate a MAC address on that port to limit which MAC addresses are allowed.
    switch(config-if)# switchport port-security mac-address mac-address [vlan {vlan-list | {access | voice}}]
  • Dynamic secure MAC address: dynamically learn the MAC addresses that connect on that switch port; they are stored in the address table and removed when the switch restarts.
    switch(config-if)# switchport port-security maximum value [vlan {vlan-list | {access | voice}}]
    The default maximum value is 1.
  • Sticky secure MAC address: the allowed MAC addresses on a given port can be dynamically learned or manually configured. If sticky learning is enabled, the dynamically learned MAC addresses are stored in the running configuration as static MAC entries, which are still there when the switch restarts (provided the configuration has been saved).
    switch(config-if)# switchport port-security mac-address sticky
  • Re-enable an error-disabled secure port: bring the port up again with the errdisable recovery global command, or with shutdown followed by no shutdown in interface configuration mode.
    Use "show port-security" to verify the current port security configuration.
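The three violation modes and the dynamic/sticky distinction can be checked against a small model. The following added Python example (not code from the original notes) implements a per-port secure MAC table with the protect / restrict / shutdown behaviours described above and a helper that measures how many distinct source MACs a port admits; MAC addresses are constructed sample values and the log records are a stand-in for the real SNMP trap and syslog message.

```python
from collections import OrderedDict


class PortSecurity:
    """Per-port model of switchport port-security: a bounded set of secure MAC addresses
    plus the protect / restrict / shutdown violation modes."""

    def __init__(self, maximum=1, violation="shutdown", sticky=False, static=()):
        if violation not in ("protect", "restrict", "shutdown"):
            raise ValueError("violation must be protect, restrict or shutdown")
        self.maximum = maximum
        self.violation = violation
        self.sticky = sticky
        # mac -> "static" | "sticky" | "dynamic", kept in learning order
        self.secure = OrderedDict((m.lower(), "static") for m in static)
        self.violation_count = 0
        self.err_disabled = False
        self.log = []                      # constructed stand-in for SNMP trap + syslog

    def receive(self, src_mac):
        """Decide what happens to a frame from src_mac: 'forward' or 'drop'."""
        mac = src_mac.lower()
        if self.err_disabled:
            return "drop"                  # an error-disabled port passes nothing
        if mac in self.secure:
            return "forward"
        if len(self.secure) < self.maximum:
            self.secure[mac] = "sticky" if self.sticky else "dynamic"
            return "forward"
        # Table full and the MAC is unknown: this is a violation.
        if self.violation == "protect":
            return "drop"                  # silently discarded: no counter, no notification
        self.violation_count += 1
        self.log.append(("violation", mac))
        if self.violation == "shutdown":
            self.err_disabled = True
        return "drop"

    def restart(self):
        """Dynamic entries live only in the address table and vanish on reload; sticky entries
        were written into the running configuration (assumed saved) and survive."""
        self.secure = OrderedDict((m, t) for m, t in self.secure.items() if t != "dynamic")
        self.err_disabled = False
        return list(self.secure)


def admitted_from_burst(port, count):
    """How many of `count` frames, each with a distinct constructed source MAC, the port forwards."""
    forwarded = 0
    for i in range(count):
        mac = "02:00:00:%02x:%02x:%02x" % ((i >> 16) & 0xFF, (i >> 8) & 0xFF, i & 0xFF)
        if port.receive(mac) == "forward":
            forwarded += 1
    return forwarded
```

With a maximum of 3 secure addresses, a burst of 1000 distinct source MACs gets exactly 3 entries into the table and the rest are dropped, which is the CAM flooding mitigation in action; in restrict mode the same burst also leaves 997 logged violations for the operations team to see.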

DHCP Snooping: DHCP snooping works on the concept of trusted ports and untrusted ports. Trusted ports are generally the interfaces on your switch that are connected to things under your administrative control, such as interfaces going to your authorized DHCP servers and switch uplinks. Untrusted ports are typically user access ports, leading to things that you generally do not trust. It relies on the DHCP snooping binding table, which includes the client MAC address, IP address, DHCP lease time, binding type, VLAN number and interface information for each untrusted switch port or interface. DHCP snooping also has a rate-limiting function that limits the number of DHCP messages allowed on a switch port or interface per second.

  • If the switch receives on an untrusted port any kind of DHCP message that could only ever be sent by a DHCP server (DHCPOFFER, DHCPACK, DHCPNAK or DHCPLEASEQUERY), it simply drops the packet. This prevents a DHCP server from operating behind an untrusted port.
  • If the switch receives a DHCP request packet on an untrusted port and the address in the chaddr field of the packet does not match the actual source MAC address of the frame, the switch drops the packet. This is the DHCP snooping MAC verification feature.
  • If the switch receives a DHCPRELEASE or DHCPDECLINE message on an untrusted port, it examines the packet more closely. It looks at the IP address being released in the DHCP packet and checks the DHCP snooping binding database to see if it has a record of that IP address. If there is a record of the IP in the database, but the interface sending the DHCPRELEASE or DHCPDECLINE message does not match that record, the switch drops the packet. This mitigates the IP address hijacking attack.
  • If the switch receives a DHCP packet on an untrusted interface where the giaddr field is non-zero, it drops the packet. The giaddr field in a DHCP packet is used for DHCP relay.
  • If the switch receives a DHCP packet with option 82 information inserted on an untrusted interface, it drops the packet. Discussing exactly what option 82 information is is a bit outside the scope of this article, but in summary it provides additional information to supporting DHCP servers so that they can hand out IP addresses from specific ranges more precisely.
  • Enable DHCP snooping globally and for specific VLANs
    Switch(config)# ip dhcp snooping
    Switch(config)# ip dhcp snooping vlan vlan-id
  • Enable DHCP snooping MAC verification globally (enabled by default)
    Switch(config)# ip dhcp snooping verify mac-address
  • Configure a static DHCP snooping binding entry
    Switch(config)# ip dhcp snooping binding mac-address vlan vlan-id ip-address interface interface expiry seconds
  • Enable the DHCP snooping rate limit feature (messages per second)
    Switch(config-if)# ip dhcp snooping limit rate rate
  • Configure the switch port or interface as trusted (all ports are untrusted by default)
    Switch(config-if)# ip dhcp snooping trust
  • Verify DHCP snooping
    Switch# show ip dhcp snooping [binding | database]
  • Reference URL:
    http://astorinonetworks.com/2011/06/28/going-deep-with-dhcp-snooping/
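The five drop rules above, plus the way the binding table is populated, are shown below as an added Python example (not code from the original notes or from any switch vendor). The DHCP messages, MAC addresses, IP addresses and interface names are constructed sample values; only the fields DHCP snooping actually inspects are modelled.

```python
from dataclasses import dataclass, field

# Message types that only a DHCP server ever sends.
SERVER_ONLY = {"DHCPOFFER", "DHCPACK", "DHCPNAK", "DHCPLEASEQUERY"}


@dataclass
class DhcpMessage:
    """The handful of fields DHCP snooping looks at; values are constructed for the example."""
    kind: str                    # DHCPDISCOVER, DHCPREQUEST, DHCPRELEASE, DHCPDECLINE, DHCPOFFER, ...
    src_mac: str                 # source MAC of the Ethernet frame
    chaddr: str                  # client hardware address inside the DHCP payload
    ciaddr: str = "0.0.0.0"      # client's own IP (set in RELEASE/DECLINE)
    yiaddr: str = "0.0.0.0"      # address the server hands out (set in OFFER/ACK)
    giaddr: str = "0.0.0.0"      # relay agent address
    option82: bool = False       # relay agent information option present


@dataclass
class SnoopingSwitch:
    trusted: set                 # interfaces carrying uplinks or the real DHCP servers
    verify_mac: bool = True      # ip dhcp snooping verify mac-address
    bindings: dict = field(default_factory=dict)   # ip -> (mac, interface)

    def inspect(self, msg, interface):
        """Return 'forward' or 'drop: <reason>' for a DHCP message entering `interface`."""
        if interface in self.trusted:
            return "forward"                          # trusted ports are not inspected
        if msg.kind in SERVER_ONLY:
            return "drop: server message on untrusted port"
        if self.verify_mac and msg.chaddr.lower() != msg.src_mac.lower():
            return "drop: chaddr does not match frame source MAC"
        if msg.kind in ("DHCPRELEASE", "DHCPDECLINE"):
            bound = self.bindings.get(msg.ciaddr)
            if bound is not None and bound[1] != interface:
                return "drop: release/decline from an interface other than the binding"
        if msg.giaddr != "0.0.0.0":
            return "drop: non-zero giaddr on untrusted port"
        if msg.option82:
            return "drop: option 82 present on untrusted port"
        return "forward"

    def learn_from_ack(self, ack, client_interface):
        """A DHCPACK that arrived on a trusted port creates the client's binding table entry."""
        self.bindings[ack.yiaddr] = (ack.chaddr.lower(), client_interface)
        return self.bindings[ack.yiaddr]
```

The release check is what defeats the IP address hijacking attack described earlier: a DHCPRELEASE for 10.0.0.50 is only accepted from the interface on which 10.0.0.50 was bound. The chaddr check also catches starvation tools that vary the DHCP client address without changing the frame's source MAC; tools that change both are left to port security.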

Dynamic ARP Inspection (DAI) is used to mitigate ARP spoofing attacks. DAI is a security feature that intercepts and verifies IP-to-MAC address bindings and discards invalid ARP packets. DAI uses the DHCP snooping database to validate bindings. Packets arriving on trusted interfaces bypass all DAI validation checks, and those arriving on untrusted interfaces undergo the DAI validation process.

  • Enable DAI on a specific VLAN
    Switch(config)# ip arp inspection vlan vlan-id
  • Enable additional DAI validation checks
    Switch(config)# ip arp inspection validate {[src-mac] [dst-mac] [ip]}
  • Configure a specific switch port or interface as trusted
    Switch(config-if)# [no] ip arp inspection trust
  • Configure an ARP packet rate limit (packets per second)
    Switch(config-if)# ip arp inspection limit rate rate-pps
  • Create a new ARP ACL and enter ARP access-list configuration mode
    Switch(config)# arp access-list acl-name
  • Apply an ARP ACL to a VLAN
    Switch(config)# ip arp inspection filter acl-name vlan vlan-id
  • Configure a specific IP/MAC pair that is permitted (in ARP access-list configuration mode)
    Switch(config-arp-nacl)# permit ip host sender-ip mac host sender-mac
  • Display the DAI status for a specific range of VLANs
    Switch# show ip arp inspection [vlan vlan-id]
  • Display the trust state and rate limit configured for interfaces
    Switch# show ip arp inspection interfaces
  • Display the configured ARP access lists
    Switch# show arp access-list [acl-name]

IP Source Guard (IPSG) mitigates the chances of IP spoofing. The IPSG feature works on Layer 2 ports by restricting IP traffic based on the entries that exist in the DHCP snooping binding table. IPSG can be enabled in 2 modes.

  • Source IP address filtering: when using this type of filtering, IPSG allows packets with an IP source address that is in the DHCP snooping binding database.
  • Source IP and MAC address filtering: when using this type of filtering, IPSG allows only packets whose IP address and MAC address both match the DHCP snooping binding table.
  • Enable IPSG on a specific port
    Switch(config-if)# ip verify source vlan dhcp-snooping [port-security]   //port-security enables the IP-MAC filtering mode
  • Display the IPSG configuration for a switch port
    Switch# show ip verify source [interface interface]
  • Display the IP source bindings
    Switch# show ip source binding [ip-address] [mac-address] [interface interface] [vlan vlan-id]
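Both DAI and IPSG are lookups against the same DHCP snooping binding table, so a single worked model covers the two sections above. The following added Python example (not code from the original notes or from any switch vendor) implements the DAI decision including the ARP ACL fallback and the three optional validate checks, and the IPSG decision in both filtering modes; the binding rows, ARP packets, MAC and IP addresses and interface names are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding table row (constructed sample data)."""
    mac: str
    ip: str
    vlan: int
    interface: str


class BindingTable:
    def __init__(self, rows):
        self._rows = {(r.vlan, r.ip): r for r in rows}

    def lookup(self, vlan, ip):
        return self._rows.get((vlan, ip))


@dataclass
class ArpPacket:
    op: str            # "request" or "reply"
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str
    eth_src: str       # Ethernet header source MAC
    eth_dst: str       # Ethernet header destination MAC


def _bogus_ip(ip):
    """Addresses DAI's 'ip' validation treats as invalid or unexpected in an ARP body."""
    a = ipaddress.ip_address(ip)
    return a.is_unspecified or a.is_multicast or ip == "255.255.255.255"


def dai_inspect(table, pkt, vlan, interface, trusted=(), validate=(), arp_acl=()):
    """Dynamic ARP Inspection decision for an ARP packet seen on (vlan, interface)."""
    if interface in trusted:
        return "permit"                                   # trusted ports bypass DAI entirely
    # Static permits from an ARP ACL (permit ip host A mac host B) are consulted first;
    # a non-matching packet then falls through to the DHCP snooping bindings.
    if any(pkt.sender_ip == ip and pkt.sender_mac.lower() == mac.lower() for ip, mac in arp_acl):
        return "permit"
    row = table.lookup(vlan, pkt.sender_ip)
    if row is None or row.mac.lower() != pkt.sender_mac.lower():
        return "deny: sender IP/MAC pair not in binding table"
    # Optional extra checks: ip arp inspection validate {src-mac | dst-mac | ip}
    if "src-mac" in validate and pkt.eth_src.lower() != pkt.sender_mac.lower():
        return "deny: ethernet source MAC differs from ARP sender MAC"
    if "dst-mac" in validate and pkt.op == "reply" and pkt.eth_dst.lower() != pkt.target_mac.lower():
        return "deny: ethernet destination MAC differs from ARP target MAC"
    if "ip" in validate and (_bogus_ip(pkt.sender_ip) or (pkt.op == "reply" and _bogus_ip(pkt.target_ip))):
        return "deny: invalid or unexpected IP address"
    return "permit"


def ipsg_check(table, src_ip, src_mac, vlan, interface, port_security=False):
    """IP Source Guard: admit an IP packet only if its source matches a binding on this port.
    port_security=True is the IP+MAC filtering mode."""
    row = table.lookup(vlan, src_ip)
    if row is None or row.interface != interface:
        return "drop"
    if port_security and row.mac.lower() != src_mac.lower():
        return "drop"
    return "forward"
```

A host with a static address (a printer, say) has no DHCP binding and is denied by DAI until it is listed in an ARP ACL; the src-mac check is what catches a packet whose Ethernet header and ARP body disagree, which a plain binding lookup on the ARP body alone would pass.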

Private VLAN (PVLAN):