Network Mitigation And Security


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Please click this link to view samples of our professional work written by our professional essay writers. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

CropTrends, a medium-sized enterprise, has suffered a security breach that resulted in the leaking of sensitive information. An investigation found that the breach was caused by a man-in-the-middle attack on the layer 2 switching infrastructure of the network. The following report explains how man-in-the-middle attacks work and how to defend against them, and also covers the trunking protocols and the layer 2 spoofing attacks built on them, since these protocols and their surroundings were the main area involved. The report contains technical background, but some parts are kept simpler because it has been requested by the director of the company, whose knowledge of security is minimal but who has general networking knowledge and background.

The report also sets out ways to improve security in the affected area so that this breach and others like it are prevented, and how to mitigate future attacks, so that the company's reputation can be restored and tarnished no more.

Attacks on the Network

Man-in-the-middle attacks are pretty much what it says on the tin: the attacker sits in the middle, with the two communicating parties on either side. The name comes from the basketball game in which two people throw a ball to each other while a person in the middle tries to intercept it.

There are a few ways a man-in-the-middle attack can be carried out on a network. In the first, the attacker uses a tool such as a network sniffer until they have found what they are looking for, then intercepts the messages or data being sent across the network at the public key exchange. This is where the attacker swaps the public key for their own public key and retransmits the message as if it were the original request. To the original callers everything seems normal, but the man in the middle now has access to their conversation and to the data being transferred between the two.

In another method the attacker gains access in the same way as before, using a sniffer or eavesdropping tools to detect activity on the network, and intercepts calls and data, but this time injects a program into the network that tricks the network and its users into thinking everything is normal. In fact it is not: the program makes the client think it is the server and the server think it is the client. This makes the attacker's interception far easier to maintain and to record data from, and it also lets them gain more access, because the program can record accounts and passwords that can be used to attack the network further; this is only the start.

Man-in-the-middle attacks on LAN-only networks with no internet connection are a lot harder, because the tools used to detect them work more easily there; when there is an internet connection these tools are still very efficient, but they can be fooled like the rest of the network if the attacker is already inside. Sometimes man-in-the-middle attackers are used simply to disrupt networks: once they have sniffed the network they alter or reroute data along a different path, causing heavy traffic and sometimes crashing the network.

Man-in-the-middle attacks are also called:

Fire brigade attack

Bucket-brigade attack

Monkey-in-the-middle

Session hijacking

TCP hijacking

TCP session Hijacking

Spanning Tree Protocols

Spanning tree protocol, or STP, is a protocol that creates a loop-free network so that data does not loop around multiple times; it reduces traffic by changing ports on the network switches from blocking to forwarding about every 50 seconds, so that data can travel along different paths and the flow of traffic on the network stays smooth and not so congested.

Spanning tree protocol establishes its topology in three steps: first, the root bridge is elected (the bridge with the smallest/lowest bridge ID), which is done by exchanging layer 2 BPDUs (bridge protocol data units); second, one root port is selected on every non-root bridge; and third, one designated port is selected per segment of the network.

Attacks on spanning tree protocol start by destabilising the MAC addresses of the switches on the network so that the network is held in a constant state of electing the root bridge; this is easy to do because spanning tree has no built-in authentication to prevent it. By repeating this process the network is kept at a standstill, continually trying to re-elect the root bridge while broadcasts are held up as well, which creates a broadcast storm and floods the network with frames.

Other ways of attacking spanning tree protocol involve the attacker sending raw configuration bridge protocol data units (BPDUs) and transmitting raw BPDUs; STP attacks can also involve DoS (denial-of-service) attacks, which can be launched with a raw TCN (topology change notification) BPDU. More damaging attacks on STP work by claiming key roles in the protocol, such as the root role and the dual-homed root role.
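To make the three election steps concrete, and to show why an unauthenticated BPDU can simply claim the root role, here is an added Python model of the election. It is example code written for this edit, not part of the original essay; the bridge IDs, link costs and the root_alert check are constructed for the example. The model elects the root purely from the lowest advertised bridge ID, selects one root port per non-root bridge and one designated port per link, and the check flags an election that lands on a bridge other than the one expected, which is the defender's view of the root-claim attacks described above.

```python
import heapq
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class BridgeId:
    """STP bridge ID compared as (priority, MAC); the lowest value wins."""
    priority: int
    mac: str


# Constructed sample topology: point-to-point links as (bridge, bridge, cost).
SAMPLE_LINKS = [("A", "B", 4), ("B", "C", 4), ("A", "C", 19)]
SAMPLE_BRIDGES = {
    "A": BridgeId(32768, "00:00:00:00:00:0a"),
    "B": BridgeId(32768, "00:00:00:00:00:0b"),
    "C": BridgeId(32768, "00:00:00:00:00:0c"),
}


def elect_root(bridges):
    """Step 1: the bridge advertising the lowest bridge ID becomes root.
    Nothing in the BPDU exchange proves who sent it, so the ID alone decides."""
    return min(bridges, key=bridges.get)


def root_path_costs(root, links):
    """Lowest cumulative link cost from every bridge to the root (Dijkstra)."""
    cost = {n: float("inf") for a, b, _ in links for n in (a, b)}
    cost[root] = 0
    heap = [(0, root)]
    while heap:
        c, n = heapq.heappop(heap)
        if c > cost[n]:
            continue
        for a, b, w in links:
            if n in (a, b):
                other = b if n == a else a
                if c + w < cost[other]:
                    cost[other] = c + w
                    heapq.heappush(heap, (c + w, other))
    return cost


def select_root_ports(root, links, bridges):
    """Step 2: one root port per non-root bridge, the link with the lowest cost
    to the root (tie-break: lower neighbour bridge ID). Returns {bridge: link index}."""
    cost = root_path_costs(root, links)
    root_port = {}
    for n in cost:
        if n == root:
            continue
        candidates = []
        for i, (a, b, w) in enumerate(links):
            if n in (a, b):
                other = b if n == a else a
                candidates.append((cost[other] + w, bridges[other], i))
        root_port[n] = min(candidates)[2]
    return root_port


def select_designated_ports(root, links, bridges):
    """Step 3: one designated port per segment, held by the attached bridge with
    the lowest root path cost (tie-break: lower bridge ID). Returns {link index: bridge}."""
    cost = root_path_costs(root, links)
    return {i: min((a, b), key=lambda n: (cost[n], bridges[n]))
            for i, (a, b, _) in enumerate(links)}


def port_states(links, bridges):
    """Run all three steps; every remaining port ends up blocking, which is what breaks loops."""
    root = elect_root(bridges)
    rp = select_root_ports(root, links, bridges)
    dp = select_designated_ports(root, links, bridges)
    states = {}
    for i, (a, b, _) in enumerate(links):
        for n in (a, b):
            if rp.get(n) == i:
                states[(n, i)] = "root"
            elif dp[i] == n:
                states[(n, i)] = "designated"
            else:
                states[(n, i)] = "blocked"
    return root, states


def root_alert(bridges, expected_root):
    """Defender check (constructed for this example): because the election trusts
    whatever IDs are advertised, compare the elected root with the bridge that
    should hold the role and report any difference."""
    elected = elect_root(bridges)
    if elected == expected_root:
        return None
    return f"root changed from {expected_root} to {elected}"


if __name__ == "__main__":
    root, states = port_states(SAMPLE_LINKS, SAMPLE_BRIDGES)
    print("root:", root)
    for (bridge, link), state in sorted(states.items()):
        print(f"  {bridge} on link {SAMPLE_LINKS[link][:2]}: {state}")
    # A bridge advertising priority 0 wins the election outright; the check reports it.
    lower = dict(SAMPLE_BRIDGES, X=BridgeId(0, "00:00:00:00:00:0d"))
    print(root_alert(lower, expected_root="A"))
```

With the sample topology, A is elected root, B and C each get one root port, and C's port on the costly A-C link is the one that blocks. The root_alert function is the kind of check a monitoring script would run against the root ID reported by each switch, since the protocol itself will accept any lower ID it hears.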

Layer 2 Spoofing

Layer 2 of a network is the data link layer, where MAC addressing lives; it sits before the access lists and firewalls that handle the network's security. This layer is the main area where man-in-the-middle attacks happen, along with attacks against the switches (which is where STP runs), and it is where the breach of the CropTrends network may first have been hit.

Layer 2 attacks also include CAM overflows, where the content addressable memory table is flooded with MAC addresses until the system or device cannot cope with the flooding. Next are DHCP attacks, where the attacker can make any machine on the network a DHCP server, which is very bad because that machine can then hand out DHCP-based information, which in turn gives access to more secure information on the network and its servers. Another layer 2 attack is VLAN hopping, carried out on a virtual network to gain access to traffic on other VLANs (virtual local area networks); this is done by gaining access to the switch port configuration in the VLAN.

Now to the area that was part of the breach into the CropTrends network: MAC spoofing, used to gain access to the network by taking a MAC address that is currently in use, so that the attacker can hide and be stealthier while attacking, and neither the network nor its users suspect an attack. The attacker can also take a MAC address to impersonate a device on the network and gain control of other, more secure devices; this can only be done on the LAN because of the limited broadcast range of the attack. It is normally launched by clients already on the network, so the attack on the CropTrends network could have been an inside attack, or an insider could have been part of it. The spoofed address is then used to start the man-in-the-middle attacks, which explains how the breach was started and how access into the network was gained.

Trunk Related Protocols

The dynamic trunking protocol, on which VLAN hopping is based, is used for negotiating trunking between two switches or devices on the network and can be enabled with a simple command. While this feature makes setting up switches easier, it hides a weakness for the VLAN: it can be spoofed very easily by switching encapsulation, which creates a trunk link and makes the attacker a member of all VLANs.

ARP (Address Resolution Protocol) attacks are one of the trunk-related protocol attacks and can be a real pain. The attacker first obtains the IP addresses and any other information needed for a tactical attack, and once they have enough data they plan the attack on the network. Most of the time this begins by flooding the switches with ARP broadcasts announcing that a range of the IP addresses, or all of them, belong to the attacker, so that the data path has to pass by the attacker, who sniffs and searches the data for valuable information that might be in transit, such as bank account details and passwords for more secure locations and devices on the network.

How to harden the network

Against MITM (man-in-the-middle) Attacks

Networks can have many defences against various attacks, some better than others, but none yet make a network so secure that it cannot be attacked. For man-in-the-middle attacks there are tools that can monitor the network and detect such attacks; these are good to have because they offer multiple features rather than just man-in-the-middle detection. Some tools have features against ARP attacks that stop the spoofing of the ARP table and intercept the attacks before they can hit.

Here are some of the tools used for man-in-the-middle attacks:

Ettercap

PacketCreator

Dsniff

Cain & Abel

These tools are efficient on LAN networks but not as efficient on networks connected to the Internet.

Another way to defend against man-in-the-middle attacks is to use authentication techniques to secure the network along all the routes and stages that packets take. One of the main targets of man-in-the-middle attacks is the public key, and using authentication on the public key infrastructure is quite effective at preventing man-in-the-middle attacks. This works because not only does the application validate the user, but the user's device/machine also validates the application; this filters out the rogue attacker application that is intercepting data, and lets the genuine applications through while blocking the rogue ones.

Further protection comes from stronger mutual authentication, such as passwords and secret keys. The only thing is that passwords, although they provide some security, are not as secure as secret keys, which use higher-entropy secrets and are therefore more secure than passwords.

There is also the use of latency monitors on the network and between two users, which monitor the latency/ping of a call or data transfer: if the normal latency of a connection between two parties is 30 seconds but sometimes there is a delay and it takes double that, this can be an indication that a man-in-the-middle attack is about to happen.

Against STP (Spanning tree protocol) Attacks

Defending against attacks on spanning tree protocol is a bit easier, since there are three successful countermeasures that can be put in place; from our findings they are not 100% secure, but close enough to be nearly so. The three countermeasures are a layer 2 PDU rate limiter, BPDU guard and BPDU filtering.

Starting with the layer 2 PDU rate limiter: this lets only a set amount of protocol data units through when a port on the switch at layer 2 is set to forwarding. It prevents all the ports being opened in an attack and flooding the network with PDUs, since only a set amount is allowed each time in order to control the traffic.

Second is BPDU guard, a simple yet effective switch feature to help against STP attacks. First, the feature has to be enabled on the ports where you do not want BPDU packets sent; with this in place, even if an attack on the network and switch somehow removes the limiter on PDU packets, any port with the guard enabled is shut down, so the switch cannot be flooded. This provides a secure response to invalid settings on the switch, but the ports have to be reset manually because they are shut down.

Lastly there is BPDU filtering, put in place to filter the BPDU packets and make sure there are no intruders among them. It is applied on PortFast-enabled interfaces to stop them sending or receiving BPDUs. Some packets are sent on start-up until the switch enables outbound BPDU filtering; the global setting can also be enabled for all connected devices and users so that they do not receive any BPDU packets.

The most effective approach is to have all three enabled at once, together with a few more changes, so that the switch is as secure as it possibly can be.

Further measures are to deny ordinary users any access to STP-enabled ports unless they have been assigned permissions, to disable any access ports, and to enable port security on all user ports of the switch. Keeping the network equipment locked away and out of reach can prevent future tampering by an attacker trying to gain access.

Against Layer 2 Spoofing Attacks

Defending against layer 2 spoofing attacks such as MAC spoofing, one of the most common forms of layer 2 spoofing: one defence is MAC locking, which locks MAC addresses to physical ports so that a MAC address cannot be switched over to an attacker to try an attack. This goes along with hardening the access points and the access to physical machines, to prevent internal attacks, which in turn hardens the areas that are weak to external attacks.

These defences can also be improved by enabling sticky ARP and MAC/IP filtering, and by running RARP, which shows whether there is currently anything suspicious: if the scan is run on a certain address and a single address is returned, there is no attack involving that address, but if multiple addresses are returned an attack could be in motion, which calls for further investigation.

There is also port security, with the maximum number of MAC addresses per port set to one, but this can be a real pain because it can carry a greater risk of an attack.
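As an added example for the CAM overflow and MAC spoofing attacks described earlier and for the MAC locking and port security defences above, here is a small Python model of a switch's CAM table with and without port security. It is example code written for this edit, not part of the original essay and not any vendor's implementation; the port names, MAC addresses, frames and the tiny table capacity are constructed for the example. The unprotected scenario shows a spoofed MAC silently moving between ports and a handful of fake addresses filling the table; the protected scenario shows a port locked to its first host being shut down as soon as a different address arrives on it.

```python
from dataclasses import dataclass, field

# Tiny CAM table so the overflow case shows up with a handful of constructed frames.
CAM_CAPACITY = 4


@dataclass
class Port:
    name: str
    secure: bool = False                       # port security enabled on this port?
    max_macs: int = 1                          # addresses the port is locked to when secure
    learned: set = field(default_factory=set)  # sticky-learned addresses
    shutdown: bool = False


class Switch:
    """Forwarding model: learns source MACs into the CAM table and, on secure
    ports, locks the port to the first MAC(s) seen and shuts it on a violation."""

    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}
        self.cam = {}        # source MAC -> port it was last seen on
        self.events = []     # what a defender would see in the switch log

    def receive(self, port_name, src_mac):
        port = self.ports[port_name]
        if port.shutdown:
            return "dropped"             # stays down until an administrator resets it
        if port.secure and src_mac not in port.learned:
            if len(port.learned) >= port.max_macs:
                port.shutdown = True
                self.events.append(("violation-shutdown", port_name, src_mac))
                return "violation"
            port.learned.add(src_mac)    # sticky: lock the port to this address
        prev = self.cam.get(src_mac)
        if prev is not None and prev != port_name:
            # The same MAC showing up on a different port is the signature of MAC spoofing.
            self.events.append(("mac-move", src_mac, prev, port_name))
        if prev is None and len(self.cam) >= CAM_CAPACITY:
            # Table full: the address cannot be learned and unknown traffic gets flooded.
            self.events.append(("cam-full", port_name, src_mac))
            return "flooded"
        self.cam[src_mac] = port_name
        return "forwarded"


def scenario_unprotected():
    """No port security: a spoofed MAC simply moves, and many fake MACs fill the table."""
    sw = Switch([Port("Gi0/1"), Port("Gi0/2")])
    results = [sw.receive("Gi0/1", "aa:aa:aa:aa:aa:01"),
               sw.receive("Gi0/2", "aa:aa:aa:aa:aa:01")]   # same MAC from another port
    results += [sw.receive("Gi0/2", f"de:ad:be:ef:00:{i:02x}") for i in range(5)]
    return sw, results


def scenario_protected():
    """Port security, maximum one MAC per port: the port locks to its first host
    and is shut down as soon as a different address arrives on it."""
    sw = Switch([Port("Gi0/1", secure=True), Port("Gi0/2", secure=True)])
    results = [sw.receive("Gi0/1", "aa:aa:aa:aa:aa:01"),   # learned and locked
               sw.receive("Gi0/1", "aa:aa:aa:aa:aa:01"),
               sw.receive("Gi0/2", "aa:aa:aa:aa:aa:02"),   # learned and locked
               sw.receive("Gi0/2", "aa:aa:aa:aa:aa:01"),   # locked port sees another MAC
               sw.receive("Gi0/2", "aa:aa:aa:aa:aa:02")]   # legitimate host is now cut off too
    return sw, results


if __name__ == "__main__":
    for name, scenario in (("unprotected", scenario_unprotected),
                           ("protected", scenario_protected)):
        sw, results = scenario()
        print(name, results)
        for event in sw.events:
            print("  event:", event)
```

The last frame of the protected scenario is the "real pain" the paragraph above refers to: with the maximum set to one, a single stray address takes the legitimate host on that port offline as well, and the port stays down until someone resets it. The mac-move event in the unprotected scenario is the log line worth alerting on even where port security is not enabled.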

Against Trunk Related Protocol Attacks

The ways to defend against trunk-related protocol attacks are as follows: with VLANs, make the VLAN IDs for all ports dedicated, disable the unused ports and separate them into an unused VLAN, so that if any unused port is accessed it cannot attack anything. Further port-related measures are to disable auto-trunking on the user ports and make sure port negotiation is not set to auto.

There are tools such as intrusion-detection systems to track and record ARP broadcasts and report them if such an attack occurs. Another option is to disable VTP altogether, but that is not very practical on a large network; the more effective way is to use MD5 authentication for all messages, so that access cannot be gained if the password is wrong.
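The ARP flooding described in the Trunk Related Protocols section, the RARP-style check in the layer 2 spoofing defences (one address returned is fine, several is suspicious) and the intrusion-detection tracking of ARP broadcasts mentioned here all come down to one piece of detection logic: keep a record of which MAC has answered for which IP and alert when that record is contradicted. Here is an added Python example of that logic run over constructed sample ARP replies. It is example code written for this edit, not part of the original essay or of any IDS product; the IP and MAC addresses, the pinned gateway binding and the per-MAC threshold are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample: ARP replies ("is-at") as (sender IP, sender MAC) in arrival order.
SAMPLE_ARP_REPLIES = [
    ("10.0.0.1", "aa:aa:aa:aa:aa:01"),    # gateway answers for itself
    ("10.0.0.20", "aa:aa:aa:aa:aa:20"),
    ("10.0.0.21", "aa:aa:aa:aa:aa:21"),
    ("10.0.0.1", "aa:aa:aa:aa:aa:01"),    # ordinary refresh, same binding
    ("10.0.0.1", "bb:bb:bb:bb:bb:99"),    # a different MAC now claims the gateway IP
    ("10.0.0.20", "bb:bb:bb:bb:bb:99"),   # and a host IP
    ("10.0.0.21", "bb:bb:bb:bb:bb:99"),   # and another host IP
]

# Sticky ARP: bindings that must never change (the gateway here).
STATIC_BINDINGS = {"10.0.0.1": "aa:aa:aa:aa:aa:01"}


class ArpMonitor:
    """Tracks IP<->MAC bindings seen in ARP replies and raises alerts when a
    binding changes, a pinned binding is contradicted, or one MAC claims a
    range of IPs. Alerts are (kind, subject, detail) tuples."""

    def __init__(self, static=None, max_ips_per_mac=2):
        self.static = dict(static or {})
        self.ip_to_mac = dict(self.static)       # current binding per IP
        self.macs_seen = defaultdict(set)        # every MAC ever seen for an IP
        self.ips_claimed = defaultdict(set)      # every IP a MAC has claimed
        self.max_ips_per_mac = max_ips_per_mac
        self.alerts = []

    def observe(self, ip, mac):
        prev = self.ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            kind = "static-binding-violated" if ip in self.static else "binding-changed"
            self.alerts.append((kind, ip, f"{prev} -> {mac}"))
        if ip not in self.static:
            self.ip_to_mac[ip] = mac             # dynamic entries follow the latest reply
        self.macs_seen[ip].add(mac)
        self.ips_claimed[mac].add(ip)
        if len(self.ips_claimed[mac]) == self.max_ips_per_mac + 1:
            # One station answering for many addresses is the ARP-flood pattern;
            # alert once, when the threshold is first crossed.
            self.alerts.append(("mac-claims-many-ips", mac, sorted(self.ips_claimed[mac])))

    def suspicious_ips(self):
        """Reverse check, like the RARP scan in the text: IPs that have
        answered with more than one MAC."""
        return [ip for ip, macs in self.macs_seen.items() if len(macs) > 1]


def run_monitor(replies, static=None):
    monitor = ArpMonitor(static)
    for ip, mac in replies:
        monitor.observe(ip, mac)
    return monitor


if __name__ == "__main__":
    m = run_monitor(SAMPLE_ARP_REPLIES, STATIC_BINDINGS)
    for alert in m.alerts:
        print("alert:", alert)
    print("IPs seen with more than one MAC:", m.suspicious_ips())
```

On the sample replies the first four produce nothing; the fifth contradicts the pinned gateway binding (which the monitor refuses to overwrite), the next two change dynamic bindings, and the third IP claimed by the same MAC trips the per-MAC threshold. In practice the replies would come from a capture on a mirror port rather than a list, but the bookkeeping is the same.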

Conclusion
