WEBVTT

0
00:00.800 --> 00:06.380
In the last lecture we've seen how to destroy an Ethernet switch using a DoS

1
00:06.410 --> 00:10.230
attack called MAC Flooding! In this lecture

2
00:10.310 --> 00:14.590
I'll show you what countermeasures you can take to protect your network.

3
00:14.600 --> 00:22.250
The first thing I want to tell you is that you can avoid this attack only if your switch has some built-in

4
00:22.310 --> 00:27.550
security features in its operating system and allows basic management.

5
00:28.070 --> 00:34.130
If you have a home-user transparent switch that can only be turned on and off,

6
00:34.190 --> 00:37.610
there is no way to protect it against MAC flooding.

7
00:38.120 --> 00:45.590
Fortunately all vendors that produce professional devices have included in their switches some security

8
00:45.590 --> 00:49.160
features against this type of attack.

9
00:49.160 --> 00:57.830
For this lab we have this Cisco Catalyst switch. The countermeasure for MAC flooding is to configure

10
00:57.830 --> 01:02.330
a security feature called port security on the switch.

11
01:02.330 --> 01:09.860
This will limit the number of MAC addresses the switch can learn on each interface or port. A MAC address

12
01:09.860 --> 01:17.450
configured by port security is called a secure MAC address and there are three types of secure

13
01:17.450 --> 01:26.870
MAC addresses: static secure MAC addresses, dynamic secure MAC addresses and sticky secure MAC addresses.

14
01:27.330 --> 01:33.920
Static secure MAC addresses are manually configured MAC addresses that are stored in the MAC

15
01:34.010 --> 01:39.370
address table and added to the switch running configuration and saved

16
01:39.560 --> 01:48.320
after a restart. The second category, dynamic secure MAC addresses, are dynamically learned MAC addresses

17
01:48.530 --> 01:56.300
stored only in the address table and removed when the switch restarts. And sticky secure MAC addresses

18
01:56.570 --> 02:04.490
are dynamically learned or manually configured, stored in the address table and added to the running configuration,

19
02:04.700 --> 02:13.240
so they are also available after the switch restarts. If these addresses are saved in the configuration

20
02:13.240 --> 02:13.940
file

21
02:13.990 --> 02:20.380
the interface does not need to dynamically learn them again when the switch restarts.

22
02:25.090 --> 02:30.170
Perfect! When the maximum number of secure MAC addresses has been reached,

23
02:30.280 --> 02:32.670
a security violation occurs.

24
02:32.800 --> 02:37.600
The switch can react to a security violation in three different ways:

25
02:37.660 --> 02:46.510
protect, restrict and shutdown. Let's see what "protect" means! When the number of secure MAC addresses

26
02:46.520 --> 02:54.590
reaches the limit allowed on the port, packets with unknown source addresses are dropped

27
02:54.890 --> 03:02.060
until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowed

28
03:02.120 --> 03:03.280
addresses.

29
03:03.320 --> 03:09.440
There is no notification that a security violation has occurred. Then "restrict"

30
03:09.500 --> 03:14.930
is the same as protect, except that an SNMP

31
03:14.930 --> 03:24.410
trap notification is sent, a syslog message is logged, and the violation counter increments. And the last security

32
03:24.410 --> 03:33.470
violation mode is "shutdown", which is also the default mode. In this mode a port security violation causes

33
03:33.590 --> 03:38.050
the interface to immediately become error disabled.

34
03:38.060 --> 03:40.960
It also sends an SNMP trap,

35
03:40.970 --> 03:49.520
logs a syslog message, and increments the violation counter. When a secure port is in the error-disabled

36
03:49.610 --> 03:50.720
state,

37
03:50.720 --> 03:58.550
one way to bring it out of it is to manually re-enable the port by entering the shutdown

38
03:58.880 --> 04:06.140
and no shutdown interface configuration commands. I'll attach a comprehensive resource on port security

39
04:06.140 --> 04:14.960
to this lecture. Let's return to the switch and enable port security for the interface to which the attacker

40
04:15.080 --> 04:21.620
is connected. Let's see the switch interfaces: sh ip int brief

41
04:26.250 --> 04:34.230
The interface to which the Linux machine is connected is FastEthernet0/21. We notice that's

42
04:34.260 --> 04:45.020
the only interface enabled. I am entering the interface configuration mode: conf t, interface fastethernet

43
04:45.020 --> 04:54.310
0/1. Port security works only on an access port, so I set it as an access port: switchport

44
04:54.310 --> 05:05.250
mode access. And I am enabling port security on the port: switchport port-security. And I'll set

45
05:05.270 --> 05:14.330
the maximum number of secure MAC addresses for the interface to 5: switchport port-security maximum

46
05:14.660 --> 05:22.120
5. And I want the interface to become error disabled when a violation occurs.

47
05:22.120 --> 05:30.640
This is by the way the default: switchport port-security violation, and we have protect, restrict and

48
05:30.810 --> 05:40.340
shutdown. Let's launch the MAC flooding attack again! I'm going to Kali Linux and I am executing the last

49
05:40.340 --> 05:40.850
command.

50
05:44.010 --> 05:52.740
Let's return to the switch and we notice that the switch has immediately shut down the interface

51
05:52.800 --> 06:02.200
FastEthernet0/1: port security violation error, putting Fa0/1 in error disable

52
06:02.200 --> 06:03.890
state

53
06:03.930 --> 06:11.180
The security violation has occurred after five frames with random source MAC addresses have

54
06:11.180 --> 06:18.980
been sent to the switch. The attack is running but the switch is not affected anymore.

55
06:18.990 --> 06:27.040
Let's see the MAC address table and CPU utilization. From privileged exec mode

56
06:27.050 --> 06:29.420
I'll execute show mac address-table

57
06:37.720 --> 06:44.320
and there is no dynamic MAC learned by the switch; the interface to which the attacker is connected

58
06:44.530 --> 06:47.450
was shut down.

59
06:47.550 --> 06:49.690
See the CPU utilization

60
06:55.740 --> 07:03.210
and we notice that the switch CPU is idle. The CPU utilization is only 5%.

61
07:05.950 --> 07:13.940
show interface F0/1 shows us that the interface is in the error-disabled state.

62
07:13.990 --> 07:22.450
Now I know that the attack was launched on port F0/1. If I want to enable the port I can

63
07:22.450 --> 07:33.500
do it manually like this. I'm going into interface configuration mode and I'll execute 2 commands: shut

64
07:33.550 --> 07:41.480
down and no shutdown. But first I'll stop the attack, otherwise port security will shut down the port again:

65
07:44.380 --> 07:47.230
so shut and no shut

66
07:50.310 --> 07:58.080
and the interface changed state to up. Okay! Another way to protect against the MAC flooding attack

67
07:58.170 --> 08:03.750
is to implement IEEE 802.1X authentication.

68
08:07.200 --> 08:15.060
This allows packet filtering rules issued by a centralised AAA server, such as a RADIUS server,

69
08:15.300 --> 08:22.840
based on dynamic learning of clients. Congratulations, you've just learned how to protect your switches

70
08:23.140 --> 08:25.330
against Mac flooding attacks!