Verificación de flooding inter VLAN
Fecha: 9 de septiembre del 2014 Clase: CCNA Security
Escenario
Este laboratorio intenta demostrar, que si generando una inundación en la tabla de MAC address de un switch,
es afectada la VLAN donde se genera o la tabla entera.
Según la currícula de CCNASec, esta inundación de tráfico no afecta las otras VLANs.
A verificarlo…
The key to understanding how MAC address overflow attacks work is to know that MAC address tables are limited in size.
MAC flooding takes advantage of this limitation by bombarding the switch with fake source MAC addresses until the switch
MAC address table is full. If enough entries are entered into the MAC address table before older entries expire, the table
fills up to the point that no new entries can be accepted. When this occurs, the switch begins to flood all incoming traffic to
all ports because there is no room in the table to learn any legitimate MAC addresses. The switch, in essence, acts like a hub.
As a result, the attacker can
see all of the frames sent from one host to another. Traffic is flooded only within the local VLAN,
so the intruder sees only traffic within the local VLAN to which the intruder is connected.
Verificación inicial:
Cisco_2960>show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/9, Fa0/10, Fa0/11, Fa0/12
Fa0/13, Fa0/14, Fa0/15, Fa0/16
Fa0/17, Fa0/18, Fa0/19, Fa0/20
Fa0/21, Fa0/22, Fa0/23, Fa0/24
Gi0/1, Gi0/2
2 VLAN0002 active Fa0/1, Fa0/2
3 VLAN0003 active Fa0/3, Fa0/4
4 VLAN0004 active Fa0/5, Fa0/6
5 VLAN0005 active Fa0/7, Fa0/8
---resumido---
Cisco_2960>
Cisco_2960>sh mac address-table
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
All 0100.0ccc.cccc STATIC CPU
---resumido---
All ffff.ffff.ffff STATIC CPU
1 001b.387e.f171 DYNAMIC
Fa0/24
1 54be.f757.effb DYNAMIC Fa0/23
2 54be.f757.f30e DYNAMIC
Fa0/1
Total Mac Addresses for this criterion: 28
Cisco_2960>
Durante la inundación de la tabla de MAC (desde el port Fa0/24):
Cisco_2960>sh mac address-table | incl Total
Total Mac Addresses for this criterion: 8092
Cisco_2960>sh proc | incl CPU (no tiene demasiado impacto en el procesador)
CPU utilization for five seconds: 35%/2%; one minute: 69%; five minutes: 36%
Cisco_2960>
En la PC de la VLAN atacada (vlan1, port Fa0/23):
En la PC de la VLAN no atacada (vlan 2, port Fa0/1):
Verificamos que la tabla de mac address, al llenarse, realiza flooding sólo en la VLAN donde se inyecta el tráfico.
Se puede observar que el spanning tree y el CDP se desactivaron para realizar una captura de tráfico limpia, sólo
se muestra el tráfico generado por el ataque.
Si bien estaba en la currícula, hay que ver para creer.
(2014) Sensei, does the
packet storm comes from the cloud ?
Rosario, Argentina