2. BACK TO BASICS 101
What is a MAC address?
What is ARP? How does it work?
What is a switch? What does it do for a living?
Layer 2 Attacks and Countermeasures
3. BACK TO BASICS 101
What is a MAC address (media access control address)?
• Also known as the Ethernet hardware address, Burned-In Address (BIA) or physical address
• A 48-bit address, commonly written as 01:23:45:67:89:ab or 0123.4567.89ab or ?
4. BACK TO BASICS 101
ARP (Address Resolution Protocol)
• Why do we need ARP?
5. BACK TO BASICS 101
ARP (Address Resolution Protocol)
[Diagram: host AAA has an IP packet for 192.168.1.2 but does not yet know the destination MAC: IP PACKET | src MAC AAA | dst MAC ???]
6. BACK TO BASICS 101
ARP (Address Resolution Protocol)
[Diagram: host 192.168.1.1 (MAC AAA) broadcasts an ARP REQ for 192.168.1.2; host 192.168.1.2 (MAC BBB) answers with an ARP REP. Afterwards BBB's ARP TABLE holds 192.168.1.1:AAA, AAA's ARP TABLE holds 192.168.1.2:BBB, and the frame can go out as IP PACKET | AAA | BBB]
8. Ethernet is a Layer 2 protocol.
Ethernet frames need a destination MAC address.
If the destination MAC is in your ARP table, you can send the frame.
If it isn't, you send a broadcast ARP request to find the MAC address.
If the destination host is on your subnet, you can send the frame directly to that host.
If the destination host is on another subnet, you have to send the frame to your default gateway.
Remember: the frame goes to the gateway's MAC address, while the IP packet inside it still carries the far host's IP address.
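The send path described on this slide, as an added example (a Python simulation written for this page, not code from the slides or from any real stack). Hosts A, B and the gateway GW, their MAC and IP addresses and the 192.168.1.0/24 subnet are constructed values; the Wire class stands in for one broadcast domain so the whole exchange runs offline.

```python
"""Host-side send path: next-hop decision, ARP cache, ARP request/reply, frame out."""
import ipaddress
from dataclasses import dataclass, field

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


class Wire:
    """One broadcast domain: every attached host sees broadcast frames."""

    def __init__(self):
        self.hosts = []
        self.frames = []            # everything put on the wire, in order, for inspection

    def attach(self, host):
        self.hosts.append(host)
        host.wire = self

    def transmit(self, frame):
        self.frames.append(frame)
        for h in self.hosts:
            if h.mac != frame["src_mac"] and frame["dst_mac"] in (BROADCAST_MAC, h.mac):
                h.receive(frame)


@dataclass
class Host:
    name: str
    mac: str
    ip: str
    subnet: str                     # e.g. "192.168.1.0/24"
    gateway: str                    # default gateway IP
    arp_table: dict = field(default_factory=dict)   # ip -> mac
    wire: Wire = None
    delivered: list = field(default_factory=list)   # IP frames received by this host

    def next_hop(self, dst_ip):
        """Same subnet: talk to the host directly. Anywhere else: hand it to the gateway."""
        if ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.subnet):
            return dst_ip
        return self.gateway

    def resolve(self, ip):
        """Return the MAC for ip; broadcast an ARP request first if it is not cached."""
        if ip not in self.arp_table:
            self.wire.transmit({"src_mac": self.mac, "dst_mac": BROADCAST_MAC, "type": "ARP_REQ",
                                "sender_ip": self.ip, "sender_mac": self.mac, "target_ip": ip})
        return self.arp_table.get(ip)         # still None if nobody answered

    def send_ip(self, dst_ip, payload):
        """Build and transmit the Ethernet frame for an IP packet; None if unresolvable."""
        dst_mac = self.resolve(self.next_hop(dst_ip))
        if dst_mac is None:
            return None
        frame = {"src_mac": self.mac, "dst_mac": dst_mac, "type": "IP",
                 "src_ip": self.ip, "dst_ip": dst_ip, "payload": payload}
        self.wire.transmit(frame)
        return frame

    def receive(self, frame):
        kind = frame["type"]
        if kind == "ARP_REQ" and frame["target_ip"] == self.ip:
            # The target learns the asker from the request and answers with a unicast reply.
            self.arp_table[frame["sender_ip"]] = frame["sender_mac"]
            self.wire.transmit({"src_mac": self.mac, "dst_mac": frame["sender_mac"], "type": "ARP_REP",
                                "sender_ip": self.ip, "sender_mac": self.mac, "target_ip": frame["sender_ip"]})
        elif kind == "ARP_REP":
            self.arp_table[frame["sender_ip"]] = frame["sender_mac"]
        elif kind == "IP":
            self.delivered.append(frame)


def demo():
    """Constructed topology: A, B and the gateway GW share 192.168.1.0/24."""
    wire = Wire()
    a = Host("A", "aa:aa:aa:aa:aa:aa", "192.168.1.1", "192.168.1.0/24", "192.168.1.254")
    b = Host("B", "bb:bb:bb:bb:bb:bb", "192.168.1.2", "192.168.1.0/24", "192.168.1.254")
    gw = Host("GW", "cc:cc:cc:cc:cc:cc", "192.168.1.254", "192.168.1.0/24", "192.168.1.254")
    for h in (a, b, gw):
        wire.attach(h)
    first = a.send_ip("192.168.1.2", "hello")      # cache miss: ARP REQ (broadcast), ARP REP, then IP
    second = a.send_ip("192.168.1.2", "again")     # cache hit: no ARP at all
    remote = a.send_ip("10.0.0.5", "far away")     # other subnet: frame addressed to GW's MAC
    return a, b, gw, wire, (first, second, remote)


if __name__ == "__main__":
    a, b, gw, wire, frames = demo()
    for f in wire.frames:
        print(f["type"], f["src_mac"], "->", f["dst_mac"], f.get("dst_ip", f.get("target_ip")))
```

Two things worth noticing in the output: the reply to the first request is unicast, not broadcast, and the frame for 10.0.0.5 carries the gateway's MAC as destination while its IP header is untouched. Anyone who can answer the broadcast faster than the real owner, or who can get a forged reply into A's table, gets to choose that destination MAC, which is what the later ARP-spoofing material on these slides builds on.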
9. BACK TO BASICS 101
What is a switch? What does it do for a living?
10. BACK TO BASICS 101
• A switch is a Layer 2 device (Layer 3 as well if it also routes).
• Ports have their own forwarding intelligence (ASICs); frames are switched in hardware.
• VLANs
- Used to separate ports into different broadcast domains (by default the whole switch is a single broadcast domain)
- Hosts in the same VLAN share the same broadcast domain
- Traffic inside the VLAN is (magically) Layer 2 switched
- Traffic leaving a VLAN or going between VLANs must be Layer 3 routed
14. CAM Overflow
macof (part of the dsniff suite), around since 1999
The attack works by exploiting the size limit of the CAM table
macof sends a flood of frames with random source MAC and IP addresses; once the table is full the switch can no longer learn real hosts and floods their traffic out every port, so the attacker's port sees it too
SW#show mac-address-table count
MAC Entries for all vlans :
Dynamic Address Count: 924
Static Address (User-defined) Count: 115
Total MAC Addresses In Use: 1039
Total MAC Addresses Available: 65536
15. CAM Overflow - Countermeasures
Cisco IOS Mitigation
switch(config-if)# switchport mode access
! Set the interface mode to access (port-security is not applied on dynamic/trunk ports)
switch(config-if)# switchport port-security
! Enable port-security on the interface
switch(config-if)# switchport port-security mac-address { <mac_addr> | sticky }
! Allow a fixed MAC address (H.H.H) or record the first MAC address(es) seen on the interface
switch(config-if)# switchport port-security maximum <max_addresses>
! Set the maximum number of MAC addresses allowed on the port
switch(config-if)# switchport port-security violation { protect | restrict | shutdown }
! protect drops frames from extra MACs silently, restrict drops and logs/counts them, shutdown puts the port into err-disabled state. Cisco recommends the shutdown option; re-enable an err-disabled port with shutdown / no shutdown or with errdisable recovery cause psecure-violation
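The CAM overflow from slide 14 and the port-security limit from this slide, side by side, as an added example: a Python simulation written for this page, not code from the slides, from macof or from Cisco IOS. The toy switch has three ports, a 1024-entry table and the IOS default 300-second aging time; the victim MACs A and B, the attacker on port 3 and the 2000-frame flood are constructed values. Real tables are far larger (the 65536 on slide 14), so real macof sends far more frames, but the mechanism is the same.

```python
"""Toy switch: bounded CAM table, MAC aging, unknown-unicast flooding, port-security."""
import random
from dataclasses import dataclass, field

AGE_SECONDS = 300                       # Cisco IOS default MAC address aging time


@dataclass
class PortSecurity:
    maximum: int
    violation: str                      # "protect" | "restrict" | "shutdown"
    secure_macs: set = field(default_factory=set)
    violations: int = 0
    err_disabled: bool = False


class Switch:
    def __init__(self, ports, cam_capacity, aging=AGE_SECONDS):
        self.ports = set(ports)
        self.cam_capacity = cam_capacity
        self.aging = aging
        self.cam = {}                   # mac -> (port, last_seen)
        self.port_security = {}         # port -> PortSecurity
        self.log = []

    def enable_port_security(self, port, maximum, violation):
        self.port_security[port] = PortSecurity(maximum, violation)

    def _age_out(self, now):
        for mac in [m for m, (_, seen) in self.cam.items() if now - seen > self.aging]:
            del self.cam[mac]

    def _port_security_allows(self, port, src):
        ps = self.port_security.get(port)
        if ps is None:
            return True                                 # no port-security: anything goes
        if ps.err_disabled:
            return False                                # shut down by an earlier violation
        if src in ps.secure_macs:
            return True
        if len(ps.secure_macs) < ps.maximum:
            ps.secure_macs.add(src)                     # like 'sticky': remember the first MAC(s)
            return True
        ps.violations += 1
        if ps.violation == "restrict":
            self.log.append(f"port {port}: violation from {src}")
        elif ps.violation == "shutdown":
            ps.err_disabled = True
            self.log.append(f"port {port}: err-disabled")
        return False                                    # protect/restrict: frame is dropped

    def ingress(self, port, src, dst, now):
        """Handle one frame; return the set of egress ports (empty set = dropped)."""
        self._age_out(now)
        if not self._port_security_allows(port, src):
            return set()
        # Learning only happens while there is room: this is the limit macof exploits.
        if src in self.cam or len(self.cam) < self.cam_capacity:
            self.cam[src] = (port, now)
        if dst in self.cam:
            return {self.cam[dst][0]}                   # known unicast: exactly one port
        return self.ports - {port}                      # unknown unicast: flood, hub-style


def random_mac(rng):
    return ":".join(f"{rng.randrange(256):02x}" for _ in range(6))


def macof(switch, port, count, now, seed=1):
    """Emulate macof: 'count' frames with random source and destination MACs."""
    rng = random.Random(seed)
    for _ in range(count):
        switch.ingress(port, random_mac(rng), random_mac(rng), now)


A, B = "aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb"          # victims on ports 1 and 2 (constructed)


def scenario(violation=None):
    """Attacker on port 3. Returns (switch, egress of A->B before B re-appears, and after)."""
    sw = Switch(ports=[1, 2, 3], cam_capacity=1024)
    if violation:
        sw.enable_port_security(3, maximum=1, violation=violation)
    sw.ingress(2, B, A, now=0)                  # B is learned on port 2
    macof(sw, port=3, count=2000, now=310)      # B has aged out; attacker fills the table
    first = sw.ingress(1, A, B, now=320)        # B unknown again: flooded (normal so far)
    sw.ingress(2, B, A, now=321)                # B answers: can the switch learn it again?
    second = sw.ingress(1, A, B, now=322)       # without port-security this still floods to port 3
    return sw, first, second


if __name__ == "__main__":
    for mode in (None, "protect", "restrict", "shutdown"):
        sw, first, second = scenario(mode)
        print(f"{mode or 'no port-security':16} cam={len(sw.cam):5} A->B egress: {first} then {second}")
```

Without port-security the second A to B frame is still flooded, because the table is full of attacker entries and B's reply could not be learned; the attacker on port 3 reads the conversation. With a maximum of one MAC on port 3 the first attacker frame is the only one learned, the flood is dropped (counted under restrict, err-disabled under shutdown), and the conversation goes to port 2 only. The simulation also shows why the first A to B frame floods in every mode: unknown-unicast flooding is normal switch behaviour, and port-security limits what an attacker can do with it rather than removing it.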