Port Security
Port security allows the switch's administrator to limit the number of MAC addresses that can appear on a given LAN port. The limit can be set manually, or the switch can be instructed to lock down on the first dynamically learned address. It is usually possible to save the list of dynamically learned addresses so that they survive a reboot.
When a port-security violation is detected, several actions can ensue. The port can be brought down when more than n MAC addresses show up, or traffic from an unauthorized MAC address can be silently dropped. Actions vary from switch to switch, but generally speaking, the vast majority of switches on the market include some form of port security. (For specifics, consult your switch's documentation.)
Example 5-2 provides a configuration example for a Cisco Catalyst 6500 running the Cisco IOS operating system (OS), along with the message produced when a violation occurs. The configuration listed in Example 5-2 shows the user-configurable actions that can be taken when a security violation occurs.
Unfortunately, both Yersinia and Gobbler permit a more advanced version of the starvation attack. Both tools can multiplex multiple DHCP requests on top of a single source MAC address. To understand how this is possible, refer to the DHCP packet format shown in Figure 5-2 and Table 5-2. Both attack tools can randomize a critical field called the Client Hardware Address field while using a single, unique Ethernet source MAC address, as Figure 5-5 shows.
To the DHCP server, each packet constitutes a single valid request. To the switch, things look normal: only one MAC address is learned on the attacker's port.
Example 5-2 Port Security Configuration and Violation Detection
6K-1-720(config)# interface g1/1
6K-1-720(config-if)# switchport port-security ?
  aging        Port-security aging commands
  mac-address  Secure mac address
  maximum      Max secure addresses
  violation    Security violation mode
6K-1-720(config-if)# switchport port-security violation ?
  protect   Security violation protect mode
  restrict  Security violation restrict mode
  shutdown  Security violation shutdown mode
Countermeasures to DHCP Exhaustion Attacks 95
Figure 5-5 Advanced DHCP Exhaustion: Client Hardware Randomization
In Figure 5-5, you see that the Ethernet source MAC address differs from the Client Hardware Address field inside the DHCP message.
Hackers probably developed this feature to evade port security. Because no more than one MAC address appears on the port, port security does not register any suspicious activity. The solution to this attack is more involved: the switch must somehow have sufficient intelligence to peek inside DHCP packets and identify abnormal behavior. For this purpose, Cisco developed and patented a mechanism called DHCP snooping.
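The check described above, as an added example that is not code from the book or from Cisco's DHCP snooping implementation: a minimal parser for client-to-server DHCP frames (Ethernet/IPv4/UDP/BOOTP) that compares the BOOTP Client Hardware Address (chaddr) with the Ethernet source MAC, and counts what a MAC-only view of the port sees versus what the DHCP server is asked to lease against. All frames, MAC addresses and transaction IDs are constructed inline; the IP and UDP checksums are left at zero because nothing here validates them.

```python
"""Added example (not from the book): a DHCP snooping style chaddr check.

Parses Ethernet/IPv4/UDP/BOOTP frames sent toward a DHCP server and flags
those whose chaddr differs from the Ethernet source MAC. Frames are
constructed inline; MACs and xids are arbitrary test values."""
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
DHCP_SERVER_PORT = 67
BOOTP_FIXED_LEN = 236                 # op..file, i.e. everything before the magic cookie
DHCP_MAGIC = b"\x63\x82\x53\x63"
DHCP_DISCOVER = 1


def mac(s: str) -> bytes:
    """'00:11:22:33:44:55' -> 6 raw bytes."""
    return bytes.fromhex(s.replace(":", ""))


def build_dhcp_discover(src_mac: bytes, chaddr: bytes, xid: int) -> bytes:
    """Constructed DHCPDISCOVER frame; chaddr may deliberately differ from src_mac."""
    bootp = struct.pack("!BBBBIHH4s4s4s4s",
                        1, 1, 6, 0,                # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops
                        xid, 0, 0x8000,            # xid, secs, flags (broadcast bit)
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)   # ciaddr, yiaddr, siaddr, giaddr
    bootp += chaddr.ljust(16, b"\0") + b"\0" * 64 + b"\0" * 128      # chaddr(16), sname(64), file(128)
    bootp += DHCP_MAGIC + bytes([53, 1, DHCP_DISCOVER, 255])         # option 53 = DISCOVER, end option
    udp = struct.pack("!HHHH", 68, DHCP_SERVER_PORT, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                     IPPROTO_UDP, 0, b"\0" * 4, b"\xff" * 4) + udp     # 0.0.0.0 -> 255.255.255.255
    return b"\xff" * 6 + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip


def parse_dhcp_request(frame: bytes):
    """Return (eth_src, chaddr, xid, msg_type) for a client-to-server DHCP frame, else None."""
    if len(frame) < ETH_HDR_LEN + 20 + 8 + BOOTP_FIXED_LEN + 4:
        return None
    eth_src = frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or ip[9] != IPPROTO_UDP:
        return None
    udp = ip[ihl:]
    _sport, dport, _ulen, _csum = struct.unpack("!HHHH", udp[:8])
    if dport != DHCP_SERVER_PORT:
        return None
    bootp = udp[8:]
    if len(bootp) < BOOTP_FIXED_LEN + 4 or bootp[BOOTP_FIXED_LEN:BOOTP_FIXED_LEN + 4] != DHCP_MAGIC:
        return None
    hlen = bootp[2]
    if hlen > 16:                                   # chaddr field is only 16 bytes wide
        return None
    xid = struct.unpack("!I", bootp[4:8])[0]
    chaddr = bootp[28:28 + hlen]
    msg_type = None
    i = BOOTP_FIXED_LEN + 4                         # walk the options for code 53
    while i < len(bootp):
        code = bootp[i]
        if code == 255:                             # end
            break
        if code == 0:                               # pad
            i += 1
            continue
        if i + 1 >= len(bootp):
            break
        length = bootp[i + 1]
        if code == 53 and length == 1 and i + 2 < len(bootp):
            msg_type = bootp[i + 2]
        i += 2 + length
    return eth_src, chaddr, xid, msg_type


def inspect_port(frames):
    """Compare the MAC-only view of a port with a DHCP-aware one."""
    source_macs = set()      # what port security would learn
    chaddrs = set()          # what the DHCP server is asked to lease against
    mismatches = []          # frames a chaddr-vs-source check would drop
    for frame in frames:
        parsed = parse_dhcp_request(frame)
        if parsed is None:
            continue
        eth_src, chaddr, xid, _msg_type = parsed
        source_macs.add(eth_src)
        chaddrs.add(chaddr)
        if chaddr != eth_src:
            mismatches.append((xid, eth_src.hex(":"), chaddr.hex(":")))
    return {"source_macs": len(source_macs), "chaddrs": len(chaddrs), "mismatches": mismatches}


# Constructed traffic: one well-formed request, then three requests that share
# the same Ethernet source but carry three different chaddr values.
HOST = mac("00:11:22:33:44:55")
LEGIT = [build_dhcp_discover(HOST, HOST, 0x1001)]
MISMATCHED = [build_dhcp_discover(HOST, mac(f"02:00:00:00:00:{i:02x}"), 0x2000 + i)
              for i in range(1, 4)]

if __name__ == "__main__":
    print(inspect_port(LEGIT + MISMATCHED))
```

On the constructed input the port-security view is a single source MAC, while the DHCP-aware view counts four chaddr values and flags three frames. This source-versus-chaddr comparison is the same idea as the MAC verification that Cisco's DHCP snooping performs on untrusted ports; the example shows only the check itself, not the binding table the real feature also maintains.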
Another Limit of Port Security
Port security is an excellent defense technique against MAC flooding attacks. (See Chapter 2, "Defeating a Learning Bridge's Forwarding Process.") It must be deployed for this reason.
However, using port security to prevent DHCP exhaustion is definitely not enough. Because the DHCP lease time is usually several days and because the port-security timers are in the order of minutes, a smart hacker can change its MAC address slowly enough to bypass the port-security feature and still get a lease from the DHCP server. In short, port security has only a limited value to fight DHCP exhaustion.
96 Chapter 5: Leveraging DHCP Weaknesses
This is the reason for the interest in DHCP snooping.
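The three violation modes listed in Example 5-2 and the timer argument in the paragraph above, as an added example that is not code from the book or from any switch vendor: a small Python model of a port-security enabled port with a secure-address limit, a protect/restrict/shutdown violation mode and an inactivity aging timer. The two-minute aging value, the MAC addresses and the rotation intervals are constructed assumptions; the point is how many distinct source MACs the port lets through when they change faster or slower than the timer.

```python
"""Added example (not from the book or Cisco): a model of one port with port
security, used to compare violation modes and to show the effect of the
aging timer. Timer values and MAC addresses are constructed."""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    maximum: int = 1                    # secure addresses allowed on the port
    violation: str = "shutdown"         # protect | restrict | shutdown
    aging_seconds: float = 120.0        # inactivity aging timer (assumed 2 minutes)
    secure: dict = field(default_factory=dict)   # mac -> last seen (seconds)
    violation_count: int = 0
    err_disabled: bool = False

    def _age_out(self, now: float) -> None:
        """Forget secure MACs that have been idle longer than the aging timer."""
        for m in [m for m, t in self.secure.items() if now - t > self.aging_seconds]:
            del self.secure[m]

    def ingress(self, src_mac: str, now: float) -> str:
        """Decide the fate of a frame from src_mac at time now: forward, drop or shutdown."""
        if self.err_disabled:
            return "shutdown"                       # port is err-disabled, nothing passes
        self._age_out(now)
        if src_mac in self.secure:
            self.secure[src_mac] = now
            return "forward"
        if len(self.secure) < self.maximum:
            self.secure[src_mac] = now              # room left: learn it as a secure address
            return "forward"
        # Over the limit: apply the configured violation mode.
        if self.violation == "protect":
            return "drop"                           # silent drop, nothing counted
        self.violation_count += 1                   # restrict and shutdown both count/log
        if self.violation == "restrict":
            return "drop"                           # dropped, port stays up
        self.err_disabled = True                    # shutdown: port goes err-disabled
        return "shutdown"


def simulate_rotation(port: SecurePort, interval: float, rotations: int) -> int:
    """One host presents a new source MAC every `interval` seconds, one frame each.
    Returns how many of those distinct MACs were forwarded (i.e. could reach a DHCP server)."""
    forwarded = 0
    for i in range(rotations):
        # Constructed locally-administered MAC, distinct per rotation.
        rotating_mac = f"02:00:00:00:{i >> 8:02x}:{i & 0xFF:02x}"
        if port.ingress(rotating_mac, now=i * interval) == "forward":
            forwarded += 1
    return forwarded


if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        fast = simulate_rotation(SecurePort(violation=mode), interval=60, rotations=20)
        slow = simulate_rotation(SecurePort(violation=mode), interval=180, rotations=20)
        print(f"{mode:8s}: rotating every 60 s forwards {fast:2d} MACs, every 180 s forwards {slow:2d}")
```

With a two-minute inactivity timer, a source MAC that changes every three minutes is learned fresh every time and never triggers a violation in any mode, which is the behaviour the paragraph above describes; since a DHCP lease typically lasts days, each of those addresses can hold a lease long after the switch has forgotten it. Changing the MAC faster than the timer is what the violation modes catch, and the model also shows their difference: protect drops without a trace, restrict drops and counts, shutdown err-disables the port on the first offence. Raising the maximum above one widens the gap further, because an older entry ages out while newer ones still occupy the table.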