Junos OS 10.4 for EX Series Ethernet Switches: Mitigation of Ethernet Switching Table Overflow Attacks; Mitigation of Rogue DHCP Server Attacks
Copyright © 2010, Juniper Networks, Inc.

See also:
Protection Against ARP Spoofing Attacks on page 3052
Protection Against DHCP Snooping Database Alteration Attacks on page 3052
Protection Against DHCP Starvation Attacks on page 3052

Mitigation of Ethernet Switching Table Overflow Attacks
In an overflow attack on the Ethernet switching table (also called MAC flooding), an intruder sends a stream of frames, each carrying a different, previously unseen source MAC address, until the table is full and the switch can no longer learn the addresses of legitimate hosts. When the switch has no table entry for a frame's destination, it must flood the frame out of every port in the VLAN, much as it would a broadcast. Traffic flow on the switch is disrupted, and packets are delivered to all hosts on the network. In addition to overloading the network with traffic, the attacker can sniff the flooded traffic from any port in the VLAN, including unicast traffic that was never meant to reach the attacker's port.
To mitigate such attacks, configure both a MAC limit for learned MAC addresses and a set of explicitly allowed MAC addresses. Use the MAC limit feature to cap the number of MAC addresses that can be added to the Ethernet switching table from the specified interface or interfaces, so that a single port cannot consume the whole table. By configuring the MAC addresses that are explicitly allowed, you ensure that the addresses of network devices whose network access is critical are guaranteed to be present in the Ethernet switching table, even if an attacker on the same port reaches the limit first. See "Example: Configuring MAC Limiting, Including Dynamic and Allowed MAC Addresses, to Protect the Switch from Ethernet Switching Table Overflow Attacks" on page 3080.
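The following is an added example, not Juniper code: a toy Python model of an Ethernet switching table that shows why the two controls above are used together. It models a per-interface MAC limit with "action drop" and a set of statically allowed MAC addresses, runs a flood of frames with fresh source MACs against one port, and then checks whether the switch still knows where a critical server is. The interface names, the table size of 1024, the limit of 5, the MAC addresses and the assumption that allowed addresses do not count against the limit are all constructed for illustration and are not a description of the EX Series hardware.

```python
"""Toy model of an Ethernet switching table under a MAC flooding attack.

Added example, not Juniper code. Interface names, the table size, the
limit of 5 and all MAC addresses are constructed for illustration.
"""
import random

FLOOD = "flood"   # unknown-unicast flooding to every port in the VLAN


class SwitchingTable:
    def __init__(self, capacity, mac_limit=None, allowed_mac=None):
        self.capacity = capacity            # hardware table size (toy value)
        self.mac_limit = mac_limit or {}    # interface -> max dynamic entries
        self.entries = {}                   # mac -> (interface, is_dynamic)
        self.dynamic = {}                   # interface -> dynamic entries learned
        self.dropped = 0                    # frames discarded by "action drop"
        # Allowed MACs are installed as static entries before any learning.
        # Assumption of this toy: they do not count against the limit.
        for ifname, macs in (allowed_mac or {}).items():
            for mac in macs:
                self.entries[mac] = (ifname, False)

    def learn(self, src_mac, ifname):
        """Handle the source address of a frame arriving on ifname.
        Returns True if the frame is forwarded, False if it is dropped."""
        if src_mac in self.entries:
            return True                     # already known (static or dynamic)
        limit = self.mac_limit.get(ifname)
        if limit is not None and self.dynamic.get(ifname, 0) >= limit:
            self.dropped += 1               # limit reached: drop, do not learn
            return False
        if len(self.entries) >= self.capacity:
            return True                     # table full: forwarded, not learned
        self.entries[src_mac] = (ifname, True)
        self.dynamic[ifname] = self.dynamic.get(ifname, 0) + 1
        return True

    def forward(self, dst_mac):
        """Egress decision for a frame addressed to dst_mac."""
        entry = self.entries.get(dst_mac)
        return entry[0] if entry else FLOOD


def random_mac(rng):
    return ":".join(f"{rng.randrange(256):02x}" for _ in range(6))


def run_attack(mode, attacker_port="ge-0/0/0.0", frames=2000, seed=1):
    """Flood attacker_port with frames from fresh source MACs, then let the
    critical server on ge-0/0/5.0 send one frame and report whether the
    switch still knows where it is. mode: "none", "limit", "limit+allowed"."""
    rng = random.Random(seed)
    server_port, server_mac = "ge-0/0/5.0", "00:aa:bb:cc:dd:01"   # constructed
    limits = {"ge-0/0/0.0": 5, server_port: 5} if mode != "none" else None
    allowed = {server_port: [server_mac]} if mode == "limit+allowed" else None
    table = SwitchingTable(capacity=1024, mac_limit=limits, allowed_mac=allowed)
    for _ in range(frames):
        table.learn(random_mac(rng), attacker_port)
    server_accepted = table.learn(server_mac, server_port)
    return {"table_size": len(table.entries), "dropped": table.dropped,
            "server_accepted": server_accepted,
            "server_port": table.forward(server_mac)}


if __name__ == "__main__":
    for mode in ("none", "limit", "limit+allowed"):
        for port in ("ge-0/0/0.0", "ge-0/0/5.0"):
            print(f"{mode:14s} attacker on {port}: {run_attack(mode, port)}")
```

With no protection the table fills and the server's frames are flooded to every port. A limit on the attacker's port stops that, but if the attacker shares a port with the server (for example through an unmanaged switch) and fills that port's limit first, the server's own frame is dropped and its traffic is flooded again; only the static allowed entry keeps the server reachable in that case.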
Mitigation of Rogue DHCP Server Attacks

If an attacker sets up a rogue DHCP server to impersonate a legitimate DHCP server on the LAN, the rogue server can start issuing leases to the network's DHCP clients. The information this rogue server hands out (addresses, default gateway, DNS servers) can disrupt the clients' network access, causing a denial of service (DoS). The rogue server might also name itself as the default gateway for the network. The attacker can then sniff the network traffic and perpetrate a man-in-the-middle attack, in which it misdirects traffic intended for a legitimate network device to a device of its choice.
To mitigate a rogue DHCP server attack, configure the interface to which the rogue server is connected as untrusted. The switch then blocks all ingress DHCP server messages, such as DHCPOFFER, that arrive on that interface, while client messages continue to pass. In practice, trust only the interfaces that lead to the legitimate DHCP servers and leave every other interface untrusted, so that a rogue server plugged into any port is blocked rather than only the one you have already found. See "Example: Configuring a DHCP Server Interface as Untrusted to Protect the Switch from Rogue DHCP Server Attacks" on page 3083.
NOTE: The switch logs all DHCP server packets that are received on untrusted ports; for example:

5 untrusted DHCPOFFER received, interface ge-0/0/0.0[65], vlan v1[10] server ip/mac 12.12.12.1/00:00:00:00:01:12 offer ip/client mac 12.12.12.253/00:AA:BB:CC:DD:01

You can use these messages to detect malicious DHCP servers on the network.
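The following is an added example, not Juniper code: a Python parser for the untrusted-DHCP-server message quoted in the note, which aggregates the messages per server and separates unknown (rogue) servers from known servers that are answering through a port that should have been marked trusted. The regular expression is my reading of the one message format shown above; messages for other server packet types may be worded differently, and any line that does not match is counted rather than parsed. The sample log (the message from the note plus constructed lines in the same format) and the list of legitimate servers are constructed for this example.

```python
"""Detect rogue DHCP servers from the switch's untrusted-server log messages.

Added example, not Juniper code. UNTRUSTED_RE is derived from the single
message format quoted in the note; other message variants are assumptions
and are simply reported as unparsed. The sample log and the legitimate
server list are constructed.
"""
import re

UNTRUSTED_RE = re.compile(
    r"(?P<count>\d+) untrusted (?P<msgtype>DHCP[A-Z]+) received, "
    r"interface (?P<ifname>\S+)\[\d+\], vlan (?P<vlan>\S+)\[\d+\] "
    r"server ip/mac (?P<server_ip>[\d.]+)/(?P<server_mac>[0-9A-Fa-f:]+) "
    r"offer ip/client mac (?P<offer_ip>[\d.]+)/(?P<client_mac>[0-9A-Fa-f:]+)"
)

# Constructed sample: the note's own message, two more in the same format,
# and one unrelated syslog line.
SAMPLE_LOG = """\
5 untrusted DHCPOFFER received, interface ge-0/0/0.0[65], vlan v1[10] server ip/mac 12.12.12.1/00:00:00:00:01:12 offer ip/client mac 12.12.12.253/00:AA:BB:CC:DD:01
2 untrusted DHCPOFFER received, interface ge-0/0/0.0[65], vlan v1[10] server ip/mac 12.12.12.1/00:00:00:00:01:12 offer ip/client mac 12.12.12.250/00:AA:BB:CC:DD:02
1 untrusted DHCPOFFER received, interface ge-0/0/7.0[72], vlan v1[10] server ip/mac 12.12.12.254/00:05:85:3A:82:80 offer ip/client mac 12.12.12.10/00:AA:BB:CC:DD:03
Jan  1 00:00:01 sw1 sshd[100]: Accepted publickey for admin from 10.0.0.5
"""

# The DHCP servers that are supposed to exist on this LAN (constructed).
LEGITIMATE_SERVERS = {("12.12.12.254", "00:05:85:3a:82:80")}


def parse_untrusted_dhcp(line):
    """Return the fields of one untrusted-DHCP-server message, or None."""
    m = UNTRUSTED_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    rec["server_mac"] = rec["server_mac"].lower()   # normalise for comparison
    rec["client_mac"] = rec["client_mac"].lower()
    return rec


def find_rogue_servers(lines, legitimate_servers):
    """Aggregate untrusted server messages per (server IP, server MAC) and
    split them into unknown (rogue) servers and known servers that are
    answering through a port that should have been marked trusted."""
    legit = {(ip, mac.lower()) for ip, mac in legitimate_servers}
    servers, unparsed = {}, 0
    for line in lines:
        rec = parse_untrusted_dhcp(line)
        if rec is None:
            unparsed += 1
            continue
        key = (rec["server_ip"], rec["server_mac"])
        agg = servers.setdefault(key, {"messages": 0, "interfaces": set(),
                                       "vlans": set(), "clients": set()})
        agg["messages"] += rec["count"]
        agg["interfaces"].add(rec["ifname"])
        agg["vlans"].add(rec["vlan"])
        agg["clients"].add(rec["client_mac"])
    return {
        "rogue": {k: v for k, v in servers.items() if k not in legit},
        "misplaced_legitimate": {k: v for k, v in servers.items() if k in legit},
        "unparsed_lines": unparsed,
    }


if __name__ == "__main__":
    report = find_rogue_servers(SAMPLE_LOG.splitlines(), LEGITIMATE_SERVERS)
    for (ip, mac), agg in report["rogue"].items():
        print(f"ROGUE DHCP server {ip} ({mac}): {agg['messages']} messages on "
              f"{sorted(agg['interfaces'])}, {len(agg['clients'])} clients targeted")
    for (ip, mac), agg in report["misplaced_legitimate"].items():
        print(f"known server {ip} ({mac}) seen on untrusted {sorted(agg['interfaces'])}: "
              f"mark that port trusted or its offers will keep being dropped")
```

The server MAC in a rogue entry is the value to take to show ethernet-switching table on the switch: it identifies the port the rogue server is attached to, which is the port to keep untrusted and, once confirmed, to disable. The "misplaced legitimate" case matters for the same reason: a known server whose offers appear in these messages is being blocked, and the fix is to trust its port, not to add it to the rogue list.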
Chapter 99: Port Security Overview, page 3051