CAM表溢出攻击和MAC地址欺骗

CAM表溢出攻击CAM表是交换机接口和所接设备的MAC地址的对应表(默认老化时间5分钟)CAM表容量有限，满了之后，后面的条目会覆盖前面的条目，CAM表的攻击便会利用到这一条CAM表正常情况下，PC1和PC2之间的通讯是单播，中间的黑客是无法收到任何的包。CAMPC1需要将数据包发送给PC2CAM表中无法找到PC2的MAC所对应的交换机接的数据包。MAC地址欺骗1刚开始的MAC地址表是正常的2之后，黑客发给交换机一个伪装包，包的源地址是PC2的MAC地址，于是，交换机更新了CAM表，发生错误的定位，黑客可以获得发往PC2的数据包。防范方法故障现象：深圳LAN1下的所有SGSN（4台）全部无法，ping发现大量丢包，只能偶尔ping通。排故过程：OM二层直连交换机），发现直连现象一样。首先认为是生成树的问题，但是查了一下SGSN的MAC是一个未知的设备，定位故障，断开这个端口，故障解除。故障分析：首先登陆核心交换机，发现直连都不通，那就可以把故障范围定位在二层上，然后通过一下命令检查交换机cam表的mac地址对应表。6509MSFC#ping5Typeescapesequencetoabort.Sending5,100-byteICMPEchosto5,timeoutis2seconds:!!!!!Successrateis100percent(5/5),round-tripmin/avg/max=1/1/4ms6509MSFC#showarp|in5Internet520006.2973.121dARPAVlan5的MAC地址是0006.2973.121d,这是IOS设备的MAC地址表达方式，在CatOS中，应写为00-06-29-73-12-1d.2.在交换机上找出MAC地址所对应的端口6509SE>(enable)showcam00-06-29-73-12-1d*=StaticEntry.+=PermanentEntry.#=SystemEntry.R=RouterEntry.X=PortSecurityEntry$=Dot1xSecurityEntryVLANDestMAC/RouteDes[CoS]DestinationPortsorVCs/[ProtocolType]----------------------------------------------------------------------200-06-29-73-12-1d9/41[ALL]TotalMatchingCAMEntriesDisplayed=1这是不是说为5的机器就接在端口9/41上呢？不一定。如果以下命令中显示该端口上只有一个活动的MAC地址，那么答案就是肯定的：6509SE>(enable)showcamdynamic9/41*=StaticEntry.+=PermanentEntry.#=SystemEntry.R=RouterEntry.X=PortSecurityEntry$=Dot1xSecurityEntryVLANDestMAC/RouteDes[CoS]DestinationPortsorVCs/[ProtocolType]----------------------------------------------------------------------200-06-29-73-12-1d9/41[ALL]TotalMatchingCAMEntriesDisplayed=1如果该命令显示该端口上有多个活动的MAC地址，那么这个端口应该连接到别的交换机或HUB设备上，见下面的例子（查找为50所对应的交换机端口）:6509MSFC#ping50Typeescapesequencetoabort.Sending5,100-byteICMPEchosto50,timeoutis2seconds:!!!!!Successrateis100percent(5/5),round-tripmin/avg/max=1/1/1ms6509MSFC#showarp|in50Internet5040009.6b8c.64ecARPAVlan26509SE>(enable)showcam00-09-6b-8c-64-ec*=StaticEntry.+=PermanentEntry.#=SystemEntry.R=RouterEntry.X=PortSecurityEntry$=Dot1xSecurityEntryVLANDestMAC/RouteDes[CoS]DestinationPortsorVCs/[ProtocolType]----------------------------------------------------------------------200-09-6b-8c-64-ec3/11[ALL]TotalMatchingCAMEntriesDisplayed=16509SE>(enable)showcamdy3/11*=StaticEntry.+=PermanentEntry.#=SystemEntry.R=RouterEntry.X=PortSecurityEntry$=Dot1xSecurityEntryVLANDestMAC/RouteDes[CoS]DestinationPortsorVCs/[ProtocolType]----------------------------------------------------------------------100-03-e3-4b-06-803/11[ALL]100-08-02-e6-b0-cd3/11[ALL]100-02-a5-ee-f2-4f3/11[ALL]100-09-6b-8c-66-d63/11[ALL]100-09-6b-63-17-d93/11[ALL]100-0b-cd-03-ec-f53/11[ALL]100-09-6b-63-17-d83/11[ALL]100-08-02-e6-b0-c13/11[ALL]100-08-02-e6-b0-853/11[ALL]100-08-02-e6-b0-813/11[ALL]100-02-a5-ef-16-af3/11[ALL]100-02-a5-ee-f2-933/11[ALL]100-02-55-c6-05-613/11[ALL]200-09-6b-8c-64-ec3/11[ALL]100-08-02-e6-b0-ed3/11[ALL]100-08-02-e6-b0-a93/11[ALL]100-02-55-54-7a-e03/11[ALL]100-02-a5-ef-15-a63/11[ALL]100-08-02-e6-af-8f3/11[ALL]100-08-02-e6-b0-bd3/11[ALL]100-0b-cd-03-db-8b3/11[ALL]100-09-6b-8c-25-503/11[ALL]Doyouwishtocontinuey/n[n]?n由于该端口连接到另一台交换机或HUB,必须继续追查，方法如下：6509SE>(enable)showcdpnei3/11*-indicatesvlanmismatch.#-indicatesduplexmismatch.PortDevice-IDPort-IDPlatform----------------------------------------------------------------------------3/11Cisco2924GigabitEthernet1/1ciscoWS-C2924M-XL该命令显示对端设备是一台Cisco2924，如果没有显示，那么说明连接的是别的厂家的设备，可能要到该交换机上用类似的办法继续追查。本例子中是Cisco设备，所有我们可以继续：6509SE>(enable)showcdpnei3/11dePort(OurPort):3/11Device-ID:Cisco2924DeviceAddresses:IPAddress:0Holdtime:153secCapabilities:TRANSPARENT_BRIDGESWITCHVersion:CiscoInternetworkOperatingSystemSoftwareIOS(tm)C2900XLSoftware(C2900XL-C3H2S-M),Version12.0(5.2)XU,MAINTENANCEINTERIMSOFTWARECopyright(c)1986-2000byciscoSystems,Inc.CompiledMon17-Jul-0017:35byayounesPlatform:ciscoWS-C2924M-XLPort-ID(PortonNeighbors'sDevice):GigabitEthernet1/1VTPManagementDomain:lanNativeVLAN:1Duplex:fullSystemName:unknownSystemObjectID:unknownManagementAddresses:unknownPhysicalLocation:unknownCisco2924#showmac-address-tabledynamicaddress0009.6b8c.64ecNon-staticAddressTable:DestinationAddressAddressTypeVLANDestinationPort-------------------------------------------------------0009.6b8c.64ecDynamic2FastEthernet0/2Cisco2924#showmac-address-tabledynamicinterfacef0/2Non-staticAddressTable:DestinationAddressAddressTypeVLANDestinationPort-------------------------------------------------------0009.6b8c.64ecDynamic2FastEthernet0/2通过以上的命令发现核心交换机上所有SGSN地址对应的端口全是2/28（这个接口接的设备未知）。因此怀疑这个端口的设备发起ARP攻击导致核心交换机的ARP解析错误，导致故障。本次案例的分析总结：登录到LAN1的交换机SW103，发现无法登录SG102，PINGSG102有时能通有时不能通；SZHSW103BNk#telnet05Trying05...（05为SG102的OM地址）%Connectiontimedout;remotehostnotrespondingSZHSW103BNk#ping05Typeescapesequencetoabort.Sending5,100-byteICMPEchosto05,timeoutis2seconds:.!!!!Successrateis80percent(4/5),round-tripmin/avg/max=1/1/1msSZHSW103BNk#ping05Typeescapesequencetoabort.Sending5,100-byteICMPEchosto05,timeoutis2seconds:!!!!!Successrateis100percent(5/5),round-tripmin/avg/max=1/1/1msSZHSW103BNk#ping05Typeescapesequencetoabort.Sending5,100-byteICMPEchosto05,timeoutis2seconds:.....Successrateis0percent(0/5)3.检查交换机SW103和的正常，连接SG102的端口状态正常；4.检查SW103上05的mac地址，发现解析正常而且稳定；SZHSW103BNk#showarp|include05Internet05SZHSW103BNk#showarp|include05Internet050000.501d.a518ARPAVlan16SZHSW103BNk#showarp|include05Internet050000.501d.a518ARPAVlan16SZHSW103BNk#showarp|include05Internet050000.501d.a518ARPAVlan1640000.501d.a518ARPAVlan164445.检查SW103上0000.501d.a518的二层转发表，发现异常，时而指向SG102的SWU0与SW103的接口1/1，时而指向SW103与SW1045/9,6/0；SZHSW103BNk>(enable)showcam0000.501d.a51816SZHSW103BNk>(enable)showcam0000.501d.a5181600-00-50-1d-a5-18SZHSW103BNk>(enable)showcam0000.501d.a5181600-00-50-1d-a5-18SZHSW103BNk>(enable)showcam0000.501d.a5181600-00-50-1d-a5-18SZHSW103BNk>(enable)showcam0000.501d.a5181600-00-50-1d-a5-18SZHSW103BNk>(enable)showcam0000.501d.a5181600-00-50-1d-a5-1810sec.5/9,6/9[ALL]SZHSW103BNk>(enable)showcam0000.501d.a5181600-00-50-1d-a5-1810sec.5/9,6/9[ALL]00-00-50-1d-a5-1815sec.5/9,6/9[ALL]01/1[ALL]1/1[ALL]1/1[ALL]1/1[ALL]0006.在SW104上检查0000.501d.a518的二层转发表，发现错误指向到2/28端口，该端口并非是SG102的SWU与SW104相连的端口；SZHSW104BNk>(enable)showcam0000.501d.a51816SZHSW104BNk>(enable)showcam0000.501d.a5181600-00-50-1d-a5-1810sec.2/28[ALL]SZHSW104BNk>(enable)showcam0000.501d.a5181600-00-50-1d-a5-1810sec.2/28[ALL]00-00-50-1d-a5-1810sec.2/28[ALL]7.检查SG103和SG104的OM地址的二层指向，发现也同样指向了2/28口；SZHSW104BNk#showarp|include06Internet062320000.501e.7aaeARPAVlan16SZHSW104BNk#showarp|include07Internet072340000.501e.7d6dARPAVlan16SZHSW104BNk>(enable)showcam0000.501e.7aae16SZHSW104BNk>(enable)showcam0000.501e.7d6d1600-00-50-1e-7d-6d10sec.2/28[ALL]00-00-50-1e-7a-ae10sec.2/28[ALL]8.初步怀疑，深圳LAN1交换机SW103和SW104的OM受到了SW104的2/28mac地址攻击，即2/28口发出了源地址为LAN1SGSN的mac地址的二层广播包，导致SW103和SW104的二层转发表受到了欺骗，错误指向了SW104的2/28，而不是指向SGSN与交换机相连的接口，因此造成SGSN无法登录；SZHSW104BNk>(enable)showportdesc2/28PortDescription--------------------------------------------------------------------2/28USED_IL_TO_DAKEHU9.将