Spoofing Attacks

In order to secure the internal network against threats you need to consider the tactic of presenting an attacking device as a trusted device in order to lull users into handing over credentials or files. An attacker can perform this in several ways, for example, by modifying their MAC address to mirror that of a target device and then poisoning the ARP cache of a local switch in order to redirect traffic toward the malicious device, or by setting up fake access points.

Mitigation for the MAC spoofing attack isn’t turned on out of the box, so as a network admin you’ll need to understand the mechanics of the attack and the solutions packaged into your switches that can overcome the attack vectors.

One way Cisco implements this is through port security, which locks down ports to known MAC addresses. You set up the port with the static MAC address(es) you expect to see on the interface, and the port can then enter the err-disabled state if an unlisted MAC is observed on it. Likewise, you can set a limit that tells the switch you only expect x number of MAC addresses on the interface; any more and something is wrong.
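The port-security configuration described above, as an added Cisco IOS example that is not part of the original post. The interface name, VLAN and MAC address are constructed placeholders; the commands themselves are standard Catalyst IOS port-security commands.

```cisco
! Constructed example: a user access port on a Catalyst switch.
! Port security only applies to access ports, so set the mode first.
interface GigabitEthernet1/0/5
 description Example user access port (constructed)
 switchport mode access
 switchport access vlan 10
 switchport port-security
 ! Allow at most two MAC addresses on this port (PC plus IP phone).
 switchport port-security maximum 2
 ! One known MAC is pinned statically (placeholder value).
 switchport port-security mac-address 0011.2233.4455
 ! The second address may be learned dynamically and kept in the config.
 switchport port-security mac-address sticky
 ! shutdown (the default) puts the port into err-disabled on a violation;
 ! restrict keeps the port up but drops the offending frames and logs them.
 switchport port-security violation shutdown
!
! Let err-disabled ports recover automatically after five minutes rather
! than waiting for a manual "shutdown / no shutdown".
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verification commands:
! show port-security interface GigabitEthernet1/0/5
! show port-security address
! show errdisable recovery
```

The violation mode is the part to think about: `shutdown` is the safest default because the port stops forwarding entirely, but in a large estate `restrict` combined with syslog monitoring of `%PORT_SECURITY` messages gives you the alert without the helpdesk calls.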

Another feature is DHCP Snooping in combination with Dynamic ARP Inspection (DAI). DHCP Snooping inspects DHCP traffic and builds a binding table of IP to MAC addresses (along with VLAN and port); DAI then checks ARP packets on untrusted ports against that table. This not only allows verification of MAC address to IP address bindings, but also allows rogue DHCP servers to be eliminated, because DHCP offers are dropped on untrusted ports. With DHCP Snooping you will also need to tell the switch which ports it expects to see DHCP offers from, by marking them as trusted.
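The DHCP Snooping and DAI setup described above, as an added Cisco IOS example that is not part of the original post. The VLAN, interface names and the static host binding are constructed placeholders; the commands are standard Catalyst IOS commands.

```cisco
! Constructed example: DHCP Snooping plus DAI on VLAN 10.
ip dhcp snooping
ip dhcp snooping vlan 10
! Persist the binding table so it survives a reload; otherwise every
! client must renew its lease before DAI will pass its ARP traffic.
ip dhcp snooping database flash:dhcp-snoop.db
!
! The uplink toward the real DHCP server is the only port where DHCP
! offers are expected, so it is the only trusted port. All other ports
! default to untrusted and offers arriving on them are dropped.
interface GigabitEthernet1/0/24
 description Uplink toward DHCP server (constructed)
 ip dhcp snooping trust
 ip arp inspection trust
!
! Rate-limit DHCP on user ports so a client cannot flood the switch
! with discover messages; exceeding the limit err-disables the port.
interface range GigabitEthernet1/0/1 - 23
 ip dhcp snooping limit rate 15
!
! Enable DAI on the same VLAN and add extra sanity checks on ARP
! packets beyond the binding-table lookup.
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! Caveat: hosts with static IPs never appear in the snooping table, so
! DAI would drop their ARP traffic. Add a manual binding for each one
! (placeholder values below).
ip source binding 0011.2233.4455 vlan 10 10.0.10.50 interface GigabitEthernet1/0/7
!
! Verification commands:
! show ip dhcp snooping
! show ip dhcp snooping binding
! show ip arp inspection vlan 10
! show ip arp inspection statistics vlan 10
```

Check `show ip arp inspection statistics` after enabling it: a steady trickle of dropped ARP packets usually means a forgotten static host or an untrusted uplink rather than an attack, and both are fixed in the config above before you start chasing a rogue.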

For wireless attacks an attacker may set up a rogue access point for less savvy employees to connect to, for example, placing an AP close to or within the perimeter of a company to lure people onto it with an SSID like “Company x WiFi” and no key configured. The mitigation here isn’t as straightforward or foolproof, but it is possible (where supported) to configure your trusted APs to perform a DoS attack on the rogue AP by issuing de-authentication frames, ensuring your users do not remain connected if they stray. Bear in mind the “with great power comes great responsibility” saying, as misuse of this could land you in hot water, as Marriott found out to great cost: link

The key thing to remember when setting up infrastructure is to know how to break into it; then you can start thinking about how best to mitigate the known threats.
