How to Detect a Mac Flooding Attack

Thursday, April 15, 2010

Ray Tan


Ever since the beginning of the Internet, we have faced ever-increasing threats that can affect the stability and usability of our networks.

Nowadays businesses rely more and more on their networks and the Internet, but how can we keep them from being attacked?

In order to defeat these attacks, we need to thoroughly understand how they work. The first step is to detect them in real time.

Let's take a MAC flooding attack as an example:

What is a MAC flooding attack?

In computer network jargon, MAC flooding is a technique used to compromise the security of network switches.

Switches maintain a list (called a CAM Table) that maps individual MAC addresses on the network to the physical ports on the switch.

This enables the switch to send data only out of the physical port where the recipient computer is located, instead of indiscriminately broadcasting it out of all ports like a hub.

The advantage of this method is that data is only forwarded to the network segment containing the computer it is specifically destined for.

In a typical MAC flooding attack, a switch is flooded with packets, each containing different source MAC addresses. The intention is to consume the limited memory set aside in the switch to store the MAC address-to-physical port translation table.

This attack causes the switch to enter a state called "fail-open mode", in which all incoming packets are broadcast out on all ports (as with a hub), instead of just down the correct port as in normal operation.

A malicious user could then use a packet sniffer (such as Wireshark) running in promiscuous mode to capture sensitive data from other computers (such as unencrypted passwords, e-mail and instant messaging conversations), which would not be accessible were the switch operating normally.

Some more advanced switches, such as those from Nortel, Cisco or Allied Telesis, let you set up protection against this attack by limiting the number of MAC addresses per port and/or hard-wiring specific MAC addresses to a dedicated port.

You can also set a policy so that if a port learns too many MAC addresses, the default action is to shut the port down and generate a log message.
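To make the CAM-table mechanics and the port-security mitigation above concrete, here is an added toy model (not code from the article or from any switch vendor). It assumes a tiny table capacity and a small per-port MAC limit purely for illustration; the forwarding logic (learn source, forward to the known port, flood when the destination is unknown) is the standard switch behavior the article describes.

```python
# Added example: a toy switch CAM table. Capacity and per-port limits are
# assumed small so the fail-open and port-security behavior is visible.
from collections import OrderedDict


class ToySwitch:
    def __init__(self, ports, cam_capacity, max_macs_per_port=None):
        self.ports = list(ports)
        self.cam_capacity = cam_capacity          # assumed small table size
        self.max_macs_per_port = max_macs_per_port  # None = no port security
        self.cam = OrderedDict()                  # mac -> port, oldest first
        self.disabled = set()                     # ports shut by port security
        self.log = []                             # log messages the policy emits

    def _learn(self, src, in_port):
        if self.max_macs_per_port is not None and src not in self.cam:
            on_port = sum(1 for p in self.cam.values() if p == in_port)
            if on_port >= self.max_macs_per_port:
                # port-security policy: too many MACs on one port -> shut it down
                self.disabled.add(in_port)
                self.log.append(f"port-security violation on {in_port}: port shut down")
                return
        if src in self.cam:
            self.cam.move_to_end(src)
        elif len(self.cam) >= self.cam_capacity:
            # table full: the oldest entry is evicted to make room
            self.cam.popitem(last=False)
        self.cam[src] = in_port

    def forward(self, src, dst, in_port):
        """Return the list of ports a frame from src to dst is sent out of."""
        if in_port in self.disabled:
            return []
        self._learn(src, in_port)
        out = self.cam.get(dst)
        if out is None:
            # unknown destination: flood out of every other port (fail-open / hub-like)
            return [p for p in self.ports if p != in_port and p not in self.disabled]
        return [out] if out != in_port else []


def demo(limit=None):
    """Run the same scenario with and without a per-port MAC limit.

    Returns (ports used for A->B before the flood, ports used after,
    disabled ports, log messages)."""
    sw = ToySwitch(ports=["Gi1", "Gi2", "Gi3"], cam_capacity=4,
                   max_macs_per_port=limit)
    host_a, host_b = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02"  # constructed
    sw.forward(host_a, host_b, "Gi1")
    sw.forward(host_b, host_a, "Gi2")
    before = sw.forward(host_a, host_b, "Gi1")   # known destination -> ['Gi2']
    # constructed burst of frames with never-repeating source MACs on Gi3
    for i in range(10):
        sw.forward(f"02:00:00:00:00:{i:02x}", "ff:ff:ff:ff:ff:ff", "Gi3")
    after = sw.forward(host_a, host_b, "Gi1")
    return before, after, sorted(sw.disabled), sw.log


if __name__ == "__main__":
    print("no port security:", demo())
    print("limit of 2 MACs/port:", demo(limit=2))
```

Without a limit, the burst evicts host B's entry, so the next A-to-B frame is flooded out of every port, which is exactly what lets a sniffer on Gi3 see it. With a limit of two MACs per port, the third unknown source on Gi3 trips the policy, Gi3 is shut down and a log line is produced, while A-to-B traffic keeps going only to Gi2.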

How to Detect a MAC Flooding Attack

Now I will demonstrate the process with Colasoft Capsa Analyzer.

Let's start the capture analysis from the SUMMARY TAB. All of these statistics seem right except one: the physical address count. More than a hundred thousand MAC addresses have been discovered in this network.

How could this small network have so many machines?

We need to check the addresses in the NODE EXPLORER. Open the physical explorer and look at this number: there are more than 1800 MAC addresses in the local segment. That is abnormal; there is no way that so many machines exist in this network.

Apparently these addresses are not real, so we can be sure there is worm activity or an attack in the network.

Let's see how these nodes are communicating. Open the MATRIX TAB and choose the Top 1000 physical node matrix type. What a mess! There are many nodes communicating, and according to the color of the lines, red means one-way transmission.

We can go to the PHYSICAL CONVERSATION TAB to confirm this. Almost all nodes send only one packet. Most packets are 64 bytes.

We know that all machines in our network are connected to a switch. This looks like a MAC flooding attack.

Still, to confirm our suspicion, we need to look at the raw data of the packets they send. Open the PACKET TAB. We see that the delta time between packets is very small, which puts great pressure on the switch.

Almost all packets are 64 bytes. Looking at the raw data, almost all packets are randomly generated and padded with the same repeated digits.

From all these behaviors and the decoded packet information, we are fairly sure there is MAC flooding in this network. But it is hard to find the attacker's address directly, because all source addresses are forged.
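The indicators the walkthrough reads off the Capsa tabs (an implausible number of source MACs, one-way single-packet conversations, tiny inter-arrival times, 64-byte frames padded with a repeated byte) can be scored automatically over decoded frame records. The following is an added example, not Capsa's logic or code from the article; the frame records, the thresholds and the `expected_hosts` parameter are all assumptions chosen for the constructed sample.

```python
# Added example: scoring MAC-flood indicators over decoded frame records.
# Frame records and thresholds are constructed/assumed for illustration.
import random
import statistics
from collections import Counter


def repetitive_payload(payload: bytes, max_distinct: int = 2) -> bool:
    """True if the payload is padding made of only a few distinct byte values."""
    return len(set(payload)) <= max_distinct


def flood_indicators(frames):
    """frames: list of dicts with keys ts (seconds), src, dst, length, payload."""
    srcs = Counter(f["src"] for f in frames)
    ts = sorted(f["ts"] for f in frames)
    deltas = [b - a for a, b in zip(ts, ts[1:])]
    n = len(frames)
    return {
        "unique_src_macs": len(srcs),
        # share of source MACs that ever sent exactly one frame
        "single_packet_src_ratio": sum(1 for c in srcs.values() if c == 1) / len(srcs),
        "median_delta_s": statistics.median(deltas) if deltas else 0.0,
        # share of minimum-size (64-byte) frames
        "min_frame_ratio": sum(1 for f in frames if f["length"] <= 64) / n,
        "repetitive_payload_ratio": sum(
            1 for f in frames if repetitive_payload(f["payload"])) / n,
    }


def is_mac_flood(frames, expected_hosts=50):
    """Assumed rule: far more sources than hosts, nearly all one-shot, nearly all tiny."""
    ind = flood_indicators(frames)
    return (ind["unique_src_macs"] > 10 * expected_hosts
            and ind["single_packet_src_ratio"] > 0.9
            and ind["min_frame_ratio"] > 0.9)


def build_sample(seed=1):
    """Constructed capture: 40 normal frames from 5 hosts, then 2000 flood frames."""
    rng = random.Random(seed)
    frames, t = [], 0.0
    hosts = [f"00:1c:42:00:00:{i:02x}" for i in range(5)]       # constructed MACs
    for _ in range(40):
        t += 0.05                                                # ~20 frames/s
        frames.append({"ts": t, "src": rng.choice(hosts), "dst": rng.choice(hosts),
                       "length": rng.randint(100, 1400),
                       "payload": bytes(rng.randrange(256) for _ in range(32))})
    for _ in range(2000):
        t += 0.00002                                             # 20 us apart
        src = "02:" + ":".join(f"{rng.randrange(256):02x}" for _ in range(5))
        dst = "02:" + ":".join(f"{rng.randrange(256):02x}" for _ in range(5))
        frames.append({"ts": t, "src": src, "dst": dst, "length": 64,
                       "payload": b"\x41" * 46})                 # one repeated byte
    return frames


if __name__ == "__main__":
    sample = build_sample()
    for k, v in flood_indicators(sample).items():
        print(f"{k:26s} {v:.5g}" if isinstance(v, float) else f"{k:26s} {v}")
    print("MAC flood suspected:", is_mac_flood(sample))
```

On the constructed sample the first 40 frames alone do not trip the rule, while the full capture does: thousands of one-shot source MACs, a median inter-frame gap in the tens of microseconds and a 64-byte, single-byte-padded frame share near 98%. As the article notes, none of this identifies the sending host, because every source address is forged; the score only tells you which segment to start isolating.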

However, we can disconnect machines from the network one at a time, eliminating the innocent ones, until we find the attacking host.

Detecting attacks in time is the first and most important step in securing our network, and with packet sniffer tools such as Colasoft Capsa we can do it more effectively.

We will discuss how to detect and defeat the other attacks next time.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.