CAM表溢出攻擊和MAC地址欺騙

CAM表溢出攻擊CAM表是交換機(jī)接口和所接設(shè)備的MAC地址的對應(yīng)表(默認(rèn)老化時(shí)間5分鐘)CAM表容量有限，滿了之后，后面的條目會(huì)覆蓋前面的條目，CAM表的攻擊便會(huì)利用到這一條CAM表正常情況下，PC1和PC2之間的通訊是單播，中間的黑客是無法收到任何的包。CAMPC1需要將數(shù)據(jù)包發(fā)送給PC2CAM表中無法找到PC2的MAC所對應(yīng)的交換機(jī)接的數(shù)據(jù)包。MAC地址欺騙1剛開始的MAC地址表是正常的2之后，黑客發(fā)給交換機(jī)一個(gè)偽裝包，包的源地址是PC2的MAC地址，于是，交換機(jī)更新了CAM表，發(fā)生錯(cuò)誤的定位，黑客可以獲得發(fā)往PC2的數(shù)據(jù)包。防范方法故障現(xiàn)象：深圳LAN1下的所有SGSN（4臺(tái)）全部無法，ping發(fā)現(xiàn)大量丟包，只能偶爾ping通。排故過程：OM二層直連交換機(jī)），發(fā)現(xiàn)直連現(xiàn)象一樣。首先認(rèn)為是生成樹的問題，但是查了一下SGSN的MAC是一個(gè)未知的設(shè)備，定位故障，斷開這個(gè)端口，故障解除。故障分析：首先登陸核心交換機(jī)，發(fā)現(xiàn)直連都不通，那就可以把故障范圍定位在二層上，然后通過一下命令檢查交換機(jī)cam表的mac地址對應(yīng)表。6509MSFC#ping5Typeescapesequencetoabort.Sending5,100-byteICMPEchosto5,timeoutis2seconds:!!!!!Successrateis100percent(5/5),round-tripmin/avg/max=1/1/4ms6509MSFC#showarp|in5Internet520006.2973.121dARPAVlan5的MAC地址是0006.2973.121d,這是IOS設(shè)備的MAC地址表達(dá)方式，在CatOS中，應(yīng)寫為00-06-29-73-12-1d.2.在交換機(jī)上找出MAC地址所對應(yīng)的端口6509SE>(enable)showcam00-06-29-73-12-1d*=StaticEntry.+=PermanentEntry.#=SystemEntry.R=RouterEntry.X=PortSecurityEntry$=Dot1xSecurityEntryVLANDestMAC/RouteDes[CoS]DestinationPortsorVCs/[ProtocolType]----------------------------------------------------------------------200-06-29-73-12-1d9/41[ALL]TotalMatchingCAMEntriesDisplayed=1這是不是說為5的機(jī)器就接在端口9/41上呢？不一定。如果以下命令中顯示該端口上只有一個(gè)活動(dòng)的MAC地址，那么答案就是肯定的：6509SE>(enable)showcamdynamic9/41*=StaticEntry.+=PermanentEntry.#=SystemEntry.R=RouterEntry.X=PortSecurityEntry$=Dot1xSecurityEntryVLANDestMAC/RouteDes[CoS]DestinationPortsorVCs/[ProtocolType]----------------------------------------------------------------------200-06-29-73-12-1d9/41[ALL]TotalMatchingCAMEntriesDisplayed=1如果該命令顯示該端口上有多個(gè)活動(dòng)的MAC地址，那么這個(gè)端口應(yīng)該連接到別的交換機(jī)或HUB設(shè)備上，見下面的例子（查找為50所對應(yīng)的交換機(jī)端口）:6509MSFC#ping50Typeescapesequencetoabort.Sending5,100-byteICMPEchosto50,timeoutis2seconds:!!!!!Successrateis100percent(5/5),round-tripmin/avg/max=1/1/1ms6509MSFC#showarp|in50Internet5040009.6b8c.64ecARPAVlan26509SE>(enable)showcam00-09-6b-8c-64-ec*=StaticEntry.+=PermanentEntry.#=SystemEntry.R=RouterEntry.X=PortSecurityEntry$=Dot1xSecurityEntryVLANDestMAC/RouteDes[CoS]DestinationPortsorVCs/[ProtocolType]----------------------------------------------------------------------200-09-6b-8c-64-ec3/11[ALL]TotalMatchingCAMEntriesDisplayed=16509SE>(enable)showcamdy3/11*=StaticEntry.+=PermanentEntry.#=SystemEntry.R=RouterEntry.X=PortSecurityEntry$=Dot1xSecurityEntryVLANDestMAC/RouteDes[CoS]DestinationPortsorVCs/[ProtocolType]----------------------------------------------------------------------100-03-e3-4b-06-803/11[ALL]100-08-02-e6-b0-cd3/11[ALL]100-02-a5-ee-f2-4f3/11[ALL]100-09-6b-8c-66-d63/11[ALL]100-09-6b-63-17-d93/11[ALL]100-0b-cd-03-ec-f53/11[ALL]100-09-6b-63-17-d83/11[ALL]100-08-02-e6-b0-c13/11[ALL]100-08-02-e6-b0-853/11[ALL]100-08-02-e6-b0-813/11[ALL]100-02-a5-ef-16-af3/11[ALL]100-02-a5-ee-f2-933/11[ALL]100-02-55-c6-05-613/11[ALL]200-09-6b-8c-64-ec3/11[ALL]100-08-02-e6-b0-ed3/11[ALL]100-08-02-e6-b0-a93/11[ALL]100-02-55-54-7a-e03/11[ALL]100-02-a5-ef-15-a63/11[ALL]100-08-02-e6-af-8f3/11[ALL]100-08-02-e6-b0-bd3/11[ALL]100-0b-cd-03-db-8b3/11[ALL]100-09-6b-8c-25-503/11[ALL]Doyouwishtocontinuey/n[n]?n由于該端口連接到另一臺(tái)交換機(jī)或HUB,必須繼續(xù)追查，方法如下：6509SE>(enable)showcdpnei3/11*-indicatesvlanmismatch.#-indicatesduplexmismatch.PortDevice-IDPort-IDPlatform----------------------------------------------------------------------------3/11Cisco2924GigabitEthernet1/1ciscoWS-C2924M-XL該命令顯示對端設(shè)備是一臺(tái)Cisco2924，如果沒有顯示，那么說明連接的是別的廠家的設(shè)備，可能要到該交換機(jī)上用類似的辦法繼續(xù)追查。本例子中是Cisco設(shè)備，所有我們可以繼續(xù)：6509SE>(enable)showcdpnei3/11dePort(OurPort):3/11Device-ID:Cisco2924DeviceAddresses:IPAddress:0Holdtime:153secCapabilities:TRANSPARENT_BRIDGESWITCHVersion:CiscoInternetworkOperatingSystemSoftwareIOS(tm)C2900XLSoftware(C2900XL-C3H2S-M),Version12.0(5.2)XU,MAINTENANCEINTERIMSOFTWARECopyright(c)1986-2000byciscoSystems,Inc.CompiledMon17-Jul-0017:35byayounesPlatform:ciscoWS-C2924M-XLPort-ID(PortonNeighbors'sDevice):GigabitEthernet1/1VTPManagementDomain:lanNativeVLAN:1Duplex:fullSystemName:unknownSystemObjectID:unknownManagementAddresses:unknownPhysicalLocation:unknownCisco2924#showmac-address-tabledynamicaddress0009.6b8c.64ecNon-staticAddressTable:DestinationAddressAddressTypeVLANDestinationPort-------------------------------------------------------0009.6b8c.64ecDynamic2FastEthernet0/2Cisco2924#showmac-address-tabledynamicinterfacef0/2Non-staticAddressTable:DestinationAddressAddressTypeVLANDestinationPort-------------------------------------------------------0009.6b8c.64ecDynamic2FastEthernet0/2通過以上的命令發(fā)現(xiàn)核心交換機(jī)上所有SGSN地址對應(yīng)的端口全是2/28（這個(gè)接口接的設(shè)備未知）。因此懷疑這個(gè)端口的設(shè)備發(fā)起ARP攻擊導(dǎo)致核心交換機(jī)的ARP解析錯(cuò)誤，導(dǎo)致故障。本次案例的分析總結(jié)：登錄到LAN1的交換機(jī)SW103，發(fā)現(xiàn)無法登錄SG102，PINGSG102有時(shí)能通有時(shí)不能通；SZHSW103BNk#telnet05Trying05...（05為SG102的OM地址）%Connectiontimedout;remotehostnotrespondingSZHSW103BNk#ping05Typeescapesequencetoabort.Sending5,100-byteICMPEchosto05,timeoutis2seconds:.!!!!Successrateis80percent(4/5),round-tripmin/avg/max=1/1/1msSZHSW103BNk#ping05Typeescapesequencetoabort.Sending5,100-byteICMPEchosto05,timeoutis2seconds:!!!!!Successrateis100percent(5/5),round-tripmin/avg/max=1/1/1msSZHSW103BNk#ping05Typeescapesequencetoabort.Sending5,100-byteICMPEchosto05,timeoutis2seconds:.....Successrateis0percent(0/5)3.檢查交換機(jī)SW103和的正常，連接SG102的端口狀態(tài)正常；4.檢查SW103上05的mac地址，發(fā)現(xiàn)解析正常而且穩(wěn)定；SZHSW103BNk#showarp|include05Internet05SZHSW103BNk#showarp|include05Internet050000.501d.a518ARPAVlan16SZHSW103BNk#showarp|include05Internet050000.501d.a518ARPAVlan16SZHSW103BNk#showarp|include05Internet050000.501d.a518ARPAVlan1640000.501d.a518ARPAVlan164445.檢查SW103上0000.501d.a518的二層轉(zhuǎn)發(fā)表，發(fā)現(xiàn)異常，時(shí)而指向SG102的SWU0與SW103的接口1/1，時(shí)而指向SW103與SW1045/9,6/0；SZHSW103BNk>(enable)showcam0000.501d.a51816SZHSW103BNk>(enable)showcam0000.501d.a5181600-00-50-1d-a5-18SZHSW103BNk>(enable)showcam0000.501d.a5181600-00-50-1d-a5-18SZHSW103BNk>(enable)showcam0000.501d.a5181600-00-50-1d-a5-18SZHSW103BNk>(enable)showcam0000.501d.a5181600-00-50-1d-a5-18SZHSW103BNk>(enable)showcam0000.501d.a5181600-00-50-1d-a5-1810sec.5/9,6/9[ALL]SZHSW103BNk>(enable)showcam0000.501d.a5181600-00-50-1d-a5-1810sec.5/9,6/9[ALL]00-00-50-1d-a5-1815sec.5/9,6/9[ALL]01/1[ALL]1/1[ALL]1/1[ALL]1/1[ALL]0006.在SW104上檢查0000.501d.a518的二層轉(zhuǎn)發(fā)表，發(fā)現(xiàn)錯(cuò)誤指向到2/28端口，該端口并非是SG102的SWU與SW104相連的端口；SZHSW104BNk>(enable)showcam0000.501d.a51816SZHSW104BNk>(enable)showcam0000.501d.a5181600-00-50-1d-a5-1810sec.2/28[ALL]SZHSW104BNk>(enable)showcam0000.501d.a5181600-00-50-1d-a5-1810sec.2/28[ALL]00-00-50-1d-a5-1810sec.2/28[ALL]7.檢查SG103和SG104的OM地址的二層指向，發(fā)現(xiàn)也同樣指向了2/28口；SZHSW104BNk#showarp|include06Internet062320000.501e.7aaeARPAVlan16SZHSW104BNk#showarp|include07Internet072340000.501e.7d6dARPAVlan16SZHSW104BNk>(enable)showcam0000.501e.7aae16SZHSW104BNk>(enable)showcam0000.501e.7d6d1600-00-50-1e-7d-6d10sec.2/28[ALL]00-00-50-1e-7a-ae10sec.2/28[ALL]8.初步懷疑，深圳LAN1交換機(jī)SW103和SW104的OM受到了SW104的2/28mac地址攻擊，即2/28口發(fā)出了源地址為LAN1SGSN的mac地址的二層廣播包，導(dǎo)致SW103和SW104的二層轉(zhuǎn)發(fā)表受到了欺騙，錯(cuò)誤指向了SW104的2/28，而不是指向SGSN與交換機(jī)相連的接口，因此造成SGSN無法登錄；SZHSW104BNk>(enable)showportdesc2/28PortDescription--------------------------------------------------------------------2/28USED_IL_TO_DAKEHU9.將