>> Layer 2 switches learn where hosts are by analyzing the source MAC address field in Ethernet frames as the frames enter switch ports, which is why this table in memory is sometimes called the SAT, Source Address Table. It's also referred to as the CAM, Content Addressable Memory, table, and the MAC address table. The table contains bindings of MAC addresses to the switch ports that they were heard on. Based on the destination MAC address in the Ethernet frame, the switch knows which port to forward the frames out of, after consulting the CAM table. If a switch doesn't have an entry in its CAM table for a destination MAC address, the switch floods the frame out of all ports, except the port on which the frame originated. Broadcasts and multicasts are flooded in the same fashion. The switch can keep a specific number of MAC addresses in this table, and different switches can hold different amounts.

What would happen if an attacker connected to a switch port and ran a tool or script that sent thousands of Ethernet frames into the switch port with different, randomly generated MAC addresses? Well, the switch would happily enter each MAC address into the CAM table, associating each MAC address with the same physical port of the attacker. Eventually, the CAM table will run out of space. Now, the switch can't learn any new MAC addresses, and simply starts flooding all traffic from new hosts out of old ports on the switch, except the originating ports. This CAM overflow attack, also known as a MAC flooding attack, essentially turns a switch into an old, obsolete networking device called a hub, which always flooded traffic out of all ports except the port on which the message originated. The switch, and its CAM table, put hubs out of business. The attacker is now able to sniff every single frame sent into the switch. Confidentiality is at great risk. Macof, part of the dsniff suite of tools, can generate hundreds of thousands of random MAC addresses and flood them into a switch. From a cybersecurity perspective, this tests your switch's resistance to such an attack.

To mitigate this attack, we can use a switch feature called port security. First, you need to identify allowed MAC addresses so they can get access to the port. This can be done either statically, or dynamically, as frames enter a switch port. The next step involves specifying the maximum number of MAC addresses that will have access to the port. By default, it's 1. In a switched environment, the only time more than one MAC address will be heard from through a single switch port is when a switch port is connected to a neighboring switch port. For example, all traffic coming into switch A from hosts in switch B will be heard through the port on switch A that connects to switch B. A violation occurs if a new MAC address is heard on a switch port after the maximum number of MAC addresses have been learned. On switch ports that are statically configured for certain MAC addresses, an unknown MAC address heard on that port would trigger a violation as well. When a violation occurs, the switch will enter one of the following three states, and take appropriate action.

Shut down -- the switch port is immediately shut down. No frames can enter or exit, and an SNMP, Simple Network Management Protocol, trap notification is sent. The network engineer must re-enable the port manually, although the switch can be told to come back up again after a certain period of time has elapsed.

Restrict -- the switch port doesn't shut down, but all frames from violating MAC addresses are discarded. The switch logs the number of violating frames, and can send an SNMP trap, as well as a syslog message if configured to do so.

Protect -- the switch port doesn't shut down, but all frames from violating MAC addresses are discarded. So far, exactly the same as restrict. The only difference is now, no violations are logged.
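To see how CAM table exhaustion and the three port security modes described above interact, here is an added Python model; it is not code from the course or from any switch vendor. The `Switch`, `PortSecurity` and `overflow_demo` names, the CAM capacity of 256, and all MAC addresses are constructed for the example.

```python
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass
class PortSecurity:
    max_macs: int = 1             # maximum MACs allowed on the port; default 1, as in the transcript
    mode: str = "shutdown"        # violation action: "shutdown" | "restrict" | "protect"
    secure: set = field(default_factory=set)  # MACs allowed on this port (static or learned)
    violations: int = 0           # violating frames counted only in restrict mode
    err_disabled: bool = False    # shutdown mode: port stays down until re-enabled

class Switch:
    def __init__(self, cam_capacity, secured_ports=None):
        self.cam_capacity = cam_capacity     # how many MACs the CAM table can hold
        self.cam = {}                        # CAM table: mac -> port it was heard on
        self.secured = secured_ports or {}   # port -> PortSecurity; other ports are unprotected

    def receive(self, in_port, src, dst):
        """Process one frame; return 'drop', 'flood', or the egress port number."""
        ps = self.secured.get(in_port)
        if ps is not None:
            if ps.err_disabled:
                return "drop"
            if src not in ps.secure:
                if len(ps.secure) >= ps.max_macs:   # one MAC too many: violation
                    if ps.mode == "shutdown":
                        ps.err_disabled = True      # a real switch also sends an SNMP trap
                    elif ps.mode == "restrict":
                        ps.violations += 1          # logged; protect mode drops silently
                    return "drop"
                ps.secure.add(src)                  # dynamically learned secure MAC
        if src not in self.cam and len(self.cam) < self.cam_capacity:
            self.cam[src] = in_port                 # learning stops silently once the CAM is full
        if dst == BROADCAST or dst not in self.cam:
            return "flood"                          # out of every port except in_port
        return self.cam[dst]

def fake_mac(i):
    return f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}"  # constructed locally administered MACs

def overflow_demo(secured=False):
    """Port 1 injects 300 bogus source MACs; then a host on port 2 sends to a server on port 3."""
    sw = Switch(cam_capacity=256, secured_ports={1: PortSecurity()} if secured else None)
    for i in range(300):
        sw.receive(1, fake_mac(i), BROADCAST)
    sw.receive(3, "00:00:5e:00:53:03", BROADCAST)        # server speaks first (constructed MAC)
    decision = sw.receive(2, "00:00:5e:00:53:02", "00:00:5e:00:53:03")
    return len(sw.cam), decision                         # unprotected: (256, "flood"); secured: (3, 3)
```

On the unprotected switch the server's MAC never makes it into the full CAM table, so the victim's unicast frame is flooded to every port, including the attacker's; with port security at its default maximum of 1 in shutdown mode, the second bogus MAC takes port 1 down and normal forwarding continues.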
Reposted from: https://www.cnblogs.com/sec875/articles/10028785.html