00:00:07 [Announcer] Before we go over what ARP Cache Poisoning and Route Manipulation attacks are, let's refresh on what a Spoofing Attack is. Basically, a Spoofing Attack is when an attacker impersonates another device, or another IP address, or another person, to actually execute an attack. The following are a few examples of Spoofing Attacks.

00:00:29 The first one is an IP address spoofing attack. The attacker in this case sends an IP packet from a fake or spoofed source address in order to actually disguise itself. DDoS attacks typically use spoofing attacks, or IP spoofing attacks, to make the packets appear to come from legitimate sources and IP addresses, so they will avoid being blocked.

00:00:54 Now another type of spoofing attack is the ARP spoofing attack. In this case, the attacker sends a spoofed ARP packet across a layer 2 network in order to link the attacker's MAC address with the IP address of a legitimate host. The best practices that we actually cover later in here will actually help mitigate our spoofing attacks.

00:01:24 And the other one is actually DNS Server spoofing attacks. In this case the attacker modifies the DNS server in order to reroute a specific domain name to a different IP address. DNS server spoofing attacks are typically used to spread malware.

00:01:42 Now threat actors can attack hosts, switches, and routers connected to a layer 2 network by poisoning the ARP cache of systems connected to the subnet and by intercepting traffic intended for other hosts in the subnet. Cisco switches support a feature called Dynamic ARP Inspection that validates ARP packets, and intercepts, logs, and discards ARP packets with an invalid IP-to-MAC address binding. Now this feature also protects the network from certain man-in-the-middle attacks, and the Dynamic ARP Inspection feature safeguards that only valid ARP requests and responses are relayed. They do this by performing a few things. First, intercepting all ARP requests and responses on untrusted ports. Then also verifying that each intercepted packet has a valid IP-to-MAC address binding before updating the local ARP cache, or even before forwarding the packet to the respective destination host. They also drop invalid ARP packets, determining if an ARP packet is valid based on the IP-to-MAC address binding stored in a trusted database. And this database is called the DHCP snooping binding database.

00:03:08 Now here there are some additional layer 2 security best practices for securing your infrastructure against layer 2 attacks. The first one is actually to select an unused VLAN other than VLAN 1, and then use that as the native VLAN for all your trunks. So don't use VLAN 1, and do not use this native VLAN for any of your enabled access ports at all. Right? So, always avoid using VLAN 1 anywhere, because it's actually the default. Now you can also administratively configure switch ports as access ports so that the users cannot negotiate a trunk, and then disable the negotiation of trunking. So, you know, basically no Dynamic Trunk Protocol, or DTP.

00:03:54 Also, you should limit the number of MAC addresses learned on a given port with the port security feature. You can also enable control of Spanning Tree to stop users or unknown devices from manipulating the spanning tree, and you can do so by using the BPDU Guard and Root Guard features in those switches. You should also turn off Cisco Discovery Protocol on ports that are facing untrusted or unknown networks that do not require CDP for anything positive. Right? So CDP actually operates at layer 2 and may provide attackers with information that we would rather not disclose, you know, on those ports. Now on a new switch, shut down all the ports and assign them to a VLAN that is not used for anything else. Then bring up the ports and assign the correct VLANs as the ports are actually allocated and needed, you know, in your environment.

00:04:51 Now there are several other layer 2 security features that can be used to protect your infrastructure, including Port Security, and this is actually used to limit the number of MAC addresses that can be learned on an access switch port. Like I mentioned before, BPDU Guard: so if BPDUs show up where they should not, then the switch will protect itself. Other features are Root Guard, like we mentioned before, which actually controls which ports are not allowed to become root ports on remote switches. And then Dynamic ARP Inspection, as we actually covered earlier. Right? IP Source Guard is another one that prevents spoofing of layer 3 information by hosts. 802.1X, to authenticate and authorize users before you allow them into the network and to communicate with the rest of the network. DHCP snooping, to prevent rogue DHCP servers from impacting the network. Storm Control, to limit the amount of broadcast and multicast traffic flowing through the switch. And then of course, Access Control Lists, both at layer 3 and layer 2, for traffic control and policy enforcement.

00:06:06 There are different Route Manipulation Attacks out there, but one of the most common is the BGP hijacking attack. BGP, as you know, is a dynamic routing protocol that is used to route internet traffic. And basically, the BGP hijacking attack is launched by an attacker by configuring or compromising an edge router in order to announce prefixes that have not been assigned to his or her organization. So if the malicious announcement contains a route that is more specific than the legitimate advertisement, or even if it presents a shorter path, then the victim traffic may be redirected to the attacker. Right? And then of course all bets are off. You know, this traffic can actually be, you know, monitored, and information can be stolen. Now in the past, threat actors have leveraged unused prefixes for BGP hijacking in order to avoid attention from the legitimate users or a specific organization.