D-Link DGS-3120-24TC Product Manual - Page 324

Prevent ARP Spoofing via Packet Content ACL, Configuration

Get D-Link DGS-3120-24TC PDF manuals and user guides View all D-Link DGS-3120-24TC manuals
Add to My Manuals
Save this manual to your list of manuals

Page 324 highlights

xStack® DGS-3120 Series Managed Switch Web UI Reference Guide A common DoS attack today can be done by associating a nonexistent or any specified MAC address to the IP address of the network's default gateway. The malicious attacker only needs to broadcast one Gratuitous ARP to the network claiming it is the gateway so that the whole network operation will be turned down as all packets to the Internet will be directed to the wrong node. Likewise, the attacker can either choose to forward the traffic to the actual default gateway (passive sniffing) or modify the data before forwarding it (man-in-the-middle attack). Figure 5 The hacker cheats the victim PC that it is a router and cheats the router that it is the victim. As can be seen in Figure 5 all traffic will be then sniffed by the hacker but the users will not discover. Prevent ARP Spoofing via Packet Content ACL D-Link managed switches can effectively mitigate common DoS attacks caused by ARP spoofing via a unique Package Content ACL. For the reason that basic ACL can only filter ARP packets based on packet type, VLAN ID, Source, and Destination MAC information, there is a need for further inspections of ARP packets. To prevent ARP spoofing attack, we will demonstrate here via using Packet Content ACL on the Switch to block the invalid ARP packets which contain faked gateway's MAC and IP binding. Configuration The configuration logic is as follows: 1. Only if the ARP matches Source MAC address in Ethernet, Sender MAC address and Sender IP address in ARP protocol can pass through the switch. (In this example, it is the gateway's ARP.) 2. The switch will deny all other ARP packets which claim they are from the gateway's IP. The design of Packet Content ACL on the Switch enables users to inspect any offset chunk. An offset chunk is a 4byte block in a HEX format, which is utilized to match the individual field in an Ethernet frame. Each profile is allowed to contain up to a maximum of four offset chunks. Furthermore, only one single profile of Packet Content ACL can be supported per switch. In other words, up to 16 bytes of total offset chunks can be applied to each profile and a switch. Therefore, a careful consideration is needed for planning and configuration of the valuable offset chunks. In Table 6, you will notice that the Offset_Chunk0 starts from the 127th byte and ends at the 128th byte. It also can be found that the offset chunk is scratched from 1 but not zero. 316

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49
  • 50
  • 51
  • 52
  • 53
  • 54
  • 55
  • 56
  • 57
  • 58
  • 59
  • 60
  • 61
  • 62
  • 63
  • 64
  • 65
  • 66
  • 67
  • 68
  • 69
  • 70
  • 71
  • 72
  • 73
  • 74
  • 75
  • 76
  • 77
  • 78
  • 79
  • 80
  • 81
  • 82
  • 83
  • 84
  • 85
  • 86
  • 87
  • 88
  • 89
  • 90
  • 91
  • 92
  • 93
  • 94
  • 95
  • 96
  • 97
  • 98
  • 99
  • 100
  • 101
  • 102
  • 103
  • 104
  • 105
  • 106
  • 107
  • 108
  • 109
  • 110
  • 111
  • 112
  • 113
  • 114
  • 115
  • 116
  • 117
  • 118
  • 119
  • 120
  • 121
  • 122
  • 123
  • 124
  • 125
  • 126
  • 127
  • 128
  • 129
  • 130
  • 131
  • 132
  • 133
  • 134
  • 135
  • 136
  • 137
  • 138
  • 139
  • 140
  • 141
  • 142
  • 143
  • 144
  • 145
  • 146
  • 147
  • 148
  • 149
  • 150
  • 151
  • 152
  • 153
  • 154
  • 155
  • 156
  • 157
  • 158
  • 159
  • 160
  • 161
  • 162
  • 163
  • 164
  • 165
  • 166
  • 167
  • 168
  • 169
  • 170
  • 171
  • 172
  • 173
  • 174
  • 175
  • 176
  • 177
  • 178
  • 179
  • 180
  • 181
  • 182
  • 183
  • 184
  • 185
  • 186
  • 187
  • 188
  • 189
  • 190
  • 191
  • 192
  • 193
  • 194
  • 195
  • 196
  • 197
  • 198
  • 199
  • 200
  • 201
  • 202
  • 203
  • 204
  • 205
  • 206
  • 207
  • 208
  • 209
  • 210
  • 211
  • 212
  • 213
  • 214
  • 215
  • 216
  • 217
  • 218
  • 219
  • 220
  • 221
  • 222
  • 223
  • 224
  • 225
  • 226
  • 227
  • 228
  • 229
  • 230
  • 231
  • 232
  • 233
  • 234
  • 235
  • 236
  • 237
  • 238
  • 239
  • 240
  • 241
  • 242
  • 243
  • 244
  • 245
  • 246
  • 247
  • 248
  • 249
  • 250
  • 251
  • 252
  • 253
  • 254
  • 255
  • 256
  • 257
  • 258
  • 259
  • 260
  • 261
  • 262
  • 263
  • 264
  • 265
  • 266
  • 267
  • 268
  • 269
  • 270
  • 271
  • 272
  • 273
  • 274
  • 275
  • 276
  • 277
  • 278
  • 279
  • 280
  • 281
  • 282
  • 283
  • 284
  • 285
  • 286
  • 287
  • 288
  • 289
  • 290
  • 291
  • 292
  • 293
  • 294
  • 295
  • 296
  • 297
  • 298
  • 299
  • 300
  • 301
  • 302
  • 303
  • 304
  • 305
  • 306
  • 307
  • 308
  • 309
  • 310
  • 311
  • 312
  • 313
  • 314
  • 315
  • 316
  • 317
  • 318
  • 319
  • 320
  • 321
  • 322
  • 323
  • 324
  • 325
  • 326
  • 327
  • 328
  • 329
  • 330
  • 331
  • 332
  • 333
  • 334
  • 335
  • 336
  • 337
  • 338
  • 339
xStack® DGS-3120 Series Managed Switch Web UI Reference Guide
316
A common DoS attack today can
be done by associating a
nonexistent or any specified MAC
address to the IP address of the
network’s default gateway. The
malicious attacker only needs to
broadcast one Gratuitous ARP to
the network claiming it is the
gateway so that the whole
network operation will be turned
down as all packets to the
Internet will be directed to the
wrong node.
Likewise, the attacker can either
choose to forward the traffic to the
actual default gateway (passive
sniffing) or modify the data before
forwarding it (man-in-the-middle
attack).
Figure 5
The hacker cheats the victim PC that it is a router and cheats the router that it is the victim. As can be seen in
Figure 5 all traffic will be then sniffed by the hacker but the users will not discover.
Prevent ARP Spoofing via Packet Content ACL
D-Link managed switches can effectively
mitigate common DoS attacks caused by
ARP spoofing via a unique Package Content
ACL.
For the reason that basic ACL can only filter
ARP packets based on packet type, VLAN
ID, Source, and Destination MAC
information, there is a need for further
inspections of ARP packets. To prevent ARP
spoofing attack, we will demonstrate here via
using Packet Content ACL on the Switch to
block the invalid ARP packets which contain
faked gateway’s MAC and IP binding.
Configuration
The configuration logic is as follows:
1.
Only if the ARP matches Source MAC address in Ethernet, Sender MAC address and Sender IP address
in ARP protocol can pass through the switch. (In this example, it is the gateway’s ARP.)
2.
The switch will deny all other ARP packets which claim they are from the gateway’s IP.
The design of Packet Content ACL on the Switch enables users to inspect any offset chunk. An offset chunk is a 4-
byte block in a HEX format, which is utilized to match the individual field in an Ethernet frame. Each profile is
allowed to contain up to a maximum of four offset chunks. Furthermore, only one single profile of Packet Content
ACL can be supported per switch. In other words, up to 16 bytes of total offset chunks can be applied to each
profile and a switch. Therefore, a careful consideration is needed for planning and configuration of the valuable
offset chunks.
In Table 6, you will notice that the Offset_Chunk0 starts from the 127th byte and ends at the 128th byte. It also can
be found that the offset chunk is scratched from 1 but not zero.