Data-plane Attacks and Mitigation Techniques
- CAM Table Overflow Attack (DoS attack) (macof -i eth0): Port Security
- DHCP Starvation Attack (DoS attack): Port Security and rate-limiting of DHCP requests.
- DHCP Spoofing/Rogue DHCP Attack (MITM attack): DHCP Snooping
- VLAN Hopping Attack (negotiates a trunk using DTP) (yersinia -G): set all ports not connected to switches to nonegotiate and access mode, because by default they negotiate, i.e. 'dynamic auto'.
Also don't use VLAN 1 as the native VLAN.
- Rogue Switch Attack (switch MITM, i.e. the rogue switch becomes the root bridge): PortFast and BPDU Guard (turned on globally, applied to access/PortFast ports) (shuts the port down when a BPDU arrives).
BPDU Filter (drops BPDUs but doesn't shut the port down).
Root Guard (tells the switch that certain ports can't become root ports, i.e. for ports connected to legitimate switches).
- ARP Spoofing/ARP Poisoning Attack (gratuitous ARP) (MITM attack): DAI (Dynamic ARP Inspection)
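The mitigations above, collected into one Cisco IOS access-switch configuration as an added example (not part of the original notes). Interface names, VLAN numbers, the unused native VLAN 999 and the rate limits are assumed values for illustration.

```text
! Access ports: hosts only, never negotiate a trunk (VLAN hopping),
! limit learned MACs (CAM overflow / DHCP starvation), drop attacker BPDUs.
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip dhcp snooping limit rate 10
!
! Uplink to a legitimate switch: trusted for DHCP/ARP, unused native VLAN,
! Root Guard so a device behind it can never become root bridge.
vlan 999
 name NATIVE_UNUSED
interface GigabitEthernet1/0/48
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
 spanning-tree guard root
 ip dhcp snooping trust
 ip arp inspection trust
!
! Global: BPDU Guard on every PortFast port, DHCP Snooping, and DAI
! (DAI validates ARP against the DHCP snooping binding table).
spanning-tree portfast bpduguard default
ip dhcp snooping
ip dhcp snooping vlan 10,20
no ip dhcp snooping information option
ip arp inspection vlan 10,20
!
! Verification commands:
!  show port-security interface GigabitEthernet1/0/1
!  show ip dhcp snooping binding
!  show ip arp inspection statistics vlan 10
!  show spanning-tree inconsistentports
```

A port that BPDU Guard shuts down stays err-disabled until it is manually re-enabled (or `errdisable recovery cause bpduguard` is configured), which is also the signal to investigate what was plugged in.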