Data-plane attacks and Mitigation Techniques

  1. CAM Table Overflow Attack (DoS attack) (macof -i eth0): Port-Security
  2. DHCP Starvation Attack (DoS attack): Port-Security and rate-limiting requests.
  3. DHCP Spoofing/Rogue DHCP Attack (MitM attack): DHCP Snooping
  4. VLAN Hopping Attack (negotiate a trunk using DTP) (yersinia -G): set all ports not connected to switches to access mode and no-negotiate, since by default they are set to negotiate, i.e. ‘dynamic-auto’.

Also, don’t use VLAN 1 as the native VLAN.

  5. Rogue Switch Attack (switch MitM, i.e. the rogue switch becomes the root bridge): PortFast and BPDU Guard (turned on globally if the port is an access port; shuts the port down).

BPDU Filter (doesn’t allow BPDUs, but doesn’t shut the port down).

Root Guard (tells the switch that certain ports can’t be root ports, i.e. if you are connected to legitimate switches).

  6. ARP Spoofing/ARP Poisoning Attack (Gratuitous ARP) (MitM attack): DAI (Dynamic ARP Inspection)
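
An added example, not part of the original post: a small Python audit that reads a switch running-config and reports which of the mitigations listed above are missing on each port. Cisco IOS command syntax is assumed, and the sample config, interface names and VLAN numbers are constructed.

```python
# Constructed sample config, Cisco IOS syntax assumed (not from the original page).
SAMPLE_CONFIG = """\
ip dhcp snooping
spanning-tree portfast bpduguard default
interface GigabitEthernet0/1
 switchport mode access
 switchport nonegotiate
 switchport port-security
 spanning-tree portfast
interface GigabitEthernet0/2
 switchport access vlan 10
interface GigabitEthernet0/24
 switchport mode trunk
"""
ACCESS_REQUIRED = {  # expected on every port not connected to a switch
    "switchport mode access": "dynamic mode: DTP trunk negotiation (VLAN hopping)",
    "switchport nonegotiate": "DTP frames still sent (VLAN hopping)",
    "switchport port-security": "no port-security (CAM overflow, DHCP starvation)",
    "spanning-tree portfast": "no portfast",
    "spanning-tree bpduguard enable": "no BPDU Guard (rogue switch)",
}

def audit(config):  # returns (scope, finding) pairs for missing mitigations
    global_lines, ports, current = [], {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = ports.setdefault(raw.split(None, 1)[1], [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:
            current = None
            global_lines.append(raw.strip())
    findings = []
    if "ip dhcp snooping" not in global_lines:
        findings.append(("global", "no DHCP snooping (rogue DHCP)"))
    if not any(l.startswith("ip arp inspection vlan ") for l in global_lines):
        findings.append(("global", "no Dynamic ARP Inspection (ARP poisoning)"))
    bpdu_default = "spanning-tree portfast bpduguard default" in global_lines
    for name, lines in ports.items():
        if "switchport mode trunk" in lines:  # switch-to-switch link
            native = [l.split()[-1] for l in lines if l.startswith("switchport trunk native vlan ")]
            if not native or native[-1] == "1":  # with no explicit line, the native VLAN is 1
                findings.append((name, "native VLAN is 1"))
            continue
        for needed, why in ACCESS_REQUIRED.items():
            # Global BPDU Guard covers any port that has portfast enabled.
            covered = "bpduguard" in needed and bpdu_default and "spanning-tree portfast" in lines
            if needed not in lines and not covered:
                findings.append((name, why))
    return findings
```

Calling `audit(SAMPLE_CONFIG)` leaves the hardened port GigabitEthernet0/1 clean, flags every missing item on the default-configured GigabitEthernet0/2, and reports the trunk that still uses VLAN 1 as native.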
