Friday 22 September 2023

How to configure CDP flood attack? | How to prevent CDP attack?

In this blog we will see how a CDP flood can completely take down an enterprise switch or router, and also how to prevent this DoS attack. We are going to attack CDP (Cisco Discovery Protocol) with the help of Yersinia. This attack is very easy and extremely powerful, and it falls under the category of denial-of-service attacks. To make the switch fail we need a Linux machine and a lab simulation. The protocol we are going to exploit, CDP, is enabled by default on Cisco routers and switches.

Let's take an overview of CDP:

CDP (Cisco Discovery Protocol) is a Cisco proprietary protocol used to collect information about directly connected devices. It gives us hardware and protocol information about neighboring devices, which is very helpful when troubleshooting or documenting the network.

This is the topology we are going to use for the lab:



Before starting the lab, here is an overview of what actually happens to the switch during this attack. When we log into a switch and run the command show cdp neighbors, the device displays all directly connected neighbors that have CDP enabled, like this:

R1#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
switch2          Fas 1/0            178         R S I     Linux Uni Eth 0/0
switch1          Fas 0/0            149         R S I     Linux Uni Eth 0/0

We are going to flood the switch with thousands of fake CDP packets with the help of Yersinia. These packets will freeze the switch operating system, and the switch processor will run at full utilization until it crashes. In the end the switch will no longer act as a switch; it becomes a hub.

You will also see a warning:

*Sep 21 10:02:23.606: %SYS-2-NOMEMORY: No memory available for DSensor Malloc 17

Let's see the configuration:

  • configure the topology as per the diagram
  • configure the IP address on the Kali machine
  • make sure to check CPU utilization before and after the attack
  • configure the attack using Yersinia
  • diagnose the attack and prevent it


switch1#show cdp
Global CDP information:
        Sending CDP packets every 60 seconds
        Sending a holdtime value of 180 seconds
        Sending CDPv2 advertisements is  enabled

(As you can see, CDP is enabled by default.)



switch-core#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
switch2          Eth 0/2           176             R S I  Linux Uni Eth 0/0
switch1          Eth 0/1           172             R S I  Linux Uni Eth 0/0

(Our core switch has two CDP neighbors.)



switch-core#show processes
CPU utilization for five seconds: 0%/0%; one minute: 0%; five minutes: 0%
 PID QTy       PC Runtime (ms)    Invoked   uSecs    Stacks TTY Process

switch-core#show processes cpu
CPU utilization for five seconds: 0%/0%; one minute: 0%; five minutes: 0%
 PID Runtime(ms)     Invoked      uSecs   5Sec   1Min   5Min TTY Process

switch-core#show processes memory
Processor Pool Total:  153981584 Used:   53056736 Free:  100924848

 PID TTY  Allocated      Freed    Holding    Getbufs    Retbufs Process
   0   0  116841704   67245936   44930064          0          0 *Init*
   0   0          0     195088          0          0          0 *Sched*
   0   0     174504      10744     143408    1538139          0 *Dead*
   0   0          0          0     394704          0          0 *MallocLite*
   1   0      20888          0      33864          0          0 Chunk Manager
   2   0        232        232       6976          0          0 Load Meter
   3   0     130712      34264     122256          0          0 Exec
   4   0       1744          0      14720          0          0 Check heaps



(As of now everything is working fine and CPU utilization is fine.)



(Now let's configure the IP address 30.1.1.1/8 on our Kali machine.)



(Install Yersinia on your Kali machine.)



(Now open Yersinia in graphical mode.)




(Select CDP and launch the attack.)




(Select the "flooding CDP table" option and click OK. After that, take a look at the switch and its CDP neighbor table.)



switch-core#show cdp neighbor
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
XJJJJJ2          Eth 0/0           192             B S r  yersinia  Eth 0
3KKKXXX          Eth 0/0           235           R T S H  yersinia  Eth 0
2JJJXXX          Eth 0/0           219          R T B S H yersinia  Eth 0
2EEEEEW          Eth 0/0           249             T B I  yersinia  Eth 0
2JJJJJX          Eth 0/0           246           R T S H  yersinia  Eth 0
2EEEWWW          Eth 0/0           219             T B I  yersinia  Eth 0
switch2          Eth 0/2           136             R S I  Linux Uni Eth 0/0
Y333KKK          Eth 0/0           201             T I r  yersinia  Eth 0
GGYK333          Eth 0/0           200            T B S r yersinia  Eth 0
4LLLYYY          Eth 0/0           200            B S H I yersinia  Eth 0
3KKKKKY          Eth 0/0           254            B S H I yersinia  Eth 0
222ARRR          Eth 0/0           185          R B S H I yersinia  Eth 0
BTTTTT7          Eth 0/0           217               I    yersinia  Eth 0
BTTT777          Eth 0/0           245              B r   yersinia  Eth 0
3KKKYYY          Eth 0/0           219            B S H I yersinia  Eth 0
3JJJXXX          Eth 0/0           234            R T B H yersinia  Eth 0
4LLLLLY          Eth 0/0           249              S H   yersinia  Eth 0
3JJJJJX          Eth 0/0           193          R T B S H yersinia  Eth 0
FFFT000          Eth 0/0           197              T S   yersinia  Eth 0
EWWW000          Eth 0/0           214            R T B r yersinia  Eth 0

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
DVVVVV0          Eth 0/0           222            R T B r yersinia  Eth 0
4LZZZZZ          Eth 0/0           178           R T S H  yersinia  Eth 0
5MMMZZZ          Eth 0/0           223           R B S H  yersinia  Eth 0
1EEEVVV          Eth 0/0           252             R T I  yersinia  Eth 0
4LLLLLZ          Eth 0/0           254           R B S H  yersinia  Eth 0
1EEEEEV          Eth 0/0           233             R B I  yersinia  Eth 0
DVVV000          Eth 0/0           250           R T S I  yersinia  Eth 0
4LLLZZZ          Eth 0/0           237             R S H  yersinia  Eth 0
5MMMMMZ          Eth 0/0           238             R S H  yersinia  Eth 0
EWWWWW0          Eth 0/0           240             R T I  yersinia  Eth 0
T888OOO          Eth 0/0           232            T B I r yersinia  Eth 0
5LLLZZZ          Eth 0/0           227           R B S H  yersinia  Eth 0
1DDDVVV          Eth 0/0           211           R B S I  yersinia  Eth 0
1DVVVVV          Eth 0/0           227           R B S I  yersinia  Eth 0
1EWWWWW          Eth 0/0           252              S r   yersinia  Eth 0
EVVVVV0          Eth 0/0           252            R T B r yersinia  Eth 0
1EEEWWW          Eth 0/0           249               T    yersinia  Eth 0
ARRRRR0          Eth 0/0           200          R T S H I yersinia  Eth 0
EV00000          Eth 0/0           173             R B r  yersinia  Eth 0
55555UC          Eth 0/0           172            R T B S yersinia  Eth 0
2FFFFFW          Eth 0/0           252               T    yersinia  Eth 0
P88888K          Eth 0/0           221              T S   yersinia  Eth 0
1EEEEEW          Eth 0/0           253           T B S I  yersinia  Eth 0
 --More--
*Sep 21 10:30:58.920: %SYS-2-MALLOCFAIL: Memory allocation of 60 bytes failed from 0x83A85B3, alignment 8
Pool: Processor  Free: 0  Cause: Not enough free memory
Alternate Pool: None  Free: 0  Cause: No Alternate pool
 -Process= "CDP Protocol", ipl= 0, pid= 99
-Traceback= A0B2A85z B9B2D43z B9ABD5Ez 83A85B3z 83A9BFDz 83AB135z 9E2067Fz 9E1F3C6z


(From the above output you can see that there is no free memory available and memory allocation is failing in the CDP Protocol process.)




switch-core#show processes cpu history



                                      444444444455555
                                      55555555552222255555
  100
   90
   80
   70
   60
   50                                 ***************
   40                                 ***************
   30                                 ***************
   20                                 ***************
   10                                 ********************
     0....5....1....1....2....2....3....3....4....4....5....5....6
               0    5    0    5    0    5    0    5    0    5    0
               CPU% per second (last 60 seconds)




      665554                  1
      123007                  5
  100
   90
   80
   70
   60 **
   50 ******
   40 *#*##*
   30 ######
   20 ######                  *
   10 ######                  *
     0....5....1....1....2....2....3....3....4....4....5....5....6
               0    5    0    5    0    5    0    5    0    5    0
               CPU% per minute (last 60 minutes)
              * = maximum CPU%   # = average CPU%






  100
   90
 --More--
*Sep 21 10:36:28.947: %SYS-2-MALLOCFAIL: Memory allocation of 60 bytes failed from 0x83A85B3, alignment 8
Pool: Processor  Free: 0  Cause: Not enough free memory
Alternate Pool: None  Free: 0  Cause: No Alternate pool
 -Process= "CDP Protocol", ipl= 0, pid= 99
-Traceback= A0B2A85z B9B2D43z B9ABD5Ez 83A85B3z 83A9BFDz 83AB135z 9E2067Fz 9E1F3C6z
   80
   70
   60
   50
   40
   30
   20
   10
     0....5....1....1....2....2....3....3....4....4....5....5....6....6....7..
               0    5    0    5    0    5    0    5    0    5    0    5    0
                   CPU% per hour (last 72 hours)
                  * = maximum CPU%   # = average CPU%










*Sep 21 10:31:28.920: %SYS-2-MALLOCFAIL: Memory allocation of 60 bytes failed from 0x83A85B3, alignment 8
Pool: Processor  Free: 0  Cause: Not enough free memory
Alternate Pool: None  Free: 0  Cause: No Alternate pool
 -Process= "CDP Protocol", ipl= 0, pid= 99
-Traceback= A0B2A85z B9B2D43z B9ABD5Ez 83A85B3z 83A9BFDz 83AB135z 9E2067Fz 9E1F3C6z

*Sep 21 10:31:58.920: %SYS-2-MALLOCFAIL: Memory allocation of 60 bytes failed from 0x83A85B3, alignment 8
Pool: Processor  Free: 0  Cause: Not enough free memory
Alternate Pool: None  Free: 0  Cause: No Alternate pool
 -Process= "CDP Protocol", ipl= 0, pid= 99
-Traceback= A0B2A85z B9B2D43z B9ABD5Ez 83A85B3z 83A9BFDz 83AB135z 9E2067Fz 9E1F3C6z

*Sep 21 10:32:28.920: %SYS-2-MALLOCFAIL: Memory allocation of 60 bytes failed from 0x83A85B3, alignment 8
Pool: Processor  Free: 0  Cause: Not enough free memory
Alternate Pool: None  Free: 0  Cause: No Alternate pool
 -Process= "CDP Protocol", ipl= 0, pid= 99
-Traceback= A0B2A85z B9B2D43z B9ABD5Ez 83A85B3z 83A9BFDz 83AB135z 9E2067Fz 9E1F3C6z

*Sep 21 10:32:58.920: %SYS-2-MALLOCFAIL: Memory allocation of 60 bytes failed from 0x83A85B3, alignment 8
Pool: Processor  Free: 0  Cause: Not enough free memory
Alternate Pool: None  Free: 0  Cause: No Alternate pool
 -Process= "CDP Protocol", ipl= 0, pid= 99
-Traceback= A0B2A85z B9B2D43z B9ABD5Ez 83A85B3z 83A9BFDz 83AB135z 9E2067Fz 9E1F3C6z

*Sep 21 10:33:28.920: %SYS-2-MALLOCFAIL: Memory allocation of 60 bytes failed from 0x83A85B3, alignment 8
Pool: Processor  Free: 0  Cause: Not enough free memory
Alternate Pool: None  Free: 0  Cause: No Alternate pool
 -Process= "CDP Protocol", ipl= 0, pid= 99
-Traceback= A0B2A85z B9B2D43z B9ABD5Ez 83A85B3z 83A9BFDz 83AB135z 9E2067Fz 9E1F3C6z
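Spotting the flood in the two places the post shows it (the CDP neighbor table and the console log) is something a defender can automate. The following Python script is an added example and is not part of the original post or of Yersinia: it parses the text of show cdp neighbors, counts neighbors per local interface, flags any interface that advertises more neighbors than an access port should (the threshold is an assumption, defaulting to one), extracts the %SYS-2-MALLOCFAIL events attributed to the "CDP Protocol" process from a syslog capture, and emits the per-interface "no cdp enable" lines used later in the post. The sample table and log lines are constructed from the formats shown above.

```python
import re
from collections import Counter

# Constructed sample in the shape of the 'show cdp neighbors' output above:
# fake entries on Eth 0/0 and the two legitimate neighbors on Eth 0/1 and Eth 0/2.
SAMPLE_CDP_TABLE = """\
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
XJJJJJ2          Eth 0/0           192             B S r  yersinia  Eth 0
3KKKXXX          Eth 0/0           235           R T S H  yersinia  Eth 0
switch2          Eth 0/2           136             R S I  Linux Uni Eth 0/0
Y333KKK          Eth 0/0           201             T I r  yersinia  Eth 0
switch1          Eth 0/1           159             R S I  Linux Uni Eth 0/0
"""

# Constructed sample console log in the format of the messages seen during the flood.
SAMPLE_SYSLOG = """\
*Sep 21 10:30:58.920: %SYS-2-MALLOCFAIL: Memory allocation of 60 bytes failed from 0x83A85B3, alignment 8
Pool: Processor  Free: 0  Cause: Not enough free memory
 -Process= "CDP Protocol", ipl= 0, pid= 99
*Sep 21 10:31:28.920: %SYS-2-MALLOCFAIL: Memory allocation of 60 bytes failed from 0x83A85B3, alignment 8
 -Process= "CDP Protocol", ipl= 0, pid= 99
*Sep 21 10:02:23.606: %SYS-2-NOMEMORY: No memory available for DSensor Malloc 17
"""

# One neighbor row: device, local interface (two tokens), holdtime, capability
# letters, platform (may contain a space), port ID (two tokens).
NEIGHBOR_RE = re.compile(
    r"^(?P<device>\S+)\s+(?P<local>\S+ \S+)\s+(?P<hold>\d+)\s+"
    r"(?P<caps>(?:[A-Za-z] )*[A-Za-z])\s+(?P<platform>.+?)\s+(?P<port>\S+ \S+)$"
)
MALLOCFAIL_RE = re.compile(r"^\*?(?P<ts>\w{3} +\d+ [\d:.]+): %SYS-2-MALLOCFAIL:")
PROCESS_RE = re.compile(r'-Process= "(?P<proc>[^"]+)"')


def parse_cdp_neighbors(text):
    """Turn 'show cdp neighbors' text into a list of row dicts; headers are skipped."""
    rows = []
    for line in text.splitlines():
        m = NEIGHBOR_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["hold"] = int(row["hold"])
            rows.append(row)
    return rows


def neighbors_per_port(rows):
    """Count how many CDP neighbors each local interface currently reports."""
    return Counter(r["local"] for r in rows)


def flagged_ports(rows, max_neighbors=1):
    """Interfaces with more neighbors than expected (assumed threshold: 1 per access port)."""
    counts = neighbors_per_port(rows)
    return sorted(port for port, n in counts.items() if n > max_neighbors)


def cdp_mallocfail_events(syslog):
    """Return MALLOCFAIL events whose following -Process= line names 'CDP Protocol'."""
    events, pending = [], None
    for line in syslog.splitlines():
        m = MALLOCFAIL_RE.match(line)
        if m:
            pending = {"timestamp": m["ts"], "process": None}
            events.append(pending)
            continue
        p = PROCESS_RE.search(line)
        if p and pending is not None:
            pending["process"] = p["proc"]
            pending = None
    return [e for e in events if e["process"] == "CDP Protocol"]


def remediation_commands(ports):
    """Per-interface 'no cdp enable' lines for the flagged ports (Eth -> ethernet)."""
    lines = []
    for port in ports:
        lines.append(f"interface {port.replace('Eth ', 'ethernet ')}")
        lines.append(" no cdp enable")
    return lines


if __name__ == "__main__":
    rows = parse_cdp_neighbors(SAMPLE_CDP_TABLE)
    print("neighbors per port:", dict(neighbors_per_port(rows)))
    bad = flagged_ports(rows)
    print("flagged ports:", bad)
    print("CDP MALLOCFAIL events:", cdp_mallocfail_events(SAMPLE_SYSLOG))
    print("\n".join(remediation_commands(bad)))
```

In a real deployment you would feed the script the output collected over SSH or from a syslog server; a single port suddenly reporting dozens of neighbors, or repeated MALLOCFAIL messages from the CDP Protocol process, is the signature of exactly the flood shown above.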


(How do we prevent this attack? Here I am going to use two options: first, disable CDP in global configuration mode; second, find the attacker's interface and disable CDP on that particular port.)




(You will notice that all the fake CDP packets our switch is receiving arrive on Ethernet 0/0, so let's disable CDP on this port.)



switch-core(config)#interface ethernet 0/0
switch-core(config-if)#no cdp enable
switch-core(config-if)#end


switch-core#clear cdp table
switch-core#clear cdp counter


switch-core#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
switch2          Eth 0/2           136             R S I  Linux Uni Eth 0/0
switch1          Eth 0/1           159             R S I  Linux Uni Eth 0/0

Total cdp entries displayed : 2


(Our switch is now working fine and has only valid neighbors.)


I hope you liked the blog. Please visit our YouTube channel:

https://www.youtube.com/@internetworkss/playlists






