Friday 22 September 2023

How to configure CDP flood attack? | How to prevent CDP attack?

In this blog, we will see how to completely destroy an enterprise switch & router and also see how to prevent this DoS Attack.  We are to attack the CDP Cisco discovery protocol with the help of Yersinia. This attack is very easy and extremely powerful. This attack comes under of denial-of-service attack. To make the switch fail we need a Linux machine and simulation. The protocol we are going exploit is by default enabled on Cisco routers and switches CDP.

Let’s take an overview look at CDP: -

CDP (Cisco discovery protocol) is a Cisco proprietary protocol which is designed by Cisco. CDP is used to collect information about directly connected devices. We can collect the hardware and protocol information about neighboring devices. This information is very helpful when we do troubleshoot or document the network.

this is the topology we are going to use for the lab: -



So before starting our lab let me give the overview of what is actually going to happen to our switch while doing this attack. For example, when we log into a switch and write the command show CDP neighbors. The router is going to display all the directly connected enabled CDP neighbors' devices. Like this

R1#show cdp neighbors

Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge

                  S - Switch, H - Host, I - IGMP, r - Repeater

 

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID

switch2          Fas 1/0            178         R S I     Linux Uni Eth 0/0

switch1          Fas 0/0            149         R S I     Linux Uni Eth 0/0

 

 We are going flood thousands of CDP fake packets to the switch with the help of Yersinia and these packets will freeze down the switch operating system and the switch processor will utilize its full power until it crashes. In the end switch will no longer be a switch it’s become a hub. 

you will also see a warning:

 


*Sep 21 10:02:23.606: %SYS-2-NOMEMORY: No memory available for DSensor Malloc 17

 

let's see the configuration: -



  •  configure topology as per the diagram 
  • configure the IP address on kali machine 
  • make sure to check CPU utilization before and after attack 
  • configure attack using yersinia 
  • diagnose the attack and prevent this attack. 


switch1#show cdp
Global CDP information:
        Sending CDP packets every 60 seconds
        Sending a holdtime value of 180 seconds
        Sending CDPv2 advertisements is  enabled

(as you can see CDP is enable by default)



switch-core#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
switch2          Eth 0/2           176             R S I  Linux Uni Eth 0/0
switch1          Eth 0/1           172             R S I  Linux Uni Eth 0/0

(our core-switch is having two neighborship)



switch-core#show processes
CPU utilization for five seconds: 0%/0%; one minute: 0%; five minutes: 0%
 PID QTy       PC Runtime (ms)    Invoked   uSecs    Stacks TTY Process
 PID QTy       PC Runtime (ms)    Invoked   uSecs    Stacks TTY Process
  

switch-core#show processes cpu
CPU utilization for five seconds: 0%/0%; one minute: 0%; five minutes: 0%
 PID Runtime(ms)     Invoked      uSecs   5Sec   1Min   5Min TTY Process
 PID Runtime(ms)     Invoked      uSecs   5Sec   1Min   5Min TTY Process
 

switch-core#show processes memory
Processor Pool Total:  153981584 Used:   53056736 Free:  100924848

 PID TTY  Allocated      Freed    Holding    Getbufs    Retbufs Process
   0   0  116841704   67245936   44930064          0          0 *Init*
   0   0          0     195088          0          0          0 *Sched*
   0   0     174504      10744     143408    1538139          0 *Dead*
   0   0          0          0     394704          0          0 *MallocLite*
   1   0      20888          0      33864          0          0 Chunk Manager
   2   0        232        232       6976          0          0 Load Meter
   3   0     130712      34264     122256          0          0 Exec
   4   0       1744          0      14720          0          0 Check heaps



(As of now everything is working fine. CPU utilization is good)



(now let configure the IP address on our kali machine 30.1.1.1/8)



(Install the yersinia on your kali machine)



(Now open yersinia in graphical) 




(select the CDP and launch the attack)




(Select the flooding CDP table option and click on OK and after that take a look on switch and CDP neighbor table)



switch-core#show cdp neighbor
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
XJJJJJ2          Eth 0/0           192             B S r  yersinia  Eth 0
3KKKXXX          Eth 0/0           235           R T S H  yersinia  Eth 0
2JJJXXX          Eth 0/0           219          R T B S H yersinia  Eth 0
2EEEEEW          Eth 0/0           249             T B I  yersinia  Eth 0
2JJJJJX          Eth 0/0           246           R T S H  yersinia  Eth 0
2EEEWWW          Eth 0/0           219             T B I  yersinia  Eth 0
switch2          Eth 0/2           136             R S I  Linux Uni Eth 0/0
Y333KKK          Eth 0/0           201             T I r  yersinia  Eth 0
GGYK333          Eth 0/0           200            T B S r yersinia  Eth 0
4LLLYYY          Eth 0/0           200            B S H I yersinia  Eth 0
3KKKKKY          Eth 0/0           254            B S H I yersinia  Eth 0
222ARRR          Eth 0/0           185          R B S H I yersinia  Eth 0
BTTTTT7          Eth 0/0           217               I    yersinia  Eth 0
BTTT777          Eth 0/0           245              B r   yersinia  Eth 0
3KKKYYY          Eth 0/0           219            B S H I yersinia  Eth 0
3JJJXXX          Eth 0/0           234            R T B H yersinia  Eth 0
4LLLLLY          Eth 0/0           249              S H   yersinia  Eth 0
3JJJJJX          Eth 0/0           193          R T B S H yersinia  Eth 0
FFFT000          Eth 0/0           197              T S   yersinia  Eth 0
EWWW000          Eth 0/0           214            R T B r yersinia  Eth 0

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
DVVVVV0          Eth 0/0           222            R T B r yersinia  Eth 0
4LZZZZZ          Eth 0/0           178           R T S H  yersinia  Eth 0
5MMMZZZ          Eth 0/0           223           R B S H  yersinia  Eth 0
1EEEVVV          Eth 0/0           252             R T I  yersinia  Eth 0
4LLLLLZ          Eth 0/0           254           R B S H  yersinia  Eth 0
1EEEEEV          Eth 0/0           233             R B I  yersinia  Eth 0
DVVV000          Eth 0/0           250           R T S I  yersinia  Eth 0
4LLLZZZ          Eth 0/0           237             R S H  yersinia  Eth 0
5MMMMMZ          Eth 0/0           238             R S H  yersinia  Eth 0
EWWWWW0          Eth 0/0           240             R T I  yersinia  Eth 0
T888OOO          Eth 0/0           232            T B I r yersinia  Eth 0
5LLLZZZ          Eth 0/0           227           R B S H  yersinia  Eth 0
1DDDVVV          Eth 0/0           211           R B S I  yersinia  Eth 0
1DVVVVV          Eth 0/0           227           R B S I  yersinia  Eth 0
1EWWWWW          Eth 0/0           252              S r   yersinia  Eth 0
EVVVVV0          Eth 0/0           252            R T B r yersinia  Eth 0
1EEEWWW          Eth 0/0           249               T    yersinia  Eth 0
ARRRRR0          Eth 0/0           200          R T S H I yersinia  Eth 0
EV00000          Eth 0/0           173             R B r  yersinia  Eth 0
55555UC          Eth 0/0           172            R T B S yersinia  Eth 0
2FFFFFW          Eth 0/0           252               T    yersinia  Eth 0
P88888K          Eth 0/0           221              T S   yersinia  Eth 0
1EEEEEW          Eth 0/0           253           T B S I  yersinia  Eth 0
 --More--
*Sep 21 10:30:58.920: %SYS-2-MALLOCFAIL: Memory allocation of 60 bytes failed from 0x83A85B3, alignment 8
Pool: Processor  Free: 0  Cause: Not enough free memory
Alternate Pool: None  Free: 0  Cause: No Alternate pool
 -Process= "CDP Protocol", ipl= 0, pid= 99
-Traceback= A0B2A85z B9B2D43z B9ABD5Ez 83A85B3z 83A9BFDz 83AB135z 9E2067Fz 9E1F3C6z


(From the above output you will see there is now free space available and memory allocation is failed)




switch-core#   show processes cpu history



                                      444444444455555
                                      55555555552222255555
  100
   90
   80
   70
   60
   50                                 ***************
   40                                 ***************
   30                                 ***************
   20                                 ***************
   10                                 ********************
     0....5....1....1....2....2....3....3....4....4....5....5....6
               0    5    0    5    0    5    0    5    0    5    0
               CPU% per second (last 60 seconds)




      665554                  1
      123007                  5
  100
   90
   80
   70
   60 **
   50 ******
   40 *#*##*
   30 ######
   20 ######                  *
   10 ######                  *
     0....5....1....1....2....2....3....3....4....4....5....5....6
               0    5    0    5    0    5    0    5    0    5    0
               CPU% per minute (last 60 minutes)
              * = maximum CPU%   # = average CPU%






  100
   90
 --More--
*Sep 21 10:36:28.947: %SYS-2-MALLOCFAIL: Memory allocation of 60 bytes failed from 0x83A85B3, alignment 8
Pool: Processor  Free: 0  Cause: Not enough free memory
Alternate Pool: None  Free: 0  Cause: No Alternate pool
 -Process= "CDP Protocol", ipl= 0, pid= 99
-Traceback= A0B2A85z B9B2D43z B9ABD5Ez 83A85B3z 83A9BFDz 83AB135z 9E2067Fz 9E1F3C6z
   80
   70
   60
   50
   40
   30
   20
   10
     0....5....1....1....2....2....3....3....4....4....5....5....6....6....7..
               0    5    0    5    0    5    0    5    0    5    0    5    0
                   CPU% per hour (last 72 hours)
                  * = maximum CPU%   # = average CPU%










*Sep 21 10:31:28.920: %SYS-2-MALLOCFAIL: Memory allocation of 60 bytes failed from 0x83A85B3, alignment 8

Pool: Processor  Free: 0  Cause: Not enough free memory

Alternate Pool: None  Free: 0  Cause: No Alternate pool

 -Process= "CDP Protocol", ipl= 0, pid= 99

-Traceback= A0B2A85z B9B2D43z B9ABD5Ez 83A85B3z 83A9BFDz 83AB135z 9E2067Fz 9E1F3C6z


*Sep 21 10:31:58.920: %SYS-2-MALLOCFAIL: Memory allocation of 60 bytes failed from 0x83A85B3, alignment 8

Pool: Processor  Free: 0  Cause: Not enough free memory

Alternate Pool: None  Free: 0  Cause: No Alternate pool

 -Process= "CDP Protocol", ipl= 0, pid= 99

-Traceback= A0B2A85z B9B2D43z B9ABD5Ez 83A85B3z 83A9BFDz 83AB135z 9E2067Fz 9E1F3C6z

*Sep 21 10:32:28.920: %SYS-2-MALLOCFAIL: Memory allocation of 60 bytes failed from 0x83A85B3, alignment 8

Pool: Processor  Free: 0  Cause: Not enough free memory

Alternate Pool: None  Free: 0  Cause: No Alternate pool

 -Process= "CDP Protocol", ipl= 0, pid= 99

-Traceback= A0B2A85z B9B2D43z B9ABD5Ez 83A85B3z 83A9BFDz 83AB135z 9E2067Fz 9E1F3C6z

*Sep 21 10:32:58.920: %SYS-2-MALLOCFAIL: Memory allocation of 60 bytes failed from 0x83A85B3, alignment 8

Pool: Processor  Free: 0  Cause: Not enough free memory

Alternate Pool: None  Free: 0  Cause: No Alternate pool

 -Process= "CDP Protocol", ipl= 0, pid= 99

-Traceback= A0B2A85z B9B2D43z B9ABD5Ez 83A85B3z 83A9BFDz 83AB135z 9E2067Fz 9E1F3C6z

*Sep 21 10:33:28.920: %SYS-2-MALLOCFAIL: Memory allocation of 60 bytes failed from 0x83A85B3, alignment 8

Pool: Processor  Free: 0  Cause: Not enough free memory

Alternate Pool: None  Free: 0  Cause: No Alternate pool

 -Process= "CDP Protocol", ipl= 0, pid= 99

-Traceback= A0B2A85z B9B2D43z B9ABD5Ez 83A85B3z 83A9BFDz 83AB135z 9E2067Fz 9E1F3C6z


(How to prevent this attack? here i am going use two options first disable CDP in global mode and second is find the attacker interface and disable CDP for that particular port) 




(You will notice that all the fake CDP packets our switch is receiving from Ethernet 0/0, so let's disable CDP on this port) 



switch-core(config)#interface ethernet 0/0
switch-core(config-if)#no cdp enable
switch-core(config)#end


switch-core#clear cdp table
switch-core#clear cdp counter


switch-core#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
switch2          Eth 0/2           136             R S I  Linux Uni Eth 0/0
switch1          Eth 0/1           159             R S I  Linux Uni Eth 0/0

Total cdp entries displayed : 2


(Our switch is now working fine and have valid neighbors)


i hope you like blog. please visit to our youtube channel 

https://www.youtube.com/@internetworkss/playlists







No comments:

What is Cisco IOS Zone Based Firewall on router? How to configure ZBF on Cisco Routers?

 Zone Based Firewall ZBF (Zone Based Firewall) is the stateful firewall that is available on Cisco IOS routers, introduced in 2006. ZBF supp...