Anti ARP Spoofing of OmniSwitch

Introduction

ARP spoofing (ARP poisoning) is a fairly old man-in-the-middle (MITM) attack technique. It exploits how ARP works to trick the victim into sending all of its traffic to a device chosen by the attacker, which captures the packets to steal usable information and then forwards them to the real destination, so the victim never notices that its traffic has been intercepted.

OmniSwitch can counter this attack with its built-in ACL security feature, UserPorts.

The OmniSwitch must have an ip interface configured so that it learns the VLAN's subnet; it then compares that learned information against ARP Request packets to decide whether they are a spoofing attack.
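The compare step described above, as an added illustration written for this article (not OmniSwitch's own code): a minimal ARP parser plus a spoof check against a learned VLAN subnet. The subnet, switch address and the two flagging rules (sender IP outside the learned subnet, or a user port claiming the switch's own interface address) are assumptions, not the switch's actual algorithm.

```python
import ipaddress
import struct

# Constructed values (assumptions; the post names no addresses): the subnet the
# switch learned from its VLAN ip interface, and the interface address itself.
VLAN_SUBNET = ipaddress.ip_network("192.168.10.0/24")
SWITCH_IP = ipaddress.ip_address("192.168.10.1")

ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1

def build_arp_request(sender_mac: bytes, sender_ip: str, target_ip: str) -> bytes:
    """Assemble a minimal Ethernet + ARP request frame (constructed test input)."""
    eth = b"\xff" * 6 + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)   # Ethernet/IPv4
    arp += sender_mac + ipaddress.ip_address(sender_ip).packed
    arp += b"\x00" * 6 + ipaddress.ip_address(target_ip).packed
    return eth + arp

def parse_arp(frame: bytes):
    """Return (opcode, sender_ip, target_ip) for an IPv4 ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    _htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    return op, ipaddress.ip_address(frame[28:32]), ipaddress.ip_address(frame[38:42])

def arp_spoof_reason(frame: bytes, subnet=VLAN_SUBNET, switch_ip=SWITCH_IP):
    """Illustrative spoof check for a frame seen on a UserPort (assumed rules, not
    OmniSwitch's algorithm): flag a request whose sender IP lies outside the
    learned VLAN subnet, or which claims the switch's own interface address."""
    parsed = parse_arp(frame)
    if parsed is None:
        return None                      # not ARP, nothing to check
    op, spa, _tpa = parsed
    if op != ARP_REQUEST:
        return None
    if spa not in subnet:
        return f"sender {spa} outside learned subnet {subnet}"
    if spa == switch_ip:
        return f"user port claims switch interface address {spa}"
    return None

if __name__ == "__main__":
    pc = bytes.fromhex("001122334455")   # constructed PC MAC address
    print(arp_spoof_reason(build_arp_request(pc, "192.168.10.50", "192.168.10.1")))
    print(arp_spoof_reason(build_arp_request(pc, "10.0.0.9", "192.168.10.1")))
    print(arp_spoof_reason(build_arp_request(pc, "192.168.10.1", "192.168.10.50")))
```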

Implementation

Assume that port 1/2 connects a general-purpose device (for example a PC or notebook); we can define it as a UserPort:

-> policy port group UserPorts 1/2
-> qos apply

The user-port filter has spoof enabled by default.

If the user-port shutdown option is added as well, the port itself is shut down, completely blocking the attack packets.

-> qos user-port shutdown spoof
-> qos apply

Blocking result

When the OmniSwitch detects ARP spoofing it shuts the port down immediately, and the Violations column shows a QoS status.

-> show interfaces port 
Legends: WTR - Wait To Restore
# - WTR Timer is Running & Port is in wait-to-restore state
* - Permanent Shutdown

Slot/ Admin Link Violations Recovery Recovery WTR Alias
Port Status Status Time Max (sec)
------+----------+---------+----------+----------+----------+----------+-----------------------------------------
1/1 enable down none 300 10 0 ""
1/2 enable down QoS 300 10 0 ""
1/3 enable down none 300 10 0 ""
1/4 enable down none 300 10 0 ""
1/5 enable down none 300 10 0 ""

Run the interfaces clear-violation-all command to bring the port back into service.

-> interfaces 1/2 clear-violation-all

-> show interfaces port
Legends: WTR - Wait To Restore
# - WTR Timer is Running & Port is in wait-to-restore state
* - Permanent Shutdown

Slot/ Admin Link Violations Recovery Recovery WTR Alias
Port Status Status Time Max (sec)
------+----------+---------+----------+----------+----------+----------+-----------------------------------------
1/1 enable down none 300 10 0 ""
1/2 enable up none 300 10 0 ""
1/3 enable down none 300 10 0 ""
1/4 enable down none 300 10 0 ""
1/5 enable down none 300 10 0 ""