Some possible attack methods for ethernet switches are explained in this topic. These are quite common type of attack happening across the industrial control systems.
Media Access Control Attack
Media Access Control Attack: Switch Poisoning Attack: Ethernet switches keep forwarding table entries in a Content Addressable Memory (CAM). As a switch learns about a new destination host, it updates the table and for all future communications, this table entry is looked up to forward a frame. However, if the switch does not have a mapping to a new Media Access Control (MAC) address, i.e., which port to forward a new frame to, it will flood the frame on all of its outgoing ports.
An attacker could craft several frames with random addresses to populate an entire CAM. This would result in the switch flooding all the incoming data frames to all the outgoing ports, due to no space availability. This makes the frame available to the attacker attached to one of these ports. As a consequence, a MAC flooding attack would also affect all the VLANs filling their CAM. However, this kind of attack requires an attacker to control a device that is directly connected to an Ethernet switch.
Mitigation: This kind of attack would require authenticating and verifying the MAC addresses from some local database of legitimate addresses before populating the forwarding table entry.
MAC Spoofing
MAC Spoofing: Attacks occur when an attacker eavesdrops on a link and detects the MAC address of a target host. It then masquerades as a legitimate host by altering its host’s MAC address to match the newly detected MAC address. The attacker floods the network with the newly configured MAC address while directing the traffic to itself by altering the switch forwarding table entry. The switch is now tricked into forwarding the frames destined for the target host to the attacking host.
Mitigation: The 802.1X, (port-based authentication) is a good starting point for preventing unauthorized users from accessing any service on a network.
Address Resolution Protocol Spoofing
Address Resolution Protocol Spoofing: Attacks occur when an attacker sends a fake ARP message over a LAN, binding the target’s IP address to its own MAC address. Once it manages to compromise the ARP table, it will start receiving any data that were intended for the target’s IP address. ARP spoofing can also be used for DoS attacks by populating the ARP table with multiple IP addresses corresponding to a single MAC address of a target server.
Mitigation: Set limits on the number of addresses that can be learned per port on a switch. Some vendors use a verification process where they inspect the MAC address and IP address information in ARP packets against the MAC-IP bindings contained in a trusted binding table.
VLAN Hopping
VLAN Hopping: VLAN hopping attacks allow an attacking host on a VLAN to gain access to resources on other VLANs that would normally be restricted. There are two primary methods of VLAN hopping: switch spoofing and double tagging.
In a switch spoofing attack, an attacking host impersonates a trunking switch responding to the tagging and trunking protocols. The attacker now succeeds in accessing traffic for multiple VLANs. Vendors mitigate these attacks by proper switch configuration.
In a double tagging attack, an attacker succeeds in sending its frame to more than one VLAN by inserting two VLAN tags into a frame it transmits. Mitigation of both types of attacks is proper switch configuration and hardening.
