（華為認證網(wǎng)絡(luò)安全專家）培訓(xùn)教材 HC13031054 二層攻擊防范技術(shù)應(yīng)用

1、Copyright 2014 Huawei Technologies Co., Ltd. All rights reserved. Page 0修訂記錄課程編碼課程編碼適用產(chǎn)品適用產(chǎn)品產(chǎn)品版本產(chǎn)品版本課程版本課程版本ISSUEHC13031054USG6000V1R1V1.0開發(fā)開發(fā)/優(yōu)化者優(yōu)化者時間時間審核人審核人開發(fā)類型（新開發(fā)開發(fā)類型（新開發(fā)/優(yōu)化）優(yōu)化）王銳2014-08-15姚傳哲開發(fā)本頁不打印Copyright 2014 Huawei Technologies Co., Ltd. All rights reserved. HC13031054二層攻擊防范技術(shù)應(yīng)用Copyright

2、2014 Huawei Technologies Co., Ltd. All rights reserved. Page 2 前言l在企業(yè)網(wǎng)絡(luò)中有多種基于二層的攻擊手段，防火墻針對這些二層攻擊手段都有其相應(yīng)的防御手段。l在本課中，介紹一些常見的二層攻擊及防范方法。Copyright 2014 Huawei Technologies Co., Ltd. All rights reserved. Page 3 目標l學完本課程后，您將能夠:p了解DCHP Snooping技術(shù)p了解ARP Spoofing攻擊及其防御原理p了解IPSG技術(shù)p了解DAI技術(shù)p了解端口安全技術(shù)Copyright 201

3、4 Huawei Technologies Co., Ltd. All rights reserved. Page 4 目錄lDHCP SnoopinglARP SpoofinglIPSGlDAIl端口安全Copyright 2014 Huawei Technologies Co., Ltd. All rights reserved. Page 5DHCP Snooping 概述lDHCP Snooping功能用于防止pDHCP Server仿冒者攻擊；p中間人攻擊與IP/MAC Spoofing攻擊；p改變CHADDR值的DoS攻擊。pOption82IP地址地址MAC地址地址地址租約地址租

4、約綁定類型綁定類型VLAN ID1 12 23 34 45 5接口信息接口信息6 6主要目的DHCP DoSDHCP 仿冒中間人攻擊SpoofingCopyright 2014 Huawei Technologies Co., Ltd. All rights reserved. Page 6DHCP Server 仿冒者攻擊Page 6DHCP DHCP 服務(wù)器服務(wù)器偽造偽造DHCPDHCP服務(wù)器服務(wù)器使能使能DHCP SnoopingDHCP SnoopingDHCP RequestDHCP RequestDHCP ACKDHCP ACK1 12 23 31 12 23 3不信任不信任接接口

5、口信任接口信任接口偽造偽造DHCPDHCP服務(wù)器的危害服務(wù)器的危害Copyright 2014 Huawei Technologies Co., Ltd. All rights reserved. Page 7中間人與IP/MAC Spoofing 攻擊l動態(tài)動態(tài)IPIP與與MACMAC綁定表綁定表l 靜態(tài)靜態(tài)IPIP與與MACMAC綁定表綁定表IPIP與與MACMAC綁定表綁定表Im really Im really 10.0.0.2 10.0.0.2 我是服務(wù)器我是服務(wù)器10.0.0.110.0.0.1IP: 10.0.0.1IP: 10.0.0.1IP: IP: 10.1.0.210.1

6、.0.2我是客戶端我是客戶端10.1.0.210.1.0.2Im really Im really 10.0.0.1 10.0.0.1 Copyright 2014 Huawei Technologies Co., Ltd. All rights reserved. Page 8改變CHADDR 值的DoS 攻擊lCHADDR：Client Hardware Address；l攻擊者改變的不是數(shù)據(jù)幀頭部的源MAC 地址，而是改變DHCP 報文中的CHADDR；l檢查DHCP Request 報文中CHADDR 字段。L2 NetworkFWDHCP RelayServerDHCP Client

7、AttackerL3 NetworkCopyright 2014 Huawei Technologies Co., Ltd. All rights reserved. Page 9Option82（仿冒DHCP續(xù)租報文攻擊）l應(yīng)用場景：當網(wǎng)絡(luò)中存在攻擊者時，攻擊者通過不斷發(fā)送DHCP Request報文來冒充用戶續(xù)租IP。l 防范原理：可以在設(shè)備上配置DHCP Snooping功能，檢查DHCP Request報文和使用DHCP Snooping綁定功能.L2 NetworkFWDHCP RelayServerDHCP ClientAttackerL3 NetworkUntrusttrustC

8、opyright 2014 Huawei Technologies Co., Ltd. All rights reserved. Page 10DHCP Snooping配置舉例項目項目數(shù)據(jù)數(shù)據(jù)（1）接口：GigabitEthernet 0/0/0IP地址：10.1.1.254/24（2）接口：GigabitEthernet 0/0/1IP地址：100.1.1.1/24DHCP服務(wù)器地址100.1.1.2/24USGDHCP ReplayFWDHCP RelayServerDHCP Client 1DHCP Client 2IP 10.1.1.1/24Mac: 00e0-fc5e-008aL3

9、 NetworktrustedSwitchUntrusted（1）（2）Copyright 2014 Huawei Technologies Co., Ltd. All rights reserved. Page 11配置配置DHCP RelayDHCP Relay的基本功能的基本功能DHCP Snooping配置步驟（1）l配置接口GigabitEthernet 0/0/1接口地址。 system-viewUSG sysname DHCP-RelayDHCP-Relay interface GigabitEthernet 0/0/1DHCP-Relay-GigabitEthernet0/0/

10、1 ip address 100.1.1.1 24 l配置DHCP中繼功能接口。DHCP-Relay interface GigabitEthernet 0/0/0 DHCP-Relay-GigabitEthernet0/0/0 ip address 10.1.1.254 24 DHCP-Relay-GigabitEthernet0/0/0 dhcp select relayDHCP-Relay-GigabitEthernet0/0/0 ip relay address 100.1.1.2 Copyright 2014 Huawei Technologies Co., Ltd. All rig

11、hts reserved. Page 12開啟開啟DHCP SnoopingDHCP Snooping功能，配置功能，配置TrustedTrusted接口接口DHCP Snooping配置步驟（2）l啟用全局和接口的DHCP Snooping功能。DHCP-Relay dhcp snooping enableDHCP-Relay interface GigabitEthernet 0/0/0DHCP-Relay-GigabitEthernet0/0/0dhcp snooping enableDHCP-Relay interface GigabitEthernet 0/0/1DHCP-Relay

12、-GigabitEthernet0/0/1dhcp snooping enable l配置DHCP Server側(cè)接口配置為“Trusted” 。DHCP-Relay-GigabitEthernet0/0/1dhcp snooping trusted Copyright 2014 Huawei Technologies Co., Ltd. All rights reserved. Page 13DHCP Snooping配置步驟（3）l配置對特定報文的檢查和DHCP Snooping綁定表DHCP-Relay interface GigabitEthernet 0/0/0DHCP-Relay-

13、GigabitEthernet0/0/0 dhcp snooping check arp enable DHCP-Relay-GigabitEthernet0/0/0 dhcp snooping check ip enableDHCP-Relay-GigabitEthernet0/0/0 dhcp snooping check dhcp-request enable DHCP-Relay-GigabitEthernet0/0/0 dhcp snooping check dhcp-chaddr enableDHCP-Relay-GigabitEthernet0/0/0 dhcp snooping

14、 bind-table static ip-address 10.1.1.1 mac-address 00e0-fc5e-008aCopyright 2014 Huawei Technologies Co., Ltd. All rights reserved. Page 14DHCP Snooping配置步驟（4）l配置DHCP上送速率限制和配置Option82 DHCP-Relay dhcp snooping check dhcp-rate 90DHCP-Relay dhcp snooping check dhcp-rate enable DHCP-Relay interface Gigab

15、itEthernet 0/0/0 DHCP-Relay-GigabitEthernet0/0/0 dhcp option82 insert enablel顯示DHCP Snooping綁定表的靜態(tài)表項信息。 display dhcp snooping bind-table static bind-table: ifname vrf vsi p/cvlan mac-address ip-address tp leaseVlanif1 0000 - 0000/0000 0011-0022-0034 1.2.3.0 S 0 Copyright 2014 Huawei Technologies Co.

16、, Ltd. All rights reserved. Page 15 目錄lDHCP SnoopinglARP SpoofinglIPSGlDAIl端口安全Copyright 2014 Huawei Technologies Co., Ltd. All rights reserved. Page 16ARP Spoofing原理InternetRouterUserAUserBAttackerIP: 10.1.1.1MAC: A-A-AIP: 10.1.1.2MAC: B-B-BIP: 10.1.1.3MAC: C-C-CIP地址MAC地址Type10.1.1.3C-C-CDynamicIP地

17、址MAC地址Type10.1.1.3D-D-DDynamicUserA的ARP表項攻擊者回應(yīng)欺騙報文Copyright 2014 Huawei Technologies Co., Ltd. All rights reserved. Page 17ARP Spoofing配置l執(zhí)行命令firewall defend arp-spoofing enable，開啟ARP欺騙攻擊防范功能。Copyright 2014 Huawei Technologies Co., Ltd. All rights reserved. Page 18 目錄lDHCP SnoopinglARP SpoofinglIPSG

18、lDAIl端口安全Copyright 2014 Huawei Technologies Co., Ltd. All rights reserved. Page 19IPSG背景l(fā)隨著網(wǎng)絡(luò)規(guī)模越來越大，基于源IP 的攻擊也逐漸增多，一些攻擊者利用欺騙的手段獲取到網(wǎng)絡(luò)資源，取得合法使用網(wǎng)絡(luò)的能力，甚至造成被欺騙者無法訪問網(wǎng)絡(luò)，或者信息泄露，造成不可估量的損失。lIP Source Guard 是指設(shè)備在作為二層設(shè)備使用時，利用綁定表來防御IP 源欺騙的攻擊。當設(shè)備在轉(zhuǎn)發(fā)IP 報文時，將此IP 報文中的源IP、源MAC、端口、VLAN 信息和綁定表的信息進行比較，如果信息匹配，說明是合法用戶，則允許

19、此用戶正常轉(zhuǎn)發(fā)，否則認為是攻擊者，丟棄該用戶發(fā)送的IP 報文。Copyright 2014 Huawei Technologies Co., Ltd. All rights reserved. Page 20IP/MAC欺騙攻擊典型場景IP: 1.1.1.2/24MAC: 2-2-2IP: 1.1.1.3/24MAC: 3-3-3IP: 1.1.1.1/24MAC: 1-1-1IP: 1.1.1.3/24MAC: 3-3-3AttackerDHCP ClientDHCP Server收到一個用戶的IP和MAC，我要刷新MAC信息到我的端口下SwitchCopyright 2014 Huawei

20、 Technologies Co., Ltd. All rights reserved. Page 21IPSG防御原理IP: 1.1.1.2/24MAC: 2-2-2IP: 1.1.1.3/24MAC: 3-3-3IP: 1.1.1.1/24MAC: 1-1-1IP: 1.1.1.3/24MAC: 3-3-3AttackerDHCP ClientDHCP Server在接口或VLAN上配置了IPSGSwitchIP地址包括IPv4地址和IPv6地址，即使能IPSG功能后，設(shè)備將對用戶IP報文的源IPv4地址和源IPv6地址都進行檢查。IPSG功能只對IP類型的報文有效。對其他類型的報文，如P

21、PPoE（Point-to-Point Protocol over Ethernet）報文無法生效。Copyright 2014 Huawei Technologies Co., Ltd. All rights reserved. Page 22IPSG防御原理IP: 1.1.1.2/24MAC: 2-2-2IP: 1.1.1.3/24MAC: 3-3-3IP: 1.1.1.1/24MAC: 1-1-1IP: 1.1.1.3/24MAC: 3-3-3AttackerDHCP ClientDHCP Server在接口或VLAN上配置了IPSGSwitchIP地址包括IPv4地址和IPv6地址，即

22、使能IPSG功能后，設(shè)備將對用戶IP報文的源IPv4地址和源IPv6地址都進行檢查。IPSG功能只對IP類型的報文有效。對其他類型的報文，如PPPoE（Point-to-Point Protocol over Ethernet）報文無法生效。Copyright 2014 Huawei Technologies Co., Ltd. All rights reserved. Page 23IPSG配置舉例l組網(wǎng)需求pHostA與HostB分別與Switch的GE1/0/1和GE1/0/2接口相連。要求使HostB不能仿冒HostA的IP和MAC欺騙Server，保證HostA的IP報文能正常上送。

23、Host AIP: 10.0.0.1/24MAC: 1-1-1Host B (Attacker)IP: 10.0.0.2/24MAC: 2-2-2SwitchServerGE1/0/1GE1/0/2Copyright 2014 Huawei Technologies Co., Ltd. All rights reserved. Page 24IPSG配置舉例1.配置IP報文檢查功能。2.配置HostA為靜態(tài)綁定表項。interface gigabitethernet 1/0/1 ip source check user-bind enable ip source check user-bind

24、 alarm enable ip source check user-bind alarm threshold 200interface gigabitethernet 1/0/2 ip source check user-bind enable ip source check user-bind alarm enable ip source check user-bind alarm threshold 200user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001 interface gigabitethernet 1/

25、0/1 Copyright 2014 Huawei Technologies Co., Ltd. All rights reserved. Page 25IPSG配置舉例-驗證配置結(jié)果l在Switch上執(zhí)行display dhcp static user-bind all命令可以查看綁定表信息。l從顯示信息可知，HostA已經(jīng)配置為靜態(tài)綁定表項。Switch display dhcp static user-bind all DHCP static Bind-table: Flags:O - outer vlan ,I - inner vlan ,P - Vlan-mapping IP Add

26、ress MAC Address VSI/VLAN(O/I/P) Interface -10.0.0.1 0001-0001-0001 - /- /- GE1/0/1 -Print count: 1 Total count: 1 Copyright 2014 Huawei Technologies Co., Ltd. All rights reserved. Page 26 目錄lDHCP SnoopinglARP SpoofinglIPSGlDAIl端口安全Copyright 2014 Huawei Technologies Co., Ltd. All rights reserved. Pa

27、ge 27ARP中間人攻擊 InternetRouterUserAUserBAttackerIP: 10.1.1.1MAC: 1-1-1IP: 10.1.1.2MAC: 2-2-2IP: 10.1.1.3MAC: 3-3-3Attacker向UserA發(fā)送偽造UserB的ARP報文Attacker向UserB發(fā)送偽造UserA的ARP報文IP地址MAC地址Type10.1.1.33-3-3DynamicIP地址MAC地址Type10.1.1.32-2-2DynamicIP地址MAC地址Type10.1.1.11-1-1DynamicIP地址MAC地址Type10.1.1.22-2-2Dynam

28、icUserA的ARP表項ARP表項更新為UserB的ARP表項ARP表項更新為Copyright 2014 Huawei Technologies Co., Ltd. All rights reserved. Page 28動態(tài)ARP檢測lDAI（Dynamic ARP Inspection）InternetRouterUserAUserBAttackerIP: 10.1.1.1MAC: 1-1-1IP: 10.1.1.2MAC: 2-2-2IP: 10.1.1.3MAC: 3-3-3Enable DAI查找DHCP Snooping 綁定表Copyright 2014 Huawei Tec

29、hnologies Co., Ltd. All rights reserved. Page 29DAI配置ldai enable 用于使能動態(tài)ARP檢測功能。l配置舉例： system-view Huawei wlan ac Huawei-wlan-view service-set name test Huawei-wlan-service-set-test dai enable Copyright 2014 Huawei Technologies Co., Ltd. All rights reserved. Page 30 目錄lDHCP SnoopinglARP SpoofinglIPSGlDAIl端口安全端口安全Copyright 2014 Huawei Technologies Co., Ltd. All rights reserved. Page 31端口安全l端口安全（Port Security）功能將交換機接口學習到的MAC地址變?yōu)榘踩玀AC地址（包括安全動態(tài)MAC和Sticky MAC），可以阻止除安全MAC和靜態(tài)MAC之外的主機通過本接口和交換機通信，從而增強設(shè)備安全性。Host AHost BSwitchAGE0/0/1