Sunday, March 25, 2018

Storm Control

Rate limiting of layer 2 traffic at the port level of a switch is needed to contain traffic storms, one of the worst nightmares in networking. Storms can be unicast, multicast or broadcast.

Storms are controlled by setting rising and falling thresholds based on one of the following:

1) Packet rate
2) Percentage of the interface bandwidth


When a configured threshold is exceeded, the switch can take the following actions:

1) Discard the excess traffic according to the configured commands
2) Shut down the port or send an SNMP trap

Let's see a real world configuration requirement:

(1) Limit broadcast traffic to 100 packets per second. When broadcast traffic drops back to 50 packets per second, begin forwarding broadcast traffic again.
(2) Limit multicast traffic to 0.5% of the interface bandwidth. When multicast traffic drops to 0.4%, begin forwarding multicast traffic again.
(3) Limit unicast traffic to 80% of the interface bandwidth; forward all unicast traffic up to this limit.
(4) Send an SNMP trap for the above conditions.

The following show commands confirm the configuration:

As you can see in the 3rd task, if you haven't configured a falling threshold, the switch does not wait for traffic to drop to a lower threshold; it resumes forwarding as soon as traffic falls below the rising threshold.

Note:- Storm control can be configured on physical ports only. Although the commands are visible on EtherChannel interfaces, they don't work there.

Here is a good post I found online explaining how traffic limiting is done with polling intervals:
http://packetlife.net/blog/2008/nov/27/storm-control/

Saturday, February 3, 2018

DHCP Traffic through Transparent ASA

A transparent firewall only allows ARP broadcast traffic to pass through; all other broadcast traffic is blocked, which means DHCP traffic will not flow through. Here are the essential ACLs needed to allow DHCP traffic through a Cisco ASA in transparent mode.


ZONE-1 and ZONE-2 are at the same security level, and traffic between interfaces at the same security level is enabled.

To understand what really happens at the back end of the DHCP protocol, please go here. This post explains it with Wireshark captures.



According to the packet capture, the Discover and Request packets are sent by the client as a broadcast with a source IP address of 0.0.0.0, a destination IP address of 255.255.255.255 and a destination port of UDP 67 (bootps). So this requires an ACL on the ZONE-2 interface.

The Offer and Ack packets have the source IP of the DHCP server, the destination can be any address, and the destination port is UDP 68 (bootpc). This requires an ACL on the ZONE-1 interface.


Deep into DHCP Protocol

Let's analyze DHCP packets using Wireshark and see what's really going on inside the wire.


You can see the DORA (Discover, Offer, Request, Acknowledgement) packets going through.


Discover

This packet is sent by the client as a broadcast with a source IP address of 0.0.0.0 and a destination IP address of 255.255.255.255.
The source MAC address is the client's MAC address and the destination MAC address is FF:FF:FF:FF:FF:FF.
The source port is UDP 68 (bootpc) and the destination port is UDP 67 (bootps).


Offer

This packet is sent by the server as a unicast with the source IP address of the DHCP server and a destination IP address equal to the address the server is about to offer to the client.
The source MAC address is the DHCP server's MAC address and the destination MAC address is the client's MAC address.
The source port is UDP 67 (bootps) and the destination port is UDP 68 (bootpc).

If you look further into the Bootstrap Protocol section, it shows the IP address to be assigned, which is the same as the destination IP address of the packet.

Request

This packet's source and destination IPs, MACs and port numbers are the same as in the Discover packet, but the Bootstrap information shows the requested IP, which in this case is the same as the offered IP.

Acknowledgement

This packet's source and destination IPs, MACs and port numbers are the same as in the Offer packet; it confirms the lease.

Note:- When the client goes down and comes back up within the lease time, the client sends only a Request and the DHCP server replies with only an Ack.
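As an added example, not part of the original post, here is a small Python parser for the DHCP fields these captures point at (op, yiaddr, chaddr, the option 53 message type and the option 50 requested IP), plus a check that the Offer's yiaddr, the Request's requested IP and the Ack's yiaddr agree as described above. The client MAC, server ID, lease address and transaction ID are constructed sample values, not taken from a real capture.

```python
import struct
from ipaddress import IPv4Address

MAGIC = b"\x63\x82\x53\x63"        # DHCP magic cookie that follows the 236-byte BOOTP header
FMT = "!BBBBIHH4s4s4s4s16s64s128s"  # op htype hlen hops xid secs flags ciaddr yiaddr siaddr giaddr chaddr sname file
MSG_TYPES = {1: "Discover", 2: "Offer", 3: "Request", 5: "Ack"}   # option 53 values seen in DORA

def build_dhcp(op, xid, yiaddr, chaddr, options):
    # Minimal BOOTP/DHCP payload: header, cookie, TLV options, end marker (0xff).
    hdr = struct.pack(FMT, op, 1, 6, 0, xid, 0, 0x8000, b"\0" * 4, IPv4Address(yiaddr).packed,
                      b"\0" * 4, b"\0" * 4, chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return hdr + MAGIC + opts + b"\xff"

def parse_dhcp(data):
    # Pull out the fields the Wireshark captures above point at.
    f = struct.unpack(FMT, data[:236])
    if data[236:240] != MAGIC:
        raise ValueError("magic cookie missing: not a DHCP payload")
    opts, i = {}, 240
    while i < len(data) and data[i] != 0xff:
        if data[i] == 0:               # pad option: a single byte with no length
            i += 1
            continue
        code, length = data[i], data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": f[0], "xid": f[4],
            "yiaddr": str(IPv4Address(f[8])),   # "your IP": the address being offered/confirmed
            "chaddr": f[11][:f[2]].hex(":"),    # client hardware address, hlen bytes of chaddr
            "type": MSG_TYPES.get(opts.get(53, b"\0")[0], "other"),
            "requested_ip": str(IPv4Address(opts[50])) if 50 in opts else None}

def lease_from_dora(packets):
    # Return (client MAC, leased IP) only if the four payloads form one consistent DORA exchange.
    p = [parse_dhcp(x) for x in packets]
    if [m["type"] for m in p] != ["Discover", "Offer", "Request", "Ack"]:
        raise ValueError("not a Discover/Offer/Request/Ack sequence")
    disc, offer, req, ack = p
    if not offer["yiaddr"] == req["requested_ip"] == ack["yiaddr"]:
        raise ValueError("requested IP does not match the offered/acknowledged IP")
    return disc["chaddr"], ack["yiaddr"]

# Constructed sample exchange (not a real capture): client 00:11:22:33:44:aa, server 10.1.1.1 leases 10.1.1.50
CLIENT = bytes.fromhex("0011223344aa")
SERVER_ID = (54, IPv4Address("10.1.1.1").packed)
DORA = [build_dhcp(1, 0x3903f326, "0.0.0.0", CLIENT, [(53, b"\x01")]),
        build_dhcp(2, 0x3903f326, "10.1.1.50", CLIENT, [(53, b"\x02"), SERVER_ID]),
        build_dhcp(1, 0x3903f326, "0.0.0.0", CLIENT, [(53, b"\x03"), (50, IPv4Address("10.1.1.50").packed)]),
        build_dhcp(2, 0x3903f326, "10.1.1.50", CLIENT, [(53, b"\x05"), SERVER_ID])]
```

Calling `lease_from_dora(DORA)` returns the client MAC and the leased address; feeding it a Request whose option 50 differs from the offered address raises a ValueError, which is the mismatch a transparent-firewall ACL will never catch on its own.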

Cyber Security Project for ICS SCADA Systems at Muscat, Oman

More experience with Cisco Next Generation Firewalls and Firepower products, including FMC, FTD, IDSes and IPSes. The project was to secure the MEDC (Muscat Electricity Distribution Company) monitoring system implemented by PSI, Malaysia.