Design Guide for the Cisco Aironet 350 Mini-PCI Wireless LAN Client Adapter
4-40
Enterprise Mobility 4.1 Design Guide
OL-14435-01
Chapter 4 Cisco Unified Wireless Network Architecture—Base Security Features
Cisco Integrated Security Features
Figure 4-32 Using Port Security
Effectiveness of Port Security
Even when port security is not a viable option to stop this attack (as explained), a MAC flooding attack
does not succeed if it is launched by a wireless user. The reason for this is the 802.11 protocol itself.
Association with an AP is MAC-based; this means that the AP bridges (translational bridge) traffic
coming from or going to known users (known MACs). If a MAC flooding attack is launched from a
wireless user, all the 802.11 frames with random source MAC addresses that are not associated to the
AP are dropped. The only frame allowed is the one with the MAC address of the malicious user, which
the switch has probably already learned. Thus, the fundamental behavior of the access point itself
prevents the switch from being susceptible to MAC flooding attacks.
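The paragraph above argues that an AP's association check, not port security, is what keeps a wireless MAC flood away from the switch's CAM table. The following model is an added example, not code from the Cisco guide: a switch port that learns source MACs up to a configured limit and shuts down on a violation (the "shutdown" violation mode in the figure), and an AP that bridges only frames whose source MAC belongs to an associated station. The MAC limit of 3, the attacker MAC and the random flood are constructed inputs.

```python
"""Added example (not from the Cisco design guide): why a MAC-flooding tool
run by a wireless client never exhausts the upstream switch's MAC table."""
import random


class SwitchPort:
    """Switch port with port security: at most `max_macs` learned source MACs;
    a further new MAC is a violation and err-disables (shuts down) the port."""

    def __init__(self, max_macs: int):
        self.max_macs = max_macs
        self.learned = set()
        self.shutdown = False
        self.violations = 0

    def receive(self, src: bytes) -> bool:
        """Return True if the frame is accepted and forwarded."""
        if self.shutdown:
            return False
        if src not in self.learned:
            if len(self.learned) >= self.max_macs:
                self.violations += 1
                self.shutdown = True  # violation mode "shutdown"
                return False
            self.learned.add(src)
        return True


class AccessPoint:
    """Translational bridge: only frames from associated stations are bridged
    onto the wired side; everything else is dropped at the AP."""

    def __init__(self, associated):
        self.associated = set(associated)
        self.dropped = 0

    def bridge(self, src: bytes, uplink: SwitchPort) -> bool:
        if src not in self.associated:
            self.dropped += 1
            return False
        return uplink.receive(src)


def random_mac(rng: random.Random) -> bytes:
    # Locally administered (0x02) random MAC, as a flooding tool would generate
    return bytes([0x02] + [rng.randrange(256) for _ in range(5)])


def flood_wired(n: int, max_macs: int = 3, seed: int = 0):
    """Flood a wired port directly. Returns (frames forwarded, port shut down,
    MACs learned)."""
    rng = random.Random(seed)
    port = SwitchPort(max_macs)
    forwarded = sum(port.receive(random_mac(rng)) for _ in range(n))
    return forwarded, port.shutdown, len(port.learned)


def flood_wireless(n: int, max_macs: int = 3, seed: int = 0):
    """Same flood, but sent by a wireless station through an AP. Returns
    (frames forwarded, port shut down, MACs learned, frames dropped by AP)."""
    rng = random.Random(seed)
    attacker = bytes.fromhex("001122334455")  # constructed, associated station
    port = SwitchPort(max_macs)
    ap = AccessPoint({attacker})
    forwarded = sum(ap.bridge(random_mac(rng), port) for _ in range(n))
    forwarded += ap.bridge(attacker, port)  # the station's own MAC is still bridged
    return forwarded, port.shutdown, len(port.learned), ap.dropped


if __name__ == "__main__":
    print("wired   :", flood_wired(1000))      # (3, True, 3)
    print("wireless:", flood_wireless(1000))   # (1, False, 1, 1000)
```

On the wired side the port learns three MACs and then err-disables; on the wireless side the switch never sees more than the one associated MAC, so port security on the AP's uplink is never even exercised.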
Using Port Security to Mitigate a DHCP Starvation Attack
For wired access, port security can currently prevent a DHCP starvation attack launched from a PC
connected to a switch using a tool such as Gobbler. The inability of the attack to succeed is due
more to a limitation of the tool than to the mitigation offered by port security. The only reason such an
attack fails is that Gobbler uses a different source MAC address for each DHCP request it generates,
which port security can detect and block.
However, if an attacker keeps its own MAC address as the source of the Ethernet frame and simply changes the
MAC address in the DHCP payload (the field is called chaddr), port security would not stop the attack.
In this case, all that can currently be done is to try to slow down the attack using a DHCP rate limiter on
the switch port.
Wireless DHCP Starvation Attack
In a Unified Wireless deployment, the vulnerability to a DHCP starvation attack depends on whether the
WLC terminates the user traffic or an H-REAP terminates the user traffic.
The WLC protects the network from DHCP starvation attacks because it examines DHCP requests to
ensure that the client MAC address matches the chaddr. If the addresses do not match, the DHCP request
is dropped.
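The two defences described above (the WLC's chaddr-versus-source-MAC check, and the wired fallback of a DHCP rate limiter on the switch port) are modelled in the following added example. It is not code from the Cisco guide or the WLC itself; the DHCPDISCOVER frames are constructed inline with zeroed IP/UDP checksums, the field offsets follow RFC 2131 and 802.3, and the rate-limiter parameters (10 packets per second, burst of 5) are assumed values.

```python
"""Added example (not from the Cisco design guide): a WLC-style check that
drops DHCP requests whose BOOTP chaddr differs from the client's Ethernet
source MAC, beside the wired fallback of a per-port DHCP rate limiter."""
import struct

ETH_LEN, IP_LEN, UDP_LEN = 14, 20, 8
DHCP_CLIENT_PORT, DHCP_SERVER_PORT = 68, 67
BOOTP_FIXED_LEN = 44          # up to and including the 16-byte chaddr


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_dhcp_discover(eth_src: str, chaddr: str, xid: int = 0x1234) -> bytes:
    """Construct a minimal Ethernet/IPv4/UDP/BOOTP DHCPDISCOVER frame.
    IP and UDP checksums are zero: this is a constructed sample, not a capture."""
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s",
                        1, 1, 6, 0,                    # op=BOOTREQUEST, htype=Ethernet, hlen, hops
                        xid, 0, 0x8000,                # xid, secs, flags (broadcast)
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,  # ciaddr yiaddr siaddr giaddr
                        mac_bytes(chaddr).ljust(16, b"\0"))          # chaddr padded to 16 bytes
    bootp += b"\0" * 64 + b"\0" * 128                  # sname, file
    bootp += b"\x63\x82\x53\x63" + b"\x35\x01\x01\xff" # magic cookie, option 53=DISCOVER, end
    udp = struct.pack("!HHHH", DHCP_CLIENT_PORT, DHCP_SERVER_PORT, UDP_LEN + len(bootp), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_LEN + len(udp) + len(bootp), 0, 0,
                     64, 17, 0, b"\0\0\0\0", b"\xff\xff\xff\xff")
    eth = b"\xff" * 6 + mac_bytes(eth_src) + b"\x08\x00"
    return eth + ip + udp + bootp


def parse_dhcp_request(frame: bytes):
    """Return (ethernet_src_mac, chaddr) for a DHCP request, else None."""
    if len(frame) < ETH_LEN + IP_LEN + UDP_LEN + BOOTP_FIXED_LEN:
        return None
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:      # not IPv4
        return None
    ihl = (frame[ETH_LEN] & 0x0F) * 4
    if frame[ETH_LEN + 9] != 17:                             # not UDP
        return None
    udp_off = ETH_LEN + ihl
    _sport, dport = struct.unpack("!HH", frame[udp_off:udp_off + 4])
    if dport != DHCP_SERVER_PORT:
        return None
    bootp = frame[udp_off + UDP_LEN:]
    if len(bootp) < BOOTP_FIXED_LEN:
        return None
    op, htype, hlen = bootp[0], bootp[1], bootp[2]
    if op != 1 or htype != 1 or hlen != 6:
        return None
    return frame[6:12], bootp[28:28 + hlen]


def wlc_allows(frame: bytes) -> bool:
    """WLC-style check: forward a DHCP request only if chaddr equals the MAC
    the client is actually transmitting with. Non-DHCP frames pass untouched."""
    parsed = parse_dhcp_request(frame)
    if parsed is None:
        return True
    eth_src, chaddr = parsed
    return eth_src == chaddr


class DhcpRateLimiter:
    """Token bucket per switch port: the wired fallback. It cannot tell spoofed
    chaddr values from genuine clients; it only bounds the request rate."""

    def __init__(self, pps: float, burst: int):
        self.pps, self.burst = pps, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.pps)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def simulate_starvation(n: int, limiter: DhcpRateLimiter):
    """Attacker keeps its real Ethernet MAC and varies only chaddr, sending
    1000 requests/s. Returns (passed by WLC check, passed by wired limiter)."""
    attacker = "00:11:22:33:44:55"                           # constructed
    wlc_pass = wired_pass = 0
    for i in range(n):
        fake_chaddr = f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}"
        frame = build_dhcp_discover(attacker, fake_chaddr)
        wlc_pass += wlc_allows(frame)
        wired_pass += limiter.allow(now=i * 0.001)
    return wlc_pass, wired_pass


if __name__ == "__main__":
    print(simulate_starvation(1000, DhcpRateLimiter(pps=10, burst=5)))
```

The WLC check passes none of the spoofed requests while still forwarding a genuine client whose chaddr matches its source MAC; the rate limiter lets a bounded trickle through (burst plus roughly `pps` per second), which is why the text calls it slowing the attack rather than stopping it.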
[Figure 4-32 image: a switch port configured with port security, only 3 MAC addresses allowed on the port, violation action shutdown]