网络安全学习第一天:生成树攻击与防御策略
1.原理及概念:
STP协议:任意一交换机中,如果到达根交换机有两条或以上的链路,生成树协议都会根据算法,仅保留一条链路,其他链路都会被阻塞,从而保证任意两个交换机之间只有一条单一的活动链路,生成的这种拓扑结构很像以根交换机为树干的树形结构。
STP选举过程:1.选举根桥(根交换机),2.没有选举为根桥的都是非跟交换机,在非根交换机上要选举根端口,3.根端口选举完后在每个物理段都要选举指定交换机,4.指定交换机所连物理段接口为指定端口,5.既不是根端口又不是指定端口的阻塞。
STP欺骗原理:当攻击者想要获取信息,但不是根桥时,通过攻击发送最优根选举信息,成为根桥,数据流量经过本地,可以进行截取。
2.任务介绍
3.任务步骤
我们选用两个路由器,AR1220(AR1,AR2),三个接入层交换机S3700(LSW1,LSW2,和LSW hacker),一个汇聚层交换机S5700(LSW3),四台主机。
配置各个交换机保持连接,拓扑图如下:
各设备配置如下:
AR1:
[V200R003C00]
#
sysname R1
#
board add 0/2 2SA
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
drop illegal-mac alarm
#
undo info-center enable
#
set cpu-usage threshold 80 restore 75
#
acl number 2000
rule 5 permit source 192.168.0.0 0.0.255.255
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
firewall zone Local
priority 15
#
interface Ethernet0/0/0
#
interface Ethernet0/0/1
#
interface Ethernet0/0/2
#
interface Ethernet0/0/3
#
interface Ethernet0/0/4
#
interface Ethernet0/0/5
#
interface Ethernet0/0/6
#
interface Ethernet0/0/7
#
interface Serial2/0/0
link-protocol ppp
ip address 202.116.64.1 255.255.255.0
nat outbound 2000
#
interface Serial2/0/1
link-protocol ppp
#
interface GigabitEthernet0/0/0
ip address 192.168.4.2 255.255.255.0
#
interface GigabitEthernet0/0/1
#
interface NULL0
#
ospf 1
area 0.0.0.0
network 192.168.4.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 202.116.64.2
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
AR2:
[V200R003C00]
#
sysname R2
#
board add 0/2 2SA
#
snmp-agent local-engineid 800007DB03000000000000
snmp-agent
#
clock timezone China-Standard-Time minus 08:00:00
#
portal local-server load portalpage.zip
#
drop illegal-mac alarm
#
set cpu-usage threshold 80 restore 75
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password cipher %$%$K8m.Nt84DZ}e#<0`8bmE3Uw}%$%$
local-user admin service-type http
#
firewall zone Local
priority 15
#
interface Ethernet0/0/0
#
interface Ethernet0/0/1
#
interface Ethernet0/0/2
#
interface Ethernet0/0/3
#
interface Ethernet0/0/4
#
interface Ethernet0/0/5
#
interface Ethernet0/0/6
#
interface Ethernet0/0/7
#
interface Serial2/0/0
link-protocol ppp
ip address 202.116.64.2 255.255.255.0
#
interface Serial2/0/1
link-protocol ppp
#
interface GigabitEthernet0/0/0
ip address 116.64.100.1 255.255.255.0
#
interface GigabitEthernet0/0/1
#
interface NULL0
#
user-interface con 0
authentication-mode password
user-interface vty 0 4
user-interface vty 16 20
#
wlan ac
#
return
LSW1:
#
sysname LSW1
#
undo info-center enable
#
vlan batch 10 20
#
stp mode rstp
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
drop-profile default
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
#
interface Vlanif1
#
interface MEth0/0/1
#
interface Ethernet0/0/1
port link-type access
port default vlan 10
#
interface Ethernet0/0/2
port link-type access
port default vlan 10
#
interface Ethernet0/0/3
port link-type access
port default vlan 10
#
interface Ethernet0/0/4
port link-type access
port default vlan 10
#
interface Ethernet0/0/5
port link-type access
port default vlan 10
#
interface Ethernet0/0/6
port link-type access
port default vlan 10
#
interface Ethernet0/0/7
port link-type access
port default vlan 10
#
interface Ethernet0/0/8
port link-type access
port default vlan 10
#
interface Ethernet0/0/9
port link-type access
port default vlan 10
#
interface Ethernet0/0/10
port link-type access
port default vlan 10
#
interface Ethernet0/0/11
port link-type access
port default vlan 20
#
interface Ethernet0/0/12
port link-type access
port default vlan 20
#
interface Ethernet0/0/13
port link-type access
port default vlan 20
#
interface Ethernet0/0/14
port link-type access
port default vlan 20
#
interface Ethernet0/0/15
port link-type access
port default vlan 20
#
interface Ethernet0/0/16
port link-type access
port default vlan 20
#
interface Ethernet0/0/17
port link-type access
port default vlan 20
#
interface Ethernet0/0/18
port link-type access
port default vlan 20
#
interface Ethernet0/0/19
port link-type access
port default vlan 20
#
interface Ethernet0/0/20
port link-type access
port default vlan 20
#
interface Ethernet0/0/21
port link-type access
port default vlan 20
#
interface Ethernet0/0/22
port link-type access
port default vlan 20
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 20
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10 20
#
interface NULL0
#
user-interface con 0
user-interface vty 0 4
#
port-group 1
group-member Ethernet0/0/1
group-member Ethernet0/0/2
group-member Ethernet0/0/3
group-member Ethernet0/0/4
group-member Ethernet0/0/5
group-member Ethernet0/0/6
group-member Ethernet0/0/7
group-member Ethernet0/0/8
group-member Ethernet0/0/9
group-member Ethernet0/0/10
#
port-group 2
group-member Ethernet0/0/11
group-member Ethernet0/0/12
group-member Ethernet0/0/13
group-member Ethernet0/0/14
group-member Ethernet0/0/15
group-member Ethernet0/0/16
group-member Ethernet0/0/17
group-member Ethernet0/0/18
group-member Ethernet0/0/19
group-member Ethernet0/0/20
group-member Ethernet0/0/21
group-member Ethernet0/0/22
#
port-group 3
group-member GigabitEthernet0/0/1
group-member GigabitEthernet0/0/2
#
return
LSW2:
#
sysname LSW2
#
undo info-center enable
#
vlan batch 10 20
#
stp mode rstp
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
drop-profile default
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
#
interface Vlanif1
#
interface MEth0/0/1
#
interface Ethernet0/0/1
port link-type access
port default vlan 10
#
interface Ethernet0/0/2
port link-type access
port default vlan 10
#
interface Ethernet0/0/3
port link-type access
port default vlan 10
#
interface Ethernet0/0/4
port link-type access
port default vlan 10
#
interface Ethernet0/0/5
port link-type access
port default vlan 10
#
interface Ethernet0/0/6
port link-type access
port default vlan 10
#
interface Ethernet0/0/7
port link-type access
port default vlan 10
#
interface Ethernet0/0/8
port link-type access
port default vlan 10
#
interface Ethernet0/0/9
port link-type access
port default vlan 10
#
interface Ethernet0/0/10
port link-type access
port default vlan 10
#
interface Ethernet0/0/11
port link-type access
port default vlan 20
#
interface Ethernet0/0/12
port link-type access
port default vlan 20
#
interface Ethernet0/0/13
port link-type access
port default vlan 20
#
interface Ethernet0/0/14
port link-type access
port default vlan 20
#
interface Ethernet0/0/15
port link-type access
port default vlan 20
#
interface Ethernet0/0/16
port link-type access
port default vlan 20
#
interface Ethernet0/0/17
port link-type access
port default vlan 20
#
interface Ethernet0/0/18
port link-type access
port default vlan 20
#
interface Ethernet0/0/19
port link-type access
port default vlan 20
#
interface Ethernet0/0/20
port link-type access
port default vlan 20
#
interface Ethernet0/0/21
port link-type access
port default vlan 20
#
interface Ethernet0/0/22
port link-type access
port default vlan 20
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 20
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10 20
#
interface NULL0
#
user-interface con 0
user-interface vty 0 4
#
port-group 1
group-member Ethernet0/0/1
group-member Ethernet0/0/2
group-member Ethernet0/0/3
group-member Ethernet0/0/4
group-member Ethernet0/0/5
group-member Ethernet0/0/6
group-member Ethernet0/0/7
group-member Ethernet0/0/8
group-member Ethernet0/0/9
group-member Ethernet0/0/10
#
port-group 2
group-member Ethernet0/0/11
group-member Ethernet0/0/12
group-member Ethernet0/0/13
group-member Ethernet0/0/14
group-member Ethernet0/0/15
group-member Ethernet0/0/16
group-member Ethernet0/0/17
group-member Ethernet0/0/18
group-member Ethernet0/0/19
group-member Ethernet0/0/20
group-member Ethernet0/0/21
group-member Ethernet0/0/22
#
port-group 3
group-member GigabitEthernet0/0/1
group-member GigabitEthernet0/0/2
#
return
LSW3:
#
sysname LSW3
#
undo info-center enable
#
vlan batch 10 20 30 40
#
stp mode rstp
stp instance 0 root primary
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
drop-profile default
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
#
interface Vlanif1
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
#
interface Vlanif20
ip address 192.168.2.1 255.255.255.0
#
interface Vlanif30
ip address 192.168.3.1 255.255.255.0
#
interface Vlanif40
ip address 192.168.4.1 255.255.255.0
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 20
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10 20
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 30
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 40
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
#
interface GigabitEthernet0/0/11
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
#
interface NULL0
#
ospf 1
area 0.0.0.0
network 192.168.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
network 192.168.3.0 0.0.0.255
network 192.168.4.0 0.0.0.255
#
ip route-static 0.0.0.0 0.0.0.0 192.168.4.2
#
user-interface con 0
user-interface vty 0 4
#
return
hacker:
#
sysname hacker
#
undo info-center enable
#
stp mode rstp
stp instance 0 priority 0
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
drop-profile default
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
#
interface Vlanif1
#
interface MEth0/0/1
#
interface Ethernet0/0/1
#
interface Ethernet0/0/2
#
interface Ethernet0/0/3
#
interface Ethernet0/0/4
#
interface Ethernet0/0/5
#
interface Ethernet0/0/6
#
interface Ethernet0/0/7
#
interface Ethernet0/0/8
#
interface Ethernet0/0/9
#
interface Ethernet0/0/10
#
interface Ethernet0/0/11
#
interface Ethernet0/0/12
#
interface Ethernet0/0/13
#
interface Ethernet0/0/14
#
interface Ethernet0/0/15
#
interface Ethernet0/0/16
#
interface Ethernet0/0/17
#
interface Ethernet0/0/18
#
interface Ethernet0/0/19
#
interface Ethernet0/0/20
#
interface Ethernet0/0/21
#
interface Ethernet0/0/22
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
#
interface NULL0
#
user-interface con 0
user-interface vty 0 4
#
return
我们要使Hacker交换机的mac地址小于LSW3的mac地址,因为在相同的优先级下(priority 0)使Hacker交换机选举为根交换机,黑客交换机配置如下:
[Huawei]sysname Hacker
[Hacker]stp enable
[Hacker]stp mode rstp
[Hacker]stp priority 0 //优先级设置和LSW3相同
(1)验证黑客交换机选举为根交换机,由于黑客交换机mac地址小,从而选举为根网桥:
CIST Bridge :0 .4c1f-cc0f-328f
hacker交换机的优先级和mac地址。
CIST Root/ERPC :0 .4c1f-cc0f-328f / 0
CIST RegRoot/IRPC :0 .4c1f-cc0f-328f / 0
生成树选举的根网桥优先级和mac地址,从而判断hacker交换机为根网桥。
(2)验证LSW3交换机为非根网桥:
(3)验证SW3阻塞端口与备份链路。进入LSW3中,查看生成树接口简要信息,由于没有配置GE接口优先级,其默认都为128,下一步比较端口号,GE0/0/1端口号小于GE0/0/2端口,因此GE0/0/1选举为指定端口,GE0/0/2选为替换端口,处于阻塞,LSW3和LSW2之间链路为备份链路。
(4)验证LSW2阻塞端口与备份链路,
根据“根网桥对角线为备份链路”准则,LSW1和LSW2之间链路也应为备份链路,进入LSW2查看,发现GE0/0/1选举为替换端口,处于阻塞DISCARDING状态。
(5)生成树新拓扑结构,
黑客交换机接入后,生成树重新选举,阻塞备份端口,生成树选举过程会导致丢包现象,此时,LSW2流量必须经过黑客交换机转发,从而引起安全事件。