Man-in-the-Middle Attack

A man-in-the-middle attack, an advanced version of MAC spoofing, also lets the attacker receive data intended for the victim. The attacker simultaneously relays the messages to the victim, so the victim does not know anyone else is listening. The beauty of this type of attack is that all users can access the network as usual and neither the source nor the destination node have any indication of the attack. If an attacker pretends to be an Internet gateway, all traffic flows through the attacker's device; he or she can observe every connection, look into the packet contents, and analyze users' behaviors. Even with SSL encryption, commonly used in Internet connections, attackers have found ways to work around the protection through social engineering. For example, the attacker could send phishing email to the victim that appears to come from a familiar website.

In addition to enabling surveillance, this kind of attack allows the attacker to change the network's entire traffic pattern (Figure 8). Changes in the traffic path can also bypass the enterprise firewalls and causes LAN hosts to lose virus and malware protection. The attacker may also redirect the traffic by using a rogue DNS server to a fake web server that will collect private information.

Figure 8: The attacker spoofs the gateway's MAC address to cheat the switch sending all Internet traffic. Ettercap can support this type of attack.

Port Security

To protect the MAC address table from attack, you can enable the port security feature [4] on a switch so that only authorized MAC addresses are allowed to attach to the switch. I will use Cisco IOS as an example here.

To change the switch port to access mode and enable the port security feature, you use the following commands:

Switch(config)#interface FastEthernet 0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security

Then, statically add the authorized MAC address to the port.

Switch(config-if)#switchport port-security mac-address ABCD.EF00.0001

From now on, only the host with a MAC address equal to ABCD.EF00.0001 can attach to the switch port FastEthernet 0/1. If any hosts with unauthorized MAC addresses are plugged in to the port, an error message appears, and the port will be put into an errdisable state. No traffic is allowed to pass through until the network administrator resets the port.

However, an enterprise network may have thousands of network ports. The network administrator will be late for lunch logging in to the switch and resetting the port every time someone plugs in an unauthorized device. You can tell the switch to reset the port automatically after some predefined time:

Switch(config)#errdisable recovery cause psecure-violation
Switch(config)#errdisable recovery interval 600

sticky

Configuring MAC address entries may be another reason why a network administrator is late for lunch. Compared with one-by-one manual input, sticky is a more scalable setting. By enabling the port security sticky feature at the switch port, the switch will automatically add the first MAC address that connects the port to the configuration file. Use the following command to enable sticky:

Switch(config-if)#switchport port-security mac-address sticky

In some situations, you may need to configure port security to allow more than one MAC address to connect to a port. For example, you may need to add a small switch temporarily for a group of users to share a port. If so, you'll need to increase the maximum accepted MAC addresses for the port that will connect to this new switch from a default value of 1 to the number of connected devices. Remember that the switch itself will need to communicate with other switches, so the total number of new MAC addresses should be the number of hosts plus one.

Switch(config-if)#switchport port-security maximum 5