Friday, November 30, 2012

Ethernet filtering fun in hexa with D-Link DES-3250

Most network admins in education know that the source of the most evil is the dormitory. Mostly ignorance with just a touch of malice for the flavor. Rogue DHCP servers, IPv6 router advertisements, IP collisions and the occasional ARP spoofing.

The D-Link DES-3250 series is our choice of switch for our dormitory, as it's cheap and fairly reliable. It can't perform proper DHCP snooping, dymanic-ARP-inspection or even the ARP protection the DES-3526 can, but it can do some filtering, based on IP, MAC or raw ethernet packets.

Credits for the first two go to Gavin McCullagh, not me.

You can filter DHCP replies easily:

create access_profile ip udp src_port_mask 0xFFFF port 1-48 profile_id 1 
config access_profile profile_id 1 add access_id 1 ip udp src_port 67 deny 

Now this one is a thing of beauty: filtering IPv6 Router advertisements:

create access_profile packet_content_mask offset_0-15  0x0  0x0  0x0  0xFFFF0000 offset_16-31  0x0  0xFF000000  0x0  0x0 offset_48-63  0x0  0xFF00  0x0  0x0 port 1-48 profile_id 2 
config access_profile profile_id 2 add access_id 1 packet_content offset_0-15  0x0  0x0  0x0  0x86DD0000 offset_16-31  0x0  0x3A000000  0x0  0x0 offset_48-63  0x0  0x8600  0x0  0x0 deny 

IPv6 uses ethertype 0x86dd, and the type for RA in ICMPv6 is 0x86

Yesterday I had 4 TP-Link APs configured as This wouldn't be a big issue normally, but these ones were dead-set on sending gratuitous ARPs against each other at speeds of 10Mpps...
The DES-3250 has broadcast control, which was set at 8pps, but something went wrong, as the switches still forwarded around 4kpps of ARPs on all ports.
So next up is IPv4 ARP filtering for anything with the source

create access_profile packet_content_mask offset_0-15  0x0  0x0  0x0  0xFFFF0000 offset_16-31  0x0  0x0  0x0  0xFFFF0000 port 1-48 profile_id 3 
config access_profile profile_id 3 add access_id 1 packet_content offset_0-15  0x0  0x0  0x0  0x08060000 offset_16-31  0x0  0x0  0x0  0xC0A80000 deny 

The ethertype for ARP is 0x8060, and 192.168 is 0xc0a8.

ARP spoofing of the gateway is not that popular on this subnet, but next time it happens, I'll do an entry with that.

Edit: 19/02/2013 - fixed ethertype value in ARP filter

No comments:

Post a Comment