
Academic year: 2020


Approaches for a Stand-alone Network Attack and Defense Platform Using Yersinia Toolkits

Liangbin Zhang¹, Yuanming Wang², Ran Jin³, Kun Gao⁴

¹,²,³ School of Electronics and Computer Science, Zhejiang Wanli University, Ningbo, China

⁴ Intelligent Electronic Institute, Zhejiang Business Technology Institute, Ningbo, China.

ABSTRACT

Network attack and defense is a research hotspot of Internet information security technology. Using VMware Workstation and GNS3 virtualization technology, this paper builds a network attack and defense experimental platform, modeled on a typical three-tier network architecture, within a single computer. First, the classical three-tier network topology is built with GNS3, and multiple virtual machines are created and bridged to the corresponding GNS3 topology nodes. Second, the attacker uses the Yersinia attack toolkit on the Ubuntu operating system to deceive the real DHCP server and the aggregation switch running the hot standby routing protocol (HSRP), as shown through a detailed experimental demonstration. Finally, effective defensive measures are given and validated by experimental test. The experimental platform provides an effective way to run practical exercises for learning and researching network attack and defense technology.

Keywords: Network attack and defense, Yersinia, Stand-alone platform.

I. INTRODUCTION

To learn professional networking knowledge and skills, we must rely on many hands-on network experiments, which need good network hardware and tools. Because of restrictions on funds, venues and equipment, as well as the upgrading of network technology and equipment and other reasons, it is difficult for many college network laboratories to build a training environment with a complex network architecture. However, some network experimental environments can be provided effectively through virtual simulation software, which also gives a good realistic effect [1-3].

Virtual simulation software can be divided into four classes: network sniffer and capture software, including Wireshark and Sniffer; network construction software, including Cisco Packet Tracer and GNS3; virtualization software, including VMware Workstation and VirtualBox; and protocol development software such as NS2 [4]. Network construction software has the advantages of flexible network configuration and experimental results that are convenient to verify, but, taking Packet Tracer as an example, it also has the following defects: (1) the IOS of a real network device cannot be loaded; (2) communication is limited to its own platform, and it cannot communicate with a real running operating system [5]. GNS3, however, connects a topology host node by bridging it to a virtual machine network card of VMware Workstation, which makes it possible to build a network training platform that combines virtual and real components [6-7].

II. SIMULATION SOFTWARE INTRODUCTION

GNS3 for network equipment simulation

GNS3 is a Cisco network equipment simulator with a graphical user interface that runs on multiple operating systems (Windows, Linux and macOS) and tightly integrates Dynamips, PIX Firewall and WinPcap. To meet the demand for flexibly building a variety of network topologies, GNS3 can load Cisco IOS to simulate routers, switches and firewalls [8]. Its biggest feature is that it can connect a virtual network card to a real network operating system for communication. GNS3 consumes a lot of CPU resources, so when an IOS image is loaded the IDLE value of the device must be calculated to reduce CPU utilization, which optimizes the running environment of GNS3.

VMware Workstation for host simulation

VMware Workstation is stand-alone virtualization software that can simulate several independent operating systems on one physical computer [9]. Each independent system can run its own operating system and applications. Moreover, virtual hardware such as network cards, CD-ROM drives, hard disks and USB devices can be added to exchange files or to build a new virtual network with other virtual machines or with the host computer itself. The fatal flaw of VMware Workstation is that it occupies a great deal of the host computer's memory, so the host computer must have a large physical memory capacity.

Simulating network equipment with GNS3 mainly consumes CPU resources, while simulating independent computers with VMware Workstation mainly consumes physical memory, so the combination of these two kinds of simulation software is perfect and powerful within a single machine. It thus becomes possible to use GNS3 and VMware Workstation effectively within a single machine to build a training platform with a complex network.

Yersinia toolkits on the Ubuntu OS

Ubuntu is a popular open source Linux desktop operating system; its large number of built-in programs give the user a simple and convenient platform, and it is suitable for computers and even mobile devices [10]. Yersinia is an open source toolkit running on the Ubuntu operating system that can implement layer-2 protocol attacks on CDP, 802.1X, 802.1Q, DTP, ISL, STP and VTP, and can also implement layer-3 protocol attacks on DHCP and HSRP. In the attack and defense platform, an Ubuntu virtual machine using the Yersinia toolkit acts as the attacker, and all attacks can be easily done with a visual interface.

III. EXPERIMENTAL CASE OF ATTACK AND DEFENSE PLATFORM WITHIN A SINGLE MACHINE

Network topology of experimental case

A classic dual-core, three-layer network topology is built using GNS3 and VMware Workstation within a single machine, as shown in Fig.1. The whole network is composed of three parts: access, aggregation and core. The access layer is responsible for user access, and two computers simulate the test node and the attack node respectively; the aggregation layer provides the access strategy, and the aggregation switches running the hot standby routing protocol (HSRP) provide a redundant gateway to ensure reliable transmission of user data; the core layer provides high-speed forwarding of user data. The DMZ area is composed of DHCP, DNS and WWW servers.

Fig.1 A stand-alone attack and defense platform of the classic layer-3 network architecture

Main experimental procedure

(1) Building the attack and defense platform within a single computer

In our experimental environment, the single computer is a Lenovo G480 notebook whose main hardware configuration includes an Intel i5-3230 CPU at 2.6 GHz and 16 GB of RAM. The preparation work for building the experimental environment is as follows.

Step 1: Download and install the Cisco GNS3 software, and load the router IOS with the recalculated IDLE value to reduce CPU utilization. Then construct the network topology of Fig.1 in GNS3.

Step 2: Download and install VMware Workstation and create three virtual computers: a Win2003 DHCP server, Windows XP and Ubuntu. The command to install the Yersinia attack toolkit online in Ubuntu is "sudo apt-get install yersinia".

Step 3: The Win2003 Server, Windows XP and Ubuntu nodes of the GNS3 topology are bridged to the network cards of the three VMware Workstation virtual machines respectively. The attack and defense platform within a single computer is thus initially built.

(2) IP planning, network equipment and servers configuration

The main configuration of the access layer switch is VLAN division, access security authentication and multiple spanning tree. The main configuration of the aggregation layer switch is VLAN strategy, HSRP routing backup, switching and routing. The main configuration of the core layer switch is just switching and routing. Given the needs of the topic and the limits of space, Fig.2 shows only the main configuration of the distributed switch, including the VLAN 1 management address, DHCP relay, a high HSRP priority to make it the active router, the virtual gateway address, preempt mode and tracking of the uplink interface. Fig.3 shows the specific path from the test computer to the outside host under normal circumstances.

(3) Implementation of DHCP and HSRP attack

Fig.4 shows the attacker using the Yersinia toolkit to attack the real Win2003 DHCP server; the procedure is divided into three steps as follows.

Step 2: The attacker sends a large number of fake DHCP release packets to the real DHCP server, and the test computers are forced to passively release their original IP addresses.

Step 3: The attacker sets itself up as a new rogue DHCP server and offers the test computer a fake IP address.

Fig.5 shows the attacker using the Yersinia toolkit to attack the HSRP protocol of the aggregation switch. The attacker becomes a member of the HSRP group and raises its HSRP priority to 255, immediately becoming the active router.

Fig.6 shows that the address pool of the real DHCP server is instantly exhausted. Fig.7 shows that distributed switch1 has been attacked and has become a backup HSRP router.

Fig.2 Main configuration of distributed switch

    inter fastEthernet0/0
     ip address 192.168.2.2 255.255.255.0
    inter vlan 1
     ip address 192.168.1.1 255.255.255.0
     ip helper-address 192.168.4.2
     standby 100 ip 192.168.1.254
     standby 100 priority 101
     standby 100 preempt
     standby 100 track FastEthernet0/0
    router ospf 1

Fig.3 Specific path from test host to the outside host

Fig.4 DHCP attack using Yersinia toolkits

Fig.5 HSRP attack using Yersinia toolkits

Fig.6 Exhausted pool of the real DHCP server

Fig.7 Distributed switch1 of a backup HSRP router


Thus the attacker becomes a man in the middle between the test computer and the real distributed gateway device, and can capture all important and sensitive data packets sent from the test computer to the outside host. Meanwhile, the test computer is not aware of being attacked.
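A monitoring-side view of the HSRP takeover described above, as an added example that is not part of the original paper: it decodes HSRPv1 messages (RFC 2281, UDP port 1985) and compares each speaker with an allowlist. The address 192.168.1.1, group 100, priority 101 and the virtual address come from Fig.2; the second peer 192.168.1.2, its priority and the unknown source 192.168.1.50 are assumed values, and the sample messages are constructed.

```python
import socket
import struct

# HSRPv1 message body (RFC 2281): eight 1-byte fields, 8-byte auth data, virtual IP.
HSRP_V1 = struct.Struct("!8B8s4s")
OPCODES = {0: "hello", 1: "coup", 2: "resign"}
DEFAULT_AUTH = b"cisco"  # RFC 2281 default when no authentication is configured

# Allowlist: group -> {legitimate speaker: configured priority}.
# 192.168.1.1 / group 100 / priority 101 are from Fig.2; the second peer is assumed.
EXPECTED = {100: {"192.168.1.1": 101, "192.168.1.2": 100}}

def parse_hsrp(payload: bytes) -> dict:
    """Decode the UDP/1985 payload of an HSRPv1 message."""
    if len(payload) < HSRP_V1.size:
        raise ValueError("truncated HSRP message")
    ver, op, state, _, _, prio, group, _, auth, vip = HSRP_V1.unpack_from(payload)
    if ver != 0:
        raise ValueError("not an HSRPv1 message")
    return {"opcode": OPCODES.get(op, f"unknown({op})"), "state": state, "priority": prio,
            "group": group, "auth": auth.rstrip(b"\x00"), "vip": socket.inet_ntoa(vip)}

def check_hsrp(src_ip: str, payload: bytes) -> list:
    """Return alert strings for one captured HSRP message."""
    msg = parse_hsrp(payload)
    peers = EXPECTED.get(msg["group"], {})
    alerts = []
    if src_ip not in peers:
        alerts.append(f"unexpected speaker {src_ip} in group {msg['group']} "
                      f"({msg['opcode']}, priority {msg['priority']})")
    elif peers[src_ip] != msg["priority"]:
        alerts.append(f"{src_ip} advertises priority {msg['priority']}, expected {peers[src_ip]}")
    if msg["auth"] == DEFAULT_AUTH:
        alerts.append("default authentication string in use")
    return alerts

def build_sample(op, state, prio, group=100, auth=b"cisco", vip="192.168.1.254"):
    """Construct a sample message (hello time 3 s, hold time 10 s) for the demo."""
    return HSRP_V1.pack(0, op, state, 3, 10, prio, group, 0, auth, socket.inet_aton(vip))

# Constructed samples: the real active router, then an unknown host claiming priority 255.
LEGIT = build_sample(0, 16, 101)
ROGUE = build_sample(1, 16, 255)

if __name__ == "__main__":
    for src, pkt in (("192.168.1.1", LEGIT), ("192.168.1.50", ROGUE)):
        print(src, check_hsrp(src, pkt) or "ok")
```

The legitimate router is still flagged for the default authentication string, which is the condition that lets an unknown speaker join the group in the first place.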

IV. EFFECTIVE DEFENSE MEASURE

DHCP monitoring and HSRP authentication can effectively prevent attacks that deceive DHCP and HSRP network equipment [11-13]; this method is also suitable for the experimental case on our attack and defense platform.

The effective defense measures are as follows. First, the access switch is configured with the DHCP monitoring function, as shown in Fig.8. The switch ports connected to the real DHCP server are configured as trusted, while the other ports remain untrusted as in the original configuration, so DHCP offer packets from rogue DHCP servers are filtered and discarded. Then, the distributed switches of the HSRP group are configured with plain text or MD5 authentication, as shown in Fig.9, which prevents a deceptive router from joining the HSRP group and replacing the active HSRP router. Finally, with both defense measures in place on our attack and defense platform, the attacker can do nothing with the Yersinia toolkit and the network is effectively protected.
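One way to check that both defenses are actually present in a switch configuration, as an added example that is not the paper's own code: a small audit over IOS-style text. The sample configurations are transcribed from the page's Fig.8 and Fig.2 text with the interface keyword spelled out; the function names are hypothetical.

```python
import re

# Sample configs transcribed from the page's Fig.8 and Fig.2 text (trimmed).
ACCESS_SW = """\
ip dhcp snooping
ip dhcp snooping vlan 1
interface range f0/23 - 24
 ip dhcp snooping trust
interface range f0/1 - 22
 ip dhcp snooping limit rate 15
"""
DIST_SW = """\
interface vlan 1
 standby 100 ip 192.168.1.254
 standby 100 priority 101
"""

def sections(config):
    """Split an IOS-style config into (top-level line, [indented sub-lines])."""
    out = []
    for line in config.splitlines():
        if line[:1].isspace() and out:
            out[-1][1].append(line.strip())
        elif line.strip():
            out.append((line.strip(), []))
    return out

def audit_dhcp_snooping(config):
    """Findings for an access switch that should filter rogue DHCP servers."""
    secs = sections(config)
    top = [head for head, _ in secs]
    if "ip dhcp snooping" not in top:
        return ["DHCP snooping is not enabled globally"]
    findings = []
    if not any(head.startswith("ip dhcp snooping vlan ") for head in top):
        findings.append("DHCP snooping is not applied to any VLAN")
    if not any("ip dhcp snooping trust" in sub for _, sub in secs):
        findings.append("no trusted port: the real server's replies are dropped too")
    return findings

def audit_hsrp_auth(config):
    """List HSRP groups that have a virtual IP but no authentication line."""
    findings = []
    for head, sub in sections(config):
        body = "\n".join(sub)
        groups = set(re.findall(r"^standby (\d+) ip\b", body, re.M))
        authed = set(re.findall(r"^standby (\d+) authentication\b", body, re.M))
        findings += [f"{head}: HSRP group {g} has no authentication"
                     for g in sorted(groups - authed)]
    return findings
```

Run against the Fig.2 interface, `audit_hsrp_auth` reports group 100 as unauthenticated; the finding clears once a `standby 100 authentication` line is present on that interface.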

Fig.8 DHCP monitor of the access switch

Fig.9 HSRP MD5 authentication configuration

CONCLUSIONS

An attack and defense experimental platform based on the typical dual-core, three-layer network architecture is built within a single computer using the GNS3 and VMware Workstation simulation software. The attacker achieves the attack effect by using the Yersinia toolkit to deceive the real DHCP server and the distributed-layer HSRP switch; meanwhile, corresponding effective defense measures are put forward and validated experimentally. This experimental method can largely satisfy students' demand for complex network structures, configuration, testing and even offensive and defensive exercises, which not only saves investment in laboratory equipment but also helps students carry out network experimental research creatively and ultimately improves their practical ability and network engineering research ability.

ACKNOWLEDGMENT

This work was supported by the Zhejiang Province Natural Science Foundation under grant LY16F020012 and by the National Undergraduate Training Programs for Innovation and Entrepreneurship under grant No. 201510876020.

REFERENCES

[1]. Cao XF, “Experimental design of tcp principle based on virtual experiments”, Experimental Technology and Management, vol.30, 2013, pp.90-93.

[2]. Peng G, Wang FN, et al, “A configuration method for network attack and defense simulation platform”, Electronics Optics & Control, vol.20, 2013, pp.78-86.

[3]. Tang DP, Zhu YQ, et al, “Design of virtual simulation experiment platform of computer network management”, Laboratory Science, vol.19, 2016, pp.76-80.

[4]. Zhang LB, Gao K, Liang SB, “Simulation experiment of small enterprise network application infrastructure based on packet tracer”, Research and Exploration in Laboratory, vol.31, 2012, pp.372-376.

[5]. Long YJ, Ou YJ, et al, “Research on virtual network system integration laboratory based on gns3 and vmware”, Experimental Technology and Management, vol.30, 2013, pp.90-93.

[6]. Gu CF, Li WB, Lan XF, “A virtual network laboratory based on vmware and gns3”, Research and Exploration in Laboratory, vol.31, 2014, pp.73-76.

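Configuration text from Fig.8 (DHCP monitor of the access switch):

    ip dhcp snooping
    ip dhcp snooping vlan 1
    ip dhcp snooping verify mac-address
    interface range f0/23 - 24
     ip dhcp snooping trust
    interface range f0/1 - 22
     ip dhcp snooping limit rate 15

Configuration text from Fig.9 (HSRP MD5 authentication configuration):

    key chain hsrp1
     key 1
      key-string 543210
    interface range f0/1 - 5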


[7]. Di XQ, Zhang YX, et al, “Exploration of experimental teaching platform for computer network attack and defense based on cloud technology and virtualization”, Experimental Technology and Management, vol.32, 2015, pp.147-151.

[8]. Li LL, Sun LC, et al, “Research on virtual network engineering laboratory based on gns3 and virtual box”, Experimental Technology and Management, vol.32, 2015, pp.144-148.

[9]. Huang SL, “VMware software applied in the experiment teaching of computer”, Experiment Science and Technology, vol.10, 2012, pp.44-46.

[10]. Zhang DL, Sun GY, “Building Education Teaching Platform Based on Open Source System Linux in the case of Ubuntu”, Journal of Huainan Normal University, vol.14, 2012, pp.135-137.

[11]. Tang DP, “Integration of hsrp and nat to realize network load balancing with export group”, Research and Exploration in Laboratory, vol.31, 2012, pp.66-69.

[12]. Gao GJ, “DHCP exhaustion attack and prevention”, Science & Technology Information, vol.10, 2011, pp.59-61.
