The development trend of Ethernet switch technology In recent years, with the rapid development of enterprise data communication services and related converged services, Ethernet switches, as indispensable key equipment, have not only been greatly improved in quantity, but also in quality, Performance and other aspects are constantly improved. With the rapid popularity of Ethernet switches, its security issues have received increasing attention. We currently have to deal with the following aspects. Next, let's follow the editor of Feichang Technology to take a look!
(1) Broadcast storm attack
When the switch receives a large flow of broadcast data, multicast data, or unicast data whose destination MAC address is randomly constructed, it will forward it by broadcast. If the switch does not support the flow of flooded data Control, then the bandwidth of the network may be filled with these junk data, so that other users on the network cannot access the Internet normally. Therefore, the switch needs to support rate limiting on the flooded data received from each port.
(2) Data attacks the network.
When a malicious user sends a very large amount of data to the router, the data is sent to the router through the switch and at the same time, it also occupies most of the bandwidth of the uplink interface, so other users will also rush to the Internet. Very slow. Therefore, the switch needs to limit the inbound rate of each port, otherwise a malicious user can attack his network, thereby affecting all other users in the network.
(3) Massive MAC address attacks
Because the switch uses the MAC address as an index when forwarding data, if the destination MAC address of the datagram is unknown, it will be flooded in the network. Therefore, malicious users can send a large amount of junk data to the network. The source MAC address of these data keeps changing, because the switch needs to continuously learn the MAC address, and the capacity of the switch's MAC table is limited. When the switch's MAC table When it is full, the original MAC address will be overwritten by the newly learned MAC address. In this way, when the switch receives the data sent by the router to a normal customer, it will forward it in the network in a flooding manner because it cannot find the record of the customer's MAC, which greatly reduces the forwarding performance of the network. Therefore, the switch needs to be able to limit the number of MAC addresses that each port can learn, otherwise the entire network will degenerate into a network similar to a HUB.
(4) MAC spoofing attacks.
Malicious users can attack the network to paralyze them. They can also change their MAC address to the router's MAC address, and then continuously send it to the switch. In this way, the switch will update the MAC-X record and think MAC-X is located on the port connected to the malicious user. At this time, when other users have data to send to the router, the switch will send these data to the malicious user, so that the user who sends normal data cannot access the Internet normally. Therefore, the switch should have the function of binding MAC and port, otherwise malicious users can simply cause the network to crash; or the switch needs to bind the source MAC address of the data allowed to enter the network on each port, so that malicious users cannot spoof through MAC To attack the network.
(5) ARP spoofing attack.
Malicious users can perform ARP spoofing attacks, that is, no matter which IP address they receive, they will immediately send an ARP response, so that the data sent by other users will also be sent to the MAC address of the malicious user. , These users can't access the Internet normally. Therefore, the switch should implement the binding function of the port and the IP address, that is, if the received ARP request, ARP response, and port data are different from the bound IP, the data can be discarded, otherwise the network will be paralyzed.
Well, the above content is the detailed introduction of Feichang Technology on the safety of industrial switches, I hope it can be helpful to everyone! Feichang Technology , a professional manufacturer of optical transceivers, optical fiber transceivers, industrial switches, and protocol converters, independently researches and develops brands, welcome to come to understand and communicate.