What Are Layer 2 Network Attacks?
Layer 2 network attacks target the Data Link layer (Layer 2) of the OSI (Open Systems Interconnection) model. This layer is responsible for node-to-node data transfer and controls the flow of data between two directly connected nodes. It also handles error checking and frames synchronization. Common Layer 2 network components include switches, bridges, and wireless access points.
As a network administrator, understanding Layer 2 attacks is essential as they can be particularly disruptive and difficult to detect. These attacks exploit vulnerabilities in the Data Link layer protocols, such as Ethernet and the ARP (Address Resolution Protocol).
Here are some of the primary Layer 2 network attacks and the recommended methods to reduce their effects:
ARP Spoofing (ARP Poisoning): This attack involves sending fake ARP messages over a local area network. The attacker aims to link their MAC address with the IP address of another host (such as the default gateway), causing the network traffic to be sent through the attacker instead of the intended target.
MAC Flooding: In this attack, the attacker floods the switch with a large number of Ethernet frames, each containing different MAC addresses. This can overwhelm the switch’s MAC address table, causing it to enter a state known as a “fail-open mode”, where it starts acting like a hub, broadcasting packets to all connected devices. This allows the attacker to intercept data.
VLAN Hopping: This attack exploits the handling of traffic between VLANs (Virtual Local Area Networks). An attacker can send packets to a switch, tricking it into believing that the packets are part of a different VLAN, thus gaining access to a VLAN that the attacker should not have access to.
DHCP Spoofing: Here, the attacker sets up a rogue DHCP server and responds to DHCP requests from clients. The attacker’s DHCP server can provide clients with IP addresses and other network settings, allowing the attacker to redirect traffic through their device for interception and analysis.
STP (Spanning Tree Protocol) Attacks: Attackers can manipulate STP, which is used to prevent network loops in networks with redundant paths. By crafting specific STP configurations, an attacker can force a network topology change, causing denial of service or allowing the attacker to become the root bridge in the network topology.
Port Stealing: By mimicking the MAC address of a legitimate client, an attacker can “steal” a port on the switch. This allows the attacker to receive traffic intended for the legitimate client.
MAC Spoofing: The attacker changes the MAC address of their network interface to match another device’s MAC address, allowing them to impersonate that device on the network.
Double Tagging VLAN Hopping: In this sophisticated attack, an attacker on a VLAN can encapsulate a packet with two VLAN tags. The first tag is stripped by the first switch (making it look like it’s meant for another VLAN), and the packet is forwarded accordingly.
CAM Table Overflow Attacks
Switches store forwarding information in a Content Addressable Memory (CAM) table, which holds MAC addresses and their associated VLAN parameters. The switch CAM table can be likened to a router’s routing table. CAM tables have a fixed size.
On receiving a frame, the Layer 2 switch searches in the CAM table for a corresponding destination MAC address. If one is found for that MAC address, the switch forwards the frame to the port identified in the CAM table configured for that MAC address.
If the MAC address is not in the CAM table, the switch forwards the frame out through all ports on the switch. If the switch receives a response as a result of the forwarded frame, it updates the CAM table with the port on which the communication was received.
The size of a switch CAM table is limited. Cisco Catalyst switches take 63 bits of source information (MAC address, VLAN, and so on) and compute a 14-bit hash value from them. When entries hash to the same value, there are eight buckets in which to place the colliding CAM entries.
These entries expire after a certain inactivity period. (The default on the Cisco Catalyst switch is 5 minutes.) If enough MAC addresses are flooded to a switch before existing entries expire, the CAM table fills up, and new entries are not accepted. When the CAM table is full, the switch starts flooding the packets out of all ports. This scenario is called a CAM table overflow.
In a CAM table overflow attack, an attacker or unauthorised user sends thousands of frames with fake source MAC addresses from one port to the switch, which look like communication from valid hosts. One of the more popular tools used to launch this type of attack is called macof; it was originally written in Perl, ported to C, and bundled into the Dsniff suite.
Dsniff is a collection of tools for network auditing and penetration testing. Macof can generate 155,000 MAC entries on a switch per minute. The goal is to flood the switch with traffic by filling the CAM table with false entries. Once the table is full, the switch floods traffic that has no CAM entry out of every port on its local VLAN, allowing the attacker to see other traffic on that VLAN that would not otherwise be delivered to their port.
How To Stop/Prevent CAM Table Overflow Attacks
One of the several ways you can prevent CAM table overflow attacks is to configure port security on the switch ports. Port security can be applied in three ways:
Static secure MAC addresses— A switch port may be manually configured with the specific MAC address of the device that connects to it.
Dynamic secure MAC addresses—The maximum number of MAC addresses to be learned on a single switch port is specified. These MAC addresses are dynamically learned, stored only in the address table, and removed when the switch restarts.
Sticky secure MAC addresses—Addresses on a given port may be dynamically learned or manually configured, up to the configured maximum. Manual configuration is not recommended because of its high administrative overhead. Sticky addresses are stored in the MAC address table and added to the running configuration. If the running configuration is saved to the configuration file, the interface does not need to dynamically relearn them when the switch restarts.
The action taken when a port security violation occurs falls into one of the following three categories:
Protect—When the number of secure MAC addresses reaches the limit allowed on the port, frames with unknown source addresses are dropped until the maximum number of secure addresses is increased or existing secure MAC addresses are removed.
Restrict—In this mode, a security notification is sent to the Simple Network Management Protocol (SNMP) server (if one is configured) and a Syslog message is logged. The violation counter is also incremented.
Shutdown—If a port security violation occurs, the interface is placed in the error-disabled state and its port LED is turned off. The switch sends an SNMP trap, logs a Syslog message, and increments the violation counter.
How to configure switch port security
Switch#configure terminal
Switch(config)#interface fastethernet0/0
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum 30
Switch(config-if)#switchport port-security mac-address sticky
The above example configures the switch port as an access port and enables dynamic port security with a maximum of 30 learned addresses. The violation mode is the default, shutdown; sticky learning is enabled; and no static MAC addresses are configured. If a thirty-first device tries to connect through the port, the port is placed in the error-disabled state and an SNMP trap notification is sent.
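To make the mechanics concrete, here is an added Python model (not code from the original page or from Cisco) of a fixed-size CAM table with inactivity aging and per-port port security. The capacity, MAC addresses, timings and the single-VLAN, no-hash-bucket simplification are constructed assumptions; it shows a flooded table turning a later known-host unicast into a flood, and the same flood being stopped by a per-port maximum in shutdown or restrict mode.

```python
from collections import OrderedDict

SHUTDOWN, RESTRICT, PROTECT = "shutdown", "restrict", "protect"

class Switch:
    """Toy CAM table: fixed capacity, inactivity aging, optional per-port port security.
    Assumed simplifications: one VLAN, no hash buckets, time is plain seconds."""
    def __init__(self, cam_capacity, aging=300):            # 300 s = the 5-minute default
        self.cam, self.capacity, self.aging = OrderedDict(), cam_capacity, aging
        self.port_sec, self.err_disabled, self.violations = {}, set(), {}

    def enable_port_security(self, port, maximum, mode=SHUTDOWN):
        # mirrors 'switchport port-security maximum N' plus the violation mode
        self.port_sec[port] = {"max": maximum, "mode": mode, "learned": set()}
        self.violations[port] = 0

    def receive(self, port, src, dst, now):
        """Handle one frame; returns 'forward', 'flood', 'drop' or 'err-disabled'."""
        if port in self.err_disabled:
            return "err-disabled"
        for mac, (_, seen) in list(self.cam.items()):       # expire idle entries
            if now - seen > self.aging:
                del self.cam[mac]
        sec = self.port_sec.get(port)
        if sec is not None and src not in sec["learned"]:
            if len(sec["learned"]) >= sec["max"]:             # a new source over the limit
                self.violations[port] += 1
                if sec["mode"] == SHUTDOWN:
                    self.err_disabled.add(port)
                    return "err-disabled"
                return "drop"                                 # protect/restrict drop the frame
            sec["learned"].add(src)
        if src in self.cam or len(self.cam) < self.capacity:
            self.cam[src] = (port, now)                       # learn or refresh the source
        return "forward" if dst in self.cam else "flood"      # full table: unknowns get flooded

def demo(max_macs=None, mode=SHUTDOWN):
    """Attacker on port 3 floods bogus sources; returns (fate of a later B->A frame,
    whether port 3 is err-disabled, violation count). Constructed MACs, not captured traffic."""
    sw = Switch(cam_capacity=256)
    if max_macs is not None:
        sw.enable_port_security(3, max_macs, mode)
    a, b = "aaaa.aaaa.0001", "bbbb.bbbb.0002"
    sw.receive(1, a, b, now=0); sw.receive(2, b, a, now=0)   # legitimate hosts are learned
    for t in (1, 301):                                      # macof-style bursts, 5 minutes apart
        for i in range(1000):
            sw.receive(3, f"fake.{i:04x}", "ffff.ffff.ffff", now=t)
    sw.receive(1, a, b, now=302)                            # A tries to get relearned
    return sw.receive(2, b, a, now=302), 3 in sw.err_disabled, sw.violations.get(3, 0)
```

Without port security the legitimate entries age out while the attacker keeps the table full, so the B->A unicast is flooded to every port; with a per-port maximum of 30 the port is error-disabled (shutdown) or the excess sources are dropped and counted (restrict), and the unicast is forwarded normally.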
In summary, Layer 2 attacks are particularly dangerous because they occur within the internal network, often bypassing external security measures like firewalls and intrusion detection systems.
Defending against these attacks requires a combination of proper network design, VLAN segmentation, robust security policies, and continuous monitoring of network traffic.