LINK LAYER ATTACKS

01 ARP Attacks
ARP (Address Resolution Protocol) maps an IP network address to a hardware (MAC) address.
ARP poisoning spoofs ARP so that someone else's IP address is mapped to the attacker's MAC address in the victims' ARP caches.

Tools: ettercap, dsniff

02 MAC Flooding Attack / CAM Table overflow Attacks
The CAM (Content Addressable Memory) table is the internal structure a switch uses to store MAC addresses for lookup. The limitation of CAM is that it can only do exact matches on ones and zeros (binary CAM), which is where TCAM comes in.

TCAM (Ternary Content Addressable Memory) provides three results, 0, 1 and "don't care", so it can match on partial values. This makes TCAM very important in layer 3 switches and modern routers, which can store their routing tables in TCAM and so achieve very fast lookups.

A CAM table overflow occurs when an influx of MAC addresses is flooded into the table and the CAM table threshold is reached. The switch then behaves like a hub, flooding traffic out all ports. The flooding caused by a CAM table overflow is limited to the source VLAN, so it does not affect other VLANs on the network.

Tools: macof, dsniff

Remediation: Set a limit on the maximum number of concurrent MAC addresses that can be learned on and allocated to an individual switch port (port security).

03 MAC Spoofing
In MAC spoofing, attackers spoof their MAC address to perform a man-in-the-middle (MITM) attack. In one common attack, the attacker pretends to be the default gateway and sends a gratuitous Address Resolution Protocol (ARP) message to the network so that users send their traffic through the attacker rather than through the default gateway. The attacker then forwards the user traffic to the real default gateway.

Tools: ettercap

Remediation: One way to mitigate this threat is to use Port Security. For this to work, however, the maximum MAC address setting must be 1.
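A detector for the ARP poisoning of section 01 and the gateway impersonation of section 03, as an added Python example that is not part of the original notes; the addresses, timestamps and sample replies are constructed:

```python
"""Detect ARP poisoning and gateway impersonation from observed ARP replies.

Added example, not part of the original notes. The first MAC seen for an IP
(or a MAC known from configuration) is treated as the authoritative binding,
and every reply, gratuitous or not, that contradicts it raises an alert; a
contradicted gateway binding is high severity. Sample replies are constructed.
"""
from collections import namedtuple

ArpReply = namedtuple("ArpReply", "ts sender_ip sender_mac gratuitous")

# Constructed sample: the real gateway (192.0.2.1) answers first, then a
# second host claims the gateway IP with its own MAC via gratuitous ARP.
SAMPLE_REPLIES = [
    ArpReply(0.0, "192.0.2.1",  "00:00:5e:00:53:01", False),
    ArpReply(1.0, "192.0.2.10", "00:00:5e:00:53:10", False),
    ArpReply(2.0, "192.0.2.1",  "00:00:5e:00:53:01", False),
    ArpReply(3.0, "192.0.2.1",  "00:00:5e:00:53:66", True),   # spoofed
    ArpReply(3.5, "192.0.2.1",  "00:00:5e:00:53:01", False),  # real gateway
    ArpReply(4.0, "192.0.2.1",  "00:00:5e:00:53:66", True),   # spoofed
]


def detect_arp_poisoning(replies, gateway_ip, known_gateway_mac=None):
    """Return alert strings for replies that contradict the known bindings."""
    bindings = {}                          # ip -> authoritative MAC
    if known_gateway_mac:
        bindings[gateway_ip] = known_gateway_mac.lower()
    alerts = []
    for r in replies:
        mac = r.sender_mac.lower()
        expected = bindings.setdefault(r.sender_ip, mac)   # first seen wins
        if expected != mac:
            sev = "HIGH" if r.sender_ip == gateway_ip else "MEDIUM"
            kind = "gratuitous ARP" if r.gratuitous else "ARP reply"
            alerts.append(f"{sev} t={r.ts}: {r.sender_ip} claimed by {mac}, "
                          f"expected {expected} ({kind})")
    return alerts
```

Feeding the same logic with a binding table exported from DHCP snooping instead of first-seen MACs gives a software equivalent of Dynamic ARP Inspection.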

04 DHCP Starvation Attack
DHCP Starvation is an attack that targets DHCP servers whereby forged DHCP requests are crafted by an attacker with the intent of exhausting all available IP addresses that can be allocated by the DHCP server.

Tools: gobbler, Yersinia

Remediation: Restrict the number of MAC addresses allowed on the port; a client then cannot lease more IP addresses than the number of MAC addresses allowed on that port.
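The per-port MAC limit recommended for both the CAM table overflow (section 02) and DHCP starvation (section 04), modelled as an added Python example that is not from the original notes; port names and frames are constructed:

```python
"""Simulate switch port security: cap the source MACs learned on each port.

Added example, not from the original notes. One per-port limit mitigates both
CAM table overflow (floods of random source MACs) and DHCP starvation (one
DISCOVER per forged client MAC): either way a single access port presents far
more source MACs than a host needs. Frames and port names are constructed.
"""
from dataclasses import dataclass, field

@dataclass
class Frame:
    port: str
    src_mac: str

@dataclass
class PortState:
    maximum: int = 1              # switchport port-security maximum N
    violation: str = "shutdown"   # "shutdown" (err-disable port) or "restrict" (drop)
    learned: set = field(default_factory=set)
    err_disabled: bool = False

class PortSecuritySwitch:
    def __init__(self, limits):
        """limits: {port_name: (maximum_macs, violation_mode)}"""
        self.ports = {p: PortState(m, v) for p, (m, v) in limits.items()}

    def receive(self, frame):
        """Return 'forward', 'drop' or 'err-disabled' for one ingress frame."""
        st = self.ports[frame.port]
        if st.err_disabled:
            return "err-disabled"
        mac = frame.src_mac.lower()
        if mac in st.learned:
            return "forward"
        if len(st.learned) < st.maximum:
            st.learned.add(mac)          # learned as a secure address on this port
            return "forward"
        if st.violation == "shutdown":   # over the limit: security violation
            st.err_disabled = True
            return "err-disabled"
        return "drop"

def flood(switch, port, count):
    """Send `count` frames from distinct constructed MACs; return outcome counts."""
    outcomes = {"forward": 0, "drop": 0, "err-disabled": 0}
    for i in range(count):
        mac = "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF)
        outcomes[switch.receive(Frame(port, mac))] += 1
    return outcomes
```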

05 Rogue DHCP Server Attack
A rogue DHCP server is a DHCP server set up on a network by an attacker, or by an unaware user, that is not under the control of the network administrators. Attackers commonly use rogue DHCP servers to enable further attacks such as man-in-the-middle, sniffing and reconnaissance. The rogue DHCP reply offers an IP address and other information that may designate the attacker's machine as the default gateway or Domain Name System (DNS) server.

Tools: Yersinia

Mitigation: DHCP snooping is a DHCP security feature that filters untrusted DHCP messages and builds and maintains a DHCP snooping binding database, also referred to as the DHCP snooping binding table.
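DHCP snooping as described above, modelled as an added Python example that is not from the original notes (port names, MAC addresses and the message exchange are constructed):

```python
"""Simulate DHCP snooping: server messages pass only from trusted ports and the
binding table is built from leases the real server acknowledges. Added example,
not from the original notes; ports, MACs and the message sequence are
constructed, with the rogue server on untrusted port Gi0/5.
"""
from dataclasses import dataclass
SERVER_MSGS = {"OFFER", "ACK", "NAK"}   # only a DHCP server sends these

@dataclass
class DhcpMsg:
    port: str       # ingress switch port
    vlan: int
    src_mac: str    # Ethernet source address
    chaddr: str     # client hardware address inside the DHCP payload
    mtype: str      # DISCOVER, OFFER, REQUEST, ACK, NAK
    yiaddr: str = "0.0.0.0"   # address handed out in OFFER/ACK

class DhcpSnooping:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.pending = {}    # chaddr -> (access port, vlan) of the last request
        self.bindings = {}   # snooping binding table: chaddr -> (ip, vlan, port)

    def process(self, m):
        """Return 'forward' or 'drop' for one DHCP message."""
        chaddr = m.chaddr.lower()
        if m.port not in self.trusted:
            if m.mtype in SERVER_MSGS:          # reply from a rogue server
                return "drop"
            if m.src_mac.lower() != chaddr:     # MAC verification failed
                return "drop"
            self.pending[chaddr] = (m.port, m.vlan)
        elif m.mtype == "ACK" and chaddr in self.pending:
            port, vlan = self.pending.pop(chaddr)
            self.bindings[chaddr] = (m.yiaddr, vlan, port)
        return "forward"

CLIENT, SERVER, ROGUE = "00:00:5e:00:53:10", "00:00:5e:00:53:01", "00:00:5e:00:53:66"
SAMPLE_STREAM = [  # constructed exchange: real server on trusted Gi0/24
    DhcpMsg("Gi0/1", 10, CLIENT, CLIENT, "DISCOVER"),
    DhcpMsg("Gi0/5", 10, ROGUE, CLIENT, "OFFER", "192.0.2.200"),    # rogue offer
    DhcpMsg("Gi0/24", 10, SERVER, CLIENT, "OFFER", "192.0.2.50"),
    DhcpMsg("Gi0/1", 10, CLIENT, CLIENT, "REQUEST"),
    DhcpMsg("Gi0/24", 10, SERVER, CLIENT, "ACK", "192.0.2.50"),
    DhcpMsg("Gi0/7", 10, ROGUE, "00:00:5e:00:53:77", "DISCOVER"),   # forged chaddr
]

def run_sample():
    """Run the sample through snooping; return (decisions, binding table)."""
    snoop = DhcpSnooping(trusted_ports=["Gi0/24"])
    return [snoop.process(m) for m in SAMPLE_STREAM], snoop.bindings
```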

06 CDP Attack
Cisco Discovery Protocol (CDP) is a proprietary service that allows Cisco devices to find each other dynamically. CDP works at layer 2, allowing neighboring routers and switches to share configuration information via multicast layer 2 frames. CDP advertisements contain information about the network device, such as the software version, IP address, platform, capabilities and native VLAN, and CDP sends this information in plain text.

An attacker sends raw CDP packets to the Cisco device to obtain information about the device and the adjacent devices.

Tools: Yersinia

Mitigation: Disable CDP.

07 STP Attack
Spanning Tree Protocol (STP): Redundant links are always welcome in a switched topology because they increase the network's availability, but from a layer 2 perspective they can cause layer 2 loops. This is because the TTL (Time to Live) field is in the layer 3 header, so it is decremented only when a packet passes through a router; there is no way to "kill" a packet stuck in a layer 2 loop. This situation can result in broadcast storms. Fortunately, STP allows you to have redundant links while keeping a loop-free topology, thus preventing the potential for broadcast storms.

STP achieves this loop-free topology by electing one switch as the root bridge. The election is based on bridge priority: the switch with the lowest bridge priority becomes the root bridge. Every other switch in the network picks a root port. The switches carry out the root bridge election by exchanging Bridge Protocol Data Units (BPDUs). If the root bridge goes down, STP must find a new root bridge.

If an attacker has access to switch ports that are able to become trunk ports, he can introduce a rogue switch into the network. Remember that Cisco switches have all their ports in "dynamic desirable" mode by default. This means that if the ports are still in that mode, the attacker can connect a rogue switch to the network wall jack in his cubicle and it will form a trunk link with the company switch. The attacker then sets the rogue switch's priority lower than that of any other switch in the company. A rogue switch with, for example, priority 0 announces its "superior BPDUs" and the STP topology reconverges: the rogue switch becomes the root bridge and all traffic crosses it. This gives the attacker the possibility to sniff all traffic in the company, but it also redirects traffic from the high-bandwidth links between the real switches onto the 100 Mbps link of the rogue switch.

Tools: Yersinia

Mitigation: There are two main protection mechanisms against attacks on the STP process: Root Guard and BPDU Guard.

Root Guard can be enabled on all switch ports that should not become root ports. To recap, the root port on each switch is the port considered closest to the root bridge. If a port configured for Root Guard receives a superior BPDU, it does not accept the BPDU; instead of becoming the new root port, the port goes into a root-inconsistent state. While a port is in the root-inconsistent state it is completely blocked for user data; no user data is sent across it. The state is not permanent: once the superior BPDUs stop, the port returns to the forwarding state.

BPDU Guard must be enabled on all ports that have the Cisco PortFast feature configured. PortFast is enabled on ports that connect to host devices, such as end-user PCs. It allows a port to skip almost all of the waiting time normally required before it goes into the forwarding state after being connected. The logic of PortFast is that a port connecting to an end-user device has no potential to create a topology loop, so the port can go active sooner by skipping STP's listening and learning states. Because these PortFast ports are connected to end-user devices, they should never receive a BPDU (BPDUs are sent only by switches). Therefore, if a port enabled for BPDU Guard receives a BPDU, the port is disabled and the policy violation is reported, which stops the attack.
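The Root Guard and BPDU Guard behaviour described above, modelled as an added Python example that is not from the original notes (bridge IDs, port names and the recovery timer are constructed):

```python
"""Simulate how Root Guard and BPDU Guard react to received BPDUs.

Added example, not from the original notes. Bridge IDs are (priority, MAC)
tuples, lower wins; port names and timings are constructed, and a fixed
`recovery_time` stands in for the switch timer that clears the
root-inconsistent state once superior BPDUs stop arriving.
"""
from dataclasses import dataclass

@dataclass
class Bpdu:
    ts: float
    root_id: tuple      # (priority, mac) the sender claims as root bridge

class GuardedPort:
    def __init__(self, name, current_root, root_guard=False, bpdu_guard=False,
                 portfast=False, recovery_time=20.0):
        self.name = name
        self.current_root = current_root
        self.root_guard = root_guard
        self.bpdu_guard = bpdu_guard and portfast   # BPDU Guard belongs on PortFast ports
        self.recovery_time = recovery_time
        self.state = "forwarding"
        self.last_superior = None
        self.events = []

    def receive_bpdu(self, b):
        """Process one BPDU and return the resulting port state."""
        if self.state == "err-disabled":
            return self.state
        if self.bpdu_guard:                     # an end-host port must never see a BPDU
            self.state = "err-disabled"
            self.events.append(f"{self.name}: BPDU Guard violation at t={b.ts}")
        elif b.root_id < self.current_root:     # superior BPDU
            if self.root_guard:                 # refuse it and block user data
                self.state = "root-inconsistent"
                self.last_superior = b.ts
                self.events.append(f"{self.name}: superior BPDU {b.root_id} blocked")
            else:                               # unguarded: the rogue becomes root
                self.current_root = b.root_id
                self.events.append(f"{self.name}: new root {b.root_id} accepted")
        return self.state

    def tick(self, now):
        """Return to forwarding once superior BPDUs have stopped long enough."""
        if (self.state == "root-inconsistent"
                and now - self.last_superior >= self.recovery_time):
            self.state = "forwarding"
        return self.state
```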

08 PVLAN Attack
A broadcast storm occurs when a network is overwhelmed by continuous multicast or broadcast traffic. When nodes send or broadcast data over a network link and the other network devices rebroadcast that data back onto the link in response, the whole network eventually melts down and network communication fails.

Even though private VLANs (PVLANs) are a common mechanism to restrict communication between systems on the same logical IP subnet, they are not always 100 percent secure. PVLANs work by limiting which ports within a VLAN can communicate with other ports in the same VLAN. Isolated ports within a VLAN can communicate only with promiscuous ports. Community ports can communicate only with other members of the same community and with promiscuous ports. Promiscuous ports can communicate with any port. One network attack capable of bypassing PVLAN security uses a proxy to get around the access restrictions of a PVLAN.

In this attack against private VLANs, frames are forwarded to a host connected to a promiscuous port, such as a router. The attacker sends a packet with the source IP and MAC address of the attacker's device, the destination IP address of the target system, but the destination MAC address of the router. The switch forwards the frame to the router's switch port. The router routes the traffic, rewrites the destination MAC address to that of the target and sends the packet back out. The packet now has the proper format and is forwarded to the target system. This attack allows only unidirectional traffic, because any attempt by the target to send traffic back is blocked by the PVLAN configuration. If both hosts are compromised, static Address Resolution Protocol (ARP) entries could be used to allow bidirectional traffic.

Mitigation: Configure access control lists (ACLs) on the router port to mitigate PVLAN attacks. For example, if a server farm segment exists on subnet 172.16.1.0/24 and target A is in that server farm, configuring the ACL shown in Figure 1 on the default gateway mitigates the PVLAN proxy attack.

09 VLAN Hopping Attack
A VLAN is a group of devices on one or more LANs that are configured to communicate with each other. Because VLANs are based on logical instead of physical connections, they are extremely flexible.

VLAN hopping is an attack in which a user gains access to a VLAN that is not assigned to his switch port. Normally users connect to access ports that are members of a VLAN specified in the switch configuration. An attacker can achieve this in two ways against the default configuration of a Cisco switch port.

The first and most commonly used VLAN hopping method is for the attacker to make his workstation act as a trunk port. Most switches, in their default configuration, need only one side of a connection to announce itself as a trunk; the switch then automatically trunks all available VLANs over the switch port. This results in the attacker seeing all traffic across all VLANs.

The second way an attacker can hop VLANs is double tagging. With double tagging, the attacker inserts a second 802.1Q tag in front of the existing 802.1Q tag. This relies on the switch stripping off only the first 802.1Q tag and leaving the second tag in place.

Remediation: To ensure you do not fall foul of a VLAN hopping attack, all user ports must be assigned as access mode ports. Any unused ports should be disabled and set to access mode by default. Once a switch port is set to access mode it can never become a trunk port. When configuring a trunk port, the native VLAN needs to be set to a unique VLAN that is not routable or used elsewhere.
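The double-tagging mechanism and the native-VLAN remediation above, modelled as an added Python example that is not from the original notes (frame bytes, VLAN numbers and the two-switch model are constructed):

```python
"""Parse stacked 802.1Q tags and show why a double-tagged frame hops VLANs when
the trunk's native VLAN equals the attacker's VLAN, and why an unused native
VLAN stops it. Added example, not from the original notes; frame bytes, VLAN
numbers and the two-switch model are constructed.
"""
import struct

TPID_8021Q = 0x8100

def build_frame(dst, src, vids, ethertype=0x0800, payload=b"\x00" * 4):
    """Build an Ethernet frame carrying zero or more stacked 802.1Q tags."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for vid in vids:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)   # PCP/DEI left at 0
    return hdr + struct.pack("!H", ethertype) + payload

def parse_tags(frame):
    """Return the list of VIDs from outermost to innermost."""
    off, vids = 12, []
    while struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return vids

def strip_outer_tag(frame):
    """Remove only the outermost tag, which is all a switch strips."""
    return frame[:12] + frame[16:]

def trunk_egress(frame, native_vlan):
    """Switch A sends the frame over its trunk: native VLAN traffic goes untagged."""
    vids = parse_tags(frame)
    return strip_outer_tag(frame) if vids and vids[0] == native_vlan else frame

def trunk_ingress_vlan(frame, native_vlan):
    """Switch B classifies the received frame by its outermost tag."""
    vids = parse_tags(frame)
    return vids[0] if vids else native_vlan

def hop_simulation(attacker_vlan, target_vlan, native_vlan):
    """Return the VLAN into which switch B delivers a double-tagged frame."""
    f = build_frame("ff:ff:ff:ff:ff:ff", "00:00:5e:00:53:66", [attacker_vlan, target_vlan])
    return trunk_ingress_vlan(trunk_egress(f, native_vlan), native_vlan)
```

With the native VLAN equal to the attacker's access VLAN the inner tag survives the trunk and lands in the target VLAN; with an unused native VLAN the outer tag stays and the frame never leaves the attacker's own VLAN.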