Data Link Layer

links: SPA TOC - Layered Security - Index


  • Sends and receives frames between adjacent stations on the same link
  • Frames and addresses data
    • Encapsulates network-layer packets into frames
    • Adds source and destination MAC addresses in the frame header
  • Provides node-to-node error detection (frame check sequence) and flow control
  • Maps between network-layer and link-layer addresses (IP \(\leftrightarrow\) MAC, via ARP for IPv4)
  • Network component: switch
  • Relevant topics: Ethernet, switches (vs. hubs), Spanning Tree, VLAN, ARP

Vulnerabilities

  • MAC address spoofing
    • NIC configured to use the MAC address of another device
  • VLAN circumvention
    • NIC configured to tag its traffic (802.1Q) with a different VLAN ID in order to reach another VLAN
  • Spanning tree errors
    • Misconfiguration (e.g. a wrong bridge priority) causing the wrong switch to be elected root bridge, leading to suboptimal traffic flow or loops
  • Free connection or weak authentication and encryption to access links
    • Open WiFi network allowing anyone to connect without a password; unused switch ports left enabled
  • Wrong behaviour of network devices in overload situations
    • Switch dropping frames or providing inconsistent connectivity when at capacity; failing open (flooding like a hub) when its CAM table is full

Attacks

  • Content-Addressable Memory (CAM) table overflow
    • CAM table holds the MAC \(\leftrightarrow\) port mapping and the VLAN of each entry
    • Attacker floods the switch with frames carrying random (bogus) source MAC addresses
    • When the CAM table is full the switch can no longer learn new addresses and behaves like a hub \(\rightarrow\) frames for unknown destinations are flooded out of all ports in the VLAN, so the attacker can sniff them
  • VLAN hopping
    • Attacker in VLAN 1 gets frames delivered into VLAN 2
    • Switch spoofing: the attacker's port negotiates a trunk (DTP) and can then tag frames for any VLAN
    • Double tagging: the first switch strips the outer 802.1Q tag (native VLAN of the trunk), the inner tag delivers the frame into the target VLAN; one-way only, and only if the attacker's access VLAN is the trunk's native VLAN
  • Spanning-Tree Protocol manipulation
    • Attacker sends bridge protocol data units (topology change notifications, or configuration BPDUs claiming a lower bridge priority) to force spanning-tree recalculation
    • Goal: attacker becomes root bridge so inter-switch traffic is forwarded through links the attacker controls (man-in-the-middle), or repeated recalculation causes denial of service
  • MAC address spoofing
    • Attacker sends a frame with the source MAC address of the attacked host, so the switch moves the CAM entry to the attacker's port
    • Attacker receives data destined for the attacked host until the attacked host sends a frame and the switch learns the correct port again
  • ARP attack (ARP spoofing / poisoning)
    • Attacker sends unsolicited ARP replies to the attacked device, mapping a victim IP (typically the default gateway) to the attacker's MAC
    • Attacked device updates its ARP cache, so data is sent to the wrong device \(\rightarrow\) attacker (man-in-the-middle)
  • Private VLAN
    • Promiscuous port: can communicate with all ports in the private VLAN (typically the router/gateway)
    • Community port: can communicate with promiscuous ports and with the other ports in the same community
    • Isolated port: can communicate only with promiscuous ports
    • Proxy attack: an isolated host sends a frame addressed to the router's MAC but with a victim in the same private VLAN as IP destination; the router (promiscuous port) routes it back into the private VLAN, bypassing the layer-2 isolation

Controls

  • Disable / shut down unused switch ports
    • Prevents an attacker from connecting to the network; park unused ports in an unused VLAN
  • Implement port security / MAC address filtering
    • Restrict access to the network to devices with approved MAC addresses
    • Limit the number of MAC addresses learned per port and err-disable the port on violation; counters the CAM table overflow attack
    • Caveat: a static MAC allow-list alone does not stop MAC address spoofing, since the attacker simply uses an approved address
  • Do not rely on VLAN assignments alone to enforce secure design
    • To achieve secure isolation the networks should be physically isolated with policy engines (firewalls) in between
    • Mitigates VLAN hopping; additionally disable trunk negotiation (DTP) on access ports, do not use VLAN 1 for user ports, and set the native VLAN of trunks to an unused VLAN
  • Use security-enhanced network devices
    • IEEE 802.1X-2010 port-based network access control
    • IEEE 802.11i-2004 Wi-Fi Protected Access (WPA2) with AES-CCMP
    • WPA3 (SAE handshake; GCMP-256 in WPA3-Enterprise 192-bit mode)
  • Use device built-in security features (encryption, authentication, MAC filtering; BPDU guard / root guard on edge ports against STP manipulation)
  • Use ARP / broadcast monitoring software, or Dynamic ARP Inspection (DAI) with DHCP snooping on the switch
    • Identify unknown devices
    • Identify spoofed MAC addresses and changed IP \(\leftrightarrow\) MAC bindings
  • Use IPv6 Secure Neighbor Discovery (SEND, RFC 3971) instead of plain Neighbor Discovery
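
The following script is an added example and not part of the original page. It serves both the Attacks section (CAM table overflow, MAC address spoofing, ARP attack) and the "ARP / broadcast monitoring software" and MAC filtering controls above: it parses raw Ethernet II / ARP frames and flags a changed IP-to-MAC binding, a MAC that moves between switch ports, a burst of new source MACs on one port, and a source MAC that is not on the approved list. The port names, MAC and IP addresses, the thresholds (10 new MACs per second) and the replayed frame sequence are all constructed for the demo; in practice the frames would come from a SPAN port or a raw socket.

```python
"""Added example, not code from the original page: a layer-2 monitor that parses raw
Ethernet II / ARP frames and raises four kinds of alert discussed above:
  arp-spoof    an ARP reply changes a learned IP -> MAC binding (ARP attack)
  mac-move     a source MAC shows up on a different port than before (MAC spoofing)
  cam-flood    too many distinct new source MACs on one port per window (CAM overflow)
  unknown-mac  source MAC not on the approved list (MAC filtering / unknown device)
Port names, MAC/IP addresses, thresholds and frames are constructed for the demo."""
import struct
from collections import defaultdict

ETHERTYPE_IPV4, ETHERTYPE_ARP, ARP_REPLY = 0x0800, 0x0806, 2

def mac_bytes(s): return bytes.fromhex(s.replace(":", ""))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_bytes(s): return bytes(int(o) for o in s.split("."))
def ip_str(b): return ".".join(str(x) for x in b)

def parse_frame(raw):
    """Parse the 14-byte Ethernet II header; for EtherType 0x0806 also the 28-byte ARP body."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", raw[:14])
    frame = {"dst": mac_str(dst), "src": mac_str(src), "etype": etype, "arp": None}
    if etype == ETHERTYPE_ARP and len(raw) >= 42:
        # htype, ptype, hlen, plen, opcode, sender MAC, sender IP, target MAC, target IP
        _, _, _, _, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", raw[14:42])
        frame["arp"] = {"op": op, "sha": mac_str(sha), "spa": ip_str(spa),
                        "tha": mac_str(tha), "tpa": ip_str(tpa)}
    return frame

def build_frame(src, dst, etype, payload=b""):
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", etype) + payload

def build_arp_reply(sha, spa, tha, tpa):
    """Unicast ARP reply; the frame source MAC equals the ARP sender hardware address."""
    body = (struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, ARP_REPLY)
            + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa))
    return build_frame(sha, tha, ETHERTYPE_ARP, body)

class L2Monitor:
    def __init__(self, approved_macs, max_new_macs=10, window=1.0):
        self.approved = set(approved_macs)
        self.max_new = max_new_macs          # distinct new source MACs per port per window
        self.window = window                 # seconds
        self.arp_table = {}                  # ip -> mac, learned from ARP replies
        self.mac_port = {}                   # mac -> port, mirrors the switch's CAM table
        self.first_seen = defaultdict(dict)  # port -> {mac: first timestamp}
        self.flood_alerted = {}              # port -> timestamp of last cam-flood alert
        self.alerts = []                     # (kind, port, ts, detail)

    def observe(self, port, ts, raw):
        f = parse_frame(raw)
        src = f["src"]
        if src not in self.approved:
            self.alerts.append(("unknown-mac", port, ts, src))
        prev = self.mac_port.get(src)
        if prev is None:
            self.mac_port[src] = port
        elif prev != port:  # the switch's CAM entry would move to the new port
            self.alerts.append(("mac-move", port, ts, f"{src} moved from {prev}"))
            self.mac_port[src] = port
        seen = self.first_seen[port]
        if src not in seen:
            seen[src] = ts
            recent = sum(1 for t in seen.values() if ts - t <= self.window)
            last = self.flood_alerted.get(port)
            if recent > self.max_new and (last is None or ts - last > self.window):
                self.flood_alerted[port] = ts  # rate-limit to one alert per window
                self.alerts.append(("cam-flood", port, ts, f"{recent} new MACs within {self.window}s"))
        arp = f["arp"]
        if arp and arp["op"] == ARP_REPLY:
            known = self.arp_table.get(arp["spa"])
            if known is None:
                self.arp_table[arp["spa"]] = arp["sha"]
            elif known != arp["sha"]:
                self.alerts.append(("arp-spoof", port, ts, f"{arp['spa']}: {known} -> {arp['sha']}"))
        return f

GATEWAY, HOST_A, ATTACKER = "00:00:5e:00:01:01", "3c:52:82:00:00:0a", "de:ad:be:ef:00:01"

def run_demo():
    """Replay a constructed frame sequence; return the number of alerts per kind."""
    mon = L2Monitor(approved_macs=[GATEWAY, HOST_A])
    # legitimate: gateway answers host A's ARP request, host A talks to the gateway
    mon.observe("Gi1/0/1", 0.0, build_arp_reply(GATEWAY, "192.168.1.1", HOST_A, "192.168.1.10"))
    mon.observe("Gi1/0/2", 0.1, build_frame(HOST_A, GATEWAY, ETHERTYPE_IPV4))
    # ARP attack: attacker sends host A an unsolicited reply claiming the gateway's IP
    mon.observe("Gi1/0/7", 0.5, build_arp_reply(ATTACKER, "192.168.1.1", HOST_A, "192.168.1.10"))
    # MAC spoofing: attacker sends a frame with host A's source MAC from its own port
    mon.observe("Gi1/0/7", 0.6, build_frame(HOST_A, GATEWAY, ETHERTYPE_IPV4))
    # CAM overflow: attacker floods 12 bogus source MACs within 12 ms
    for i in range(12):
        mon.observe("Gi1/0/7", 1.0 + i / 1000, build_frame(f"02:00:00:00:00:{i:02x}", GATEWAY, ETHERTYPE_IPV4))
    counts = defaultdict(int)
    for kind, _, _, _ in mon.alerts:
        counts[kind] += 1
    return dict(counts)

if __name__ == "__main__":
    for kind, n in sorted(run_demo().items()):
        print(f"{kind}: {n}")
```

The mac-move check mirrors what the switch's own CAM table does during MAC spoofing, which is why a monitor that mirrors a SPAN port can see the attack even though the switch itself silently accepts it. The flood heuristic counts distinct new source MACs per port rather than frame rate, so a busy but legitimate uplink does not trigger it; on a real network the window and threshold need tuning, and uplink/trunk ports should be excluded or given a much higher limit.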
