Cisco® CCNA Security Exam Notes : Common Layer 2 Attacks



4. Secure Routing and Switching

4.4 Common Layer 2 attacks

1. Disable IP source routing: removes an attacker's ability to dictate the path a packet takes to reach its destination (no ip source-route in IOS).

2. Disable the finger service: prevents an attacker from learning who is logged in to the device.

3. Disable the IP identification (ident) service: identification support lets anyone connect to a TCP port, send a short text request and receive a text reply describing the connection. It is another way for an attacker to learn the router's make, model and IOS version, information that can be used to design attacks against the router.

4. Disable CDP: CDP advertises the device's make, model number and Cisco IOS software version to its neighbours, and that information can likewise be used to design attacks against the router. Disable it at least on interfaces facing untrusted networks.


ARP poisoning and DHCP spoofing are Layer 2 attacks, whereas IP spoofing, ICMP attacks, and DoS attacks using fake source IP addresses are Layer 3 attacks. (DHCP snooping is the switch feature that defends against DHCP spoofing, not an attack.)

IP address spoofing: IP address spoofing is a technique that replaces the source IP address of an IP packet with the address of another machine. It can enable an attacker to send packets into a network without having them stopped by a packet-filtering firewall, because firewall rules are usually written in terms of which source IP addresses are authorized to communicate with the internal machines.

IP Spoofing attack: IP spoofing is used to gain unauthorized access to machines: the attacker illicitly impersonates another machine by manipulating IP packets. Besides writing a forged (spoofed) source address into the header, the attacker must recompute the IP header checksum so the packet is not discarded, and for TCP must also predict the sequence numbers the victim expects, since the replies go to the spoofed host rather than to the attacker.
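The two sides of the paragraph above, as an added example that is not part of the original notes: the attacker's packet with a forged source and a recomputed header checksum, and the ingress anti-spoofing check (RFC 2827 style) an edge router applies. The 10.1.0.0/16 "inside" prefix, the interface names and the addresses are constructed for illustration.

```python
"""Added example (not from the original notes): build an IPv4 header with a
spoofed source address, recompute the header checksum the attacker must fix
up, and apply the ingress anti-spoofing filter an edge router would use.
Prefix, interface names and addresses are constructed for illustration."""
import ipaddress
import struct

INSIDE = ipaddress.ip_network("10.1.0.0/16")   # constructed: the protected LAN


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the 16-bit words of the header.
    Over a header whose checksum field is already correct it returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int = 1, payload_len: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct checksum."""
    ver_ihl = (4 << 4) | 5
    hdr = struct.pack("!BBHHHBBH4s4s",
                      ver_ihl, 0, 20 + payload_len, 0x1234, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    # Checksum is computed with the field zeroed, then written at bytes 10-11.
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_src(hdr: bytes) -> ipaddress.IPv4Address:
    return ipaddress.IPv4Address(hdr[12:16])


def checksum_ok(hdr: bytes) -> bool:
    return ipv4_checksum(hdr) == 0


def ingress_filter(hdr: bytes, arrived_on: str) -> str:
    """Anti-spoofing check on the edge router. A packet arriving on the
    outside interface must not claim an inside source, and one arriving on
    the inside interface must claim an inside source (what an ACL or uRPF
    enforces). A bad checksum is dropped before any of that."""
    if not checksum_ok(hdr):
        return "drop: bad header checksum"
    src = parse_src(hdr)
    if arrived_on == "outside" and src in INSIDE:
        return "drop: inside source on outside interface (spoofed)"
    if arrived_on == "inside" and src not in INSIDE:
        return "drop: outside source on inside interface (spoofed)"
    return "forward"


if __name__ == "__main__":
    # Attacker on the Internet claims to be inside host 10.1.5.7.
    spoofed = build_ipv4_header("10.1.5.7", "10.1.0.10")
    print(ingress_filter(spoofed, "outside"))
```

The filter is deliberately directional: the same spoofed packet that is dropped on the outside interface would be accepted on the inside one, which is why the check must be tied to the interface the packet arrived on.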

An attacker may attack a computer in a number of ways. Brief descriptions of the attack types that matter from an exam point of view follow:

a. Man-in-the-middle attack: A man-in-the-middle attack occurs when an attacker reroutes communication between two users without the knowledge of the two communicating users. The attacker can monitor and read the traffic before sending it on to the intended recipient. Each user in the communication unknowingly sends traffic to and receives traffic from the attacker, all while thinking they are communicating only with the intended user.

This can happen at Layer 2, where the attacker spoofs Layer 2 MAC addresses to make the communicating hosts on a LAN believe that the attacker's MAC address is the MAC address of the default gateway. Dynamic ARP Inspection (DAI) on switches prevents this spoofing of Layer 2 addresses.

A man-in-the-middle attack can occur at Layer 3 by a rogue router being placed on the network and then tricking the other routers into believing that the new router has a better path. You can mitigate attacks such as these by using routing authentication protocols.

The most robust defence is to protect the data itself with an authenticated, encrypted protocol such as SSH or HTTPS, so that data in motion is not plain text. Note that it is the authentication step (host keys, certificates) that defeats the man in the middle; a user who clicks through a host-key or certificate warning hands the attacker the session despite the encryption.

b. Denial-of-service attack: In a denial-of-service (DoS) attack, an attacker attempts to prevent legitimate users from accessing information or services. By targeting your computer and its network connection, or the computers and network of the sites you are trying to use, an attacker may be able to prevent you from accessing email, websites, online accounts (banking, etc.), or other services that rely on the affected computer.

A more advanced type of DDoS attack is the reflected DDoS (RDDoS) attack. The attacker sends query packets whose source address is spoofed to the victim's address. The response packets are then "reflected" back from the unwitting participants to the victim, that is, to the forged source of the initial query packets.

c. Spoofing attack: Spoofing is an impersonation of a user, device or client on the Internet. It's often used during a cyber attack to disguise the source of attack traffic.

The most common forms of spoofing are:

  • DNS server spoofing - Modifies DNS responses or a DNS server's records in order to redirect a domain name to a different IP address. It's typically used to send victims to sites that spread malware or steal credentials.
  • ARP spoofing - Links a perpetrator's MAC address to a legitimate IP address through spoofed ARP messages. It's typically used in denial of service (DoS) and man-in-the-middle assaults.
  • IP address spoofing - Disguises an attacker's origin IP. It's typically used in DoS assaults.

d. Reconnaissance attack: In computer security reconnaissance is a type of computer attack in which an intruder engages with the targeted system to gather information about vulnerabilities.

The attacker first discovers open ports with a port-scanning tool. After the scan, the attacker usually exploits known vulnerabilities in the services associated with the open ports that were detected.

The way to prevent most port scans and other reconnaissance is a good firewall combined with an intrusion prevention system (IPS). The firewall controls which ports are exposed and to whom they are visible. The IPS can detect port scans in progress and shut them down before the attacker can gain a full map of your network.

e. STP attack: An attacker who is physically connected to the network and who has the ability to create BPDU frames with specific characteristics can use the STP to cause various kinds of havoc, from stealing data to disrupting the network.

There are a few simple ways to prevent exploitation of STP in your network. For any STP attack to be feasible, the switch must accept and act on BPDUs received on a port the attacker can reach. The answer is not to turn STP off on access ports (a switch without STP cannot detect loops) but to keep ordinary users away from STP decisions: enable PortFast with BPDU Guard on every user port, so that a port receiving any BPDU is immediately err-disabled, and Root Guard on ports that must never lead toward the root, so that a superior BPDU leaves the port in a root-inconsistent (blocked) state instead of electing a rogue root bridge. Port security on all user ports and restricting physical access to network equipment complete the picture.

With BPDU Guard on user ports, the attacker would have to reach a switch physically and connect to a switch-to-switch port to inject BPDUs (assuming all unused ports are shut down). If you cannot restrict physical access to your network devices, other measures must be taken to ensure network security. Port security is a feature that allows the switch to accept frames from only a given number (usually the first learned) of source MAC addresses. Enabling port security on user ports makes the attack unfeasible without prior network sniffing or hijacking a user's workstation.
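How BPDU Guard and Root Guard defeat the rogue-BPDU attack described above, as an added example that is not part of the original notes: it parses an 802.1D configuration BPDU from its bytes and shows the same priority-0 BPDU taking over an unprotected port, err-disabling a BPDU Guard port, and being ignored on a Root Guard port. Bridge IDs, MACs and the port name are constructed.

```python
"""Added example (not from the original notes): parse an 802.1D configuration
BPDU and apply BPDU Guard and Root Guard, the Cisco features that stop a rogue
BPDU without turning STP off. Bridge IDs, MACs and port names are constructed."""
import struct

# 802.1D configuration BPDU body (35 bytes) following the 3-byte LLC header:
# protocol id, version, type, flags, root id, root path cost, bridge id,
# port id, message age, max age, hello time, forward delay
CONFIG_BPDU = struct.Struct("!HBBBQIQHHHHH")
STP_LLC = b"\x42\x42\x03"


def bridge_id(priority: int, mac: str) -> int:
    """Bridge ID = 16-bit priority field followed by the 48-bit MAC; lower wins."""
    return (priority << 48) | int(mac.replace(":", ""), 16)


def build_config_bpdu(root: int, sender: int, cost: int = 0) -> bytes:
    """Config BPDU claiming `root` as root bridge, sent by bridge `sender`.
    Timers are in 1/256-second units (max age 20 s, hello 2 s, fwd delay 15 s)."""
    return STP_LLC + CONFIG_BPDU.pack(0, 0, 0, 0, root, cost, sender, 0x8001,
                                      0, 20 * 256, 2 * 256, 15 * 256)


def parse_config_bpdu(frame: bytes) -> dict:
    if frame[:3] != STP_LLC:
        raise ValueError("not an STP frame")
    f = CONFIG_BPDU.unpack(frame[3:3 + CONFIG_BPDU.size])
    if f[2] != 0x00:                       # type 0x00 = configuration BPDU
        raise ValueError("not a configuration BPDU")
    return {"root_id": f[4], "cost": f[5], "bridge_id": f[6]}


class Port:
    def __init__(self, name, bpdu_guard=False, root_guard=False):
        self.name, self.bpdu_guard, self.root_guard = name, bpdu_guard, root_guard
        self.state = "forwarding"


class Switch:
    def __init__(self, my_id: int, root_id: int):
        self.my_id, self.root_id = my_id, root_id

    def receive_bpdu(self, port: Port, frame: bytes) -> str:
        bpdu = parse_config_bpdu(frame)
        if port.bpdu_guard:
            # PortFast + BPDU Guard: no BPDU may ever arrive here, so err-disable.
            port.state = "err-disabled"
            return "bpduguard: err-disabled"
        if bpdu["root_id"] < self.root_id:
            if port.root_guard:
                # Root Guard: a superior BPDU on this port blocks the port,
                # the current root is kept.
                port.state = "root-inconsistent"
                return "rootguard: root-inconsistent"
            self.root_id = bpdu["root_id"]   # rogue bridge becomes root
            return "root changed"
        return "accepted"


def demo() -> dict:
    """Same rogue BPDU against three port configurations.
    Returns {name: (verdict, legitimate root kept?, port state)}."""
    legit_root = bridge_id(4096, "00:11:22:33:44:55")
    rogue = bridge_id(0, "02:00:00:00:be:ef")      # priority 0 beats 4096
    attack = build_config_bpdu(root=rogue, sender=rogue)
    results = {}
    for name, guard in (("unprotected", {}),
                        ("bpduguard", {"bpdu_guard": True}),
                        ("rootguard", {"root_guard": True})):
        sw = Switch(bridge_id(32768, "00:aa:bb:cc:dd:ee"), legit_root)
        port = Port("Gi0/5", **guard)
        verdict = sw.receive_bpdu(port, attack)
        results[name] = (verdict, sw.root_id == legit_root, port.state)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Note the difference in reaction: BPDU Guard shuts the port on any BPDU at all (appropriate for user ports, where no bridge should exist), while Root Guard still accepts ordinary BPDUs on a port toward a downstream switch and only refuses ones that would move the root.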

ICMP Attack: There are several types of ICMP attacks.

1. ICMP tunnel attack: a covert channel in which data is carried in the payload of ICMP messages (typically echo request and reply), so the flow is not controlled by any security mechanism. The tunnel establishes a channel between client and server through a firewall that permits ICMP and does not inspect its payload, so no alarm is triggered when data is sent via ICMP.

2. Smurf attack: The Smurf attack is a distributed denial-of-service attack in which large numbers of Internet Control Message Protocol (ICMP) packets with the intended victim's spoofed source IP are broadcast to a computer network using an IP broadcast address.

3. DoS attack: in a DoS attack the attacker floods the victim with traffic, usually with spoofed source addresses so that the flood cannot be traced or filtered by source. In a DDoS attack the flood is distributed: many compromised computers are coordinated to attack at once, for maximum damage to network availability. The main harm done by DoS and DDoS is that legitimate access to the victim's network resources is severely limited.

The Internet architecture provides an unregulated network path to attack innocent hosts, and denial-of-service (DoS) attacks exploit this to target mission-critical services. DoS attacks are explicit attempts to block legitimate users' access by reducing system availability. Physical and host-based intrusions are generally addressed through hardened security policies and authentication mechanisms. Although software patching defends against some attacks, it does not safeguard against DoS flooding attacks, which exploit the unregulated forwarding of Internet packets.

DHCP Spoofing attack: The attack usually starts with DHCP starvation, in which an attacker broadcasts a large number of DHCP DISCOVER/REQUEST messages with spoofed source MAC addresses. If the legitimate DHCP server answers all of these bogus requests, the available addresses in its scope are depleted within a very short time. The attacker then runs a rogue DHCP server (the spoofing proper) that answers new clients, handing out its own address as default gateway or DNS server and so placing itself in the middle of their traffic. DHCP snooping is the switch mechanism that protects clients from this attack: it drops DHCP server messages arriving on untrusted ports, can rate-limit DHCP requests per port, and builds a binding table of MAC address, IP address, VLAN and port that DAI and IP Source Guard use later.
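The DHCP snooping checks just described, as an added example that is not part of the original notes: a simplified per-port model in which a rogue server's OFFER on an untrusted port is dropped, a real server's ACK on the trusted uplink creates a binding, and a starvation burst trips the per-port rate limit. Port names, MACs, addresses and the 15 packets-per-second limit (the value commonly configured with ip dhcp snooping limit rate) are constructed assumptions.

```python
"""Added example (not from the original notes): a simplified model of the
DHCP snooping checks a Catalyst switch applies per port. Ports, MACs,
addresses and the 15 pps rate limit are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass

BOOTREQUEST, BOOTREPLY = 1, 2


@dataclass
class DhcpMsg:
    op: int                   # 1 = client -> server, 2 = server -> client
    src_mac: str              # Ethernet source address of the frame
    chaddr: str               # client hardware address inside the DHCP payload
    msg_type: str             # DISCOVER / OFFER / REQUEST / ACK
    yiaddr: str = "0.0.0.0"   # address offered or assigned (replies only)
    t: float = 0.0            # arrival time in seconds


class DhcpSnooping:
    """Trusted ports may carry server replies; untrusted ports may not.
    Untrusted requests are rate limited and must carry a chaddr matching the
    frame's source MAC. ACKs seen on trusted ports populate the binding table."""

    def __init__(self, trusted_ports, rate_limit=15):
        self.trusted = set(trusted_ports)
        self.rate_limit = rate_limit            # packets per second per port
        self.errdisabled = set()
        self.bindings = {}                      # chaddr -> (ip, vlan)
        self._recent = defaultdict(list)        # port -> request timestamps

    def process(self, port: str, vlan: int, msg: DhcpMsg) -> str:
        if port in self.errdisabled:
            return "drop: port err-disabled"
        if port in self.trusted:
            if msg.op == BOOTREPLY and msg.msg_type == "ACK":
                self.bindings[msg.chaddr] = (msg.yiaddr, vlan)
            return "forward"
        if msg.op == BOOTREPLY:
            return "drop: server reply on untrusted port (rogue DHCP server)"
        if msg.src_mac.lower() != msg.chaddr.lower():
            return "drop: chaddr does not match frame source MAC"
        recent = self._recent[port]
        recent[:] = [t for t in recent if msg.t - t < 1.0]   # one-second window
        recent.append(msg.t)
        if len(recent) > self.rate_limit:
            self.errdisabled.add(port)
            return "drop: DHCP rate limit exceeded, port err-disabled"
        return "forward"


def demo() -> dict:
    snoop = DhcpSnooping(trusted_ports={"Gi0/1"})
    # Rogue server on an access port answers a client: dropped.
    rogue = snoop.process("Gi0/2", 10, DhcpMsg(
        BOOTREPLY, "02:00:00:00:00:99", "00:00:00:00:00:50", "OFFER", "10.1.0.50"))
    # Real server behind the trusted uplink: forwarded, ACK creates a binding.
    snoop.process("Gi0/1", 10, DhcpMsg(
        BOOTREPLY, "00:00:5e:00:53:10", "00:00:00:00:00:50", "ACK", "10.1.0.50"))
    # Starvation: 20 DISCOVERs from 20 different MACs within one second. The
    # attacker spoofs the frame source to match chaddr, so only the rate
    # limit (or port security) catches it.
    flood = []
    for i in range(20):
        mac = "02:00:00:00:00:%02x" % i
        flood.append(snoop.process("Gi0/3", 10, DhcpMsg(
            BOOTREQUEST, mac, mac, "DISCOVER", t=i * 0.05)))
    return {"rogue": rogue, "bindings": dict(snoop.bindings),
            "flood": flood, "errdisabled": sorted(snoop.errdisabled)}


if __name__ == "__main__":
    print(demo())
```

Because a starvation tool also spoofs the Ethernet source address, the chaddr check alone does not stop it; the rate limit here, and port security limiting MACs per port, are what shut the attacker's port.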

The security features implemented on routers (Layer-3 devices) include the following:

  • Reflexive access lists
  • Context-Based Access Control (CBAC)
  • Zone-based firewall
  • ACLs
  • AAA
  • Routing protocol authentication
  • Secure management protocols (HTTPS, SSH, etc.)

A CAM overflow attack happens when an attacker connects to one or more switch ports and runs a program (macof from the dsniff suite is the classic tool) that generates frames from thousands of random source MAC addresses. The switch writes each new MAC address into the CAM table until the table fills to capacity. Once it is full, no new MAC addresses can be learned, so the switch floods frames destined for any address not already in the table out of every port in the VLAN, and since entries age out, legitimate hosts lose their entries too. A CAM overflow attack thus turns a switch into a hub, which enables the attacker to eavesdrop on conversations and perform man-in-the-middle attacks. Port security (a maximum number of MAC addresses per port, with a shutdown or restrict violation action) stops the attack at the attacker's own port.
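A minimal model of the behaviour just described, as an added example that is not part of the original notes: a switch with a small CAM table learns source MACs and floods unknown destinations, a random-MAC flood fills the table so a new host's replies are flooded to the attacker, and port security with a one-MAC limit err-disables the attacker's port before the table fills. The table size of 1000, the port names and the MAC addresses are constructed.

```python
"""Added example (not from the original notes): a minimal switch CAM-table
model showing why a MAC flood turns the switch into a hub and how port
security on the attacker's port stops it. Table size, port names and MAC
addresses are constructed for illustration."""
import random


class Switch:
    def __init__(self, ports, cam_size, port_security=None):
        self.ports = list(ports)
        self.cam_size = cam_size
        self.cam = {}                                 # mac -> port
        self.port_security = port_security or {}      # port -> max MACs allowed
        self.secure_macs = {p: set() for p in self.port_security}
        self.errdisabled = set()

    def learn(self, port, src_mac) -> bool:
        """Source learning with port security. Returns False if the frame is
        dropped (port err-disabled, or violation -> shutdown)."""
        if port in self.errdisabled:
            return False
        if port in self.port_security:
            secure = self.secure_macs[port]
            if src_mac not in secure:
                if len(secure) >= self.port_security[port]:
                    self.errdisabled.add(port)        # violation mode shutdown
                    return False
                secure.add(src_mac)
        if src_mac not in self.cam and len(self.cam) < self.cam_size:
            self.cam[src_mac] = port                  # full table: nothing learned
        return True

    def forward(self, in_port, src_mac, dst_mac) -> list:
        """Egress ports for a frame: unicast if the destination is known,
        flood to all other ports if it is not."""
        if not self.learn(in_port, src_mac):
            return []
        out = self.cam.get(dst_mac)
        if out is None:
            return [p for p in self.ports if p != in_port]
        return [] if out == in_port else [out]


def mac_flood(switch, port, count, rng):
    """Attacker's tool: frames from `count` random locally administered MACs."""
    for _ in range(count):
        mac = "02:" + ":".join("%02x" % rng.randrange(256) for _ in range(5))
        switch.forward(port, mac, "ff:ff:ff:ff:ff:ff")


def demo(port_security=None) -> dict:
    sw = Switch(["Gi0/1", "Gi0/2", "Gi0/3", "Gi0/4"], cam_size=1000,
                port_security=port_security)
    a, b, c = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0c"
    sw.forward("Gi0/1", a, b)          # A learned; B unknown, flooded
    sw.forward("Gi0/2", b, a)          # B learned; A known, unicast
    mac_flood(sw, "Gi0/3", 5000, random.Random(1))   # attacker on Gi0/3
    sw.forward("Gi0/4", c, b)          # new host C tries to get learned
    reply = sw.forward("Gi0/2", b, c)  # healthy switch: unicast to Gi0/4 only
    return {"cam_full": len(sw.cam) >= sw.cam_size,
            "attacker_errdisabled": "Gi0/3" in sw.errdisabled,
            "reply_to_c": reply}


if __name__ == "__main__":
    print("no port security:", demo())
    print("port security max 1:", demo({"Gi0/3": 1}))
```

With the table full, B's reply to C goes out Gi0/1, Gi0/3 and Gi0/4, so the attacker on Gi0/3 sees it; with port security the second random MAC err-disables Gi0/3 and the reply reaches only Gi0/4.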

VLAN hopping attack:

A VLAN hopping attack is possible by two different approaches: switch spoofing or double tagging.

Switch Spoofing: Trunks on switches carry traffic for all VLANs. If an attacker can convince a switch to put the port connected to the attacker's PC into trunking mode, the attacker can then see traffic for all VLANs and simply sniff it. Many Cisco Catalyst switch ports default to the dynamic auto trunking mode (older models defaulted to dynamic desirable); in either dynamic mode the port becomes a trunk as soon as it receives Dynamic Trunking Protocol (DTP) frames from a device that claims to be a switch, which an attacker's tool can send. Configure user ports explicitly as access ports (switchport mode access) and disable DTP on them (switchport nonegotiate) wherever trunking is not needed.

Double tagging: For this kind of attack to work, the following conditions must exist in the network configuration:

  • The attacker is connected to an access switch port.
  • The switch has an 802.1Q trunk to another switch.
  • The trunk's native VLAN is the attacker's access VLAN.

The attacker, situated on VLAN 10 for example, sends frames carrying two 802.1Q tags as if they had come from a trunk. The attacker's own port stays an ordinary access port; no switch spoofing is needed, because the trick depends only on the trunk's native VLAN being the attacker's access VLAN.

The real frame, possibly carrying malicious data, is first given an 802.1Q tag with the VLAN ID of the target VLAN, in this case VLAN 20. Then a second, outer 802.1Q tag is added with the attacker's access VLAN ID, VLAN 10 in our example.

When the local switch on the left receives the double-tagged frame, it forwards it out the trunk interface. Because the outer "VLAN 10" tag matches the trunk's native VLAN, that tag is removed as the frame is sent on the trunk: the switch sends all frames from the native VLAN untagged, which is normal. The inner "VLAN 20" tag is now the first tag on the wire. When the switch on the right receives the frame, it finds that 802.1Q tag, removes it, and forwards the frame into VLAN 20. At that moment the attacker has sent a frame from VLAN 10 and had it injected into VLAN 20 without going through a router; it was done entirely through Layer 2 switching. The attack is one-way (replies from VLAN 20 do not come back to VLAN 10), so it suits injection and denial of service rather than interactive access. To mitigate it, set the native VLAN of every trunk to an unused VLAN that no access port belongs to, and tag the native VLAN on trunks (vlan dot1q tag native on Catalyst switches).
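The three hops described above, as an added example that is not part of the original notes: it builds the double-tagged frame from its bytes and models access-port ingress on the first switch, native-VLAN handling at the trunk, and trunk ingress on the second switch, so the same frame can be run against a native VLAN of 10, an unused native VLAN, and a tagged native VLAN. The MACs and VLAN numbers are constructed, and the first switch's tolerance of a tag naming its own access VLAN is an assumption that matches the description above.

```python
"""Added example (not from the original notes): build a double-tagged 802.1Q
frame and model the hops the notes describe to show why the attack works only
when the attacker's VLAN is the trunk's native VLAN. MACs, VLAN numbers and
the tolerant access-port behaviour are constructed assumptions."""
import struct

ETH_P_8021Q = 0x8100


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_frame(dst, src, vlans, payload, ethertype=0x0800) -> bytes:
    """Ethernet frame with one 802.1Q tag per VLAN in `vlans`, outermost first."""
    hdr = mac_bytes(dst) + mac_bytes(src)
    for vid in vlans:
        hdr += struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def pop_tag(frame: bytes):
    """Remove the outermost tag; returns (vlan id or None, remaining frame)."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_8021Q:
        return None, frame
    vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return vid, frame[:12] + frame[16:]


def push_tag(frame: bytes, vid: int) -> bytes:
    return frame[:12] + struct.pack("!HH", ETH_P_8021Q, vid) + frame[12:]


def access_ingress(frame, access_vlan):
    """First switch, access port: the frame belongs to the access VLAN. A tag
    naming that very VLAN is stripped (assumed); any deeper tag is carried
    along as opaque payload."""
    vid, inner = pop_tag(frame)
    if vid is None:
        return access_vlan, frame
    if vid == access_vlan:
        return access_vlan, inner
    return None, frame                 # tagged for a foreign VLAN: dropped


def trunk_egress(frame, vid, native_vlan, tag_native=False):
    """First switch, 802.1Q trunk: native-VLAN frames leave untagged unless
    'vlan dot1q tag native' is configured."""
    if vid == native_vlan and not tag_native:
        return frame
    return push_tag(frame, vid)


def trunk_ingress(frame, native_vlan):
    """Second switch, trunk: untagged frames belong to the native VLAN."""
    vid, inner = pop_tag(frame)
    return (native_vlan, frame) if vid is None else (vid, inner)


def double_tag_hop(native_vlan, attacker_vlan=10, target_vlan=20, tag_native=False):
    """VLAN the second switch delivers the attacker's frame to (None = dropped)."""
    frame = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:be:ef",
                        [attacker_vlan, target_vlan], b"constructed payload")
    vid, frame = access_ingress(frame, attacker_vlan)
    if vid is None:
        return None
    on_wire = trunk_egress(frame, vid, native_vlan, tag_native)
    delivered_vlan, _ = trunk_ingress(on_wire, native_vlan)
    return delivered_vlan


if __name__ == "__main__":
    print("native VLAN 10      :", double_tag_hop(native_vlan=10))
    print("native VLAN 999     :", double_tag_hop(native_vlan=999))
    print("native 10, tagged   :", double_tag_hop(native_vlan=10, tag_native=True))
```

With native VLAN 10 the frame lands in VLAN 20; with an unused native VLAN, or with the native VLAN tagged, the first switch re-tags the frame as VLAN 10 on the trunk and the second switch delivers it back into VLAN 10 with the VLAN 20 tag still buried in the payload.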

Botnet: A botnet, also known as zombie army, is a group of computers connected in a coordinated fashion for malicious purposes. Each computer in a botnet is called a bot. These bots form a network of compromised computers, which is controlled by a third party and used to transmit malware or spam, or to launch attacks. DDoS is an example of attack where botnet computers attack a resource, making the resource unavailable to its users.

Trust exploitation: The goal of a trust exploitation attack is to compromise a trusted host and use it to stage attacks on other hosts in a network. If a host inside a company's firewall (inside host) accepts connections from a trusted host outside the firewall (outside host), the inside host can be attacked through that trusted outside host. For example, if a host in a DMZ is compromised, an attacker may use it to attack hosts within the organization's internal network.

Reconnaissance: This is the discovery process used to find information such as IP addresses used, open ports, etc. about a computer network. This is usually the first step taken, to discover what is on the network and to determine potential vulnerabilities.

ARP Poisoning: The Address Resolution Protocol (ARP) resolves IP addresses into MAC (hardware) addresses; hosts on a LAN deliver frames to each other by MAC address. ARP cache poisoning sends a victim unsolicited (gratuitous) ARP replies that map another host's IP address, typically the default gateway's, to the attacker's MAC address, so the victim's traffic is delivered to the attacker, who relays it onward and so acts as a proxy in the middle.
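The ARP poisoning just described and the DAI check mentioned under the man-in-the-middle attack earlier, as one added example that is not part of the original notes: it builds the attacker's ARP reply from its bytes and runs it through a Dynamic ARP Inspection model that validates the sender MAC/IP pair against a DHCP snooping binding table and a static ARP ACL for the gateway. The binding table, ARP ACL, MACs, addresses and port names are all constructed; on a real switch the bindings come from DHCP snooping.

```python
"""Added example (not from the original notes): parse an Ethernet/IPv4 ARP
packet and apply Dynamic ARP Inspection against a DHCP snooping binding
table and a static ARP ACL, as a Catalyst switch does on untrusted ports.
MACs, addresses, ports and the binding table itself are constructed."""
import ipaddress
import struct

ARP_FMT = struct.Struct("!HHBBH6s4s6s4s")    # 28-byte ARP for Ethernet/IPv4
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join("%02x" % x for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    return ARP_FMT.pack(1, 0x0800, 6, 4, op,
                        mac_bytes(sender_mac), ipaddress.IPv4Address(sender_ip).packed,
                        mac_bytes(target_mac), ipaddress.IPv4Address(target_ip).packed)


def parse_arp(pkt: bytes) -> dict:
    htype, ptype, hlen, plen, op, smac, sip, tmac, tip = ARP_FMT.unpack(pkt[:ARP_FMT.size])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op,
            "sender_mac": mac_str(smac), "sender_ip": str(ipaddress.IPv4Address(sip)),
            "target_mac": mac_str(tmac), "target_ip": str(ipaddress.IPv4Address(tip))}


class DynamicArpInspection:
    def __init__(self, bindings, trusted_ports, arp_acl=None):
        self.bindings = bindings            # (vlan, mac) -> ip, from DHCP snooping
        self.trusted = set(trusted_ports)   # uplinks: not inspected
        self.arp_acl = arp_acl or {}        # (vlan, ip) -> mac, for static hosts

    def inspect(self, port, vlan, frame_src_mac, pkt) -> str:
        if port in self.trusted:
            return "forward: trusted port"
        arp = parse_arp(pkt)
        if arp["sender_mac"] != frame_src_mac.lower():     # 'validate src-mac'
            return "drop: ARP sender MAC differs from frame source MAC"
        if self.arp_acl.get((vlan, arp["sender_ip"])) == arp["sender_mac"]:
            return "forward: ARP ACL match"
        if self.bindings.get((vlan, arp["sender_mac"])) != arp["sender_ip"]:
            return "drop: no DHCP snooping binding for %s/%s" % (
                arp["sender_ip"], arp["sender_mac"])
        return "forward: binding match"


GATEWAY_MAC, VICTIM_MAC, ATTACKER_MAC = "00:00:5e:00:53:01", "00:00:00:00:00:50", "02:00:00:00:00:66"

DAI = DynamicArpInspection(
    bindings={(10, VICTIM_MAC): "10.1.0.50", (10, ATTACKER_MAC): "10.1.0.66"},
    trusted_ports={"Gi0/24"},
    arp_acl={(10, "10.1.0.1"): GATEWAY_MAC})      # gateway is statically addressed


def demo() -> dict:
    # Attacker on Gi0/3 tells the victim that 10.1.0.1 (the gateway) is at its MAC.
    poison = build_arp(ARP_REPLY, ATTACKER_MAC, "10.1.0.1", VICTIM_MAC, "10.1.0.50")
    # The same host announcing its own, DHCP-assigned address is legitimate.
    honest = build_arp(ARP_REPLY, ATTACKER_MAC, "10.1.0.66", VICTIM_MAC, "10.1.0.50")
    # The real gateway answering from an untrusted access port matches the ACL.
    gateway = build_arp(ARP_REPLY, GATEWAY_MAC, "10.1.0.1", VICTIM_MAC, "10.1.0.50")
    return {"poison": DAI.inspect("Gi0/3", 10, ATTACKER_MAC, poison),
            "honest": DAI.inspect("Gi0/3", 10, ATTACKER_MAC, honest),
            "gateway": DAI.inspect("Gi0/5", 10, GATEWAY_MAC, gateway),
            "poison_on_uplink": DAI.inspect("Gi0/24", 10, ATTACKER_MAC, poison)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

The last case is the practitioner's caveat: DAI only inspects untrusted ports, so a poisoned ARP injected on a port marked trusted passes. Trust only switch-to-switch links, and never a port a user can plug into.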
