In the world of network security we have expensive, advanced security devices that act as a strong perimeter defense and help prevent cyberattacks. Most network administrators stop once the basic network configuration is in place, but the smarter ones also apply Layer 2 security to prevent the common Layer 2 attacks. I strongly recommend that you do not skip this, because it is just as crucial for your network.
In this blog we will learn about Layer 2 attacks and how to mitigate them. The Layer 2 attacks are as follows:
- MAC Attacks
- VLAN Hopping Attacks
- DHCP Attacks
- GARP Attacks
- Spoofing Attacks
- MAC Spoofing
- IP Spoofing
In this part 1 we cover only MAC attacks and VLAN hopping attacks; the remaining attacks will be covered in part 2.
MAC Attacks – Layer 2 Security
The CAM (Content Addressable Memory) table stores the MAC addresses the switch has learned, the physical port each one was learned on and the associated VLAN. The CAM table has a fixed size, and an attacker exploits this limit by filling it up.
Readily available tools let an attacker send frames with thousands of bogus source MAC addresses per second until the CAM table reaches its size limit.
So, here is the main question: what happens when the CAM table is full?
- Once the CAM table is full, frames to destinations without a CAM entry are flooded out of every port in the VLAN; traffic to destinations that already have a CAM entry is still switched normally.
- This effectively turns the VLAN into a hub.
Defending Against MAC Attacks
We can use Port Security to limit the number of MAC addresses allowed on an interface. Port security stops MAC flooding attacks, shuts down (locks) the offending port and sends an SNMP trap.
We can also configure a specific secure MAC address on a switchport. If a device with a different MAC address is plugged into that interface, the port goes into the err-disabled state.
Port-Security Configuration CLI Commands
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security violation shutdown
Switch(config-if)#switchport port-security mac-address 1234.56BB.9ABC
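To make the CAM table behaviour described above concrete, here is an added toy model (not code from the original post or from any switch vendor) of a single-VLAN switch with a fixed-size CAM table. It runs the same scenario twice, once with port security off and once with a per-port MAC limit: a server is learned on port 0, a host on port 3 sends frames from 500 different bogus source MACs, and only then does a legitimate client appear on port 1. All MAC addresses, port numbers and the table size are constructed for the example.

```python
"""Toy model of a switch CAM table under a MAC flooding attack, with and
without port security. Added illustration; the switch behaviour is a
simplified model and all MAC addresses here are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Frame:
    src: str       # source MAC
    dst: str       # destination MAC
    in_port: int   # ingress port number


@dataclass
class Switch:
    ports: int                               # all ports sit in one VLAN
    cam_size: int                            # fixed CAM table capacity
    max_macs_per_port: Optional[int] = None  # port-security limit; None = off
    cam: Dict[str, int] = field(default_factory=dict)           # MAC -> port
    learned: Dict[int, Set[str]] = field(default_factory=dict)  # port -> MACs
    err_disabled: Set[int] = field(default_factory=set)
    violations: List[Tuple[int, str]] = field(default_factory=list)

    def forward(self, f: Frame) -> List[int]:
        """Return the egress ports for frame f (empty list if it is dropped)."""
        if f.in_port in self.err_disabled:
            return []                        # port was shut down by port security
        seen = self.learned.setdefault(f.in_port, set())
        if f.src not in self.cam:
            # Port security: a new source MAC beyond the limit is a violation
            if (self.max_macs_per_port is not None
                    and len(seen) >= self.max_macs_per_port):
                self.err_disabled.add(f.in_port)
                self.violations.append((f.in_port, f.src))
                return []
            if len(self.cam) < self.cam_size:
                self.cam[f.src] = f.in_port  # learn the source address
                seen.add(f.src)
            # otherwise the table is full and the source is simply not learned
        if f.dst in self.cam:
            return [self.cam[f.dst]]         # known unicast: a single port
        # Unknown unicast or broadcast: flood out every other active port
        return [p for p in range(self.ports)
                if p != f.in_port and p not in self.err_disabled]


BROADCAST = "ff:ff:ff:ff:ff:ff"
SERVER, CLIENT = "00:00:5e:00:53:01", "00:00:5e:00:53:02"   # constructed MACs


def flooding_scenario(port_security: bool) -> dict:
    """Server on port 0, a late-arriving client on port 1, a flooder on port 3."""
    sw = Switch(ports=4, cam_size=100,
                max_macs_per_port=2 if port_security else None)
    sw.forward(Frame(SERVER, BROADCAST, in_port=0))   # server gets learned
    # Port 3 sends 500 frames, each with a different bogus source MAC
    for i in range(500):
        sw.forward(Frame(f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}",
                         BROADCAST, in_port=3))
    sw.forward(Frame(CLIENT, SERVER, in_port=1))      # client appears afterwards
    reply = sw.forward(Frame(SERVER, CLIENT, in_port=0))
    return {
        "reply_egress": reply,            # [1] if switched, flooded otherwise
        "cam_entries": len(sw.cam),
        "err_disabled": sorted(sw.err_disabled),
        "violations": sw.violations,
    }


if __name__ == "__main__":
    for ps in (False, True):
        print("port security", "on " if ps else "off", flooding_scenario(ps))
```

Without port security the table fills with bogus entries, the late client cannot be learned, and the server's reply to it is flooded out of every port, including the flooder's. With a limit of two MACs per port, port 3 is err-disabled on its third source address, the table stays small, and the reply goes only to port 1.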
We already have a blog post explaining VLAN Hopping in detail, so here I will give only an overview. Please refer to the VLAN Hopping Attack post for a better understanding.
VLAN hopping is an attack in which an attacker sends traffic from one VLAN into another. There are two different methods to accomplish this:
Double Tagging: – In this attack the attacker connects to an interface in access mode whose VLAN is the same as the native (untagged) VLAN of the trunk. The attacker sends a frame with two 802.1Q tags: the outer tag for the native VLAN and the inner tag for the VLAN the attacker wants to reach.
On receiving the frame, the switch strips the outer (native VLAN) 802.1Q tag and forwards the frame, still carrying the inner tag, out one or more of its trunk interfaces.
The attacker has now jumped from the native VLAN into the victim's VLAN. This is a one-way trip, but it can still be used for a DoS attack.
Switch Spoofing: – When a switchport is left in the default "dynamic auto" or "dynamic desirable" mode, an attacker can send DTP packets and negotiate a trunk with the switch. By tricking the switch into thinking another switch is trying to form a trunk, the attacker gains access to every VLAN carried on that trunk port.
For the best protection, disable trunking on all ports except those that require it. Where trunking is needed, disable DTP and configure the trunk manually.
Layer 2 Security Best Practices for VLANs and Trunking
- Give every trunk port a dedicated VLAN ID for its native VLAN
- Disable unused ports and place them in an unused VLAN
- Do not use VLAN 1 for anything
- Disable auto-trunking (DTP off) on ports that are accessible to users
- Explicitly configure trunking on infrastructure ports
- Tag all frames on the native VLAN of trunks instead of leaving native VLAN traffic untagged
- Use the PC voice VLAN access feature on phones that support it
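The checklist above, together with the port-security and DTP mitigations for MAC attacks and switch spoofing, can be verified against a saved running-config rather than by eyeballing it. The following is an added example (not code from the original post or from Cisco) that parses a Cisco IOS-style configuration and reports which interfaces miss port security, still run DTP, sit in VLAN 1, or carry trunks whose native VLAN is 1. The sample configuration, the interface names and the finding codes are constructed for the example; the IOS commands it looks for (switchport mode, switchport nonegotiate, switchport port-security, switchport trunk native vlan, vlan dot1q tag native) are real ones.

```python
"""Audit a Cisco IOS-style switch configuration against the Layer 2 best
practices listed above. Added example; the sample config is constructed."""
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
!
interface GigabitEthernet0/1
 description user port, hardened
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 2
!
interface GigabitEthernet0/2
 description unused
 switchport mode access
 switchport access vlan 999
 shutdown
!
interface GigabitEthernet0/3
 description user port, factory defaults
 switchport mode dynamic auto
!
interface GigabitEthernet0/24
 description uplink to core
 switchport mode trunk
 switchport trunk native vlan 1
!
"""


def parse_config(text):
    """Split a running-config into global commands and per-interface commands."""
    global_cmds, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None                    # '!' ends an interface block
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_cmds.append(line)
    return global_cmds, interfaces


def _vlan(cmds, prefix):
    """Return the VLAN number set by a command starting with prefix, else 1."""
    for c in cmds:
        if c.startswith(prefix):
            return int(c.split()[-1])
    return 1                                  # IOS default for access/native VLAN


def audit_config(text):
    """Return {interface: sorted finding codes}; 'global' holds switch-wide ones."""
    global_cmds, interfaces = parse_config(text)
    findings = defaultdict(set)
    if "vlan dot1q tag native" not in global_cmds:
        findings["global"].add("NATIVE_UNTAGGED")   # native VLAN frames untagged
    for name, cmds in interfaces.items():
        if "shutdown" in cmds:
            continue                          # disabled port: nothing to audit
        mode = next((c.split()[2] for c in cmds
                     if re.match(r"switchport mode \S+", c)), "dynamic")
        # An unspecified mode is treated as dynamic, i.e. DTP negotiation on
        if mode == "dynamic" or "switchport nonegotiate" not in cmds:
            findings[name].add("DTP_ENABLED")
        if mode == "trunk":
            if _vlan(cmds, "switchport trunk native vlan") == 1:
                findings[name].add("NATIVE_VLAN_1")
        else:
            if _vlan(cmds, "switchport access vlan") == 1:
                findings[name].add("VLAN1_IN_USE")
            if "switchport port-security" not in cmds:
                findings[name].add("NO_PORT_SECURITY")
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    for target, codes in audit_config(SAMPLE_CONFIG).items():
        print(f"{target}: {', '.join(codes)}")
```

Run against the sample, the hardened user port (Gi0/1) and the shut-down spare (Gi0/2) produce no findings, the factory-default port (Gi0/3) is flagged for DTP, VLAN 1 and missing port security, the uplink (Gi0/24) for DTP and native VLAN 1, and the switch as a whole for not tagging the native VLAN. Point audit_config at the output of "show running-config" saved to a file to use it on a real switch.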
I hope you learned about two main Layer 2 attacks; the others are also important and will be covered in the upcoming part. I recommend you implement the methods described above in your network. Stay tuned. Call us on +91 9773973971.
Senior Network Security Consultant