L2 Attacks


Layer 2 Attacks

Optional Spanning-Tree Features for Security
• Port Fast
• Uplink Fast
• Backbone Fast
• BPDU Guard
• Root Guard
• BPDU Filter
• UDLD
• Loop Guard
• EtherChannel Guard
Definitions
• Port Fast: Cisco proprietary; used only on access-layer switch ports; the port coming up is treated as an insignificant topology change.
• Uplink Fast: handles a direct topology change; not used on core-layer switches.
• Backbone Fast: handles an indirect topology change.
• Loop Guard prevents alternate or root ports from becoming designated ports because of a failure that leads to a unidirectional link.
• UDLD is a protocol used to discover whether communication over a link is one-way only.
• EtherChannel Guard detects an EtherChannel misconfiguration between the switch and a connected device.
Port Fast
Uplink Fast
Backbone Fast
Difference between Root Guard and BPDU Guard:
Root Guard blocks superior BPDUs,
whereas BPDU Guard blocks both superior and inferior BPDUs.

BPDU Guard vs BPDU Filter:
BPDU Guard blocks only incoming BPDUs,
whereas BPDU Filter blocks both incoming and outgoing BPDUs.
Terminologies
• Control plane
• Data plane
• Management plane
• Man-in-the-middle attack
• DoS
• DDoS
• Smurf attack
• Fraggle attack
• Active attack
• Passive attack
Smurf & Fraggle Attack
• The Smurf Attack is a distributed denial-of-service attack in which
large numbers of Internet Control Message Protocol (ICMP) packets
with the intended victim's spoofed source IP are broadcast to a
computer network using an IP Broadcast address. Most devices on a
network will, by default, respond to this by sending a reply to the
source IP address. If the number of machines on the network that
receive and respond to these packets is very large, the victim's
computer will be flooded with traffic. This can slow down the victim's
computer to the point where it becomes impossible to work on.
Attacks
CAM Flooding
CDP Attack
ARP Spoofing
DHCP Starvation
DHCP Server Spoofing
LAN Storm
Switch Spoofing
MAC Spoofing
VLAN Hopping
STP Spoofing
Multicast Brute Force
Private VLAN Attack
VTP Attack
VMPS/VQP Attack
MAC Duplicating
1. CAM Flooding
• Switches have limited CAM table memory.
• The attacker sends packets with many different source MAC addresses, and each one is stored in the CAM table.
• Once the CAM table is full, the switch acts like a hub: it floods packets to every port within that VLAN.
• 6000-7000 packets/sec.
Mitigation
• Port security.
• Restrict the number of MAC addresses that may be learned on the port.
• Use static or sticky secure MAC addresses.
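To make the CAM-flooding mechanism and the port-security mitigation concrete, here is a small switch model written as an added example (it is not code from the slides). The CAM capacity of 8 entries, the port names and the MAC addresses are constructed; the port-security violation behaviour modelled is the "shutdown" mode, in which the port is placed in err-disabled state when a second source MAC appears on a port limited to one.

```python
"""Model of a switch CAM (MAC address) table under a MAC-flooding attempt,
with and without port security. Added example, not from the original slides;
the table capacity, port names and MAC addresses are constructed."""
from dataclasses import dataclass, field
from typing import Optional

CAM_CAPACITY = 8      # constructed; real tables hold thousands of entries


@dataclass
class Port:
    name: str
    max_macs: Optional[int] = None    # None: port security disabled on this port
    secure_macs: set = field(default_factory=set)
    err_disabled: bool = False


class Switch:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}
        self.cam = {}             # mac -> port name (dynamic entries)
        self.violations = []      # (port, offending mac), what a syslog would record

    def age_out(self):
        """The aging timer expired: all dynamic entries are removed."""
        self.cam.clear()

    def receive(self, port_name, src_mac, dst_mac):
        """Learn src_mac on the ingress port, then forward toward dst_mac.
        Returns 'dropped', 'forwarded' or 'flooded'."""
        port = self.ports[port_name]
        if port.err_disabled:
            return "dropped"
        # Port security: count distinct source MACs; violation mode 'shutdown'.
        if port.max_macs is not None and src_mac not in port.secure_macs:
            if len(port.secure_macs) >= port.max_macs:
                port.err_disabled = True
                self.violations.append((port_name, src_mac))
                return "dropped"
            port.secure_macs.add(src_mac)
        # Learn the source only while the table has room.
        if src_mac in self.cam or len(self.cam) < CAM_CAPACITY:
            self.cam[src_mac] = port_name
        if dst_mac in self.cam:
            return "forwarded"
        return "flooded"      # unknown destination: sent to every port in the VLAN


def simulate(port_security: bool):
    """Attacker on Gi0/1 floods; victims A (Gi0/2) and B (Gi0/3) talk.
    Returns (how A's final frame to B was handled, attacker port err-disabled?)."""
    attacker = Port("Gi0/1", max_macs=1 if port_security else None)
    sw = Switch([attacker, Port("Gi0/2"), Port("Gi0/3")])
    mac_a, mac_b = "00:00:00:00:00:0a", "00:00:00:00:00:0b"
    sw.receive("Gi0/2", mac_a, mac_b)
    sw.receive("Gi0/3", mac_b, mac_a)          # both victims now in the CAM

    def flood():
        for i in range(50):                    # 50 constructed bogus sources
            fake = f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}"
            sw.receive("Gi0/1", fake, "ff:ff:ff:ff:ff:ff")

    flood()
    sw.age_out()                               # aging removes everyone, then
    flood()                                    # the attacker refills the table
    sw.receive("Gi0/2", mac_a, mac_b)          # A cannot be re-learned when full
    sw.receive("Gi0/3", mac_b, mac_a)
    return sw.receive("Gi0/2", mac_a, mac_b), attacker.err_disabled


if __name__ == "__main__":
    print("no port security:", simulate(False))   # ('flooded', False)
    print("port security   :", simulate(True))    # ('forwarded', True)
```

Without port security the victims' conversation ends up flooded to every port in the VLAN once the table is full of attacker entries; with a one-address limit on the attacker's port the second bogus source err-disables that port and the table keeps room for legitimate hosts. The `violations` list is where a real switch would generate the syslog message an operator alerts on.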
2. CDP Attack
• The Cisco Discovery Protocol (CDP) is a Cisco proprietary protocol.
• Most Cisco routers and switches have CDP enabled in the default configuration.
• CDP information is sent in periodic broadcasts and stored locally in each device's CDP database.
• CDP carries information about the network device, such as the software version, IP address, platform, capabilities, and the native VLAN.
• When this information reaches an attacker's computer, the attacker can use it to find exploits against your network, usually in the form of a Denial of Service (DoS) attack.
3. VMPS/VQP Attack
• VLAN Management Policy Server (VMPS) and VLAN Query Protocol (VQP).
• This is a somewhat unlikely attack, as it requires the network to use VMPS, which places a significant load on a company's administrative resources; networks are moving towards 802.1X for the same functionality.
• However, if implemented, VMPS allows VLANs to be assigned based on the MAC address of the host, and these relationships are stored in a database.
• This database is usually downloaded to the VMPS and then queried using VQP, an unauthenticated protocol that runs over UDP (User Datagram Protocol), making it very easy for an attacker to manipulate.
• As a result, by using VQP it is very easy to impersonate hosts, since there is no authentication; this allows the attacker to join a VLAN that he or she is not authorised to access.
• The mitigation is to monitor the network for misbehaviour, send VQP queries out of band, or disable the protocol.
4. LAN Storm
• A LAN storm typically occurs when hostile packets are flooded onto a LAN segment, creating unnecessary and excessive traffic that degrades network performance.
To enable the traffic storm-control feature, use the following command from global configuration mode:
storm-control {broadcast | multicast | unicast}
The command used to specify the action to be taken when a storm is detected:
storm-control action {shutdown | trap}
• By default, storm control is disabled.
To verify the storm-control suppression levels configured on an interface, use the following command:
show storm-control [interface] [broadcast | multicast | unicast]
Protection
Storm Control
It monitors inbound packets over a 1-second interval and compares them to the configured storm-control suppression level, using one of the following methods to measure activity:
• The percentage of the port's total available bandwidth allocated to broadcast, multicast, or unicast traffic.
• The traffic rate, in packets per second over a 1-second interval, at which broadcast, multicast, or unicast packets are received on the interface.
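The following added example (not code from the slides) implements the storm-control measurement just described: inbound packets are bucketed into 1-second intervals, each bucket is compared with a suppression level expressed either as packets per second or as a percentage of port bandwidth, and the configured action, `trap` or `shutdown`, is applied. The packet sample, the 100 Mbit/s port speed and the thresholds are constructed values.

```python
"""Storm-control check: per-second counts of broadcast/multicast/unicast
packets compared with a suppression level in pps or in percent of port
bandwidth. Added example, not from the slides; the traffic sample, port
speed and thresholds are constructed."""
from collections import defaultdict

# (timestamp_seconds, kind, size_bytes); constructed inbound traffic sample:
# a 400-frame broadcast burst in second 0, a quiet second 1 with some unicast.
SAMPLE = (
    [(0.1 + i * 0.002, "broadcast", 64) for i in range(400)]
    + [(1.2 + i * 0.05, "broadcast", 64) for i in range(10)]
    + [(1.3 + i * 0.01, "unicast", 1500) for i in range(50)]
)


def per_second_counts(packets):
    """Bucket packets into 1-second intervals:
    {second: {kind: [packet_count, byte_count]}}."""
    buckets = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for ts, kind, size in packets:
        entry = buckets[int(ts)][kind]
        entry[0] += 1
        entry[1] += size
    return buckets


def storm_detected(count, nbytes, level, unit, port_bps=100_000_000):
    """unit 'pps': compare packets per second with level.
    unit 'percent': compare the share of port bandwidth used in the window."""
    if unit == "pps":
        return count > level
    if unit == "percent":
        return (nbytes * 8) / port_bps * 100 > level
    raise ValueError(f"unknown unit {unit!r}")


def storm_control(packets, kind, level, unit, action="trap"):
    """Evaluate each 1-second interval for one traffic kind.
    Returns a per-second verdict list: 'forwarding', 'trap' or 'shutdown';
    after a 'shutdown' the port is err-disabled for the remaining intervals."""
    buckets = per_second_counts(packets)
    verdicts, port_up = [], True
    for second in sorted(buckets):
        if not port_up:
            verdicts.append("err-disabled")
            continue
        count, nbytes = buckets[second].get(kind, [0, 0])
        if storm_detected(count, nbytes, level, unit):
            verdicts.append(action)
            port_up = action != "shutdown"
        else:
            verdicts.append("forwarding")
    return verdicts


if __name__ == "__main__":
    print(storm_control(SAMPLE, "broadcast", 100, "pps"))              # ['trap', 'forwarding']
    print(storm_control(SAMPLE, "broadcast", 100, "pps", "shutdown"))  # ['shutdown', 'err-disabled']
    print(storm_control(SAMPLE, "unicast", 0.5, "percent"))            # ['forwarding', 'trap']
```

The percentage method is sensitive to frame size (50 full-size unicast frames exceed 0.5% of a 100 Mbit/s port while 400 small broadcasts are only about 0.2%), whereas the pps method catches the small-frame burst; which method to configure depends on what a storm looks like on that segment.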
5. Switch Spoofing
DTP Modes:
• Access: Puts the LAN port into permanent nontrunking mode and negotiates to convert the link into a nontrunk link. The LAN port becomes a nontrunk port even if the neighboring LAN port does not agree to the change.
• Trunk: Puts the LAN port into permanent trunking mode and negotiates to convert the link into a trunk link. The LAN port becomes a trunk port even if the neighboring port does not agree to the change.
• Dynamic Auto: Makes the LAN port willing to convert the link to a trunk link. The LAN port becomes a trunk port if the neighboring LAN port is set to trunk or dynamic desirable mode.
• Dynamic Desirable: Makes the LAN port actively attempt to convert the link to a trunk link. The LAN port becomes a trunk port if the neighboring LAN port is set to trunk, dynamic desirable, or dynamic auto mode. This is the default mode for all LAN ports.
• Nonegotiate: Puts the LAN port into permanent trunking mode but prevents the port from generating DTP frames. You must configure the neighboring port manually as a trunk port to establish a trunk link.

Catalyst 2950 and 3550 Series -> default is Dynamic Desirable (DD).

• Spoofing the switch: the attacker's PC negotiates a trunk with the switch port.
DTP Negotiated Interface Modes

                   | Dynamic Auto | Dynamic Desirable    | Trunk                | Access
Dynamic Auto       | Access       | Trunk                | Trunk                | Access
Dynamic Desirable  | Trunk        | Trunk                | Trunk                | Access
Trunk              | Trunk        | Trunk                | Trunk                | Limited connectivity
Access             | Access       | Access               | Limited connectivity | Access
Protection
• Instead of leaving an end-user switch port set to use DTP in auto mode, configure it to static access mode with the following commands:
Switch(config)# interface type <>
Switch(config-if)# switchport host [makes it an access port]
6. ARP Spoofing
• ARP: Layer 3 (IP) to Layer 2 (MAC) address resolution.
• Gratuitous ARP: a host can claim to be the owner of any IP/MAC address it likes; its purpose is to detect IP conflicts.
• Other hosts on the same subnet can store this information in their ARP table.
• The attacker claims to be the owner of some victim's IP address.
• Traffic is forwarded to the attacker because of the poisoned ARP table.
• ARP attack cleanup: after the attack, the attacker corrects the ARP table entries.
Protection
• Dynamic ARP Inspection (DAI).
• DAI works much like DHCP snooping. All switch ports are classified as trusted or untrusted. If an ARP reply contains invalid information or values that conflict with entries in the trusted database, it is dropped and a log message is generated.
• We can configure DAI by first enabling it on one or more client VLANs with the following configuration command:
Switch(config)# ip arp inspection vlan vlan-range
7. Multicast Brute Force
• The multicast brute force attack occurs when a switch receives a number of multicast frames in rapid succession. This causes the frames to leak into other VLANs instead of being contained in the original VLAN. It can also produce a scenario similar to a denial of service.
• The multicast brute force attack can be stopped by a well-equipped switch that prevents the frames from leaking into other VLANs and therefore contains them in the original VLAN.
8. DHCP Starvation Attack
1. The attacker requests IP addresses again and again.
2. It obtains all the IP addresses and empties the DHCP pool.
3. Legitimate users then cannot get an IP address.
9. DHCP Server Spoofing
• After the DHCP starvation attack, the attacker acts as a rogue DHCP server.
• The default gateway is set to the attacker itself, so all traffic goes via the attacker.
Protection
• DHCP snooping.
• When DHCP snooping is enabled, switch ports are categorized as trusted or untrusted.
• Legitimate DHCP servers are found on trusted ports, whereas all other hosts sit behind untrusted ports. A switch intercepts all DHCP requests coming from untrusted ports before flooding them throughout the VLAN. Any DHCP replies coming from an untrusted port are discarded because they must have come from a rogue DHCP server. In addition, the offending switch port is automatically shut down in the Errdisable state.
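The DAI description under ARP Spoofing and the DHCP snooping description above share one mechanism: the snooping binding table built from DHCP leases on trusted ports is what DAI checks ARP replies against. The added example below (not from the slides) models both on one switch; the port names, MAC addresses, the 10.0.0.0/24 addresses and the message sequence are constructed, and a `Msg` record stands in for the decoded frame.

```python
"""Model of DHCP snooping and Dynamic ARP Inspection (DAI): DHCP server
messages are accepted only from trusted ports, the binding table records
which IP/MAC pair was leased on which port, and ARP replies from untrusted
ports are validated against that table. Added example, not from the slides;
ports, addresses and messages are constructed."""
from dataclasses import dataclass


@dataclass
class Msg:
    port: str             # ingress port
    src_mac: str          # source MAC of the frame
    kind: str             # 'dhcp-discover', 'dhcp-offer', 'dhcp-ack', 'arp-reply', 'data'
    ip: str = ""          # leased IP (offer/ack) or claimed IP (arp-reply)
    client_mac: str = ""  # DHCP server messages: the client the lease is for


class Switch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.client_port = {}    # mac -> port, learned from client DHCP messages
        self.bindings = {}       # ip -> (mac, port), learned from DHCP ACKs
        self.err_disabled = set()
        self.log = []            # what the switch would syslog

    def handle(self, m):
        """Apply DHCP snooping, then DAI; returns 'forward' or 'drop'."""
        if m.port in self.err_disabled:
            return "drop"
        if m.kind == "dhcp-discover" and m.port not in self.trusted:
            self.client_port[m.src_mac] = m.port   # remember where the client sits
            return "forward"
        if m.kind in ("dhcp-offer", "dhcp-ack"):
            if m.port not in self.trusted:
                # Server replies only come from trusted ports: rogue server.
                self.err_disabled.add(m.port)
                self.log.append(f"DHCP_SNOOPING: {m.kind} on untrusted {m.port} "
                                f"from {m.src_mac} dropped; port err-disabled")
                return "drop"
            if m.kind == "dhcp-ack" and m.client_mac in self.client_port:
                self.bindings[m.ip] = (m.client_mac, self.client_port[m.client_mac])
            return "forward"
        if m.kind == "arp-reply" and m.port not in self.trusted:
            # DAI: the claimed IP/MAC/port triple must match the snooping binding.
            if self.bindings.get(m.ip) != (m.src_mac, m.port):
                self.log.append(f"DAI: ARP reply '{m.ip} is-at {m.src_mac}' on "
                                f"{m.port} does not match bindings; dropped")
                return "drop"
        return "forward"


def run_scenario():
    """Constructed sequence: one legitimate lease, one rogue server, one ARP
    poisoning attempt. Returns (verdicts, switch)."""
    sw = Switch(trusted_ports={"Gi0/24"})       # Gi0/24 faces the real DHCP server
    events = [
        Msg("Gi0/2", "00:00:00:00:00:0a", "dhcp-discover"),
        Msg("Gi0/24", "00:00:00:00:00:ff", "dhcp-ack", ip="10.0.0.10",
            client_mac="00:00:00:00:00:0a"),
        Msg("Gi0/1", "02:00:00:00:00:bd", "dhcp-offer", ip="10.0.0.50",
            client_mac="00:00:00:00:00:0a"),                          # rogue server
        Msg("Gi0/3", "00:00:00:00:00:0c", "arp-reply", ip="10.0.0.10"),  # claims A's IP
        Msg("Gi0/2", "00:00:00:00:00:0a", "arp-reply", ip="10.0.0.10"),  # A itself
        Msg("Gi0/1", "02:00:00:00:00:bd", "data"),                        # port is down
    ]
    return [sw.handle(m) for m in events], sw


if __name__ == "__main__":
    verdicts, sw = run_scenario()
    print(verdicts)        # ['forward', 'forward', 'drop', 'drop', 'forward', 'drop']
    print(*sw.log, sep="\n")
```

One practical consequence of this design: DAI only knows about hosts that obtained a lease through the switch, so devices with static addresses (the gateway router, servers) must sit on trusted ports or be covered by ARP ACLs, otherwise their legitimate replies are dropped as well.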
10. MAC Duplicating
• The attacker sets its own MAC address to the victim's MAC address.
• The switch forwards traffic to both hosts.
• In a MAC duplicating attack, we confuse the switch itself into thinking two ports have the same MAC address.
• This differs from ARP spoofing because, in ARP spoofing, we are 'confusing' the host by poisoning its ARP cache.
11. MAC Spoofing
Changing the source MAC address.
The attacker can redirect traffic destined for any MAC address to itself.

Protection:
Port security: statically bind the port to one MAC address (one device).
12. VLAN Hopping
Double tagging

• For this exploit to work, the following conditions must exist in the network configuration:
■ The attacker is connected to an access switch port.
■ The same switch must have an 802.1Q trunk.
■ The trunk must have the attacker's access VLAN as its native VLAN.
• Therefore, to avoid VLAN hopping, you should always carefully configure trunk links with the following steps:
• Step 1. Set the native VLAN of a trunk to a bogus or unused VLAN ID.
• Step 2. Prune the native VLAN off both ends of the trunk.
• One alternative is to force all 802.1Q trunks to add tags to frames for the native VLAN, too. To force a switch to tag the native VLAN on all its 802.1Q trunks, you can use the following command:
Switch(config)# vlan dot1q tag native
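The three conditions and two steps above translate directly into a configuration check. The following added example (not from the slides) audits a list of interface records, which stand in for parsed `show` output, and reports every trunk that still carries an in-use access VLAN untagged as its native VLAN; the interface names and VLAN numbers are constructed, and the `tag_native` flag models the `vlan dot1q tag native` global setting.

```python
"""Audit of switch port settings against the double-tagging conditions and
the two mitigation steps (unused native VLAN, native VLAN pruned) plus the
native-VLAN tagging alternative. Added example, not from the slides; the
interface records are constructed stand-ins for parsed 'show' output."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Interface:
    name: str
    mode: str                          # 'access' or 'trunk'
    access_vlan: int = 1               # access ports only
    native_vlan: int = 1               # trunk ports only
    allowed_vlans: Optional[set] = None  # trunk ports; None means all VLANs allowed


def audit(interfaces, tag_native=False):
    """Return one finding per exposed trunk; an empty list means the
    double-tagging path described on the slide does not exist on this switch."""
    access_vlans = {i.access_vlan for i in interfaces if i.mode == "access"}
    findings = []
    for i in interfaces:
        if i.mode != "trunk":
            continue
        if i.native_vlan not in access_vlans:
            continue      # Step 1 satisfied: native VLAN is not a user VLAN here
        if i.allowed_vlans is not None and i.native_vlan not in i.allowed_vlans:
            continue      # Step 2 satisfied: native VLAN pruned off the trunk
        if tag_native:
            continue      # native VLAN frames leave tagged; outer tag is kept
        findings.append(
            f"{i.name}: native VLAN {i.native_vlan} is an access VLAN on this switch "
            "and is carried untagged; move the native VLAN to an unused ID, prune it "
            "from the trunk, or enable 'vlan dot1q tag native'")
    return findings


# Constructed sample: Gi0/1 sits in VLAN 1, which is also Gi0/24's native VLAN.
SAMPLE = [
    Interface("Gi0/1", "access", access_vlan=1),
    Interface("Gi0/2", "access", access_vlan=10),
    Interface("Gi0/24", "trunk", native_vlan=1, allowed_vlans=None),
    Interface("Gi0/23", "trunk", native_vlan=999, allowed_vlans={10, 20}),
]

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)                      # one finding, for Gi0/24
    print(audit(SAMPLE, tag_native=True))  # [] once the native VLAN is tagged
```

The audit treats the global tagging option as sufficient on its own, matching the slide's "alternative" wording; in practice both ends of a trunk must agree on native-VLAN tagging, so the check should be run on every switch that terminates the trunk.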
13. STP Spoofing
• The attacker triggers a root bridge re-election by sending superior BPDUs.
• The attacker can also become the root bridge; then all traffic is forwarded via the attacker.
14. Private VLAN Attack
• A Private VLAN is a Layer 2 feature used to isolate traffic at Layer 2 only. When a Layer 3 device such as a router is connected to a Private VLAN, it is supposed to forward all the traffic it receives to whatever destination it is meant for. A malicious user can sometimes use this to his advantage.
• This can be prevented by configuring a VLAN access list:
# vlan access-map map_name [0-65535]
15. VTP Attack
• The VLAN Trunking Protocol (VTP) is a proprietary Cisco protocol.
• The VTP attack involves a station sending VTP messages through the network, advertising that there are no VLANs on the network.
• Thus, all client VTP switches erase their valid VLAN databases.
Mitigation
• Use authentication for all VTP messages, so that no VTP message is processed by the client switches unless the password contained in the message is correct.
The commands used to set the VTP password for your VTP domain are:
Switch# vlan database
Switch(vlan)# vtp domain <domain-name>
Switch(vlan)# vtp password <password>
Switch(vlan)# exit
Thank you!!
