OSI Level 2 security

OSI Levels

The Open Systems Interconnection model (OSI model) is a conceptual model that characterises and standardises the communication functions of a telecommunication or computing system without regard to its underlying internal structure and technology. Its goal is the interoperability of diverse communication systems with standard communication protocols. The model partitions a communication system into abstraction layers.

OSI was built to allow the different layers to work without knowledge of each other. Unfortunately, this means that if one layer is compromised, communications are compromised without the other layers being aware of the problem. Security is only as strong as the weakest link, and when it comes to networking, layer 2 can be a very weak link.

Examples of Layer 2 attacks:

ARP spoofing

ARP spoofing is a major problem on a local area network (LAN) and can serve as the first step of many other attacks. The attacker sends falsified ARP messages over the LAN so that hosts associate the attacker's MAC address with the IP address of a legitimate computer or server on the network. Once that association is in place, the attacker may be able to intercept data frames on the network, modify the traffic, or stop it altogether.

ARP poisoning

ARP poisoning is a hacking technique perpetrated when an attacker sends a forged ARP request or ARP reply onto the LAN. This changes the victim's ARP cache table so that the entry for the host's IP address now maps to the attacker's MAC address. The attacker therefore receives every packet the target host sends to that IP address, and can then read and modify the packets flowing through the LAN.
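Both ARP spoofing and ARP poisoning leave the same trace on the wire: an ARP reply that binds an IP address to a MAC address different from the one previously seen or administratively known. The detector below is an added example, not code from the page; it parses raw Ethernet/ARP frames and alerts on such conflicts. The addresses are constructed from documentation ranges (192.0.2.0/24, 00:00:5e:00:53:xx) and the gateway binding in static is an assumed allowlist.

```python
import struct
from dataclasses import dataclass, field

ARP_REPLY = 2


def arp_reply(sender_mac: str, sender_ip: str) -> bytes:
    """Constructed broadcast ARP reply frame used only as sample input (never sent)."""
    sha = bytes.fromhex(sender_mac.replace(":", ""))
    spa = bytes(int(o) for o in sender_ip.split("."))
    eth = b"\xff" * 6 + sha + b"\x08\x06"            # dst MAC, src MAC, EtherType ARP
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, ARP_REPLY,
                      sha, spa, b"\xff" * 6, b"\x00" * 4)
    return eth + arp


@dataclass
class ArpMonitor:
    """Passive ARP inspection: flags replies that contradict known or earlier-seen bindings."""
    static: dict                                      # IP -> MAC that must never change (assumed allowlist)
    seen: dict = field(default_factory=dict)          # IP -> MAC learned from earlier replies

    def inspect(self, frame: bytes) -> list:
        """Return alert strings for one Ethernet frame (empty list if nothing is wrong)."""
        if len(frame) < 42 or frame[12:14] != b"\x08\x06":
            return []                                 # not an ARP frame
        # ARP header: htype, ptype, hlen, plen, opcode, sender MAC, sender IP
        _, _, _, _, op, sha, spa = struct.unpack("!HHBBH6s4s", frame[14:32])
        if op != ARP_REPLY:
            return []
        mac = ":".join(f"{b:02x}" for b in sha)
        ip = ".".join(str(b) for b in spa)
        alerts = []
        if ip in self.static and self.static[ip] != mac:
            alerts.append(f"{ip} claimed by {mac}, expected {self.static[ip]}")
        prev = self.seen.setdefault(ip, mac)
        if prev != mac:                               # binding flipped since we last saw it
            alerts.append(f"binding for {ip} changed from {prev} to {mac}")
            self.seen[ip] = mac
        return alerts


def demo() -> list:
    """Constructed sample: a legitimate gateway reply, then a second MAC claiming the gateway IP."""
    mon = ArpMonitor(static={"192.0.2.1": "00:00:5e:00:53:01"})
    frames = [arp_reply("00:00:5e:00:53:01", "192.0.2.1"),
              arp_reply("00:00:5e:00:53:aa", "192.0.2.1")]
    return [alert for f in frames for alert in mon.inspect(f)]
```

In a real deployment the frames would come from a capture socket on the monitored segment and the alerts would feed a SIEM; the parsing and comparison logic stay the same.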

Spanning Tree Protocol (STP) Attacks

The Spanning Tree Protocol (STP) is used on switched LANs. Its primary function is removing potential loops within the network. Without STP, Layer 2 LANs would simply stop functioning, because loops in the topology would flood the switches with traffic. Correct operation and configuration of STP ensures that the LAN remains stable and that traffic takes the best available path through the network. If an attacker inserts a new STP-speaking device onto the network and attempts to alter the operation of STP, the attack can change how traffic flows through the LAN, greatly affecting both the usability and the security of that traffic.

Media Access Control (MAC) Spoofing

In a MAC spoofing attack, one device on a network uses the MAC address of another device. The attacker's goal is to redirect all of the traffic for the targeted device to the attacking device. In telephone-network terms, this attack is the equivalent of someone taking over your phone number and having future calls rerouted to them. The rerouting can be used to disguise one device as another for multiple purposes, including acting as that device (possibly a server) or performing a denial-of-service attack against it.

Content Addressable Memory (CAM) Table Overflows

The Content Addressable Memory (CAM) tables, also called MAC address tables, on switches are used to track where to send traffic for specific learned MAC addresses. To grasp the true effect of this attack, you need to understand the basic operation of the CAM table and how it optimizes the forwarding behavior of the switch.

When a switch is turned on, its CAM table is empty. It doesn’t yet know which devices are connected to which interfaces, so it initially sends received traffic out of all interfaces (flooding). As the switch receives traffic on each interface, it creates an entry for each source MAC address it sees, linking that address to the interface it arrived on.

Once the switch has an entry for a specific destination MAC address in its CAM table, it doesn’t forward the traffic out to all interfaces; instead, it sends the traffic for that address to its specific learned interface. Once all of the connected device MAC addresses are learned, almost no traffic will be flooded; traffic will be sent out to each destination’s learned interface. This result greatly optimizes the forwarding behavior of the switch, and it increases the amount of bandwidth available through the switch (assuming that it’s a busy switch).

Every switch limits the number of MAC addresses that the CAM table can hold. Once that limit is reached, the switch can learn no new addresses, and traffic for any address it has not learned is flooded. A CAM table overflow attack works by having a single device (or a few devices) spoof a large number of source MAC addresses and send traffic through the switch. The switch’s CAM table fills up, and traffic for the remaining addresses (typically those of legitimate devices) is flooded out of every port, making the switch very busy and potentially overloaded. As a result, the network rapidly slows down and eventually becomes unusable.
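The simulation below is an added illustration, not code from the page. It models the learning and flooding behaviour just described for a switch with a small CAM table, shows how a per-port MAC limit (port security) keeps the table usable during an overflow, and also flags a learned MAC that suddenly appears on another port, which is the symptom a switch sees during the MAC spoofing described earlier. Port names, the table size and all MAC addresses are constructed.

```python
class Switch:
    """Minimal learning switch: a CAM table with a capacity limit and optional port security."""

    def __init__(self, ports, cam_size=4, max_macs_per_port=None):
        self.ports = list(ports)
        self.cam_size = cam_size                  # total MAC entries the table can hold
        self.max_per_port = max_macs_per_port     # port-security style cap, None = disabled
        self.cam = {}                             # mac -> ingress port
        self.alerts = []

    def forward(self, src, dst, in_port):
        """Learn src on in_port, then return the list of egress ports for dst."""
        self._learn(src, in_port)
        out = self.cam.get(dst)
        if out is None:                           # unknown destination: flood all but ingress
            return [p for p in self.ports if p != in_port]
        return [] if out == in_port else [out]

    def _learn(self, mac, port):
        known = self.cam.get(mac)
        if known == port:
            return
        if known is not None:                     # same MAC now on another port: possible spoofing
            self.alerts.append(f"MAC move: {mac} {known}->{port}")
            self.cam[mac] = port
            return
        on_port = sum(1 for p in self.cam.values() if p == port)
        if self.max_per_port is not None and on_port >= self.max_per_port:
            self.alerts.append(f"port-security violation on {port}: {mac} not learned")
            return
        if len(self.cam) >= self.cam_size:
            return                                # table full: address stays unknown, so its traffic floods
        self.cam[mac] = port


def demo() -> dict:
    """Constructed scenario: hosts A (g1) and B (g2) are legitimate; g3 emits 8 bogus source MACs."""
    results = {}
    for name, limit in (("unprotected", None), ("port-security", 2)):
        sw = Switch(ports=["g1", "g2", "g3"], cam_size=4, max_macs_per_port=limit)
        sw.forward("00:00:5e:00:53:02", "ff:ff:ff:ff:ff:ff", "g2")            # B announces itself
        for i in range(8):                                                     # bogus MACs from g3
            sw.forward(f"02:00:00:00:00:{i:02x}", "ff:ff:ff:ff:ff:ff", "g3")
        sw.forward("00:00:5e:00:53:01", "00:00:5e:00:53:02", "g1")            # A -> B
        results[name] = sw.forward("00:00:5e:00:53:02", "00:00:5e:00:53:01", "g2")   # B -> A
    return results
```

In the unprotected run B's reply to A is flooded to g3 as well, because the full table could not learn A; with the per-port cap the reply goes only to g1.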

Dynamic Host Configuration Protocol (DHCP) Spoofing

Similar to the other types of spoofing attacks, Dynamic Host Configuration Protocol (DHCP) spoofing involves an attacker pretending to be someone else; in this case, acting as the legitimate DHCP server. Since DHCP is used on most networks to provide addressing and other information to clients, losing control of this part of the network can be dangerous.

In DHCP spoofing attacks, the attacker places a rogue DHCP server on the network. As clients are turned on and request an address, the server with the fastest response is used. If the device receives a response from the rogue server first, the rogue server can assign any address as well as control which device it uses as a gateway. A well-designed attack can funnel traffic from local hosts to a rogue server that logs all traffic and then forwards the traffic out to the “correct” gateway; to the device, this action would be almost transparent. Thus, the attacker can steal information almost invisibly.
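One practical defence is to watch the DHCP traffic itself: a DHCPOFFER whose server identifier (option 54) is not on the list of known servers, or whose router option (3) differs from the real gateway, points to a rogue server. The checker below is an added example, not from the page; it parses the BOOTP header and option list of a constructed DHCPOFFER. The addresses are constructed (192.0.2.0/24) and the trusted-server list is an assumption.

```python
import struct

DHCPOFFER = 2
MAGIC = b"\x63\x82\x53\x63"                          # DHCP magic cookie after the 236-byte BOOTP header

def _ip(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))

def build_offer(server_ip: str, router_ip: str) -> bytes:
    """Constructed DHCPOFFER (UDP payload only) used as sample input; never transmitted."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s", 2, 1, 6, 0, 0x1234, 0, 0,   # op, htype, hlen, hops, xid, secs, flags
                      b"\0" * 4, _ip("192.0.2.50"), _ip(server_ip), b"\0" * 4)  # ciaddr, yiaddr, siaddr, giaddr
    hdr += b"\0" * (16 + 64 + 128)                  # chaddr, sname, file left empty
    opts = (bytes([53, 1, DHCPOFFER]) + bytes([54, 4]) + _ip(server_ip)
            + bytes([3, 4]) + _ip(router_ip) + b"\xff")
    return hdr + MAGIC + opts

def parse_options(payload: bytes) -> dict:
    """Return {option_code: raw_value} from a DHCP payload, honouring pad (0) and end (255)."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:
        if payload[i] == 0:
            i += 1
            continue
        length = payload[i + 1]
        opts[payload[i]] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def check_offer(payload: bytes, trusted_servers: set, expected_router: str) -> list:
    """Alert on DHCPOFFERs from an unlisted server identifier or with an unexpected router option."""
    opts = parse_options(payload)
    if opts.get(53) != bytes([DHCPOFFER]):
        return []
    dotted = lambda b: ".".join(str(x) for x in b)
    server, alerts = dotted(opts.get(54, b"")), []
    if server not in trusted_servers:
        alerts.append(f"DHCPOFFER from untrusted server identifier {server or '<none>'}")
    if 3 in opts and dotted(opts[3]) != expected_router:
        alerts.append(f"offer from {server} sets router {dotted(opts[3])}, expected {expected_router}")
    return alerts

def demo() -> dict:
    """Constructed sample: one offer from the real server, one from a rogue that also hijacks the gateway."""
    trusted, gw = {"192.0.2.1"}, "192.0.2.1"
    return {"legit": check_offer(build_offer("192.0.2.1", "192.0.2.1"), trusted, gw),
            "rogue": check_offer(build_offer("192.0.2.66", "192.0.2.66"), trusted, gw)}
```

The same check is what a switch's DHCP snooping feature applies in hardware: offers are only accepted from ports marked as trusted, so the rogue server's offer never reaches the client.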