Attacking the Link Layer - credit to JJ Ying

Attacking the Link Layer


The Transmission Control Protocol/Internet Protocol (TCP/IP) model serves as a foundational concept for standardizing communication protocols on the internet.

This is the first blog post in a four-part series focusing on common attacks and countermeasures using the TCP/IP model as a guide. We’ll start by covering security threats which target the Link Layer, also known as the Network Interface layer.

A Brief Overview of the TCP/IP Model
The TCP/IP model is composed of fours layers, each with distinct responsibilities:

  1. Link Layer: responsible for establishing, maintaining, and terminating the physical and logical connections between devices on a network.
  2. Network Layer: Oversees addressing and routing of data packets across networks to ensure they reach their intended destinations.
  3. Transport Layer: Ensures reliable and efficient transfer of data segments between applications running on different hosts. It provides error control, flow control, and multiplexing services.
  4. Application Layer: Supports email, file transfers, web browsing, and other network applications by providing interfaces for users to interact with the lower layers.

Compared to the the comprehensive seven-layer Open Systems Interconnection (OSI) model, the TCP/IP model is considered a more streamlined approach that better aligns with the practical implementation of networking protocols in real-world scenarios.

Next we’ll investigate the bottom layer of TCP/IP.

The Link Layer

This article covers common attacks and defense strategies at the lowest layer of the TCP/IP model — the link layer, which consists of both the physical and logical components used for connecting nodes (hosts) within a network.

The physical aspect of the link layer includes standard hardware such as:

  • Network Interface Cards (NICs)
  • Switches
  • Bridges
  • Physical mediums of transmission: Ethernet cables, fiber optics, and wireless frequencies, etc.

The logical aspect of the link layer encompasses the protocols that govern how data interacts with the physical transmission medium. These protocols depend upon the hardware used in a given network.

The most common protocol found at this layer is the Address Resolution Protocol (ARP), which we’ll cover more in the sections below.

Note that protocol packets at the link layer do not get forwarded to other networks; instead, they are only processed by nodes on the local network segment. Routing of packets between network segments is reserved for higher layers of TCP/IP.

Let’s take a look at the most common attack techniques and countermeasures found at this layer.

Offense and Defense at the Link Layer

MAC Address Spoofing

Overview and Description
The Media Access Control (MAC) address is a unique identifier assigned to network interfaces for communication on the physical layer. MAC address spoofing is a malicious activity where an attacker manipulates the MAC address of a device to impersonate a legitimate host on the network.

MAC address spoofing is often a technique employed as part of a broader attack, such as in ARP spoofing (see below), eavesdropping, man-in-the-middle (MitM) attacks, and more.

The attacker uses scripts or applications to alter the apparent MAC address, thus enabling various extended attacks covered in more detail in the following sections.

This form of attack can be executed through exploitation of weaknesses in protocols that manage or report MAC addresses. Alternatively, an attacker may manipulate packet headers to impersonate other devices on the network.

After successfully spoofing a MAC address, an attacker gains access to numerous possibilities:

  • By setting a new MAC address on a device, they can gain access into networks with MAC address restrictions.
  • The spoofed MAC address can be used to conceal an attacker’s device, or mask it as a target device, making it harder for security solutions to detect an intrusion.
  • An attacker can intercept or redirect data sent to a target device by spoofing its MAC address — this is used to execute session hijacking, for example.

Prevention Measures

  • Configure Port Security: This feature of network switches restricts the number of MAC addresses allowed per port, preventing unauthorized devices from connecting to the network.
  • Implement Dynamic ARP Inspection (DAI): As a security feature in certain switches, DAI inspects and validates ARP packets, ensuring only legitimate and authorized ARP traffic is permitted on the network.
  • Configure Switch Access Controls: Set up access controls to allow specific MAC addresses on your network, while disallowing dynamic MAC address assignment. Enforcing static MAC address assignment protects the network from unknown devices.
  • Encrypt network traffic: Although this doesn’t specifically mitigate link layer threats, implementing IPsec at the network layer and employing Transport Layer Security (TLS) can help in reduce the potential damage of a MAC address spoofing attack.

MAC Address Flooding

Overview and Description
Unlike MAC address spoofing, which targets devices on the network through impersonation, MAC address flooding is an attack that aims to overload a switch’s MAC table to gain unauthorized access to a targeted host machine.

MAC flooding is also known as a Content Address Memory (CAM) table exhaustion attack. The adversary sends an enormous number of Ethernet frames to the target switch, causing it to fill its limited CAM table with these fraudulent entries as quickly as possible. With the CAM table overloaded, the switch becomes overwhelmed and begins broadcasting all incoming traffic to every port on the network, reducing it to a hub.

The attacker intercepts this data using a packet analyzer like Wireshark or Tcpdump, allowing them to capture sensitive information and potentially carry out further attacks.

Successful MAC address flooding leads to:

  • Network downtime due to the switch’s inability to process legitimate traffic while recovering from the flood.
  • Unauthorized access to targeted host machines and their data through ARP spoofing or other attacks initiated after the MAC table has been flooded.
  • Denial of Service (DoS) attacks that consume network resources, causing damage and disruptions in normal business operations.

Prevention Measures
To protect against MAC address flooding attacks, consider implementing the following security measures:

  • Port Security: Limit the number of allowed MAC addresses per port on your switches to restrict unauthorized access.
  • Authentication using an Authentication, Authorization, and Accounting (AAA) server: Require authentication for access to specific ports or network segments to prevent unauthenticated devices from connecting and flooding the switch’s MAC table.
  • Security measures against ARP Spoofing and IP Spoofing: Implement techniques such as Dynamic ARP Inspection (DAI), Gratuitous ARPs, or IEEE 802.1D STP (Spanning Tree Protocol) to prevent spoofed MAC addresses from being accepted by the switch.
  • IEEE 802.1X suites: Use these protocols for port-based network access control and secure communication between switches, devices, and authentication servers.

ARP Spoofing / Poisoning

Overview and Description
ARP is a fundamental protocol in the Internet Protocol (IP) suite, responsible for translating IP addresses to a MAC address, and vice versa. Devices on a network typically use ARP to identify routers or gateways and establish connections to the internet.

Due to its importance in the network communication process, ARP is also a frequent target for attack or exploitation by malicious actors.

When an attacker gains access to the network — often through methods such as MAC spoofing or flooding attacks — they can exploit ARP for malicious purposes by foreign ARP responses. ARP spoofing (a.k.a. ARP poisoning) enables the attacker to impersonate the MAC address of legitimate endpoints on the network, enabling a MitM attack.

Using dedicated scripts or tools to forge ARP responses, an attacker can manipulate devices on the network into believing their machine is a trusted endpoint:

  • The attacker poses as the router: devices on the network connect to the attacker’s machine instead of the actual router.
  • The attacker poses as a server: the router communicates with the attacker, thinking it’s interacting with the legitimate server.

As devices update their ARP caches with false information, and exclusively communicate with the attacker’s device rather than their intended recipients, the result is an “arp-poisoned” network. The hidden attacker is now “in the middle” of communications on the network — quite a powerful position.

With the attacker’s tools transparently sending and receiving network communication through their device as an intermediary, they may employ a number of techniques to exploit this capability:

  • Eavesdropping: The attacker silently monitors and intercepts sensitive data transmitted over the network.
  • Session Hijacking: The attacker takes control of ongoing communication sessions, potentially altering or stealing data.
  • DoS attacks: The attacker can execute further attacks to manipulate or disrupt network services, causing downtime.
  • Spoofed DNS records (see below): An attacker can redirect internet traffic to malicious websites by manipulating Domain Name System (DNS) records.

Prevention Measures

  • Use a Virtual Private Network (VPN): A secure, encrypted connection provided by a VPN shields communications on the network from eavesdropping and session hijacking attempts.
  • Static ARP: Static ARP entries can prevent automatic updates of ARP caches on devices in your network. This involves manually configuring static IP-to-MAC address mappings for each device on the network, making it harder for an attacker to successfully execute ARP spoofing.
  • Packet Filtering: Certain firewalls, Intrusion Prevention Systems (IPS), and other security tools implement packet filtering rules to mitigate the scope of an ARP spoofing attack. These security tools may inspect any packets entering or leaving the network, and may block it if it is suspicious.

DNS Spoofing

Overview and Description
DNS spoofing is a type of cyber attack where an adversary manipulates the Domain Name System (DNS) records to redirect users to a fraudulent, malicious website that appears like it’s their intended destination. This technique often follows successful ARP spoofing attacks against routers or name servers on a network.

Once an attacker has achieved ARP spoofing of a router, they may use this privileged position to intercept and manipulate DNS requests. For instance:

  • The attacker could ARP spoof a name server and perform a MitM attack. Their device poses as the DNS server, modifying the response of requests for specific destinations to the fraudulent site.
  • The attacker may directly compromise a DNS server and alter its DNS records to promote the fraudulent site. The Time To Live (TTL) of a modified DNS entry can be adjusted to persist redirections to the malicious site, expanding the duration and scope of the attack.

The motivation of DNS spoofing is often financial. The consequences of a successful DNS spoofing attack include:

  • Data exfiltration or manipulation as users unknowingly communicate with the fraudulent website.
  • Installation of malware like viruses or ransomware on unsuspecting devices that visit the fake site.
  • Phishing attacks designed to extract sensitive information like login credentials or financial information from victims.

Prevention Measures

  • DNSSEC: Implement Domain Name System Security Extensions (DNSSEC) on your network to digitally sign and validate DNS records, ensuring authenticity and integrity.
  • Trusted DNS Servers: Use trusted DNS servers provided by reputable third-party security companies.
  • DNSCrypt or DNS over TLS: Implement encrypted communications between devices and DNS servers to prevent eavesdropping or manipulation of DNS requests on the network.
  • Web App Firewalls (WAF), IDS, IPS: Install security systems on the network, or in front of sensitive websites, which can identify and block DNS spoofing attacks.
  • IPSec: Encrypting network traffic can reduce the potential for an attacker to lay the groundwork to pull off a successful DNS spoofing attack.

DHCP Starvation

Overview and Description
Dynamic Host Configuration Protocol (DHCP) is a protocol used to automatically assign IP addresses to devices on a network. With a DHCP starvation attack, an attacker manipulates this process by flooding the network with false DHCP Discover messages using a device with a spoofed MAC address.

Once the DHCP starvation attack begins, the DHCP server attempts to respond to this excessive number of messages. The DHCP server responds as best as it can to this flood of messages, attempting to assign IP addresses until the pool is exhausted.

The objectives of a successful DHCP starvation attack can vary:

  • Execution of DoS: The pool of available IP addresses is exhausted, preventing legitimate users from obtaining IPs via DHCP and thus denying them access to the network.
  • MitM attack: The attacker could set up a counterfeit DHCP server, assigning rogue IP addresses along with malicious router or DNS server information to unsuspecting users. This allows the attacker to set up a MitM, such as DNS spoofing mentioned above.

Prevention Measures
To protect against DHCP starvation attacks, consider implementing these security measures:

  • Port Security: Configure port security on your switches to restrict access to specific MAC addresses or limit the number of allowed devices per port. This can help prevent unauthorized devices from connecting and launching a DHCP starvation attack.
  • DHCP Snooping Protection: Implement DHCP snooping protection features on network devices such as switches, routers, and firewalls to restrict or monitor DHCP communications, preventing an attacker from flooding the network with false DHCP messages. This can be achieved through various methods like DHCP Guarding, DHCP Snooping, or IEEE 802.1X port security.

While the the above are the most commonly known attacks at the link layer, it’s important to know about less common but equally dangerous attacks:

  • Spanning Tree Protocol (STP) attacks: STP is a network protocol that prevents loops from forming in Ethernet networks. However, the attacker can manipulate STP to intentionally create network loops, disrupting the flow of traffic on the network, and potentially enables a DoS attack with excessive configuration messages.
  • Link Layer Discovery Protocol (LLDP) spoofing: LLDP is a protocol used to exchange device information between neighboring devices on a LAN. An attack on LLDP occurs when an attacker sends altered LLDP frames which deceive devices about the network’s topology. This can mislead devices into forming incorrect network neighbor relationships, enabling establishment of unauthorized connections with malicious devices, or even flooding the network with excessive LLDP traffic.
  • VLAN hopping: This is an attack where malicious actors can manipulate frames in VLAN trunking protocols to gain unauthorized access to VLANs other than their own. By “hopping” between VLANs to potentially access sensitive data or launch further attacks on the targeted network segment. As with many other attacks at the link layer, MAC address filtering, port security, IDS / IPS, and 802.1X security measures can mitigate this attack.

Physical Layer Attacks

The TCP/IP model’s Link Layer is commonly considered a combination of both the OSI Model’s data link layer and physical layer, so it’s natural to recognize attacks targeting the physical layer. These attacks can facilitate the various link layer exploits mentioned above:

  • Physical layer impersonation: With direct access to a network, an attacker may connect a malicious device by physically connecting to the switch or router, enabling them to disrupt, manipulate, or intercept network traffic.
  • Sniffing: Eavesdropping on the network is typically done with a packet sniffing tool, which allow the attacker to read or manipulate sensitive information transmitted over the network. This can enable further attacks against the infrastructure.
  • Port Stealing: In a port stealing attack, unauthorized machine is connected to an open port on a network device like a switch. The attacker gains access to the network where they can launch attacks or intercept and manipulate traffic.
  • Cable Tapping: Physically tapping into Ethernet network cables themselves can allow an attacker to intercept communications between devices, potentially leading to a wide range of attacks.
  • Destruction of Physical Assets: With physical access to the network, an attacker may launch a sort of DoS attack against network infrastructure by physically damaging critical assets resulting in disruption or complete network failure.

To mitigate physical layer attacks:

  • Implement physical access controls. Use biometric authentication, smart cards, multi-factor authentication, or other access control mechanisms to restrict unauthorized individuals from physically connecting devices to the network.
  • Further protect the physical infrastructure by implementing cable management systems to protect against undetected connection of physical devices.
  • Consider implementing secure cabling (Fiber Distributed Data Interface, Secure Digital Interface) which offer built-in security features like encryption and access control.
  • Enable Port Security on switches to limit the potential for port stealing.
  • Deploy security cameras, motion detectors, or other surveillance systems around critical network infrastructure to monitor for unauthorized access or intrusions.
  • Implement redundant networking equipment and backup power sources to minimize the impact of physical attacks. A redundant / failover datacenter can protect the business from destructive events such as physical attack, natural disaster, or other forms of infrastructure failure.


In this blog post, we’ve explored the significance of securing the Link Layer within the TCP/IP model – a critical aspect for maintaining a robust and secure communication infrastructure. We discussed various components of the link layer, including its physical and logical aspects, and delved into common attacks targeting the Link Layer.

To counteract threats at the Link Layer, it’s essential to employ a multi-layered, adversary-focused security stance incorporating various defensive measures and best practices. This includes enabling a variety of network infrastructure security features such as Port Security and DAI, implementation of encryption technologies like IPsec and DNSSEC, deployment of network security monitoring systems like IDS and IPS, strict configuration of firewalls, and implementation of physical security measures.

By integrating these countermeasures into your network infrastructure, you’ll be well-equipped to safeguard against various attacks targeting the link layer and ensure a secure communication environment for your organization.

Similar Posts

One Comment

Leave a Reply

Your email address will not be published. Required fields are marked *