Network Attack and Defense techniques - Data Link Layer

Paulo Bazzo

Better protecting our assets

Understanding the traffic on our network is essential in order to build a secure environment. Having visibility of what protocols are being used will give us information if any computer is running a cryptocurency mining activity or maybe an instant message app.

Tools for Network Sniffing

  • Wireshark
  • TCPDump
  • Ettercap
  • Dsniff

Tapping into wireless will act like a hub and allow to see all traffic
Tapping into a wired network we will likely hit a switch a only see our own traffic, broadcast and multicast traffic.

Vulnerable Layer 2 Protocols

Firewall and IDS services normally work on the network layer (layer 3 - IPs) or above, leaving the data layer, (layer 2 - MACs) exposed.

Below are some layer 2 protocols that are vulnerable, and many are related to CISCO devices
Vulnerable Layer 2 Protocols

  • STP - Spanning Tree Procol
  • CDP - Cisco Discovery Protocol
  • DTP - Dynamic Trunking Protocol
  • DHCP - Dynamic Host Configuration Protocol
  • HSRP - Hot Standby Router Protocol
  • ISL - Inter-Switch Link
  • VTP - VLAN Trunking Protocol
  • 802.1Q - Vlan Tagging protocol
  • 802.1X - Authentication WiFi


A build in tool on Kali we can use to perform this type of attack on layer 2 protocols is Yersinia

sudo yersinia -G

Legal and Illegal capture

First we need to understand that are two methods of capturing traffic over the network, that is the Legal method and Illegal method

The legal method is either configure by the System Administrator on the switch and will forward or send a copy of the traffic for analysis into a different administration port.

Methods include:

  • SPAN - Switch Port Analysis
  • Port Mirroring

How Attackers Sniff Traffic

Sniffing can also be done by other methods of capture, like MAC spoofing, or IRDP Spoofing, or applications like WireShark, below we will look at some of these attack methods deployed by threat actors and how to defend against them.

Spoofing Attacks

MacOf Attack

MacOf is an MAC overflow This attack floods the CAM table of the switch, so the switch start behaving like a hub sending data to all ports.

mac of attack


Kali Linux has a build in tool for this type of attack

sudo macof

The attack must continue to flood the switch for it to work, When the attack stops the switch will revert back to being a switch.

If attack is successful

  • Switch will behave like a hub
  • Do nothing - has protection enabled
  • Crash and reboot


On a switch, use switchport security, this limits the number of MAC Address connecting to a single port on a switch.

Arp Spoof Attack

Over a LAN network, a device is identified by its MAC address. Changing the MAC address will allow an attacker to intercep traffic.

On linux we can perform this action by using the tool MACCHANGE

sudo macchanger -m 11:22:33:aa:bb:cc interface_name  

Using another build in toll on Kali Linus we can spoof the ARP table

If attack is successful

Attacker will be able to launch a MitM attack and capture all traffic that the victim is sending to the router.

Nowdays most websites are encryoted with HTTPs, however, the attacker after capturing the traffic could decide to go a step further by decrypting the communication using methods like: SSLStripping , or SSL Downgrade in order to decrypt the attack.


Enable source guard on Cisco Switches. In order for the attack to bypass source guard, the attacker will have to spoof both MAC and IP addresses.

  • Enable source guard on Cisco switches devices
  • Consider using encrypted protocols always like HTTPS and SSH
  • Avoid using file transfers like FTP and browsing websites on HTTP

CPD Attacks

This is the Cisco Discovery Protocol that advertise other cisco devices, making it easier to find information on cisco devices likely IP Address,MAC,ports,OS, and running version.

If attack is successful

Attacker will be able to gather information about the network topology, device model #, version#, ports, switches, and more.


Consider disabling CPD Protocol, or turn it off on devices that are not needed, specially at the edge of your network.

STP Attacks

STP is a network protocol that ensures a loop-free topology for Ethernet networks. It prevents the formation of loops in the network by blocking redundant paths between switches, thus avoiding broadcast storms and network instability.

If attack is successful

Spanning Tree Protocol can be a target of DOS(Denial of Service) using BPDU flood, take over the root bridge or claim another role.


Enable PortFast, then configure BPDU guard. If we do have Spanning Tree active we can configure the port to stop receiving BPDU units (Bridge Protocol Data Units)

Do not disable completely spanning Tree or you will get a looping effect on your network causing a network storm.

VLAN Hoping Attack

User will spoof a swtich making his end device act as a trunk port

This can happen if the switch is set to auto-trunking or dynamic trunkig mode which is the default

If the port senses that is attach to a trunk line, it will change mode to trunk, this way letting the attacker see all traffic across all VLANs

If attack is successful

Attacker will be able to steal passwords, deployed malicuos software across all network.


Disable dynamic trunking protocol on switches and configure the port to be an access port on a CISCO switch type the following

(config)#switchport nonegotiate

Verify configuration by running

(config)# interfce interface-id switchport

IRDP Spoofing

IRDP Protocol is similar to ICMP, and its used by routers for host discovery. Its used by routers to discover information abot other routers, it uses to discover informaton about other routers and learning about its configuration


Attacker sends spoofed IRDP router advertisement message to the host on the subnet, causing it to change its default router to whatever the attacker chooses. Attacker is able to re-direct traffic from the router to his device, he can then itnercept, read, or modify the traffic or launch a more serious attack


  • Configure routers to only accept packets from trusted sources
  • Secure
  • Consider disable router discovery
  • Keep Router's software updated


These are some of the attacks that can be launched on Layer 2, there are more but we will have to leave them for another time. Hopefully this should give you some insight on what other methods we can implement to protect our network, stay tuned for more security tips


Bharadwaj D J - Lisa Bock