TCP Layer 2 Security Threats and attacks

Sarath Pillai's picture
Data link layer threats and attacks

All layers of TCP/IP has got its own security threats and vulnerabilities. We will be discussing security threats and vulnerabilities in each and every layer in TCP/IP separately in different posts as each one requires special attention.

In this post we will discuss vulnerabilities that pose security threats at the second layer of TCP/IP. So our topic of interest for this post is Data Link Layer. Although data link layer comes below most of the other layers, a security breach in this layer can cause service disruptions to upper layers.

Some protocol's of Data link Layer:


  • Ethernet
  • Frame Relay
  • ATM
  • PPP

Ethernet was first developed @ Xerox PARC (Palo Alto Research Center Incorporated), the place from where Steve jobs and Bill gates got the idea of a Mousecheeky(that reminds me of a statement from the legendary Steve jobs."Good artists copy; Great artists steal!!")

We will be concentrating more on the vulnerabilities associated with Ethernet, as it is the most popular protocol of this layer.

MAC Address related Attacks

Mac address is a 48 bit long address assigned to a network host. In fact i must say that, a network frame reaches its destination host by using the destination mac address. Its a hexadecimal number like 08-00-27-00-20-D0.

Mac address is devided into two parts(first 24 bits is manufacture specific, and the rest is interface specific).

A mac address of FF-FF-FF-FF-FF-FF is used only for broadcast(which means send it to all).

A major security threat found in Data link layer is CAM table overflow attack. You can find the complete details of CAM table overflow attack by going to my below post.

A switch is a commonly used device in the network,(the main difference between switch and a hub, is that switch does not send all packets to all the machine's, but will send to the specified target, with the help of the CAM table).

In short, CAM table is simply a table of MAC address and its connected port number's in the switch.Unfortunately you cant really do anything against CAM table attack from a Linux machine, but some switch security measures can be used to prevent it from happening, which i have mentioned in the above post.

MAC address spoofing is another major threat to data link layer. Through MAC address spoofing an attacker can change his mac address to the mac address of a different machine in the network. Due to which the switch will start sending frames to the attackers machine. Mac address spoofing can also be used to bypass several security measures, taken by ISP's to block users.

In Linux Mac address spoofing can be done very easily through command line. Mac address spoofing can also be done in windows, refer my below post for that.

Another vulnerable protocol which can be compromised using Data Link layer is DHCP.

DHCP stands for Dynamic Host Configuration protocol. I have explained the complete dhcp protocol working in my post about dhcp, which can provide some interesting details about the protocol.

DHCP is mainly used to automatically obtain the network configuration details, for a host. The details are like Ip address,gateway,dns server details etc.

Normally the ip address provided by the dhcp server, is on a lease basis, which will expire after a certain period of time, during this period the dhcp server will not allocate the same address to any other clients. DHCP server's maintain a list of ip's that are already allocated,and the ip's that are not allocated. So this poses a denial of service attack risk, if an attacker sends large number of dhcp request with spoofed mac address to the dhcp server to consume all the available ip addresses.

Such kind of a denial of service attack against DHCP server is called ip pool starvation attack.

At this point of time, the DHCP server cannot allocate any ip address to the new hosts in the network(becuase all the ip pool addresses are consumed by the attacker's spoofed dhcp requests). So the attacker will change himself to a dhcp server(if you have read my post on dhcp prototcol , you will come to know that , a network can have multiple dhcp servers), and will allot ip's and gateway as per his wish, to monitor the entire network traffic.

DHCP ip pool starvation attack can be prevented by using switch's port security features.

ARP Attacks:

Similar to the switch's CAM table, each and every machine contain's an ARP table. ARP stands for Address Resolution Protocol. This table consists of ip to mac address mapping.

Whenever you try to reach a computer on your network, the first thing that your computer does is to look its ARP table to find, the destination MAC address corresponding to the destination IP address.

In Linux you can view your ARP table as shown below.

[root@myvm1 ~]# arp -a
? ( at 00:50:56:F9:F6:5D [ether] on eth0
? ( at 00:50:56:C0:00:08 [ether] on eth0
[root@myvm1 ~]#

An attacker can send broadcasts with spoofed mac and ip address's, so that the machine's in the network will update their arp table entry with the attacker's spoofed address and MAC.

dsniff package contains mac spoofing and arp attack functionalities.

VLAN Attacks:

The method of Dividing a single layer 2 network to multiple broadcast domains so that traffic of those different broadcast domain's flow independently without colliding each other in that same layer 2 network is called Virtual Local Area Networks(VLAN).

Previously switches and router's only supported multiple vlan's by using separate ports. But these days due to advancement in network technology, VLAN's can be configured in a single port by using tagging facility in the switch.

As i told vlan's are used to separate traffic of two virtually created broadcast domains. So the main aim of the attacker will be to access traffic of other vlan for which he does not have access to.

VLAN Hopping:

Using vlan hopping an attacker can send data to computer's belonging to other vlan's. This is achieved by tagging the data packets with the remote required vlan ID. This ability of tag data packet's with vlan id's are available in Linux, as well as other operating system's.

Network loops

looping in network's occurs whenever there are more than one path available between two endpoints.

this kind of loops can be created by having two links between ports in the same vlan. when loop appears in the network, network broadcast packets travel in the network endlessly, which will result in bringing the network down. (since TTL or time to live header is not there in a frame, the frame's does not die on its own)

Spanning Tree Protocol provides a mechanism to keep the alternate path available as a backup path.


Rate this article: 
Average: 3.6 (415 votes)

Add new comment

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.