Layer 2 Security: Threats and Vulnerabilities in Ethernet Networks

The Data Link Layer (Layer 2) of the OSI model is crucial for local network communication, handling frame transmission, MAC addressing, and switching. However, its protocols—such as Ethernet, ARP, VLANs, and STP—were designed for efficiency, not security. This leaves networks vulnerable to attacks like MAC spoofing, ARP poisoning, VLAN hopping, and STP abuse, which can compromise confidentiality, integrity, and availability.

Key Points

Layer 2 protocols lack built-in authentication or encryption, making them susceptible to exploitation.
Switches dynamically learn MAC addresses, enabling attacks like MAC flooding and spoofing.
ARP’s stateless, trust-based design allows ARP poisoning, leading to man-in-the-middle (MITM) attacks.
VLANs provide logical segmentation but can be bypassed via DTP attacks or double-tagging.
STP and LLDP, while useful for network stability and discovery, can be abused for DoS or reconnaissance.

Core Concepts

The Data Link Layer and Ethernet

The Data Link Layer (Layer 2) is divided into two sublayers:

MAC (Media Access Control): Handles framing, addressing (EtherType), and error detection (CRC).
LLC (Logical Link Control): Provides multiplexing and interfaces with Layer 3 (Network Layer).

Key Ethernet Properties:

Property	Description
MTU	1500 bytes (standard Ethernet frame size)
Minimum Frame	64 bytes (to detect collisions)
VLAN Tagging	IEEE 802.1Q adds a 4-byte tag for VLAN identification
CRC	Detects transmission errors (not malicious tampering)

⚠️ Critical Limitation: Ethernet has no authentication or encryption by default.

How Switches Work

Switches forward frames based on MAC address tables, which map:

MAC Address → Switch Port

Behavior:

Unknown destination: Floods the frame to all ports (except the source).
Known destination: Forwards the frame directly to the correct port.

This behavior is exploited in MAC flooding and spoofing attacks.

Layer 2 Threats and Attacks

MAC Spoofing

Problem: MAC addresses are not authenticated; any device can forge them.

Attack:

Attacker sends frames with a spoofed source MAC address (e.g., a victim’s MAC).
The switch updates its MAC table, associating the victim’s MAC with the attacker’s port.

Impact:

Traffic interception (MITM).
Denial of Service (DoS) due to MAC table conflicts.

MAC Flooding

Problem: Switch MAC tables have limited capacity.

Attack:

Attacker floods the switch with frames containing random source MAC addresses.
The MAC table overflows, forcing the switch into hub-like behavior (flooding all frames).

Impact:

Loss of confidentiality (traffic sniffing).
DoS (network congestion).

ARP Poisoning (ARP Spoofing)

Problem: ARP is stateless and unauthenticated, relying on trust.

Normal ARP Operation:

ARP Request: Broadcast (FF:FF:FF:FF:FF:FF) to resolve an IP to a MAC.
ARP Reply: Unicast response with the MAC-IP mapping.
ARP Cache: Devices store mappings locally.

Attack:

Attacker sends fake ARP replies (e.g., claiming to be the gateway).
Victims update their ARP caches with the attacker’s MAC.

Techniques:

Faster replies: Override legitimate responses.
Gratuitous ARP: Unsolicited replies to update caches.

Impact:

MITM attacks (intercept/modify traffic).
DoS (redirect traffic to a black hole).

VLAN Hopping

VLANs logically segment networks, but misconfigurations enable bypass attacks.

DTP Attack

Problem: Dynamic Trunking Protocol (DTP) auto-negotiates trunk links.

Attack:

Attacker sends DTP frames advertising dynamic desirable mode.
The switch converts the port to a trunk, granting access to all VLANs.

Impact:

Traffic sniffing across VLANs.
MITM attacks on inter-VLAN traffic.

Double-Tagging

Problem: Misconfigured native VLAN (untagged traffic).

Attack:

Attacker sends a frame with two VLAN tags:
- Outer tag: Native VLAN (removed by first switch).
- Inner tag: Target VLAN (forwarded by second switch).
The frame reaches the target VLAN.

Impact:

One-way traffic injection into another VLAN.
Limited to specific switch configurations.

STP Abuse

Problem: Spanning Tree Protocol (STP) prevents loops but is vulnerable to manipulation.

Attack:

Attacker announces a switch with lowest priority (e.g., priority 0).
The attacker’s device becomes the root bridge, controlling traffic flow.

Impact:

Traffic interception (MITM).
Network instability (frequent topology changes).
DoS (disrupting STP convergence).

LLDP Abuse

Problem: Link Layer Discovery Protocol (LLDP) advertises device details without authentication.

Attack:

Attacker sends fake LLDP advertisements with spoofed data.
Network monitoring tools receive false topology information.

Impact:

Information leakage (IPs, hostnames, software versions).
Reconnaissance for targeted attacks.
DoS (disrupting network management).

Common Misconfigurations and Pitfalls

Avoid these critical mistakes to harden Layer 2 security:

Misconfiguration	Risk	Mitigation
DTP enabled on access ports	VLAN hopping via DTP attacks	Disable DTP (`switchport nonegotiate`)
Default native VLAN (VLAN 1)	Double-tagging attacks	Use an unused VLAN for native traffic
ARP trust model	ARP poisoning	Enable Dynamic ARP Inspection (DAI)
No MAC address limits	MAC flooding	Configure port security
STP without BPDU Guard	STP root bridge hijacking	Enable BPDU Guard
LLDP enabled on untrusted ports	Information leakage	Disable LLDP on access ports

Practical Attack Scenario

Scenario: Attacker gains access to an unused Ethernet port in an enterprise LAN.

MAC Flooding: Overwhelms the switch’s MAC table, forcing hub-like behavior.
ARP Poisoning: Intercepts traffic between a victim and the gateway.
DTP Attack: Converts the port to a trunk, accessing all VLANs.
LLDP Abuse: Maps the network topology for further attacks.

Result:

Confidentiality breach (sniffed credentials, emails).
Integrity compromise (modified traffic).
Availability loss (network congestion, DoS).

Mitigation Strategies

Port Security

Static MAC binding: Assign MAC addresses to specific ports.
MAC address limits: Restrict the number of MACs per port.
Violation actions: Shut down or restrict ports on violations.

ARP Protection

Dynamic ARP Inspection (DAI): Validates ARP packets against DHCP snooping bindings.
ARP rate limiting: Prevents ARP flooding.

VLAN Hardening

Disable DTP: Use switchport mode access or switchport nonegotiate.
Change native VLAN: Use an unused VLAN (e.g., VLAN 999).
VLAN ACLs: Restrict traffic between VLANs.

STP Protection

BPDU Guard: Disables ports receiving BPDUs (prevents rogue switches).
Root Guard: Ensures the root bridge cannot be hijacked.
Loop Guard: Prevents alternate/root port failures.

LLDP Hardening

Disable LLDP on access ports: Limit to trusted trunk ports.
LLDP-MED: Use for VoIP devices with authentication.

Encryption

MACsec (IEEE 802.1AE): Encrypts Layer 2 traffic between switches.
IPsec: Encrypts traffic at Layer 3 for end-to-end security.

Key Takeaways

Layer 2 is not inherently secure: Protocols like Ethernet, ARP, and STP were designed for functionality, not security.
Switches are vulnerable: MAC tables, ARP caches, and VLAN configurations can be exploited.
Misconfigurations enable attacks: DTP, native VLANs, and STP settings are common weak points.
Defense in depth is critical: Combine port security, DAI, VLAN hardening, and encryption.
Monitoring is essential: Detect anomalies like MAC flooding or ARP spoofing with SIEM tools.

Learn More

Advanced Topics

MACsec (IEEE 802.1AE): Encrypting Layer 2 traffic.
Private VLANs (PVLANs): Isolating devices within the same VLAN.
802.1X Authentication: Port-based network access control.
Network Segmentation: Micro-segmentation with SDN.

Tools for Testing Layer 2 Security

Tool	Purpose
Wireshark	Packet analysis (ARP, VLAN tags, STP).
Ettercap	ARP poisoning and MITM attacks.
Yersinia	Exploits Layer 2 protocols (STP, DTP, VLAN hopping).
Scapy	Custom packet crafting (MAC flooding, ARP spoofing).
Cisco Packet Tracer	Simulate attacks and mitigations in a lab environment.

References

Standards:
- IEEE 802.3 (Ethernet)
- IEEE 802.1Q (VLAN Tagging)
- IEEE 802.1D (STP)
- IEEE 802.1AB (LLDP)
- RFC 826 (ARP)
Best Practices:
- Cisco Layer 2 Security Best Practices
- NIST SP 800-41 (Firewall Guidelines)
- CIS Benchmarks for Network Devices

Key Points

Layer 2 protocols lack built-in authentication or encryption, making them susceptible to exploitation.
Switches dynamically learn MAC addresses, enabling attacks like MAC flooding and spoofing.
ARP’s stateless, trust-based design allows ARP poisoning, leading to man-in-the-middle (MITM) attacks.
VLANs provide logical segmentation but can be bypassed via DTP attacks or double-tagging.
STP and LLDP, while useful for network stability and discovery, can be abused for DoS or reconnaissance.

Core Concepts

The Data Link Layer and Ethernet

The Data Link Layer (Layer 2) is divided into two sublayers:

MAC (Media Access Control): Handles framing, addressing (EtherType), and error detection (CRC).
LLC (Logical Link Control): Provides multiplexing and interfaces with Layer 3 (Network Layer).

Key Ethernet Properties:

Property	Description
MTU	1500 bytes (standard Ethernet frame size)
Minimum Frame	64 bytes (to detect collisions)
VLAN Tagging	IEEE 802.1Q adds a 4-byte tag for VLAN identification
CRC	Detects transmission errors (not malicious tampering)

⚠️ Critical Limitation: Ethernet has no authentication or encryption by default.

How Switches Work

Switches forward frames based on MAC address tables, which map:

MAC Address → Switch Port

Behavior:

Unknown destination: Floods the frame to all ports (except the source).
Known destination: Forwards the frame directly to the correct port.

This behavior is exploited in MAC flooding and spoofing attacks.

Layer 2 Threats and Attacks

MAC Spoofing

Problem: MAC addresses are not authenticated; any device can forge them.

Attack:

Attacker sends frames with a spoofed source MAC address (e.g., a victim’s MAC).
The switch updates its MAC table, associating the victim’s MAC with the attacker’s port.

Impact:

Traffic interception (MITM).
Denial of Service (DoS) due to MAC table conflicts.

MAC Flooding

Problem: Switch MAC tables have limited capacity.

Attack:

Attacker floods the switch with frames containing random source MAC addresses.
The MAC table overflows, forcing the switch into hub-like behavior (flooding all frames).

Impact:

Loss of confidentiality (traffic sniffing).
DoS (network congestion).

ARP Poisoning (ARP Spoofing)

Problem: ARP is stateless and unauthenticated, relying on trust.

Normal ARP Operation:

ARP Request: Broadcast (FF:FF:FF:FF:FF:FF) to resolve an IP to a MAC.
ARP Reply: Unicast response with the MAC-IP mapping.
ARP Cache: Devices store mappings locally.

Attack:

Attacker sends fake ARP replies (e.g., claiming to be the gateway).
Victims update their ARP caches with the attacker’s MAC.

Techniques:

Faster replies: Override legitimate responses.
Gratuitous ARP: Unsolicited replies to update caches.

Impact:

MITM attacks (intercept/modify traffic).
DoS (redirect traffic to a black hole).

VLAN Hopping

VLANs logically segment networks, but misconfigurations enable bypass attacks.

DTP Attack

Problem: Dynamic Trunking Protocol (DTP) auto-negotiates trunk links.

Attack:

Attacker sends DTP frames advertising dynamic desirable mode.
The switch converts the port to a trunk, granting access to all VLANs.

Impact:

Traffic sniffing across VLANs.
MITM attacks on inter-VLAN traffic.

Double-Tagging

Problem: Misconfigured native VLAN (untagged traffic).

Attack:

Attacker sends a frame with two VLAN tags:
- Outer tag: Native VLAN (removed by first switch).
- Inner tag: Target VLAN (forwarded by second switch).
The frame reaches the target VLAN.

Impact:

One-way traffic injection into another VLAN.
Limited to specific switch configurations.

STP Abuse

Problem: Spanning Tree Protocol (STP) prevents loops but is vulnerable to manipulation.

Attack:

Attacker announces a switch with lowest priority (e.g., priority 0).
The attacker’s device becomes the root bridge, controlling traffic flow.

Impact:

Traffic interception (MITM).
Network instability (frequent topology changes).
DoS (disrupting STP convergence).

LLDP Abuse

Problem: Link Layer Discovery Protocol (LLDP) advertises device details without authentication.

Attack:

Attacker sends fake LLDP advertisements with spoofed data.
Network monitoring tools receive false topology information.

Impact:

Information leakage (IPs, hostnames, software versions).
Reconnaissance for targeted attacks.
DoS (disrupting network management).

Common Misconfigurations and Pitfalls

Avoid these critical mistakes to harden Layer 2 security:

Misconfiguration	Risk	Mitigation
DTP enabled on access ports	VLAN hopping via DTP attacks	Disable DTP (`switchport nonegotiate`)
Default native VLAN (VLAN 1)	Double-tagging attacks	Use an unused VLAN for native traffic
ARP trust model	ARP poisoning	Enable Dynamic ARP Inspection (DAI)
No MAC address limits	MAC flooding	Configure port security
STP without BPDU Guard	STP root bridge hijacking	Enable BPDU Guard
LLDP enabled on untrusted ports	Information leakage	Disable LLDP on access ports

Practical Attack Scenario

Scenario: Attacker gains access to an unused Ethernet port in an enterprise LAN.

MAC Flooding: Overwhelms the switch’s MAC table, forcing hub-like behavior.
ARP Poisoning: Intercepts traffic between a victim and the gateway.
DTP Attack: Converts the port to a trunk, accessing all VLANs.
LLDP Abuse: Maps the network topology for further attacks.

Result:

Confidentiality breach (sniffed credentials, emails).
Integrity compromise (modified traffic).
Availability loss (network congestion, DoS).

Mitigation Strategies

Port Security

Static MAC binding: Assign MAC addresses to specific ports.
MAC address limits: Restrict the number of MACs per port.
Violation actions: Shut down or restrict ports on violations.

ARP Protection

Dynamic ARP Inspection (DAI): Validates ARP packets against DHCP snooping bindings.
ARP rate limiting: Prevents ARP flooding.

VLAN Hardening

Disable DTP: Use switchport mode access or switchport nonegotiate.
Change native VLAN: Use an unused VLAN (e.g., VLAN 999).
VLAN ACLs: Restrict traffic between VLANs.

STP Protection

BPDU Guard: Disables ports receiving BPDUs (prevents rogue switches).
Root Guard: Ensures the root bridge cannot be hijacked.
Loop Guard: Prevents alternate/root port failures.

LLDP Hardening

Disable LLDP on access ports: Limit to trusted trunk ports.
LLDP-MED: Use for VoIP devices with authentication.

Encryption

MACsec (IEEE 802.1AE): Encrypts Layer 2 traffic between switches.
IPsec: Encrypts traffic at Layer 3 for end-to-end security.

Key Takeaways

Layer 2 is not inherently secure: Protocols like Ethernet, ARP, and STP were designed for functionality, not security.
Switches are vulnerable: MAC tables, ARP caches, and VLAN configurations can be exploited.
Misconfigurations enable attacks: DTP, native VLANs, and STP settings are common weak points.
Defense in depth is critical: Combine port security, DAI, VLAN hardening, and encryption.
Monitoring is essential: Detect anomalies like MAC flooding or ARP spoofing with SIEM tools.

Learn More

Advanced Topics

MACsec (IEEE 802.1AE): Encrypting Layer 2 traffic.
Private VLANs (PVLANs): Isolating devices within the same VLAN.
802.1X Authentication: Port-based network access control.
Network Segmentation: Micro-segmentation with SDN.

Tools for Testing Layer 2 Security

Tool	Purpose
Wireshark	Packet analysis (ARP, VLAN tags, STP).
Ettercap	ARP poisoning and MITM attacks.
Yersinia	Exploits Layer 2 protocols (STP, DTP, VLAN hopping).
Scapy	Custom packet crafting (MAC flooding, ARP spoofing).
Cisco Packet Tracer	Simulate attacks and mitigations in a lab environment.

References

Standards:
- IEEE 802.3 (Ethernet)
- IEEE 802.1Q (VLAN Tagging)
- IEEE 802.1D (STP)
- IEEE 802.1AB (LLDP)
- RFC 826 (ARP)
Best Practices:
- Cisco Layer 2 Security Best Practices
- NIST SP 800-41 (Firewall Guidelines)
- CIS Benchmarks for Network Devices