Understanding and Preventing L2 Attacks Series Index
Part 3 - More Attacks and Mitigation One of the most overlooked aspects of network security is at Layer 2. Frequently security engineers consider the “inside” network trusted. In other words, there is no reason to spend time and potentially money ensuring the internal network is secure. Here are a few reasons why this is not the best strategy:
According to Verizon (https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf), 34% of all network attacks came from internal actors. In other words, a bit over 1/3 of all attacks on businesses, did not involve the traditional network edge. Having a perfectly configured, up to date, and monitored edge firewall would not prevent over 1/3 of attacks.
Ease of Attack
Unlike what you see on TV, it is extremely difficult and frequently impossible to breach a properly configured firewall. The proverbial high school dropout in his mom’s basement banging away at a keyboard and causing global chaos is simply not feasible. However, the caveat to the previous statement is the key word “properly” as in “properly configured firewall”. In fact, you would have an extremely hard time finding a news story about a cyber-attack that does not include the word “misconfigured”, “outdated”, or “user error”.
On the other hand, launching an internal attack on an unsecured switching network is shockingly easy. It is easy to siphon data, but even easier to bring down the entire LAN in an enterprise. What makes this even more insidious is many attacks are nearly impossible to discover. A successful attack would bring you back to the days of chasing down network loops. You can’t login to the switch to see what’s going on, the general-purpose CPU is too overwhelmed to send syslog traffic, and the only possible solution is a hard reboot. Of course, once it is back up you have 19 seconds to fix the problem before the outage returns. Ug.
The easiest way to describe this is with a few stories; I’m thinking a made-for-tv movie. 😊
Large Medical Services Company
Periodically, the entire LAN at the HQ would slow down to the point all work had to stop. There was no rhyme or reason, every few weeks the entire network would just crash. The network and security engineers were convinced it was an external attack and used firewall logs of dropped traffic to justify their hypothesis. They were so convinced, they determined it was an extremely sophisticated attack and the attacker obviously deleted the “success” log entries to mask the activity.
I was asked to audit their edge firewall, find the leak, and obviously plug it. Sure enough, on my second day onsite, the problem occurred. From within the network we couldn’t get to the firewall or any of the internal switches. On a whim I consoled into a switch with the intention of seeing what the firewall was sending. After a few basic commands to map out the network (there was no documentation), the problem was clear as day. I looked at spanning-tree and found the root bridge was “Bob’s Router”, Bob is a fictitious name to protect the innocent. A manager had a one-on-one meeting with an employee once per month, when they meet, Bob plugs in an old 10Mbps switch so both the manager and employee can be on the network at the same time. All traffic in the internal network was traversing this single slow, broken, switch. +1 for Occam’s Razor. The point is, the most successful attack against this company, wasn’t an attack at all.
Large Manufacturing Company
A production line at a plant would completely crash, all network traffic was dropped, and nothing network related worked. Again, it is nearly impossible to troubleshoot a network you cannot attach to. Of course, the only move available was to completely power cycle all network equipment. Everything would be fine for a few minutes, and then the network would go off the rails again.
I was asked to help troubleshoot on Day 2 of this outage. The frustration level was off the charts and I quickly decided to take a very aggressive step to help narrow it down. Basically, I shut down all ports in the entire L2 infrastructure, and brought them back up, 12 at a time, until the problem came back. From there it was trivial to find the single port that caused all the problems. Simply, it was a broken PLC that simply started replying to all ARP traffic, regardless of source or destination. There is not a network engineer on the planet that would have seen this coming. The point here is, a major outage was due to a bad piece of hardware, not an attack, not user error, and not anything anyone would have guessed.
A Different Large Manufacturing Company
At a satellite office, PCs would periodically get kicked off the network. This happened over the course of months and even included multiple trips to the site to try to figure out the problem. The desktop engineer would simply reboot the PCs and half the time they would come back up. If it didn’t, the engineer figured out they would all come back up after a few reboots.
After some time passed, I was asked to take a look at the network side to see if there was any explanation. Simply, one of the office workers was studying for an IT exam and built a Linux Server, complete with a DHCP Server. That’s it.
All of these problems and the cost associated with them could have been avoided with very basic Layer 2 network security.
Layer 2 Attacks
VLAN Hopping is an attack which allows the attacker access to all VLAN's within your organization. There are two main flavors of this type of attack:
Switch Spoofing: By default, a Cisco switch will always attempt to form a trunk with any other switch you plug in. This makes Cisco switches very easy to work with, but also opens a massive security concern. The attacker can simply plug in a real switch or a PC masquerading as a switch, form a trunk with your production network, and gain access to everything in every VLAN.
Double Tagging: This type of attack takes advantage of a default setting in switches. When a switch sees traffic that is tagged with the Native VLAN, it strips the tag prior to sending across a trunk to the next switch in the path. In other words, when the traffic hits the second switch, it would be untagged traffic. Double tagging is a process where two VLAN tags are put in the frame. The first one is the Native VLAN and the second is the “real” destination VLAN. When traffic leaves the access layer, the Native VLAN is stripped, leaving only the VLAN tag that is being attacked.
Spanning Tree Attacks
Typically used with Switch Spoofing. The attacker plugs in their switch, forms a trunk with production equipment, and manipulates their Spanning Tree Priority to a value lower than the production switch. Now all traffic on the L2 network flows through the attacker device.
So, I’m on a PC with a default gateway of 10.0.0.254. The first thing my PC will do is send an ARP request for 10.0.0.254, the router will respond, and I can then address my traffic to the MAC Address of the Router.
An attacker can simply configure their PC to respond to my initial ARP request. Once done, I address my traffic to the attacker MAC Address where all non-encrypted traffic can be viewed. To make this even more difficult to track down, the attacker will frequently actually send the data to the legitimate router after it takes a copy of it. The victim doesn’t know any of this took place.
Very similar to an ARP attack – Instead of responding to your ARP request, the attacker simply configures the attacker PC to use your MAC Address. From there, they can constantly send data to the switch to keep the CAM Table updated with the source port of the attacker PC.
All switches have a limit to the number of MAC Addresses that can be stored at any given time. When this table reaches its capacity, the switch effectively acts as a hub and begins flooding all traffic out of all connected ports. The attacker simply changes the MAC Address of their PC programmatically several hundred times per second. The CAM Table reaches capacity and all L2 security is thrown out the window.
Can’t get much simpler, the attacker simply plugs in their own DHCP Server and issues IP Addresses to your end users. Typically, the attacker will use the end of a specific IP range which makes detection very difficult.
Issue IPs to endpoints and point the default gateway to the attacker PC.
Capture the traffic and forward to the original destination to avoid detection.
Can be combined with a CAM overflow attack which would consume all available IPs on the legitimate DHCP Server, leaving the rogue DHCP Server the only one working.
This is just a sample of what is possible and frequently these attacks are used in combination with disastrous results. A good layer 2 security policy or a NAC Solution such as Cisco ISE can reduce or eliminate these and other similar attacks at Layer 2, and as a byproduct, also prevent several Layer 3 attacks. If you'd like to continue the conversation, contact us today! Understanding and Preventing L2 Attacks Series Index