SecHard
Layer2 Attacks and Preventive Controls
SECHARD generates Security Audit Reports for network devices, takes action and eliminates security vulnerabilities. SecHard detects whether the network devices it supports are protected against Layer 2 attacks and can take action to prevent them. All security actions taken are recorded in detail. Moreover, it continuously checks the configuration and warns when changes occur; these actions are displayed via Historical or System Event. SECHARD constantly checks the security status of network devices and, in case of a change, makes the necessary arrangements and notifications. SECHARD is the only product in the world that can find and remediate these insecure configurations.
Flooding Attacks: Checks for and closes off Flooding Attack variants.
Inspection Attacks: Checks for and closes off Inspection Attack types.
Manipulation Attacks: Checks for and closes off Manipulation Attack types.
Spoofing Attacks: Checks for and closes off Spoofing Attack types.
Starvation Attacks: Checks for and closes off Starvation Attack variants.
Smurf Attacks: Checks for and closes off Smurf Attack types.
Automated and Manual Hardening Actions: Closes vulnerabilities manually or automatically.
Auditing Layer 2 Network Attacks: Continuous configuration audit and Layer 2 attack control.
Tracking Security Score History: Continuously monitors the Security Score and shows changes in the Score History.
Security Detail Reporting: Generates a detailed Security Report.
Security Summary Reporting: Generates a Summary Security Report.
Physical Security / Physical Attack
Unused ports are often left enabled and unconfigured. Anyone with physical access to such a port gets a path into the network. Shutting down unused ports and assigning them to an unused VLAN in the environment eliminates this risk.
MAC Flooding Attack / Flooding Attack
MAC flooding is a type of DoS attack on the CAM table of switches in local networks. The attacker sends thousands of source MAC addresses to the switch in a very short time and the switch learns each of them. The CAM table fills up and the switch can no longer learn new addresses, so it forwards frames for unknown destinations out of every port, like a hub. The result is a serious slowdown of the network, and the attacker can listen to the whole network.
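The following added example (not SecHard's code) models the mechanism just described in a toy switch: a CAM table of fixed capacity, an attacker port that sends frames with many forged source MACs, and the port-security control that bounds how many MACs one access port may learn. The switch, ports and MAC addresses are all constructed; the capacity of 8 entries is deliberately tiny so the effect is visible.

```python
"""Model of a switch CAM table under MAC flooding, next to the port-security
control that bounds how many source MACs one access port may learn.
Added example: a constructed switch and constructed frames, not a capture."""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    in_port: str
    src_mac: str
    dst_mac: str


@dataclass
class Switch:
    ports: list
    cam_capacity: int                                  # finite CAM size, the resource flooding exhausts
    max_macs: dict = field(default_factory=dict)       # port -> port-security maximum (None = off)
    cam: dict = field(default_factory=dict)            # learned MAC -> port
    seen: dict = field(default_factory=dict)           # port -> set of source MACs seen on it
    err_disabled: set = field(default_factory=set)     # ports shut by a port-security violation
    flood_count: int = 0

    def forward(self, frame):
        """Learn the source MAC, then return the list of egress ports for the frame."""
        if frame.in_port in self.err_disabled:
            return []                                  # a shut port passes nothing
        port_macs = self.seen.setdefault(frame.in_port, set())
        limit = self.max_macs.get(frame.in_port)
        if limit is not None and frame.src_mac not in port_macs and len(port_macs) >= limit:
            self.err_disabled.add(frame.in_port)       # violation mode 'shutdown'
            return []
        port_macs.add(frame.src_mac)
        if frame.src_mac in self.cam or len(self.cam) < self.cam_capacity:
            self.cam[frame.src_mac] = frame.in_port    # a full CAM simply stops learning
        out = self.cam.get(frame.dst_mac)
        if out is None:                                # unknown destination: hub-like flooding
            self.flood_count += 1
            return [p for p in self.ports if p != frame.in_port]
        return [out]


PORTS = ["Gi1/0/1", "Gi1/0/2", "Gi1/0/3"]
ATTACKER, HOST_A, HOST_B = "Gi1/0/1", "Gi1/0/2", "Gi1/0/3"
MAC_A, MAC_B = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b"   # constructed, documentation range


def run_scenario(port_security_max=None):
    """Flood the CAM from ATTACKER, then see where a frame from HOST_A to HOST_B goes.
    Returns (egress ports, CAM entries, whether the attacker port was err-disabled)."""
    sw = Switch(PORTS, cam_capacity=8,
                max_macs={ATTACKER: port_security_max} if port_security_max else {})
    sw.forward(Frame(HOST_A, MAC_A, BROADCAST))        # HOST_A is learned first
    for i in range(200):                               # forged source MACs from one port
        sw.forward(Frame(ATTACKER, f"02:00:00:00:{i // 256:02x}:{i % 256:02x}", BROADCAST))
    sw.forward(Frame(HOST_B, MAC_B, MAC_A))            # HOST_B speaks; learned only if CAM has room
    egress = sw.forward(Frame(HOST_A, MAC_A, MAC_B))   # HOST_A replies to HOST_B
    return egress, len(sw.cam), ATTACKER in sw.err_disabled


if __name__ == "__main__":
    print("no port-security :", run_scenario())       # reply is flooded, attacker port included
    print("maximum 2 MACs   :", run_scenario(2))      # reply goes only to HOST_B
```

Without port security the CAM fills with forged entries, HOST_B is never learned, and the reply to it is flooded out of the attacker's port as well. With a maximum of two MACs on the attacker's port the third forged address err-disables that port, the CAM keeps room for legitimate hosts, and the reply is delivered to HOST_B alone.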
CDP Attack / Flooding Attack
Cisco Discovery Protocol (CDP) is a proprietary protocol that all Cisco devices can use by default. CDP discovers other directly connected Cisco devices. It simplifies configuration and connectivity by letting devices configure their links automatically in some cases. CDP messages are not encrypted.
CDP carries information such as the software version, IP address, platform, capabilities and native VLAN. When this information is available to an attacker's computer, the attacker can use it to find exploits against your network, often in the form of a Denial of Service (DoS) attack.
An attacker can easily use Wireshark or other network analyzer software to read the information about devices that CDP sends over the network in broadcast messages. In particular, the Cisco IOS software version exposed through CDP lets the attacker look up whether any vulnerabilities are specific to that code version. Furthermore, because CDP is not authenticated, an attacker can forge CDP packets that the directly connected Cisco device will accept. If the attacker can access the router via Telnet or SNMP, they can use CDP information to discover the entire topology of your network at Layer 2 and Layer 3, including all IOS levels, router and switch model types, and IP addressing.
LLDP Attack / Inspection Attack
Cisco Discovery Protocol (CDP) and Link Layer Discovery Protocol (LLDP) are used for similar purposes. Both provide a way to see what types of devices are connected on a link and some of their configuration (IP address, software version, etc.). Network engineers often use this information to troubleshoot large networks more efficiently. However, the same information is generally available to anyone who is "listening", which means an attacker only needs to listen on the same link to learn a great deal about the connected devices.
ISDP Attack / Inspection Attack
Cisco Discovery Protocol (CDP) and Industry Standard Discovery Protocol (ISDP) are used for similar purposes. Both provide a way to see what types of devices are connected on a link and some of their configuration (IP address, software version, etc.). Network engineers often use this information to troubleshoot large networks more efficiently. However, the same information is typically available to anyone who is "listening", which means an attacker only needs to listen on the same link to learn a great deal about the connected devices.
STP Manipulation Attack / Manipulation Attack
This attack abuses the Spanning Tree Protocol (STP): the attacker connects to a switch port, either directly or through another switch, and manipulates STP parameters so that the attacker's device becomes the root bridge. This lets the attacker see frames that would otherwise never reach that port.
DHCP Starvation Attack / Starvation Attack
Another type of network attack targeting DHCP servers is the DHCP Starvation Attack. In a DHCP starvation attack, an attacker broadcasts a large number of DHCP REQUEST messages with forged source MAC addresses. If the legitimate DHCP server on the network responds to all of these fake requests, the available IP addresses within its scope are exhausted in a very short time. This is a denial-of-service attack that takes the DHCP server out of service.
After a DHCP starvation attack, the attacker can set up a rogue DHCP server and start distributing IP addresses and other TCP/IP configuration settings to the network's DHCP clients. Those settings include the Default Gateway and DNS Server IP addresses, so the attacker can replace the legitimate Default Gateway and DNS Server IP addresses with their own.
ARP Spoofing Attack / Spoofing Attack
An ARP spoofing attack (MITM) occurs when forged ARP messages are sent over the LAN so that the attacker's MAC address becomes mapped to another computer's IP address. From that point the attacker receives any data sent to that IP address. ARP spoofing lets attackers intercept, capture and modify data.
Dynamic ARP Inspection (DAI) rejects invalid ARP packets. DAI relies on DHCP snooping, which builds a binding database of MAC address to IP address mappings. The switch drops any ARP packet whose sender MAC address and sender IP address do not match the corresponding entry in the DHCP snooping binding database.
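The DAI decision described above, as an added example that is not part of the original page: constructed DHCP snooping bindings, a handful of constructed ARP packets (one of which claims the gateway's IP from a port whose binding says otherwise), and a validation routine that permits or drops each packet the way a switch's binding check would. The trusted-port exemption and the Ethernet-source versus ARP-sender MAC comparison mirror the trust and source-MAC validation options found on Cisco DAI; the binding table layout here is this example's own.

```python
"""Dynamic ARP Inspection check: validate ARP packets against a DHCP snooping
binding table. Added example with constructed bindings and constructed packets."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass(frozen=True)
class ArpPacket:
    in_port: str
    vlan: int
    eth_src: str       # Ethernet source MAC
    sender_mac: str    # ARP sender hardware address
    sender_ip: str     # ARP sender protocol address
    is_reply: bool


def build_binding_table(bindings):
    """Index bindings by (vlan, mac), the lookup the switch performs per ARP packet."""
    return {(b.vlan, b.mac.lower()): b for b in bindings}


def dai_verdict(pkt, table, trusted_ports=frozenset(), validate_src_mac=True):
    """Return ("permit" | "drop", reason) for one ARP packet."""
    if pkt.in_port in trusted_ports:
        return "permit", "trusted port (uplink to DHCP server/router), not inspected"
    if validate_src_mac and pkt.eth_src.lower() != pkt.sender_mac.lower():
        return "drop", "Ethernet source MAC differs from ARP sender MAC"
    binding = table.get((pkt.vlan, pkt.sender_mac.lower()))
    if binding is None:
        return "drop", "sender MAC has no DHCP snooping binding in this VLAN"
    if binding.ip != pkt.sender_ip:
        return "drop", f"sender IP {pkt.sender_ip} does not match bound IP {binding.ip}"
    if binding.port != pkt.in_port:
        return "drop", f"binding belongs to port {binding.port}, packet came in on {pkt.in_port}"
    return "permit", "sender MAC/IP match the DHCP snooping binding"


# Constructed binding table: two leases in VLAN 10, handed out on ports 2 and 3.
BINDINGS = [
    Binding("00:11:22:33:44:55", "10.0.0.10", 10, "Gi1/0/2"),
    Binding("00:11:22:33:44:66", "10.0.0.11", 10, "Gi1/0/3"),
]

# Constructed ARP packets, in the order a switch might see them.
PACKETS = [
    # legitimate reply from the host on port 2
    ArpPacket("Gi1/0/2", 10, "00:11:22:33:44:55", "00:11:22:33:44:55", "10.0.0.10", True),
    # host on port 3 claims the gateway's IP 10.0.0.1: the ARP spoofing case
    ArpPacket("Gi1/0/3", 10, "00:11:22:33:44:66", "00:11:22:33:44:66", "10.0.0.1", True),
    # MAC that never obtained a DHCP lease
    ArpPacket("Gi1/0/4", 10, "aa:bb:cc:dd:ee:ff", "aa:bb:cc:dd:ee:ff", "10.0.0.50", False),
    # Ethernet header and ARP payload disagree about the sender
    ArpPacket("Gi1/0/2", 10, "00:11:22:33:44:55", "00:11:22:33:44:66", "10.0.0.11", True),
    # real gateway answering over the trusted uplink
    ArpPacket("Gi1/0/24", 10, "00:aa:bb:cc:dd:01", "00:aa:bb:cc:dd:01", "10.0.0.1", True),
]


def inspect_all(packets=PACKETS, bindings=BINDINGS, trusted=frozenset({"Gi1/0/24"})):
    """Run DAI over a packet list and return the verdict for each packet in order."""
    table = build_binding_table(bindings)
    return [dai_verdict(p, table, trusted)[0] for p in packets]


if __name__ == "__main__":
    table = build_binding_table(BINDINGS)
    for pkt in PACKETS:
        verdict, reason = dai_verdict(pkt, table, frozenset({"Gi1/0/24"}))
        print(f"{pkt.in_port:9} {pkt.sender_ip:10} {verdict:6} {reason}")
```

Two practical points follow from the code: the port carrying the DHCP server or default gateway must be marked trusted or its ARP traffic is dropped too, and hosts with static addresses never appear in the snooping database, so they need a static entry (on Cisco, an ARP ACL) or DAI will drop them as well.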
Telnet Attack / Manipulation Attack
Many protocols are used to transport sensitive network management data, and secure protocols should be used wherever possible. One secure option is to use SSH instead of Telnet so that both authentication data and management information are encrypted.
If Telnet is used, all traffic flows in plain text and is exposed to Telnet communication sniffing, Telnet brute-force attacks and Telnet DoS (Denial of Service) attacks.
Vlan Hopping Attack / Spoofing Attack
VLAN hopping is a type of network attack in which an attacker connected to an access port (which belongs to a specific VLAN) gains access to traffic from other VLANs. Normally, a computer connected to a switch access port can only receive traffic from the VLAN associated with that port.
Using a VLAN hopping attack, an attacker can sniff network traffic from another VLAN with a protocol analyzer or send traffic from one VLAN into another. There are two types of VLAN hopping attack: the Switch Spoofing attack and the Double Tagging attack.
VLAN Hopping Switch Spoofing and VLAN Hopping Double Tagging attacks are prevented by using Nonegotiate and Native VLAN control.
ICMP Based Attack / Smurf Attack
One of the ICMP-based attack types is the Smurf attack. The name Smurf comes from the original exploit tool source code smurf.c, created in 1997 by a person named TFreak. In a Smurf attack, an attacker broadcasts a large number of ICMP packets with the victim's spoofed source IP to a network using a network IP broadcast address. This causes devices on the network to respond by sending a reply to the source IP address.
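Most of the controls named on this page (shutting unused ports, disabling CDP/LLDP, BPDU guard against STP manipulation, DHCP snooping and rate limiting against starvation, Dynamic ARP Inspection, SSH instead of Telnet, nonegotiate and a non-default native VLAN against VLAN hopping, no directed broadcasts against Smurf amplification) are visible in a switch's running configuration. The following added example audits a Cisco IOS-style configuration for them. It is this example's own rule set, not SecHard's; the configuration text is constructed, and the checks key on standard IOS command strings (`ip dhcp snooping`, `ip arp inspection vlan`, `no cdp run`, `lldp run`, `switchport port-security`, `spanning-tree bpduguard enable`, `switchport nonegotiate`, `ip dhcp snooping limit rate`, `transport input ssh`, `ip directed-broadcast`), so a platform with different syntax would need its own rules.

```python
"""Audit a Cisco IOS-style running-config for the Layer 2 hardening controls on
this page. Added example: constructed config, this example's own rule set."""
SAMPLE_CONFIG = """\
ip dhcp snooping
lldp run
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 spanning-tree bpduguard enable
 no cdp enable
 no lldp transmit
 ip dhcp snooping limit rate 15
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/3
 switchport mode dynamic desirable
!
interface GigabitEthernet1/0/4
 shutdown
!
interface GigabitEthernet1/0/24
 switchport mode trunk
 ip dhcp snooping trust
!
interface Vlan10
 ip directed-broadcast
!
line vty 0 4
 transport input telnet ssh
"""
ACCESS_PORT_CHECKS = [  # (required command prefix, risk when it is missing)
    ("switchport port-security", "no port-security: CAM table open to MAC flooding"),
    ("spanning-tree bpduguard enable", "no BPDU guard: host BPDUs can manipulate STP"),
    ("switchport nonegotiate", "DTP enabled: switch-spoofing VLAN hopping"),
    ("ip dhcp snooping limit rate", "no DHCP rate limit: DHCP starvation from this port"),
]

def parse_ios(text):
    """Split a config into global lines and indented stanzas keyed by their header."""
    globals_, stanzas, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
        elif raw.startswith(" "):
            if current is not None:
                stanzas[current].append(raw.strip())
        elif raw.startswith(("interface ", "line ")):
            current = raw.strip()
            stanzas[current] = []
        else:
            current = None
            globals_.append(raw.strip())
    return globals_, stanzas

def audit(text):
    """Return (scope, finding) pairs; an empty list means every check passed."""
    globals_, stanzas = parse_ios(text)
    g, findings = set(globals_), []
    if "ip dhcp snooping" not in g:
        findings.append(("global", "DHCP snooping off: starvation and rogue servers unchecked"))
    if not any(l.startswith("ip arp inspection vlan") for l in g):
        findings.append(("global", "Dynamic ARP Inspection not enabled on any VLAN"))
    cdp_on, lldp_on = "no cdp run" not in g, "lldp run" in g   # CDP is on unless disabled
    if cdp_on:
        findings.append(("global", "CDP running: version and topology sent in clear text"))
    if lldp_on:
        findings.append(("global", "LLDP running: device details readable by anyone listening"))
    for name, ls in ((n, set(l)) for n, l in stanzas.items()):
        if name.startswith("line vty"):
            if "transport input ssh" not in ls:
                findings.append((name, "Telnet reachable on VTY lines; use 'transport input ssh'"))
            continue
        if "shutdown" in ls: continue                  # a shut port is already neutralised
        if "ip directed-broadcast" in ls:
            findings.append((name, "directed broadcasts forwarded: Smurf amplifier"))
        if "Ethernet" not in name: continue            # remaining checks are for physical ports
        mode = next((l[16:] for l in ls if l.startswith("switchport mode ")), "dynamic auto")
        if mode == "trunk":
            native = next((l.split()[-1] for l in ls if l.startswith("switchport trunk native vlan ")), "1")
            if native == "1":
                findings.append((name, "trunk native VLAN is 1: double-tagging VLAN hopping"))
            continue
        if mode != "access":
            findings.append((name, f"switchport mode {mode}: can be negotiated into a trunk"))
        if not any(l.startswith("switchport access vlan ") for l in ls):
            findings.append((name, "live port left on VLAN 1: shut it or park it in an unused VLAN"))
        for required, risk in ACCESS_PORT_CHECKS:
            if not any(l.startswith(required) for l in ls):
                findings.append((name, risk))
        if cdp_on and "no cdp enable" not in ls:
            findings.append((name, "CDP still enabled on an access port"))
        if lldp_on and "no lldp transmit" not in ls:
            findings.append((name, "LLDP still transmitted on an access port"))
    return findings
```

Run `audit(SAMPLE_CONFIG)` and the hardened port Gi1/0/1 and the shut port Gi1/0/4 produce nothing, while the bare access port, the dynamic-desirable port, the trunk on native VLAN 1, the SVI with directed broadcasts and the Telnet-capable VTY lines each produce findings; counting findings per scope is a simple per-port security score that can be tracked between configuration snapshots.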