L2 Attacks and mitigation for fun and profit!

Switching Networks

So before i go into this i think it important to know the very basics of a switching network, and to protocols we will be working with as this knowledge explains how the attacks function. If you know this feel free to skip to the next section, but i will keep this as short as possible.

.:CAM Tables:

Network switches have an internal reference table to map MAC addresses to port interfaces. This Content-addressable memory or CAM table, depending on the size and grade of the switch will have table space for 1k entries and up:-
Netgear FS108 1K entries
Netgear GS108 4K entries


Cisco Catalyst 6500 1M entries

In order to not run out of table space, these entries will eventual time out, generally between 5-20mins after a specific MAC address was last seen.

The scheme is simple, but works well. The switch directs L2 unicast traffic to the exact port it needs to get to instead of all of them. This massively reduces the collision problems that used to cause problems in old style hub networks. Overall this means larger L2 collision domains are possible before the broadcast traffic becomes a limiting factor and has to be placed behind a L3 firebreak such as a router.

If you have access to a managed switch, you can view the CAM table with the following commands;

CISCO: ‘show mac-address-table’

HUAWEI: ‘display mac-address’



ARP or Address Resolution Protocol is a L3 (Network Layer) protocol. However in practise i find it easier to visualise it as a L2.5 protocol, as it acts as the bridge between L2 MAC based addressing and L3 IP based addressing on your current subnets / L2 domains.


On a IP network, you have an IP address, Subnet Mask, and a gateway IP. Your IP address and Mask describes the network (subnet) and the number of hosts directly accessible at L2 from the network interface. Any IP address outside of this is routed via the gateway address. When you need to talk to something on your subnet, but don’t have the MAC address of the device the IP stack will send out a ARP request to the network broadcast address. This request (been broadcast) is then sent to all ports/devices in the L2 domain. The device with the IP will then respond (unicast) to the requester, while simultaneously adding a IP/MAC mapping for the requester to its ARP table. The requester revives the reply and adds its own IP/MAC mapping it its ARP table. Then traffic can be sent unicast between the devices. The same traffic will also be picked up passively by the network switch, as it learns the sending devices MAC addresses from their Ethernet frames. And also by other devices on the subnet monitoring the broadcast address, although depending on their settings they may or may not add IP/MAC mappings to their ARP tables, but generally they will.



If you don’t know it, now would be a good time to read up the basics of ISO 7 OSI, Ethernet and the TCP/IP protocol.


L2 Attacks

ARP poisoning
ARP poisoning is the action of changing a devices IP/MAC addresses map for a specific IP, in general to pass the traffic to your sniffer system at L2 before redirecting it back to the original intended destination, preferably invisibly to the user.

This used to be done by sending gratuitous ARP reply’s to the network, however with the increase in the use of host IPS software, and the generally improved security posture of modern operating systems this has become harder, but not much as this is still seen as a low probability attack, as it occurs on your LAN, and lets face it if an attacker has access to your LAN, you probably have bigger problems.

This is also counter-able with no IPSĀ  installed, All a paranoid system administrator need do is hard code the MAC address they expect for a subnet (gateway + important servers) to a text file which is read as start-up and imported as static entries to the ARP table. This ty, and they will be immune to ARP Poisoning/MITM attacks.

So back to CAM flooding:

This is where CAM table flooding comes in, a network switch only sends traffic to its desired location based on its MAC address, however all switches have a CAM table, if this CAM table becomes full and can no longer add entries and the switch doest have a refer know which interface the frame should be passed too, instead of discarding the traffic it will fall back to a fail safe mode
and start working like a hub, sending the frame out of every interface.

You now longer need to be sat in the middle, you can see everything everywhere.

This does have a major downside though – mainly in that the network will grind to a halt as all the links are saturated.

On a small or quiet network, both the users and their router may not notice at all, however on a large business network everything will stop or become incredibly slow making this an effective dual headed attack;
1) You can see all the traffic.
2) Create DoS like conditions on the network.

CAM flooding implementation:
Implementing a CAM flood is in essence simple, generate a lot of packets with random source MAC addresses. The switch will revive the frame look at the source address, if it doesn’t have an entry in its
CAM table add one, then pass the traffic on to the desired host or broadcast it if the destination is set so.