Layer 2 & DNS Attacks | CompTIA Security+ SY0-601 | 1.4b

In this video you will learn about Layer 2 attacks such as ARP poisoning, MAC flooding, & MAC cloning. You’ll also learn about DNS attacks such as domain hijacking, DNS poisoning, URL redirection, & domain reputation.

Layer 2 Attacks

Address Resolution Protocol (ARP) Poisoning

ARP poisoning is a technique by which an attacker sends (spoofed) ARP messages onto a LAN.  Generally, the aim is to associate the attacker’s MAC address with the IP address of another host, such as the default gateway, causing any traffic meant for that IP address to be sent to the attacker instead.  ARP spoofing may allow an attacker to intercept data frames on a network, modify the traffic, or stop all traffic.  Often the attack is used as an opening for other attacks, such as DoS, MITM, or session hijacking attacks.[1]  The attack can only be used on networks that use ARP and requires the attacker to have direct access to the local network segment that is to be attacked.[2]
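The detection side of the paragraph above, as an added example that is not part of the original page: a passive detector that watches ARP replies and flags the two symptoms of poisoning, an IP whose MAC binding changes and a single MAC answering for several IPs. It assumes replies have already been captured on the segment and reduced to (sender IP, sender MAC) pairs; the addresses below are constructed.

```python
"""Passive ARP-poisoning detector over a stream of ARP replies.

Added example, not code from the original page. It assumes ARP replies have
already been captured (e.g. by a sniffer on the segment) and reduced to
(sender_ip, sender_mac) pairs; the records below are constructed.
"""
from collections import defaultdict

# Constructed sample, in arrival order. 192.168.1.1 is the assumed gateway.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1",  "00:11:22:33:44:01"),
    ("192.168.1.10", "00:11:22:33:44:10"),
    ("192.168.1.20", "00:11:22:33:44:20"),
    ("192.168.1.1",  "00:11:22:33:44:20"),  # gateway IP now claimed by .20's MAC
    ("192.168.1.10", "00:11:22:33:44:20"),  # .10's IP claimed by the same MAC
]


def detect_arp_poisoning(replies, gateway_ip=None):
    """Return a list of alert dicts for suspicious IP-to-MAC bindings.

    Heuristic 1: an IP's MAC differs from the binding first learned for it.
                 The first binding is kept (like a static ARP entry) so every
                 later conflicting claim is reported.
    Heuristic 2: one MAC answers for more than one IP, which is what a host
                 relaying traffic for several impersonated hosts looks like.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        mac_to_ips[mac].add(ip)
        known = ip_to_mac.setdefault(ip, mac)
        if known != mac:
            alerts.append({
                "kind": "ip_mac_changed",
                "ip": ip,
                "expected_mac": known,
                "observed_mac": mac,
                "severity": "high" if ip == gateway_ip else "medium",
            })
    for mac, ips in mac_to_ips.items():
        if len(ips) > 1:
            alerts.append({
                "kind": "mac_claims_multiple_ips",
                "mac": mac,
                "ips": sorted(ips),
                "severity": "high" if gateway_ip in ips else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_ARP_REPLIES, gateway_ip="192.168.1.1"):
        print(alert)
```

Both heuristics produce false positives on their own: DHCP lease churn and NIC replacements legitimately change an IP's MAC, and first-hop redundancy protocols move a virtual IP between routers. Treat the output as a trigger for investigation, and prefer switch-side controls (DHCP snooping with Dynamic ARP Inspection) as the actual mitigation.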

Media Access Control (MAC) Flooding

MAC flooding is a technique employed to compromise the security of network switches.  The attack works by forcing legitimate MAC table contents out of the switch and forcing a unicast flooding behavior that can send sensitive information to portions of the network where it is not normally intended to go.  Switches maintain a MAC table that maps individual MAC addresses on the network to the physical ports on the switch.  This allows the switch to direct data out of the physical port where the recipient is located, as opposed to indiscriminately broadcasting the data out of all ports as an Ethernet hub does.  The advantage of this method is that data is bridged exclusively to the network segment containing the computer that the data is specifically destined for.  In a typical MAC flooding attack, the attacker feeds the switch many Ethernet frames, each containing a different source MAC address.  The intention is to consume the limited memory set aside in the switch to store the MAC address table.[3]  The effect of this attack may vary across implementations; however, the desired effect is to force legitimate MAC addresses out of the MAC address table, causing significant quantities of incoming frames to be flooded out on all ports.  It is from this flooding behavior that the MAC flooding attack gets its name.  After launching a successful MAC flooding attack, an attacker can use a packet analyzer to capture sensitive data being transmitted between other computers, which would not be accessible with the switch operating normally.  The attacker may also follow up with an ARP poisoning attack, which allows them to retain access to privileged data after the switch recovers from the initial MAC flooding attack.  Also, MAC flooding could be used as a rudimentary VLAN hopping attack.[4]

MAC Cloning

MAC cloning is a technique for changing the factory-assigned MAC address of a network interface on a networked device.  The MAC address that is hard-coded (burned in) on a network interface controller (NIC) cannot be altered; however, many drivers allow the address the operating system presents to be changed.  Additionally, there are tools which can make an operating system believe that the NIC has the MAC address of a user’s choosing.  The process of masking a MAC address is known as MAC spoofing.  Essentially, MAC spoofing entails changing a computer’s identity, for any reason.[5]  Changing the assigned MAC address may allow a user to bypass access control lists on servers or routers, either hiding a computer on a network or allowing it to impersonate another network device.  MAC spoofing is done for legitimate and illicit purposes alike.
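The two Layer 2 symptoms described in the MAC flooding and MAC cloning sections above, as one added example that is not code from the original page: a FIFO-evicting model of a switch's MAC table (real switches use hashed CAM tables, so FIFO is a simplification) showing how a flood pushes legitimate entries out, followed by the two checks a port-security style control would run: too many source MACs on one port, and the same MAC appearing on more than one port. Port names, MACs and the table capacity are constructed.

```python
"""Switch-side view of MAC flooding and MAC cloning.

Added example, not from the original page. Input records are constructed
(port, source_mac) pairs for frames the switch has seen, in arrival order.
"""
from collections import OrderedDict, defaultdict


def make_sample_frames():
    """Constructed traffic: three normal hosts, a 200-MAC flood from one port,
    then a host on another port reusing the first host's MAC (cloning)."""
    frames = [
        ("Gi1/0/1", "aa:bb:cc:00:00:01"),
        ("Gi1/0/2", "aa:bb:cc:00:00:02"),
        ("Gi1/0/3", "aa:bb:cc:00:00:03"),
    ]
    for i in range(200):
        frames.append(("Gi1/0/7", f"de:ad:be:ef:{i // 256:02x}:{i % 256:02x}"))
    frames.append(("Gi1/0/9", "aa:bb:cc:00:00:01"))
    return frames


def simulate_cam_table(frames, capacity):
    """Learn source MACs into a table of fixed size; when full, evict the
    oldest entry (FIFO simplification). Returns evicted MACs, oldest first.
    Frames to an evicted destination would be flooded out of every port."""
    table = OrderedDict()
    evicted = []
    for port, mac in frames:
        m = mac.lower()
        if m in table:
            table[m] = port          # already known: refresh the port binding
            continue
        if len(table) >= capacity:
            old_mac, _ = table.popitem(last=False)
            evicted.append(old_mac)
        table[m] = port
    return evicted


def analyze_mac_table(frames, max_macs_per_port=8):
    """Port-security style checks over the same frames.

    mac_flooding : one port sourced more distinct MACs than the limit.
    duplicate_mac: one MAC seen on several ports, which a single NIC cannot
                   do on one segment; consistent with cloning or a loop.
    """
    port_macs = defaultdict(set)
    mac_ports = defaultdict(set)
    for port, mac in frames:
        m = mac.lower()
        port_macs[port].add(m)
        mac_ports[m].add(port)
    findings = []
    for port, macs in sorted(port_macs.items()):
        if len(macs) > max_macs_per_port:
            findings.append({"kind": "mac_flooding", "port": port,
                             "distinct_macs": len(macs)})
    for mac, ports in sorted(mac_ports.items()):
        if len(ports) > 1:
            findings.append({"kind": "duplicate_mac", "mac": mac,
                             "ports": sorted(ports)})
    return findings


if __name__ == "__main__":
    frames = make_sample_frames()
    print("evicted:", simulate_cam_table(frames, capacity=64)[:5], "...")
    for f in analyze_mac_table(frames):
        print(f)
```

The per-port MAC limit is what switch port security enforces in hardware; set it per port role, since an uplink, a trunk or a virtualization host legitimately sources many MACs and would trip a limit tuned for access ports.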

Domain Name System (DNS) Attacks

Domain Hijacking

Domain hijacking is the act of changing the registration of a domain name without the permission of its original registrant, or by abuse of privileges on domain hosting and registrar software systems.[6]  This can be devastating to the original name holder, not only financially, as they may have derived commercial income from a website hosted at the domain or conducted business through that domain’s email accounts,[7] but also in terms of readership and/or audience for non-profit or artistic web addresses.  After a successful hijacking, the hijacker can use the domain name to facilitate other illegal activity, such as phishing (where the website is replaced by an identical-looking site that records private information such as login passwords), sending spam, or distributing malware from the perceived “trusted” domain.[8]

DNS Poisoning

DNS poisoning (spoofing) is an attack in which corrupt DNS data is introduced into a DNS resolver’s cache, causing the name server to return an incorrect result record, such as an IP address.  This results in traffic being diverted to the attacker’s computer (or any other computer).  A domain name system server translates a human-readable domain name into a numerical IP address that is used to route communications between nodes.  Normally, if the server does not know a requested translation it will ask another server, and the process continues recursively.  To increase performance, a server will typically cache these translations for a certain amount of time.  This means that if it receives another request for the same translation, it can reply without needing to ask any other servers, until that cache entry expires.  When a DNS server has received a false translation & caches it for performance optimization, it is considered poisoned, and it supplies the false data to clients.  A poisoned DNS server may therefore return an incorrect IP address, diverting traffic to another computer.[9]
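What keeps a forged translation out of the cache, as an added example that is not part of the original page and not the code of any real resolver: a toy caching resolver that only caches a response if its transaction ID, destination port and question match the outstanding query, and that drops any record outside the zone the queried server is authoritative for (the "bailiwick" rule). Messages are plain dicts standing in for parsed DNS packets; all names, IDs, ports and addresses are constructed.

```python
"""Acceptance checks a caching resolver applies before trusting a response.

Added example, not from the page and not any real resolver's code. DNS
messages are dicts standing in for parsed packets; all values are constructed.
"""
from dataclasses import dataclass, field


def in_bailiwick(name, zone):
    """True if `name` is `zone` itself or lies below it (case-insensitive)."""
    n = name.lower().rstrip(".")
    z = zone.lower().rstrip(".")
    return n == z or n.endswith("." + z)


@dataclass
class PendingQuery:
    txid: int        # 16-bit transaction ID chosen at random per query
    src_port: int    # randomized UDP source port the query was sent from
    qname: str
    qtype: str
    zone: str        # zone the queried server is authoritative for


@dataclass
class ResolverCache:
    entries: dict = field(default_factory=dict)   # (name, type) -> ([rdata], expires_at)
    rejections: list = field(default_factory=list)

    def accept_response(self, pending, response, now):
        """Validate `response` against `pending`; cache what passes.

        Returns True if the response is accepted at all. Records outside the
        server's bailiwick are dropped but do not reject the whole response,
        which is how most caching resolvers behave.
        """
        if response["txid"] != pending.txid:
            self.rejections.append(("txid_mismatch", response["txid"]))
            return False
        if response["dst_port"] != pending.src_port:
            self.rejections.append(("port_mismatch", response["dst_port"]))
            return False
        if (response["qname"].lower(), response["qtype"]) != (pending.qname.lower(), pending.qtype):
            self.rejections.append(("question_mismatch", response["qname"]))
            return False
        for rr in response["answers"] + response.get("additional", []):
            if not in_bailiwick(rr["name"], pending.zone):
                self.rejections.append(("out_of_bailiwick", rr["name"]))
                continue
            key = (rr["name"].lower(), rr["type"])
            if key not in self.entries:
                self.entries[key] = ([], now + rr["ttl"])
            self.entries[key][0].append(rr["rdata"])
        return True

    def lookup(self, name, rtype, now):
        """Return cached rdata for (name, type), or None if absent/expired."""
        key = (name.lower(), rtype)
        hit = self.entries.get(key)
        if hit is None:
            return None
        rdata, expires = hit
        if now >= expires:
            del self.entries[key]
            return None
        return list(rdata)


# Constructed outstanding query and two candidate replies for it.
PENDING = PendingQuery(txid=0x1A2B, src_port=53012, qname="www.example.com",
                       qtype="A", zone="example.com")
SPOOFED_REPLY = {  # forged: guessed the transaction ID wrong
    "txid": 0x0001, "dst_port": 53012, "qname": "www.example.com", "qtype": "A",
    "answers": [{"name": "www.example.com", "type": "A", "ttl": 86400, "rdata": "192.0.2.66"}],
}
GENUINE_REPLY = {  # correct IDs, but carries one record outside example.com
    "txid": 0x1A2B, "dst_port": 53012, "qname": "www.example.com", "qtype": "A",
    "answers": [{"name": "www.example.com", "type": "A", "ttl": 300, "rdata": "203.0.113.10"}],
    "additional": [{"name": "ns.example.net", "type": "A", "ttl": 86400, "rdata": "198.51.100.9"}],
}


def run_demo():
    cache = ResolverCache()
    spoof_ok = cache.accept_response(PENDING, SPOOFED_REPLY, now=0)
    genuine_ok = cache.accept_response(PENDING, GENUINE_REPLY, now=0)
    return {
        "spoof_accepted": spoof_ok,
        "genuine_accepted": genuine_ok,
        "www_at_t0": cache.lookup("www.example.com", "A", now=0),
        "ns_cached": cache.lookup("ns.example.net", "A", now=0),
        "www_at_t301": cache.lookup("www.example.com", "A", now=301),
        "rejections": [kind for kind, _ in cache.rejections],
    }


if __name__ == "__main__":
    print(run_demo())
```

The transaction ID and source port together are what a forger has to guess; a resolver that reuses a fixed source port leaves only 16 bits of entropy. The bailiwick check is what stops a reply for one name from planting a record for an unrelated one. Neither check authenticates the data itself; that is what DNSSEC validation adds.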

Uniform Resource Locator (URL) Redirection

URL redirection (an open redirect) is a vulnerability that allows an attacker to force users of your application to an untrusted external site.  The attack is most often performed by delivering a link to the victim, who clicks it and is unknowingly redirected to the malicious website.  This vulnerability exploits the inherent trust that a user has in the legitimate domain.  Since the victim is generally unaware of URL redirections, they are considerably more susceptible to phishing and social engineering attacks.[10]
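The vulnerable pattern and its hardened form side by side, as an added example that is not code from the original page. It is framework-agnostic: each handler returns the value it would place in the HTTP Location header after login. The application hostname `APP_HOST` is an assumption.

```python
"""Open redirect: a vulnerable handler next to a hardened one.

Added example, not from the page. Each handler returns the Location value it
would send. APP_HOST is an assumed hostname for the application.
"""
from urllib.parse import urlsplit, urljoin

APP_HOST = "app.example.com"   # assumed application host


def redirect_vulnerable(next_url):
    """Reflects the `next` parameter untouched, so a link such as
    /login?next=https://evil.example sends the user off-site after login."""
    return next_url


def is_safe_local_target(next_url):
    """Accept only a path on this application: no scheme, no authority,
    no header-injection characters, no '//' variants browsers normalize."""
    if not next_url or any(c in next_url for c in "\r\n\x00"):
        return False
    parts = urlsplit(next_url)
    if parts.scheme or parts.netloc:          # https://..., //evil, javascript:
        return False
    if not next_url.startswith("/") or next_url.startswith(("//", "/\\")):
        return False
    return True


def redirect_hardened(next_url, app_host=APP_HOST):
    """Return an absolute Location on app_host, falling back to the root."""
    target = next_url if is_safe_local_target(next_url) else "/"
    resolved = urljoin(f"https://{app_host}/", target)
    # Defense in depth: whatever happened above, never leave app_host.
    if urlsplit(resolved).hostname != app_host:
        return f"https://{app_host}/"
    return resolved


if __name__ == "__main__":
    for candidate in ["/dashboard?tab=1", "https://evil.example/", "//evil.example/",
                      "/\\evil.example", "javascript:alert(1)"]:
        print(repr(candidate), "->", redirect_hardened(candidate))
```

Emitting an absolute URL on the application's own host, rather than echoing the parameter, is the point: the allow-decision is made on the server and the browser is never handed a string whose interpretation depends on its own URL normalization. If the application genuinely needs to send users to other sites, replace the path check with an explicit allow-list of destination hosts.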

Domain Reputation

Domain reputation is a technique used to validate the authenticity of a domain & the services using that domain (including websites & email addresses).  Domain reputation is used to track known malicious domains that point to websites hosting malware or those that are used for spam, phishing, spear phishing, & other malicious activities.  Several technologies and standards have been created for domain authentication and validation, such as:[11]

  • Domain Keys Identified Mail (DKIM):  provides a means for gateway-based cryptographic signing of outgoing messages, which allows you to embed verification data in an email header and allows email recipients to verify the integrity of the email messages.
  • Sender Policy Framework (SPF):  enables recipients to verify the sender’s IP address by looking up DNS records that list authorized mail gateways for a particular domain.
  • Domain-based Message Authentication, Reporting & Conformance (DMARC):  designed to stop spammers from spoofing your domain by preventing them from counterfeiting the “From” address on an email message so that it appears to come from a user in your domain.  DMARC is designed to block these emails before they appear in your email inbox, and it also provides visibility and reports into who is sending email on behalf of your domain, to make sure that only legitimate emails are received.
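How SPF and DMARC records are actually evaluated on the receiving side, as an added example that is not code from the original page. It assumes the TXT records have already been fetched from DNS; the records, IP addresses and message attributes are constructed. SPF support covers the `ip4`, `ip6` and `all` mechanisms; mechanisms that need further DNS lookups (`include`, `a`, `mx`, `exists`, `ptr`, `redirect`) are reported as unsupported rather than evaluated. DKIM is taken as an input result (pass/fail) because verifying a signature needs header canonicalization and public-key verification beyond this example's scope, and the "relaxed" alignment check uses suffix matching as a simplification of organizational-domain lookup.

```python
"""Minimal SPF and DMARC evaluation for a received message.

Added example, not from the page. Assumes the TXT records were already
fetched from DNS; all records, addresses and results are constructed.
"""
import ipaddress

SAMPLE_SPF = "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all"
SAMPLE_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; pct=100"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
NEEDS_LOOKUP = {"include", "a", "mx", "exists", "ptr", "redirect"}


def evaluate_spf(record, client_ip):
    """Return the SPF result string for the connecting IP (ip4/ip6/all only)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                       # a bare mechanism means '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if "=" in name:                       # modifier form, e.g. redirect= / exp=
            name, _, arg = name.partition("=")
        name = name.split("/")[0].lower()     # strip a CIDR suffix such as a/24
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name in NEEDS_LOOKUP:
            return "unsupported:" + name
        # other modifiers (e.g. exp=) do not affect the result and are skipped
    return "neutral"                          # no 'all' and nothing matched


def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dict, or None if it is invalid."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return None
    tags.setdefault("adkim", "r")             # defaults from the DMARC spec
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match; relaxed ('r')
    is approximated here by parent/child suffix matching (constructed
    simplification of the organizational-domain rule)."""
    a, f = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return a == f
    return a == f or a.endswith("." + f) or f.endswith("." + a)


def dmarc_disposition(policy, from_domain, spf_result, spf_domain,
                      dkim_result, dkim_domain):
    """'pass' if SPF or DKIM both passed and aligned with the From: domain;
    otherwise the published p= action (pct= sampling omitted)."""
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy["adkim"])
    return "pass" if spf_ok or dkim_ok else policy["p"]


if __name__ == "__main__":
    policy = parse_dmarc(SAMPLE_DMARC)
    spf = evaluate_spf(SAMPLE_SPF, "203.0.113.5")
    print("spf:", spf, "dmarc:",
          dmarc_disposition(policy, "example.com", spf, "example.com", "fail", "example.com"))
```

The two checks answer different questions: SPF says whether the connecting server may send for the envelope domain, DMARC says whether either authenticated identity lines up with the domain the user actually sees in From:, and what to do when neither does. A domain that publishes SPF but leaves `p=none` gets reports only; moving to `quarantine` and then `reject` is what makes the header-From unforgeable for receivers that enforce DMARC.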

References

  1. Ramachandran, V. & Nandi, S. (2005). Detecting ARP Spoofing: An Active Technique. Information Systems Security.
  2. Lockhart, A. (2007). Network Security Hacks.
  3. VLAN Security White Paper: Cisco Catalyst 6500 Series Switches. Cisco Systems.
  4. Rouiller, S. (2003). Virtual LAN Security: Weakness and Countermeasures. SANS Institute.
  5. Cardenas, E. MAC Spoofing – An Introduction. GIAC Security Essentials Certification. SANS Institute.
  6. Joshi, S. (2021). Preventing Risks From Subdomain Takeover – Cloud Exploits. The Hack Report.
  7. Simon, R. (2016). Cybercriminals Are Misappropriating Businesses’ Web Addresses As a Result, Customers Can’t Find the Real Companies on the Web. The Wall Street Journal.
  8. Weslow, D. & Meltzer, A. (2016). Dealing with Cybersquatting: The Wisdom of Thinking Ahead. Trademarks And Brands Online.
  9. Son, S. & Shmatikov, V. (2017). The Hitchhiker’s Guide to DNS Cache Poisoning. Cornell University.
  10. URL Redirection – Attack And Defense. Virtue Security.
  11. Santos, O.; Taylor, R.; Mlodziannowski, J. CompTIA Security+ SY0-601 Cert Guide.