Security Mistakes That Leave You Vulnerable To Compromise #3: No Layer Two Protection


Address spoofing protections, collectively known as “layer two” protections, thwart malicious attempts to falsify or spoof IP or MAC addresses in order to gain unauthorized access to your network.  There are several types of attacks that use these techniques:

A malicious user (or an outside attacker who has compromised a PC on your network) can configure that PC so that it spoofs the MAC address of the gateway router, allowing him to eavesdrop on network traffic.  Traffic from the other hosts on his subnet that is bound for the gateway now comes to him first, where he can look for passwords or other sensitive information.

Attackers can also eavesdrop on network traffic by overloading the switch’s MAC forwarding table with thousands of gratuitous ARPs.  This effectively turns a switch into a hub, forwarding all traffic out all the ports and allowing the attacker to capture sensitive information.

Attackers can spoof a PC’s IP address to send malicious data to other systems.  By using false source addresses, the attackers can bypass access lists or other security controls. They can also launch denial of service attacks against your systems.

Additionally, attackers can set up rogue DHCP servers that hand out malicious DNS server addresses to all the PCs on the network. That way, every DNS query made by those PCs can be manipulated by the attacker, directing traffic to malicious sites.

Layer two protections prevent these kinds of attacks by limiting the ability of PCs to falsify their MAC or IP addresses.  Cisco routers and switches have four features to prevent these kinds of attacks:  MAC address limiting, DHCP snooping, dynamic ARP inspection and reverse path forwarding.  Juniper and other manufacturers have similar features.  Whichever you’re using, these features should be configured on all your access switches.

MAC address limiting, as the name implies, limits the number of MAC addresses that can be associated with a single port.  While you might be tempted to limit the number of MAC addresses to one (or three if you are using IP phones), setting the value a little higher (10, for example) will prevent false positives while still protecting against attacks.

DHCP snooping protects networks in two ways:  first, it filters DHCP replies from rogue servers.  Since legitimate DHCP servers should not be connected to user ports, the switch drops DHCP responses from user ports. Only authorized ports (where your real DHCP servers are) are allowed to reply to DHCP discover messages. Second, DHCP snooping rate-limits DHCP requests so that a malicious host can’t tie up all the leases and prevent legitimate hosts from getting IP addresses.

Dynamic ARP inspection (DAI) prevents hosts from spoofing their MAC address.  Configured in conjunction with DHCP snooping, which records the MAC address, IP address and port of every host that obtains a lease, DAI associates a particular MAC address with a particular port.  If a host generates an ARP request or reply with a different MAC address than what is already associated with that port, the ARP packet is dropped.
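Pulling the three switch-side features together, here is an added Cisco IOS configuration example for one access switch (it is not from the original post or from Cisco's documentation). It enables MAC address limiting on a user port, DHCP snooping with rate limiting, and DAI on the user VLAN, and marks the uplink as trusted so that replies from the real DHCP server and ARP from the rest of the network are not filtered. The VLAN number, interface names and thresholds are assumed values; adjust them to your environment.

```cisco
! --- Global: DHCP snooping and DAI on the user VLAN (VLAN 10 is an assumed value) ---
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
! Optional extra sanity checks on the ARP body (source MAC, destination MAC, IP)
ip arp inspection validate src-mac dst-mac ip
! Let a port shut down by a port-security violation recover on its own after 5 minutes
errdisable recovery cause psecure-violation
errdisable recovery interval 300

! --- User-facing access port (interface name is assumed) ---
interface GigabitEthernet1/0/1
 description user access port
 switchport mode access
 switchport access vlan 10
 ! MAC address limiting: at most 10 addresses; extra ones are dropped and logged,
 ! the port stays up ("restrict" instead of the default "shutdown")
 switchport port-security
 switchport port-security maximum 10
 switchport port-security violation restrict
 ! Untrusted for DHCP snooping (the default): DHCP server replies arriving here are dropped
 no ip dhcp snooping trust
 ! Rate-limit DHCP messages from this port to 15 per second
 ip dhcp snooping limit rate 15
 ! Untrusted for DAI (the default): ARP is checked against the snooping binding table
 no ip arp inspection trust

! --- Uplink toward the distribution layer and the real DHCP server (interface name assumed) ---
interface GigabitEthernet1/0/48
 description uplink to distribution / DHCP server
 switchport mode trunk
 ! Trusted: DHCP replies and ARP from the legitimate side of the network are not filtered
 ip dhcp snooping trust
 ip arp inspection trust
```

Two caveats before enforcing this on a production VLAN. First, hosts with static addresses never obtain a lease, so they never appear in the snooping binding table and DAI will drop their ARP traffic; add them with `ip source binding` or an ARP ACL. Second, enable snooping and let existing hosts renew their leases before turning on DAI, otherwise they are cut off until the binding table is populated. `show ip dhcp snooping binding`, `show ip arp inspection statistics vlan 10` and `show port-security interface GigabitEthernet1/0/1` show what is being learned and what is being dropped.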

Finally, unicast reverse path forwarding (uRPF) prevents IP address spoofing.  uRPF is configured on gateway (router) interfaces.  When the router receives an IP packet, it looks up the packet's source address in its routing table.  If the packet arrived on the interface the router itself would use to forward packets back to that source address, the packet is forwarded normally.  But if it arrived on the wrong interface (i.e., the route to the source address points out a different interface), the packet is dropped.  This prevents address spoofing by ensuring that packets are only accepted from the networks where their source addresses legitimately belong.
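As an added example (not part of the original post), here is strict uRPF on the gateway interface that faces the user VLAN, with the loose-mode variant for interfaces where return paths may be asymmetric. The interface name and addressing are assumed values.

```cisco
! uRPF relies on the CEF forwarding table, so CEF must be on (it is by default on modern IOS)
ip cef

! Gateway interface facing the user VLAN (name and address are assumed)
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 ! Strict mode ("rx"): a packet is accepted only if the route back to its source
 ! address points out this same interface. Correct for a stub user VLAN, where
 ! the only legitimate sources are 10.10.10.0/24.
 ip verify unicast source reachable-via rx

! Uplink toward the core (name and address are assumed). Asymmetric routing is
! common here, so strict mode would drop legitimate traffic; loose mode ("any")
! only requires that some route to the source exists, which still drops packets
! from unallocated or bogus source prefixes.
interface GigabitEthernet0/1
 ip address 192.0.2.2 255.255.255.252
 ip verify unicast source reachable-via any
```

Do not use strict mode on an interface whose traffic can legitimately return by another path, and be aware that `reachable-via any` passes anything matched by a default route unless the default is excluded. `show ip interface Vlan10` reports the verification mode and the count of packets uRPF has dropped, which is the number to watch after enabling it.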

I’ve given you only brief descriptions of these features.  If you want to learn more, especially how to configure them, here are some useful links:

MAC address limiting

Configuring the Maximum Number of Secure MAC Addresses on a Port

Understanding MAC Limiting for Port Security

DHCP Snooping

Dynamic ARP inspection

Reverse Path Forwarding

Network addressing protocols, like DHCP and ARP, were never designed to be secure. They assume hosts are benign and that they are who they say they are. All these techniques I’ve described help to ensure the validity of the IP address of all the hosts on your network by preventing hosts from falsifying their addresses.  When you use them, you limit an attacker’s ability to move about your network undetected or eavesdrop on sensitive data.  They should be a standard part of your network configurations.

One response to “Security Mistakes That Leave You Vulnerable To Compromise #3: No Layer Two Protection”

  1. Well hello,
    so what could be a good protection against spoofing or a good detection for my computer (Windows XP, 32-bit)?
    I’ve read about DNSCRYPT but I couldn’t install it, so I’m looking for another solution. Plus, I installed ARP freeze to block some of the ARP spoofing, but I’m not sure it will work for all kinds of spoofing.
    I’m sure there is a MITM (man in the middle) attack on my computer and as I’m not a pro I require your help. Thank you.



Nick Kelly

Cybersecurity Engineer, Cisco

Nick has over 20 years of experience in Security Operations and Security Sales. He is an avid student of cybersecurity and regularly engages with the Infosec community at events like BSides, RVASec, Derbycon and more. The son of an FBI forensics director, Nick holds a B.S. in Criminal Justice and is one of Cisco’s Fire Jumper Elite members. When he’s not working, he writes cyberpunk and punches aliens on his Playstation.


Virgilio “BONG” dela Cruz Jr.

CCDP, CCNA V, CCNP, Cisco IPS Express Security for AM/EE
Field Solutions Architect, Tech Data

Virgilio “Bong” has sixteen years of professional experience in the IT industry spanning academia, technical and customer support, pre-sales, post-sales, project management, training and enablement. He has worked in the Cisco Technical Assistance Center (TAC) as a member of the WAN and LAN Switching team. Bong now works for Tech Data as a Field Solutions Architect with a focus on Cisco Security and holds several Cisco certifications, including Fire Jumper Elite.


John Cavanaugh

CCIE #1066, CCDE #20070002, CCAr
Chief Technology Officer, Practice Lead Security Services, NetCraftsmen

John is our CTO and the practice lead for a talented team of consultants focused on designing and delivering scalable and secure infrastructure solutions to customers across multiple industry verticals and technologies. Previously he has held several positions including Executive Director/Chief Architect for Global Network Services at JPMorgan Chase. In that capacity, he led a team managing network architecture and services.  Prior to his role at JPMorgan Chase, John was a Distinguished Engineer at Cisco working across a number of verticals including Higher Education, Finance, Retail, Government, and Health Care.

He is an expert in working with groups to identify business needs, and align technology strategies to enable business strategies, building in agility and scalability to allow for future changes. John is experienced in the architecture and design of highly available, secure, network infrastructure and data centers, and has worked on projects worldwide. He has worked in both the business and regulatory environments for the design and deployment of complex IT infrastructures.