1 Introduction

Ethernet commonly refers to implementing physical and network layers of TCP/IP and OSI network model in the wired or wireless local area network. The well-known physical topology is a star or tree (extended star) (Mahmood et al. 2020).

When a packet is transmitted in the shared Ethernet environment, it will be distributed to all connected devices. The destination device will accept it and send an acknowledgment to the sender depending on the protocol type in higher layers (like TCP or UDP). In contrast, other devices will ignore these packets. The wireless network or wired network that uses a hub as a network node is an example of this type of network (Guven et al. 2019).

In the switched Ethernet environment, the network node (switch) maintains a MAC address table containing all network devices discovered by the node, and packets are sent only to the target device. An example of this environment is the wired Ethernet network that uses layer 2 (L2) or layer 3 (L3) switches as network nodes. It is obvious now why switches are more secure than hubs (Mahmood et al. 2020; Guven et al. 2019).

An impersonation attack (called spoofing) occurs when a computer or user identity (MAC address or IP address) is impersonated on a network by a malicious party to launch attacks against network hosts or services, steal data, spread malware, or bypass access controls. Device identity refers to the device MAC address and/or IP address. Typically, the network may be affected by three kinds of attack: (1) Service denial LAN attack, (2) Electronic transmission eavesdrop, and (3) Flow data analysis and handling (Guven et al. 2019).

Impersonation attacks are easier to launch in a wireless local area network (which is considered a shared network) than in a wired local area network, and they can significantly affect network performance. For example, it is easy for an attacker to collect useful MAC address information by passively monitoring an 802.11 wireless LAN and then change their own MAC address by simply issuing an ipconfig command to masquerade as another device (Rajasekharaiah et al. 2020). In addition, despite existing 802.11 security techniques, including Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), and 802.11i (WPA2), these methods only protect data frames; management frames can still be spoofed or controlled by an attacker to cause significant network impact (Regan et al. 2017).

The main contributions of our research are as follows:

  1. Presenting a new network attack in wired LAN (Data Link Impersonation attack).

  2. Designing a data link impersonation attack, in which a network device acting as a hardware intruder (impersonator) takes advantage of MAC address table creation and updates.

  3. Exploiting the vulnerability: MAC address table entries consist of the network devices' MAC addresses and the physical port number through which each device is directly or indirectly connected to the LAN node. LAN nodes build their MAC address tables from received data link frames without any authentication, so a node cannot be sure that the MAC address in the sender field of a received frame belongs to the authenticated device in that LAN.

  4. The data link impersonation attack exploits this weakness in the MAC address table creation/updating process to deceive the LAN and impersonate an eligible network service device. LAN nodes then route all requests and traffic from the network devices to the intruder (impersonator) instead of the real eligible device.

  5. The MAC address table creation and updating process runs every few seconds to give the network its dynamic nature and robustness, decreasing latency and avoiding dropped traffic. However, these frequent updates allow an intruder (impersonator) to impersonate any device inside the network by inserting itself into the MAC address table entry in place of the real eligible device.

  6. Many different physical deployment scenarios for connecting the intruder (impersonator) are presented in this research to thoroughly test the network behavior.

  7. Testing different attack scenarios of the intruder device inside the network. The research also presents the attack in two modes of operation: black hole mode, where the intruder does not reply to any service request and simply absorbs all network service traffic, and white hole mode, where the intruder sends fake responses to service requesters, trying to steal information from them.

The rest of this work is arranged as follows. Section 2 discusses the background concepts and literature review. In Sect. 3, the details of the proposed methodology and implementation are explained. Simulation results and discussions are given in Sect. 4. Section 5 provides the concluding remarks, while Sect. 6 presents some future directions.

2 Background and literature review

The OSI seven-layer model was built according to the International Organization for Standardization (ISO), so that different kinds of devices with various software applications installed, distinct physical characteristics, and interfaces can communicate safely and confidently (Mahmood et al. 2020).

The data link layer establishes communication between the variety of devices in the network system, defines their unique MAC addresses, corrects physical layer errors, and transfers functional and procedural data. The data link layer consists of the logical link control (LLC) sublayer and the MAC sublayer (Mahmood et al. 2020). The following sections briefly discuss different types of data link layer attacks.

2.1 Spanning tree protocol attack

There could be several paths between a client and a server, to provide a backup path while the original route is down. Because of these several paths between a server and a client device, frames could loop in the network indefinitely, which would affect network performance. Figure 1 illustrates the spanning tree protocol (STP) attack. STP detects and prevents such looping frames. The spanning tree protocol uses a spanning tree algorithm (STA) defined in IEEE 802.1D and is designed to run on switches and/or bridges compatible with the IEEE 802.1D standard. Thus, STP ensures there are no active loops while the network has redundant connections. The main control unit in the network is called the root bridge, which is responsible for routing decisions such as selecting the main and redundant paths. Since every VLAN has its own domain, each VLAN must also have its own separate routing path (Sharma et al. 2013).

Fig. 1 Spanning tree protocol attack

The network uses multicast messages called bridge protocol data units (BPDUs) to select a switch or port as the root switch or trunk port accordingly. The root bridge is responsible for spreading the BPDUs to the other switches to decide which ports should be disabled and which should be allowed to pass traffic to the VLAN. The bridge with the lowest cost or lowest root ID is chosen as the root bridge, and all other switches are not allowed to forward the traffic and/or become root bridges because of their higher root ID (Sharma et al. 2013).

The attacker sends wrongly configured BPDUs to the switches on a VLAN, so that the network devices view the connection to the intruder as the root bridge. To make this attack efficient, the attacker requires two bridges, two switches, or two wireless local area network (WLAN) connections to control the network. After becoming root, the intruder can listen to all of the victim's network traffic and even insert new frames. In addition, the root attacker can mount a man-in-the-middle attack (MITM), with the attacker positioned between the server and the client (Sharma et al. 2013).

In summary, the STP attack targets wired LAN. It can be passive eavesdropping or active injection of fake traffic into the LAN.

2.2 VLAN hopping attack

According to IEEE 802.1Q, a trunk link is authorized to carry all the VLAN traffic from one switch to another, while the access link of a switch allows end users to reach their VLAN. In addition, there can be several open ports on a VLAN that allow network members to request a new connection. Via these open ports, anyone can link their laptop to the local area network. The automated discovery protocol for trunk connections between switches is known as Dynamic Trunking Protocol (DTP). Figure 2 illustrates the VLAN hopping attack (Mahmood et al. 2020).

Fig. 2 VLAN hopping attack

DTP can be used to build new trunk connections in a VLAN. In addition, the encapsulation used, either ISL (Inter-Switch Link) or IEEE 802.1Q, can also be discovered using DTP. An attacker sends false DTP messages over a VLAN to transform an access link into a trunk link and so gain access to all the traffic that is normally filtered from access connections. In this way, an intruder can access all the information communicated over the trunk link (Rehman et al. 2018).

In summary, the VLAN hopping attack targets wired LAN. It is an active attack injecting fake traffic into the LAN. The attacker station tries to eavesdrop on traffic from a restricted VLAN network.

2.3 Double tagging VLAN hopping attack

The VLAN protocol adds an additional 802.1Q header to frames that circulate across the entire network between the backbone and the end access points. The 802.1Q header includes two tags: the outer one for the end user and the inner one for the service provider. Double-tagged frames are only permitted from the root (trunk) switches, not from the access links in the VLAN. The outer tag is removed as the frame reaches a VLAN trunk port (a switch with the dynamic desirable option enabled). The inner tag, which contains the victim's relevant details, then remains, and the frame is sent on to the target host as though it originated on the target VLAN, effectively bypassing the network mechanisms that logically isolate VLANs from one another, as shown in Fig. 3.

Fig. 3 Double tagging VLAN hopping attack

Switches support two types of ports that link devices to single or multiple VLANs, i.e., trunk ports and access ports. A trunk port normally links two switches, a router and a switch, or two routers, forming the backbone of the VLAN, while access ports are used to link end users to the network. The attacker tries to reach a victim host on the other VLAN by traversing the trunk port. Switches use 802.1Q tagging enabled on the trunk ports. Switch ports operate in one of four states: (1) trunk, (2) dynamic auto, (3) dynamic desirable, and (4) nonegotiate (Mahmood et al. 2020; Sharma et al. 2013).

On Cisco switches, three of these modes (trunk, dynamic auto, and dynamic desirable) allow an access port to be converted into a trunk, whereas the nonegotiate mode does not allow an access port to become a trunk. Therefore, this sort of attack can only be carried out in one scenario, when the attacker and the victim are connected to different switches, as shown in Fig. 3 (Pilamunga et al. 2018).

In summary, the double tagging VLAN hopping attack targets wired LAN. It is an active attack injecting fake traffic into the LAN. The attacker station tries to send traffic to a restricted VLAN network.

2.4 Cisco discovery protocol attack

Cisco discovery protocol (CDP) is a network-independent and media-independent protocol supported by default in Cisco switches and routers, which can therefore send CDP announcements over the corporate network. Cisco switch setup and configuration depend on CDP announcements consisting of the operating system version, hostname, port ID, device type, duplex setting, virtual trunking protocol (VTP) domain, the power drawn, source and destination addresses, and time-to-live. No authentication is provided during the generation and transmission of the CDP frame. A false CDP frame can thus be easily constructed and sent to the connected devices over the network. If an attacker gets access via Telnet, he can collect the CDP announcements and, therefore, the necessary information about the entire network's topology at L2 and L3. The scenario for attacking CDP is shown in Fig. 4. This valuable knowledge enables the attacker to carry out a very successful attack on the network, such as a man-in-the-middle attack (Tippenhauer et al. 2021).

Fig. 4 Cisco discovery protocol attack

In summary, the Cisco discovery protocol attack targets wired LAN. It is an active attack that causes Denial-of-Service (DoS). The attacker station floods connected devices with fake CDP packets.

2.5 CAM table overflow attack

CAM stands for content-addressable memory; the CAM table is a component of switch memory. Ethernet switches are vulnerable to a CAM table overflow attack. Switches store the MAC addresses, the corresponding physical port, and the VLAN ID on which the end user is located. A CAM table is usually designed to store 100–10,000 MAC addresses simultaneously (Alsadhan et al. 2018).

If new MAC addresses are continuously learned from a client of a specific corporate network on a given port, this may overflow the CAM table. Each entry is kept for around 300 s in the Ethernet switch's CAM table. For each entry made in the CAM table, the MAC address is stored together with the respective port number. If the address is already in the table, only the timestamp is updated; otherwise, a new entry is made for the new address. Attackers take advantage of the CAM table's maximum size and send many packets with false source MAC addresses, so that the number of learned MAC addresses exceeds the maximum table capacity. In this situation, the switch behaves like a hub, allowing the attacker to reach all hosts in the corporate network or VLAN. Attackers then target MITM (man-in-the-middle) attacks more efficiently, as seen in Fig. 5, by gathering exact information about the hosts and the layout of the local area network (Alsadhan et al. 2018).

Fig. 5 CAM table overflow attack

In summary, the CAM table overflow attack targets wired LAN. It is an active attack that causes Denial-of-Service (DoS). The attacker station fills the switch's MAC address table with fake MAC address/port mappings sent by the attacker.

2.6 MAC spoofing attack/ARP poisoning

The Address Resolution Protocol (ARP) normally works at the network layer, but MAC address spoofing is carried out at the data link layer. A Gratuitous ARP (GARP) is an ARP response that was not prompted by an ARP request (Li et al. 2019).

A Gratuitous ARP is sent as a broadcast, as a way for a node to announce or update its IP-to-MAC mapping to the entire network. During spoofing, a GARP packet is transmitted to advertise spoofed MAC and IP addresses. The devices connected to the VLAN maintain a cache containing an IP address for each entry and its respective MAC address. As no authentication system exists for received ARP packets, the attacker can submit frames with false MAC addresses. So, when a false GARP packet is received, the entries on the target devices also change. The whole process of entering a false device mapping into the ARP cache is known as ARP poisoning. Thus, an attacker can announce itself as the company network's default gateway. To that end, an intruder uses ARP poisoning, as shown in Fig. 6. The ARP poisoning forces all gateway traffic towards the attacker. This scenario enables him to examine all traffic before passing it on to the real gateway (Li et al. 2019).

Fig. 6 MAC spoofing attack/ARP poisoning

In summary, the MAC spoofing attack targets wired LAN. It is an active attack that causes DoS. The attacker station sends malicious ARP packets to a default gateway on a LAN to change the pairings in its IP-to-MAC address table.

2.7 DHCP starvation attack

Dynamic host configuration protocol (DHCP), which allows communication between a DHCP server and DHCP clients, is used for host configuration on IP networks. The DHCP server offers IP network settings such as the default gateway, host IP address, IP address lease time, etc. A router can also be set up as a DHCP server. On request from a DHCP client, a DHCP server automatically provides the required details. In a DHCP starvation attack, an attacker sends tons of fake IP requests so that the total address capacity of the DHCP server runs out, and the DHCP server can no longer serve the real clients, as shown in Fig. 7. In this situation, the attacker may set up a rogue DHCP server on the IP network, which answers the clients that no longer receive responses from the real DHCP server (Singh et al. 2016).

Fig. 7 DHCP starvation attack

In summary, the DHCP starvation attack targets wired LAN. It is an active attack that causes Denial-of-Service (DoS). The attacker station sends malicious DHCP requests to the LAN's DHCP server to exhaust all available IP addresses.

2.8 Wireless 802.11 (Wi-Fi) attack

From the security point of view, the intruder may access the local Wi-Fi network as follows (Mukhtar et al. 2012):

  • It is easy to insert himself between the server and the client, performing a man-in-the-middle attack.

  • Easily execute a denial-of-service (DoS) attack.

  • Capture all the traffic.

There are two different ways to allow an intruder to connect to a Wi-Fi LAN:

  • Set up a false access point (AP) with higher intensity signals than the original and have a configuration identical to the original one.

  • De-authenticate the original client of an AP and create a new client with the same credentials as the real AP to bind the authenticated client to the rogue AP.

The WLAN denial-of-service (DoS) attack can be carried out in two ways (Mukhtar et al. 2012):

  • Many applications of the wireless LAN can send tons of requests which will overwhelm the AP's resources. The access point will then refuse any further request made by the original client for a link.

  • Many devices that interfere with the AP's operating frequency are available on the market, and the access point is then unable to provide its services on that frequency.

An intruder can be a simple device with a wireless network card, acting as an eavesdropper that captures all network traffic. For example, an attacker can take the following two simple steps to intercept network traffic with a NIC:

  • Install the wireless network interface card.

  • Place the NIC in promiscuous (monitor) mode.

This section explored different common attacks in wireless LAN and wired LAN. Wireless LANs are generally vulnerable to various attacks because of their open broadcast nature, which is addressed by traffic encryption and station authentication techniques. On the other hand, the wired LAN is more immune than the wireless LAN because of the nature of its physical layer, so its traffic is not encrypted. Although traffic eavesdropping/injection and address spoofing in a wired LAN are more complicated than in a wireless LAN, they are still possible.

All discussed attacks targeted the wired LAN, and all of them took advantage of the weakness of network protocols. Table 1 summarizes the differences between the explained common types of network attacks.

Table 1 Comparison between different common types of network attacks

After this study, we found that the algorithm used by switches to build the CAM address table is insecure, as switches do not authenticate sender and receiver addresses in normal data frames. Our proposed MAC masquerade attack takes advantage of this weakness. Unlike all the well-known attacks, it uses normal data packets rather than management packets, making it difficult to discover or notice by network monitoring nodes. The proposed MAC masquerade attack has no direct effect on the service provider. In the DHCP, ARP, and CAM attacks, by contrast, the service provider suffers an outage that is directly noticed on the network.

3 Methodology and implementation

This section describes a novel network attack known as data link layer impersonation. This attack applies to wired Ethernet networks, targeting data link layer apparatus such as L2 switches. It has two objectives: the first and simplest is to deny application layer services [we will refer to the attacker as a black hole intruder (Bicakci and Tavli 2009)]; the second and more complex objective is to spoof service traffic to steal information from the service requester [we will call the attacker here a white hole intruder (Li et al. 2018)]. This research focuses on the first and most fundamental target, which is denial of service. Here, the attacker acts as a black hole, absorbing the traffic of the targeted service under attack and failing to respond, causing service requesters to believe the service is down (denial of service).

3.1 Proposed attack description

The steps of the proposed attack are depicted in Fig. 8. Service requests are the system input. The system process is composed of three sub-processes. The attacker executes the first sub-process, which sends bogus broadcast traffic (to the entire network) or unicast traffic (to another network entity). The attacker selects a random destination port for each request from well-known services (Kaur and Singh 2014) such as web hosting (80), Telnet (21), FTP (23), DNS (53), and so on. Network switches carry out the second sub-process of the attack: as fake traffic arrives from a particular port, the switch updates its MAC address table (switch CAM) (Ennouhe and Yoshihiro 2021), so that the MAC address of the service under attack appears to be connected to the hardware intruder's port rather than the original service provider's port. The attacker sends these bogus packets in a discrete sequence; the time interval between them is short enough to ensure that the network switch retains the record of the service provider's MAC address on the intruder port, but long enough that the network's overall performance is not noticeably affected, making attack detection extremely difficult.

Fig. 8 Proposed attack layout, passive mode

The network switch also performs the third sub-process: when a service request is sent to the network, the switches route the request to the intruder based on the switch CAM. If the intruder ignores these requests, it acts as a black hole, resulting in a denial-of-service attack from the perspective of the service requester; if the intruder responds to these requests, it acts as a white hole, as illustrated in Fig. 9, and may initiate a new type of attack to steal information from the service requester.

Fig. 9 Proposed attack layout, active mode
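The unauthenticated learning and refresh behaviour described above, together with the two checks a network monitor could run against it (comparing the learned table with an authoritative MAC-to-port inventory, and counting how often a MAC moves between ports), as an added example in Python that is not the paper's own code or tooling. The MAC addresses, port names and timeline are constructed for the first testbed's roles; the intruder port and the 300 s aging time are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

AGING_SECONDS = 300.0  # CAM entry lifetime quoted in Section 2.5 (assumed here)

# Constructed addresses for the first testbed's roles (not the paper's real values).
SP1_MAC = "00:00:00:00:00:01"   # first IP camera, legitimately on fa0/1
SP2_MAC = "00:00:00:00:00:02"   # second IP camera, the service provider under attack, on fa0/2
SR_MAC = "00:00:00:00:00:04"    # service requester laptop on fa0/4
INTRUDER_PORT = "fa0/5"         # port of the hardware intruder (assumption)


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    ingress_port: str
    ts: float


@dataclass
class LearningSwitch:
    """Plain learning bridge: the source MAC of every frame is bound to its ingress
    port with no authentication, exactly the behaviour the attack relies on."""
    table: Dict[str, Tuple[str, float]] = field(default_factory=dict)   # mac -> (port, last_seen)
    moves: List[Tuple[float, str, str, str]] = field(default_factory=list)  # (ts, mac, old, new)

    def age(self, now: float) -> None:
        for mac in [m for m, (_, seen) in self.table.items() if now - seen > AGING_SECONDS]:
            del self.table[mac]

    def forward(self, frame: Frame) -> str:
        """Learn the source, then return the egress port for the destination ('flood' if unknown)."""
        self.age(frame.ts)
        prev = self.table.get(frame.src_mac)
        if prev is not None and prev[0] != frame.ingress_port:
            # A known MAC appearing on another port is the event a monitor should record.
            self.moves.append((frame.ts, frame.src_mac, prev[0], frame.ingress_port))
        self.table[frame.src_mac] = (frame.ingress_port, frame.ts)
        entry = self.table.get(frame.dst_mac)
        return entry[0] if entry else "flood"


def audit_table(switch: LearningSwitch, inventory: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Compare learned entries with an authoritative MAC -> port inventory.
    Returns {mac: (expected_port, learned_port)} for every mismatch."""
    return {mac: (port, switch.table[mac][0])
            for mac, port in inventory.items()
            if mac in switch.table and switch.table[mac][0] != port}


def flapping_macs(moves, window: float = 120.0, min_moves: int = 2) -> Dict[str, List[str]]:
    """MACs that changed port at least `min_moves` times inside any `window` seconds,
    with the set of ports involved. A legitimate host rarely changes port; an
    impersonator that keeps refreshing a stolen entry produces repeated moves."""
    by_mac: Dict[str, List[Tuple[float, str, str]]] = {}
    for ts, mac, old, new in moves:
        by_mac.setdefault(mac, []).append((ts, old, new))
    result: Dict[str, List[str]] = {}
    for mac, events in by_mac.items():
        events.sort()
        for i in range(len(events)):
            in_window = [e for e in events[i:] if e[0] - events[i][0] <= window]
            if len(in_window) >= min_moves:
                result[mac] = sorted({p for _, o, n in in_window for p in (o, n)})
                break
    return result


def run_testbed1_scenario():
    """Constructed timeline: legitimate traffic, then frames carrying camera 2's source
    MAC arrive on the intruder port and the switch re-learns the entry there."""
    sw = LearningSwitch()
    inventory = {SP1_MAC: "fa0/1", SP2_MAC: "fa0/2", SR_MAC: "fa0/4"}
    timeline = [
        Frame(SP2_MAC, SR_MAC, "fa0/2", 0.0),          # camera 2 streams to the laptop
        Frame(SR_MAC, SP2_MAC, "fa0/4", 1.0),          # laptop request, reaches fa0/2
        Frame(SP2_MAC, SR_MAC, INTRUDER_PORT, 5.0),    # frame with camera 2's MAC on the intruder port
        Frame(SR_MAC, SP2_MAC, "fa0/4", 6.0),          # same request, now delivered to the intruder
        Frame(SP2_MAC, SR_MAC, "fa0/2", 40.0),         # camera 2 speaks again, entry moves back
        Frame(SP2_MAC, SR_MAC, INTRUDER_PORT, 45.0),   # intruder refreshes the stolen entry
        Frame(SR_MAC, SP2_MAC, "fa0/4", 46.0),         # black-holed again
    ]
    egress = [sw.forward(f) for f in timeline]
    return egress, audit_table(sw, inventory), flapping_macs(sw.moves)


if __name__ == "__main__":
    egress, mismatches, flaps = run_testbed1_scenario()
    print("egress ports:", egress)
    print("inventory mismatches:", mismatches)
    print("flapping MACs:", flaps)
```

On a real switch the same two signals are available from the MAC address table and from MAC-move notifications or port-security violations, so the checks above map directly onto what a monitoring node would poll.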

3.2 Proposed attack setup and analysis

This section discusses the proposed attack's functionality in detail. The steps of the proposed attack are shown in the flow chart depicted in Fig. 10, which describes the software implementation methodology of the attack process, while Fig. 11 shows the state diagram of the proposed attack.

Fig. 10 Attack flow chart

Fig. 11 Attack state diagram

Each testbed is a network topology [17], with various attacks and testing scenarios used to evaluate an intruder's impact on the service provider under attack.

3.3 Different scenarios of the proposed attack

Two distinct testbeds were constructed to evaluate the proposed attack. All testbeds were implemented using simulation software and then physically implemented using real Cisco network equipment to validate the results in real-world situations rather than just simulation. In addition, due to the novel nature of the proposed attack, we constructed physical testbeds and an embedded system that simulates a hardware intruder. These scenarios share the following components:

  • Hardware intruder and embedded system.

  • Two service providers, each an IP camera broadcasting live video streaming to the service requesters over the network; one is the victim of the intruder attack, and the other is used to test network performance.

  • Internet gateway (VDSL modem/router).

  • Several service requesters, their number depending on the network's topology.

3.3.1 1st testbed of a simple star Ethernet network

Figure 12 illustrates the first testbed, which uses a simple star topology (Trabelsi 2012). It consists of a single L2 switch acting as the network core; two IP cameras acting as service providers broadcasting video streams over the network; a VDSL router acting as network gateway, DHCP server, and DNS server; two laptops acting as service requesters, each of which opens the video streams of both IP cameras; and finally, the hardware intruder.

Fig. 12 1st testbed of a simple star network

3.3.2 2nd testbed of a simple tree Ethernet network

The second testbed [extended star or tree topology (Solihah et al. 2021; Jain et al. 2015)] is depicted in Fig. 13. It consists of three L2 switches, one of which serves as the network core and two as edges. Two IP cameras serve as service providers, broadcasting video streams across the network; a VDSL router serves as network gateway, DHCP server, and DNS server; three laptops serve as service requesters, each of which opens the video streams of both IP cameras; and finally, the hardware intruder.

Fig. 13 2nd testbed of an extended star (tree) network

Three distinct attack scenarios exist. In the first scenario, the intruder and the service provider under attack are connected to the same edge. The second scenario involves an intruder connected to the other edge, while the third scenario involves an intruder connected to the core.

4 Results and discussions

This section discusses each testbed and its various attack scenarios to determine the effect of the attack on network performance. Table 2 presents the details of the utilized hardware and software tools.

Table 2 Utilized hardware and software tools

4.1 Results and discussions of the 1st testbed

Table 3 summarizes the network's primary devices, their connection to which switch or connection port, as well as their MAC and IP addresses. Table 4 illustrates six items investigated before and during an attack to determine the attack's effect on network performance. The first item is a record of the core switch's MAC address table, referring to the service provider port.

Table 3 Summary of network devices' physical connection and logical configuration
Table 4 Summary of investigated items before and during an attack

From the perspective of the core switch, it is obvious that the intruder fooled the switch and assumed the role of the service provider under attack. The second item is the data rate of the first service provider, which is unaffected by the attack. The third item is the data rate sent by the service provider under attack; when this data rate drops to near zero as a result of the attack, it is clear that the service is down. The fourth item is the data rate received by the service requester; during the attack, this data rate decreased due to the downtime of the second service provider. The final item is the intruder's traffic data rate, which is non-zero only during an attack.

4.1.1 Attacking statistics of the 1st testbed

Figure 14 depicts service provider port statistics before, during, and after an attack. According to statistics, the service provider under attack is transmitting no traffic during the attack. Figure 15 depicts service requester port statistics before, during, and after an attack. According to statistics, the received data rate decreases during an attack, indicating that the service provider is unavailable.

Fig. 14 Service provider port statistics before/during/after an attack

Fig. 15 Service requester port statistics before/during/after an attack

Figure 16 illustrates the transmitted data rate from four different ports before, during, and after an attack on the network core, which is an L2 switch. The first port, fa0/1, is connected to the first IP camera, which is regarded as the first service provider broadcasting video over the network. The second port, fa0/2, is connected to the second IP camera, which is the second service provider and the intruder's target. The third port, fa0/4, is connected to the service requester, a laptop that uses its web browser to display the live video streams from both IP cameras. The fourth port is used to communicate with the intruder. Each port features three distinct bars that display transmitted data in the following order from left to right: before the attack, during the attack, and after the attack. Both fa0/1 and fa0/2 transmit data at a very low rate, as they are connected to IP cameras that receive very few requests and respond with several megabytes of video stream. The transmitted data rate from fa0/4 equals the sum of the video streams transmitted by both cameras before and after the attack. When the second camera is down from the service requester's perspective during the attack, the received data rate equals the video stream data rate transmitted by the first camera alone. As long as the intruder is active during the attack, a few kilobytes of data are transmitted via port fa0/5.

Fig. 16 Active core switch ports received data rate before/during/after an attack

The intruder connected to the fa0/3 port appears to be SP2 (impersonating its MAC address) to all network devices. The third test involves running a traceroute from the network gateway down to the service provider under attack, both before and during the attack (Andry 2016; Padmanabhan and Simon 2003). Table 5 shows that the traceroute result before the attack refers to the legitimate service provider, whereas during the attack it refers to the intruder. Again, 192.168.1.1 is the source address and 192.168.1.12 is the destination address.

Table 5 Traceroute from the gateway to the service provider under attack

Figure 17 illustrates the data rate received by four different ports before, during, and after an attack on the network core, which is an L2 switch. The four ports are identical to those in Fig. 16, except that the bars represent the transmitted data rate rather than the received data rate. Because the first camera operates normally, a nearly constant data rate is transmitted throughout the scenario. The effect of the attack is obvious, as port fa0/2 receives almost no data during the attack. Because the laptop's primary function is to receive and display video streams from IP cameras, port fa0/4 receives data at a very low rate. Finally, because the intruder is only active during an attack, a portion of the data stream is only received during an attack via port fa0/5.

Fig. 17 Active core switch ports transmitted data rate before/during/after an attack

4.1.2 Mathematical model of the 1st testbed

Equation (1) describes the data rate received by each service requester before an attack, assuming N service requesters and M service providers. This equation describes the normal situation (no attack), where the data rate received by service requester n equals the sum of the data rates transmitted by all M service providers divided by the number of service requesters N.

Equation (2) specifies the data rate at which a service provider transmits data before an attack. This equation describes the normal situation (no attack), where the data rate transmitted by service provider m equals the sum of the data rates received by the N service requesters divided by the number of service providers M.

Equation (3) specifies the data rate at which each service requester receives data during an attack. This equation describes the process during the attack, where the data rate received by service requester n equals the sum of the data rates transmitted by the M-1 service providers not affected by the attack, divided by the number of service requesters N. Also, during the attack, the data rate transmitted by service provider m equals the sum of the data rates received by the N service requesters divided by M-1, the number of service providers not affected by the attack.

Finally, Eqs. (4) and (5) describe the data rate at which a service provider transmits data during an attack, and Eq. (5) states that the data rate transmitted by the service provider under attack equals 0.

$$ SR_{n} (Rx) = \sum\limits_{m = 1}^{M} {\frac{{SP_{m} (Tx)}}{N}} $$
(1)
$$ SP_{m} (Tx) = \sum\limits_{n = 1}^{N} {\frac{{SR_{n} (Rx)}}{M}} $$
(2)
$$ SR_{n} (Rx) = \sum\limits_{m = 1}^{M - 1} {\frac{{SP_{m} (Tx)}}{N}} $$
(3)
$$ SP_{m} (Tx) = \sum\limits_{n = 1}^{N} {\frac{{SR_{n} (Rx)}}{M - 1}} $$
(4)
$$ SP_{ua} (Tx) = 0 $$
(5)

where a closed LAN has N service requesters and M service providers, all N service requesters send requests to all M service providers at once, n is the service requester index {1:N}, m is the service provider index {1:M}, and the M-th service provider SP_M is taken to be SP_ua, the service provider under attack.

As seen in the mathematical model of the 1st testbed (a simple star network topology), the service provider under attack appears to be down for the entire network. All service requesters perceive that the service is down, while the service provider under attack itself is online and can access the entire network. Network monitoring nodes and devices can discover the reason behind that outage, and there is no abnormal traffic on the network, unlike a traditional DoS attack.

4.2 Results and discussions of the 2nd testbed of the 1st scenario

In this scenario, both the intruder and the service provider are connected to the same edge. Table 6 summarizes the primary network devices, including their connected switch, port, MAC address, and IP address.

Table 6 Summary of network devices' physical connection and logical configuration

Table 7 illustrates the effect of an attack on network performance by examining ten different items both before and during the attack. The first three items are the MAC address table records of three different switches for the MAC address of the second service provider (under attack), showing the port on which each of the three switches has learned it. From this vantage point, it is obvious that the intruder manipulates all switches and assumes the role of the service provider under attack.

Table 7 Summary of investigated items before and during attacks

The fourth item is the Tx data rate from the core switch to the gateway via the fa0/1 port, which is unrelated to our attack and remains constant before, during, and after the attack. The fifth item is the Tx data rate from the core switch to service requester 3 via the fa0/2 port; as service provider 2 is down during the attack, the data rate is decreased compared to the data rate before/after the attack.

The sixth item is the Rx data rate of the edge 1 switch from service provider 1 via the fa0/1 port, which is unaffected by the attack, so the data rate is constant before, during, and after the attack. The seventh item is the Tx data rate from the edge 1 switch to service requester 1 via the fa0/2 port; because service provider 2 is down during the attack, the data rate decreases compared to the data rate before and after the attack.

The eighth item is the Rx data rate of the edge 2 switch from service provider 2 via the fa0/1 port; notice that the Rx data rate is nearly zero during the attack. The ninth item is the Tx data rate from the edge 2 switch to service requester 2 via the fa0/2 port; as service provider 2 is down during the attack, the data rate is decreased compared to the data rate before/after the attack. Finally, the tenth item is the Rx data rate of the edge 2 switch from the intruder via fa0/10; it is worth noting that this port is only active during the attack. Table 8 shows the traceroute from the gateway to the service provider under attack.

Table 8 Traceroute from the gateway to the service provider under attack

The third test involves tracing the route from the network gateway down to the service provider under attack, both before and during the attack. The command-line interfaces (CLIs) of the three switches are used to deduce the routing decisions made by each switch when communicating with service provider 2 before and during the attack. 192.168.1.1 is the source address; 192.168.1.12 is the destination address.

4.2.1 Attacking statistics of the 2nd testbed of the 1st scenario

In this experiment, both the intruder and the service provider under attack are connected to the same edge. Figure 18 illustrates the port statistics for the first service provider connected to the first edge switch port fa0/1. The statistics indicate that the received data rate is nearly constant and unaffected by the attack. Figure 19 is taken from the CISCO network manager and depicts the port statistics for the second service provider (under attack) before, during, and after the attack. Again, according to statistics, the service provider under attack is transmitting no traffic during the attack.

Fig. 18 1st service provider connected to edge 1/port fa0/1 statistics before/during/after an attack

Fig. 19 2nd service provider (under attack) connected to edge 2/port fa0/1 statistics before/during/after an attack

Figure 20 illustrates the statistics for the intruder port during and after an attack (the x-axis represents the timeline). The statistics show the traffic sent to edge switch 2 during the attack. Figure 21 illustrates the port statistics for the first service requester connected to the first edge switch port fa0/2.

Fig. 20 Intruder connected to edge 2/port fa0/10 statistics before/during/after an attack

Fig. 21 1st service requester connected to edge 1/port fa0/2 statistics before/during/after an attack

Figure 22 shows the 2nd service requester port statistics before/during/after the attack, as captured from the CISCO network manager. According to the statistics, the received data rate decreases during the attack, indicating that the service provider under attack is unavailable. Figure 23 illustrates the port statistics for the third service requester connected to core switch port fa0/2. Again, the statistics indicate that the received data rate decreases during the attack, indicating that the service provider is down.

Fig. 22 2nd service requester connected to edge 2/port fa0/2 statistics before/during/after an attack

Fig. 23 3rd service requester connected to core/port fa0/2 statistics before/during/after an attack

Figure 24 depicts the data rate received from six different ports prior to, during, and after an attack on the various L2 switches in this scenario. The first port, core fa0/2 (core switch), is connected to the third service requester, a laptop that uses its web browser to display direct video streams from both IP cameras.

Fig. 24 Active ports received data rate before/during/after an attack

The second port, edge1_fa0/1 (edge 1 switch), is connected to the first IP camera, which acts as the first service provider by broadcasting video over the network. The third port, edge1_fa0/2 (edge 1 switch), is connected to the first service requester, a laptop that uses its web browser to display direct video streams from both IP cameras. The fourth port, edge2_fa0/1 (edge 2 switch), is connected to the second IP camera, which is the second service provider (the one under attack). The fifth port, edge2_fa0/2 (edge 2 switch), is connected to the second service requester, a laptop that uses its web browser to display direct video streams from both IP cameras. The intruder is connected to the sixth port, edge2_fa0/10 (edge 2 switch). Each port has three distinct bars that display the data received before, during, and after an attack, in order from left to right.

As the first camera (1st service provider) operates normally, it transmits data at a nearly constant rate throughout the scenario. In contrast, the second camera (2nd service provider) on edge2_fa0/1 (edge 2 switch) exhibits a severe effect during an attack, with its port receiving nearly 0 Mbps. Because the primary function of all laptops is to receive and display video streams from IP cameras, the ports core_fa0/2, edge1_fa0/2, and edge2_fa0/2 receive data at a very low rate. In addition, because the intruder is only active during an attack, a chunk of the data stream is received by port edge2_fa0/10 only during the attack.

Figure 25 depicts the data rate transmitted by the same six ports before, during, and after the attack. Both edge1_fa0/1 and edge2_fa0/1 transmit data at a very low rate, as they are connected to IP cameras that receive very few requests and respond with several megabytes of video stream. Before and after the attack, the transmitted data rate from core_fa0/2, edge1_fa0/2, and edge2_fa0/2 equals the sum of the video streams transmitted by both cameras. When the second camera is down from the service requesters' perspective during an attack, the sum of the data rates received by all service requesters equals the video stream data rate transmitted by the first camera alone. As long as the intruder is active during an attack, a few kilobytes of data are transmitted via port edge2_fa0/10.

Fig. 25 Active ports transmitted data rate before/during/after an attack

4.2.2 Mathematical model of the 2nd testbed of the 1st scenario

The mathematical model of the 2nd testbed is identical to the mathematical model of the 1st testbed. So, as previously stated, the mathematical model of a simple star network is identical to that of a simple tree network, provided that the intruder and the service provider are connected to the same edge switch.

As seen in the mathematical model of the 2nd testbed of the 1st scenario, a tree topology with the provider under attack and the intruder connected to the same edge, the service provider under attack appears to be down for the entire network. All service requesters perceive that the service is down, while the service provider under attack itself is online and can access the entire network. Network monitoring nodes and devices can discover the reason behind that outage, and there is no abnormal traffic on the network, unlike a traditional DoS attack.

4.3 Results and discussions of the 2nd testbed of the 2nd scenario

In this scenario, the intruder and the service provider under attack are connected to two different edges. Table 9 summarizes the primary network devices, including their connected switch, connection port, MAC address, and IP address.

Table 9 Summary of network devices' physical connection and logical configuration

Table 10 illustrates the effect of an attack on network performance by examining ten different items both before and during the attack. The first three items are the MAC address table records of three different switches for the second service provider's (under attack) MAC address, showing the port on which it is learned from each of the three switches' perspectives. Obviously, the intruder fooled the core and first edge switches and assumed the role of the service provider under attack, except for the switch to which the original service provider is connected (2nd edge).

Table 10 Summary of investigated items before and during attacks
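The MAC address table rows of Tables 7 and 10 are the one place where the attack leaves a trace on the switches themselves: the victim's MAC is relearned on another port, and in the second scenario it is learned on access ports of two switches at once. The following is an added example (not the paper's code) that checks exactly that across several switches. It parses constructed snapshots of Cisco IOS `show mac address-table` output for the core, edge 1 and edge 2 switches, reports every entry whose learned port changed against a baseline, and flags a MAC learned on access (non-uplink) ports of more than one switch, which a single host cannot produce in a loop-free tree. The MAC values and the uplink ports Fa0/23 and Fa0/24 are assumptions; the access ports fa0/1, fa0/2 and fa0/10 follow the testbed description.

```python
"""Cross-switch MAC address table consistency check (added example)."""
import re
from typing import Dict, List, Set, Tuple

# One data row of "show mac address-table": VLAN, MAC, type, port.
ROW_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+(\S+)\s*$",
    re.IGNORECASE,
)

# Constructed uplink map: an entry on one of these ports points to another switch.
UPLINKS: Dict[str, Set[str]] = {
    "core": {"Fa0/23", "Fa0/24"},   # Fa0/23 -> edge1, Fa0/24 -> edge2 (assumed)
    "edge1": {"Fa0/24"},            # towards core (assumed)
    "edge2": {"Fa0/24"},            # towards core (assumed)
}
SP2_MAC = "0011.2233.4402"          # constructed MAC of the provider under attack

# Constructed snapshots before the attack (SP2 is on edge2 Fa0/1).
BASELINE_RAW: Dict[str, str] = {
    "core": """
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0011.2233.4401    DYNAMIC     Fa0/23
   1    0011.2233.4402    DYNAMIC     Fa0/24
   1    0011.2233.44c3    DYNAMIC     Fa0/2
""",
    "edge1": """
Vlan    Mac Address       Type        Ports
   1    0011.2233.4401    DYNAMIC     Fa0/1
   1    0011.2233.4402    DYNAMIC     Fa0/24
   1    0011.2233.44c1    DYNAMIC     Fa0/2
""",
    "edge2": """
Vlan    Mac Address       Type        Ports
   1    0011.2233.4401    DYNAMIC     Fa0/24
   1    0011.2233.4402    DYNAMIC     Fa0/1
   1    0011.2233.44c2    DYNAMIC     Fa0/2
""",
}

# Constructed snapshots during the attack of the 2nd scenario: core and edge1
# now point towards edge1 Fa0/10, while edge2 still holds the real SP2.
ATTACK_RAW: Dict[str, str] = {
    "core": """
Vlan    Mac Address       Type        Ports
   1    0011.2233.4401    DYNAMIC     Fa0/23
   1    0011.2233.4402    DYNAMIC     Fa0/23
   1    0011.2233.44c3    DYNAMIC     Fa0/2
""",
    "edge1": """
Vlan    Mac Address       Type        Ports
   1    0011.2233.4401    DYNAMIC     Fa0/1
   1    0011.2233.4402    DYNAMIC     Fa0/10
   1    0011.2233.44c1    DYNAMIC     Fa0/2
""",
    "edge2": BASELINE_RAW["edge2"],
}


def parse_mac_table(text: str) -> Dict[str, str]:
    """Return {mac: port} for every data row of one switch's table."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            _vlan, mac, _kind, port = m.groups()
            table[mac.lower()] = port
    return table


def parse_all(raw: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Parse the snapshot of every switch."""
    return {switch: parse_mac_table(text) for switch, text in raw.items()}


def detect_mac_moves(baseline: Dict[str, Dict[str, str]],
                     current: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str, str]]:
    """(switch, mac, old_port, new_port) for every entry whose learned port changed."""
    moves = []
    for switch, before in baseline.items():
        after = current.get(switch, {})
        for mac, old_port in before.items():
            new_port = after.get(mac)
            if new_port is not None and new_port != old_port:
                moves.append((switch, mac, old_port, new_port))
    return sorted(moves)


def access_port_conflicts(current: Dict[str, Dict[str, str]],
                          uplinks: Dict[str, Set[str]]) -> Dict[str, List[Tuple[str, str]]]:
    """MACs learned on access (non-uplink) ports of two or more switches at once."""
    seen: Dict[str, List[Tuple[str, str]]] = {}
    for switch, table in current.items():
        for mac, port in table.items():
            if port not in uplinks.get(switch, set()):
                seen.setdefault(mac, []).append((switch, port))
    return {mac: sorted(where) for mac, where in seen.items() if len(where) > 1}


if __name__ == "__main__":
    base, now = parse_all(BASELINE_RAW), parse_all(ATTACK_RAW)
    for move in detect_mac_moves(base, now):
        print("MAC move:", move)
    for mac, where in access_port_conflicts(now, UPLINKS).items():
        print("Same MAC on access ports of several switches:", mac, where)
```

Run against the constructed snapshots, the script reports the move of SP2's MAC on the core and on edge 1 and the conflict between edge1 Fa0/10 and edge2 Fa0/1; the baseline alone produces neither. The uplink map is what makes the second check meaningful, since a MAC is legitimately learned on uplink ports of every switch on the path.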

Consider the core switch: the fourth item displays the data rate transmitted from the core switch to the gateway, and the fifth item displays the data rate received by the core switch from the third service requester. Consider the first edge: the sixth item presents the Rx data rate of the edge from SP1, the seventh item presents the Tx data rate of the edge for SP1's traffic, and the eighth item presents the Rx data rate of the edge from the intruder; all of these are identical to the first scenario. As the intruder fools all network switches, it isolates the second service provider from the whole network except the switch to which SP2 is physically connected.

An intruder connected to the 1st edge's fa0/10 port fools all network nodes except the one to which the original service provider is physically connected. During the attack, all nodes (except the original node) believe the intruder is the service provider, and thus all traffic is forwarded to the intruder rather than to the original service provider. Because the intruder in black hole mode does not respond to service requesters, services appear to be unavailable during the attack from the service requesters' perspective.

The ninth row, the Rx data rate of edge 2 from SP2, is reduced during the attack by the ratio of service requesters that still perceive the service to the total number of requesters before the attack. Finally, the tenth row shows the Rx data rate of edge2_SR2, indicating that all traffic sent by SP2 is directed entirely to SR2, the only SR that perceives SP2's correct physical location during the attack.

The third test involves tracing the route from the network gateway all the way down to the service provider under attack, both before and during the attack. The command-line interfaces (CLIs) of the three switches are used to deduce the routing decisions made by each switch when communicating with service provider 2 before and during the attack. Table 11 illustrates the traceroute result before and during the attack for the three switches. When the attack occurs, the first edge and the core refer to the intruder rather than the real service provider, while the second edge, which connects the original service provider, is unaffected. 192.168.1.1 is the source address; 192.168.1.12 is the destination address. Table 11 shows the traceroute from the gateway to the service provider under attack.

Table 11 Traceroute from the gateway to the service provider under attack

4.3.1 Attacking statistics of the 2nd testbed of the 2nd scenario

In this experiment, the intruder and the service provider under attack are connected to two different edges. Figures 26 and 27 are taken from the CISCO network manager and depict the port statistics for the first/third service requesters before/during/after the attack. Obviously, the attack affects the data rate received by the service requesters, as the service provider under attack appears unable to provide service to the entire network, except for service requesters connected directly to the same switch.

Fig. 26 1st service requester connected to edge 1/port fa0/2 statistics before/during/after an attack

Fig. 27 3rd service requester connected to core/port fa0/2 statistics before/during/after an attack

Figure 28 illustrates the port statistics for the second service requester before, during, and after the attack. As both the requester and the provider under attack are physically connected to the same switch, it is obvious that the attack has no effect on them. Figure 29 illustrates the intruder port statistics during and after an attack. Figure 30 depicts the port statistics for the first service provider during and after the attack, demonstrating that the data rate remains constant throughout the operating period. Figure 31 illustrates the port statistics of the second service provider during and after the attack, demonstrating that the data rate decreased during the attack because two of the three service requesters were duped by the intruder and did not receive any data from the provider under attack.

Fig. 28 2nd service requester connected to edge 2/port fa0/2 statistics before/during/after an attack

Fig. 29 Intruder connected to edge 1/port fa0/10 statistics before/during/after an attack

Fig. 30 1st service provider connected to edge 1/port fa0/1 statistics before/during/after an attack

Fig. 31 2nd service provider connected to edge 2/port fa0/1 statistics before/during/after an attack

In contrast, in the second scenario, the second service provider is out of service for the entire network except for the service requesters connected directly to the same switch as the service provider under attack. Figure 32 illustrates the data rate received from six different ports before, during, and after an attack on the various L2 switches in the second scenario. Again, the collected statistics appear identical to those collected in the first scenario, except for the Rx data from the second service provider under attack: in the first scenario no data is received from it, as the service provider is out of service for the entire network during the attack.

Fig. 32 Active ports received data rate before/during/after an attack

Figure 33 depicts the data rate transmitted by the same six ports before, during, and after the attack. Again, the collected statistics appear identical to those collected in the first scenario, except for the second service requester: the attack does not affect service requesters connected directly to the same switch as the service provider under attack, so their data rate remains constant throughout the operating period.

Fig. 33 Active ports transmitted data rate before/during/after an attack

4.3.2 Mathematical model of the 2nd testbed of the 2nd scenario

As in the 1st scenario, Eq. (1) describes the data rate received by each service requester before the attack, while Eq. (2) describes the data rate transmitted by each service provider before the attack. In this 2nd scenario, however, Eq. (7) describes the data rate at which each service requester receives data during an attack.

$$ SR_{n}(Rx) = \begin{cases} \sum\limits_{m = 1}^{M - 1} \dfrac{SP_{m}(Tx)}{N} & \text{if } n \ne ua \\[6pt] \sum\limits_{m = 1}^{M - 1} \dfrac{SP_{m}(Tx)}{N} + SP_{ua}(Tx) & \text{if } n = ua \end{cases} $$
(7)

where n is the service requester index {1:N}, N is the number of service requesters, m is the service provider index {1:M}, SP_ua is the service provider under attack, and n = ua denotes the service requester connected to the same switch as SP_ua.

As in the 1st scenario, Eqs. (4) and (5) describe the data rate transmitted by each service provider during the attack. As seen in the 2nd scenario of the mathematical model of the tree topology (provider under attack and intruder connected to adjacent edges), the service provider under attack appears to be down for the entire network except for its local node, where it remains accessible to the service requesters connected to the same node. Network monitoring nodes and devices can discover the reason behind that outage, and there is no abnormal traffic on the network, unlike a traditional DoS attack.

So, in this scenario, as indicated in Eq. (7), we make the following assumptions:

  1. For a service requester affected by the attack (the service requester and the service provider are connected to adjacent switches), the received data rate equals the sum of the data rates transmitted by the M-1 service providers not affected by the attack divided by the number of all service requesters N.

  2. For a service requester not affected by the attack (the service requester and the service provider are connected to the same switch), the received data rate equals the sum of the data rates transmitted by the M-1 service providers not affected by the attack divided by the number of all service requesters N, plus the data rate transmitted by service provider m under attack.
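To make the two models of Sects. 4.1.2 and 4.3.2 concrete, the following added example (not the paper's own code) evaluates Eqs. (1) to (5) and Eq. (7) on constructed values: two IP cameras (M = 2) each streaming 6.0 Mbps and three requesters (N = 3), with the second camera under attack, matching the testbed layout. Indices are 0-based here, whereas the paper uses 1..N and 1..M. The value of SP_ua(Tx) during the attack in the tree case is an input to Eq. (7); the sample scales the camera's normal rate by the share of requesters that still reach it, which is how row 9 of Table 10 is described, and that scaling is an assumption of the example rather than an equation of the paper.

```python
"""Data-rate model of the impersonation attack, Eqs. (1)-(5) and (7) (added example)."""
from typing import Dict, List, Set


def sr_rx_before(sp_tx: List[float], n_req: int) -> List[float]:
    """Eq. (1): every requester receives sum_m SP_m(Tx) / N."""
    return [sum(sp_tx) / n_req for _ in range(n_req)]


def sp_tx_before(sr_rx: List[float], n_prov: int) -> List[float]:
    """Eq. (2): every provider transmits sum_n SR_n(Rx) / M."""
    return [sum(sr_rx) / n_prov for _ in range(n_prov)]


def sr_rx_star_attack(sp_tx: List[float], ua: int, n_req: int) -> List[float]:
    """Eq. (3): only the M-1 unaffected providers contribute; SP_ua(Tx) = 0 (Eq. 5)."""
    unaffected = sum(tx for m, tx in enumerate(sp_tx) if m != ua)
    return [unaffected / n_req for _ in range(n_req)]


def sp_tx_star_attack(sr_rx: List[float], ua: int, n_prov: int) -> List[float]:
    """Eqs. (4) and (5): 0 for SP_ua, sum_n SR_n(Rx) / (M-1) for every other provider."""
    share = sum(sr_rx) / (n_prov - 1)
    return [0.0 if m == ua else share for m in range(n_prov)]


def sr_rx_tree_attack(sp_tx: List[float], ua: int, n_req: int,
                      local_req: Set[int], sp_ua_tx: float) -> List[float]:
    """Eq. (7): requesters on SP_ua's own switch (n = ua) additionally receive SP_ua(Tx)."""
    base = sr_rx_star_attack(sp_tx, ua, n_req)
    return [rx + sp_ua_tx if n in local_req else rx for n, rx in enumerate(base)]


def run_model(cam_rate: float = 6.0, n_req: int = 3, ua: int = 1,
              local_req: Set[int] = frozenset({1})) -> Dict[str, List[float]]:
    """Evaluate both testbeds on the constructed sample values (Mbps)."""
    sp_tx = [cam_rate, cam_rate]                 # two cameras; index 1 is under attack
    before = sr_rx_before(sp_tx, n_req)
    star_during = sr_rx_star_attack(sp_tx, ua, n_req)
    # Assumption (row 9 of Table 10): SP_ua keeps serving only the requesters on
    # its own switch, so its rate drops by the share of requesters that still see it.
    sp_ua_tx_tree = sp_tx[ua] * len(local_req) / n_req
    tree_during = sr_rx_tree_attack(sp_tx, ua, n_req, local_req, sp_ua_tx_tree)
    return {
        "before": before,
        "star_during": star_during,
        "star_sp_tx_during": sp_tx_star_attack(star_during, ua, len(sp_tx)),
        "tree_during": tree_during,
    }


if __name__ == "__main__":
    for name, rates in run_model().items():
        print(f"{name:>18}: {rates}")
```

With these inputs every requester receives 4.0 Mbps before the attack; in the star testbed each drops to 2.0 Mbps and the surviving camera's modelled Tx becomes 6.0 Mbps while the attacked one is 0, as Eqs. (3) to (5) state. In the tree testbed the requester sharing the switch with the attacked camera stays at 4.0 Mbps, which is the behaviour Fig. 28 reports, while the other two drop to 2.0 Mbps.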

5 Conclusions

This article described a novel attack on the data link layer protocol of wired networks, dubbed the data link impersonation attack. This attack aims to disable the application layer services of the attacked apparatus, which is typically a network server. The attacker is a hardware intruder connected to the targeted network. The physical location of the intruder relative to the service provider under attack and the service requesters is critical for visualizing the attack's effect on the victim. There are three distinct basic scenarios; in this paper, we discussed the first two, dubbed the first and second testbeds. The first testbed is the simplest network configuration: a simple star topology that uses a single L2 switch as the network core, with both the service provider and the intruder physically connected to the same node. The second testbed is an extended star or tree network topology composed of L2 switches, one serving as the network's core and additional nodes serving as distributors and edges.

Using a simple 8-bit controller with an IEEE 802.3 network adaptor, a hardware intruder impersonates the service provider's data link layer identity and fools the network nodes (switches) into believing the intruder is the service provider. Impersonation involves cloning the victim's network identity and then producing low-rate broadcast and unicast traffic that regularly overwrites the CAM table entries built inside each node. At this point, the intruder can either act as a black hole by failing to respond to the service requesters' requests or as a white hole by responding to the service requesters' requests in order to steal information from them. We discussed and tested the black hole mode of operation in this paper.

6 Future Work

The adaptations, tests, and scenarios listed below are reserved for future work. For example, in the second testbed, different new scenarios remain to be tested, such as connecting the intruder to the core while the service provider under attack is connected to an edge, and vice versa, with the service provider connected to the core while the intruder is connected to an edge. Another scenario should be tested in which the intruder and the service provider are connected indirectly, via adjacent switches or via a distributor (a tree topology). Finally, we intend to test a new testbed experiment with an L3 rather than an L2 core, and a mechanism for detecting the intruder and immunizing switches and nodes against this type of attack can be considered.