Attacks at the Data Link Layer

Intrusion detection systems usually operate at layer 3 or above of the TCP/IP stack because layer 2 protocols in local area networks are implicitly trusted. Current firewall technology has very limited capabilities at layer 2 for the very same reason. Historically, trust in layer 2 protocols has rested on physical access control over the network links. However, new applications of these protocols extend the reach of layer 2 networks beyond the physical control of a single organization. Furthermore, the insider problem [5, 18] is among the most dangerous threats. We study the effects of denial of service attacks on a layer 2 topology-control protocol, the Rapid Spanning Tree Protocol (RSTP, IEEE 802.1w), as perceived from the network layer. Significant degradation of performance and resiliency is observed in our experiments. We also consider another category of attacks, which we designate as topology engagement attacks, that achieve layer 2 traffic snooping without raising alerts at layer 3 and thus defeat the traffic separation that switched local area networks are assumed to provide. Some measures aimed at mitigating the impact of these types of attacks are proposed. Finally, we present experiments that validate the effectiveness of the proposed countermeasures.
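The abstract does not spell out which BPDU manipulations it studies, so the following is an added illustration, not code from the paper: it parses RST BPDUs (the 36-byte body that follows the 802.2 LLC header, laid out as in IEEE 802.1D-2004 clause 9.3.3) and flags two well-known ways the spanning tree is abused, a BPDU that advertises a root bridge better than the one the operator has configured (the way a rogue bridge draws the tree, and the traffic, toward itself) and a burst of Topology Change BPDUs (a spanning-tree denial of service, since every TC makes bridges flush their filtering databases). The bridge identifiers, MAC addresses, sample frames, window length and threshold are constructed values chosen for the example.

```python
"""Parse RSTP BPDUs and flag two abuse patterns against the spanning tree.
Added example; all identifiers, frames and thresholds are constructed."""
import struct
from collections import deque
from typing import Dict, Iterable, List, Tuple

# Layout of an RST BPDU body (IEEE 802.1D-2004, 9.3.3): the 36 bytes that
# follow the 802.2 LLC header (DSAP/SSAP 0x42, control 0x03) in the frame.
_BPDU_FMT = "!HBBB8sI8sHHHHHB"
BPDU_LEN = struct.calcsize(_BPDU_FMT)   # 36
RSTP_VERSION = 2                        # protocol version identifier for RSTP
RST_BPDU_TYPE = 0x02                    # BPDU type for RST BPDUs
FLAG_TC = 0x01                          # Topology Change
FLAG_TCA = 0x80                         # Topology Change Acknowledgement


def bridge_id(priority: int, mac: str) -> int:
    """Bridge identifier as an integer: 16-bit priority field (upper 4 bits
    configured priority, lower 12 system ID extension) followed by the 48-bit
    MAC. The numerically lowest identifier wins the root election."""
    if not 0 <= priority <= 0xFFFF:
        raise ValueError("priority must fit in 16 bits")
    return (priority << 48) | int(mac.replace(":", ""), 16)


def build_rst_bpdu(root: int, sender: int, root_cost: int = 0,
                   flags: int = 0, port: int = 0x8001) -> bytes:
    """Serialise an RST BPDU body; used here only to construct sample input.
    Timer fields are carried in units of 1/256 s (max age 20 s, hello 2 s,
    forward delay 15 s are the 802.1D defaults)."""
    return struct.pack(_BPDU_FMT, 0x0000, RSTP_VERSION, RST_BPDU_TYPE, flags,
                       root.to_bytes(8, "big"), root_cost,
                       sender.to_bytes(8, "big"), port,
                       0, 20 * 256, 2 * 256, 15 * 256, 0)


def parse_rst_bpdu(body: bytes) -> Dict[str, int]:
    """Decode a BPDU body into named fields; rejects truncated or non-STP data."""
    if len(body) < BPDU_LEN:
        raise ValueError("truncated BPDU")
    (proto, version, btype, flags, root, cost, sender, port, msg_age,
     max_age, hello, fwd_delay, _v1len) = struct.unpack(_BPDU_FMT, body[:BPDU_LEN])
    if proto != 0x0000:
        raise ValueError("protocol identifier is not STP")
    return {
        "version": version, "type": btype, "flags": flags,
        "root_id": int.from_bytes(root, "big"), "root_cost": cost,
        "bridge_id": int.from_bytes(sender, "big"), "port_id": port,
        "message_age_s": msg_age / 256, "max_age_s": max_age / 256,
        "hello_s": hello / 256, "forward_delay_s": fwd_delay / 256,
    }


def claims_superior_root(bpdu: Dict[str, int], legitimate_root: int) -> bool:
    """True when the BPDU advertises a root better (numerically lower) than
    the root the operator expects. That is the signature of a root takeover:
    the sender, or a bridge behind it, is pulling the tree toward itself.
    It is the same condition a switch's root guard reacts to on an edge port."""
    return bpdu["root_id"] < legitimate_root


def tc_flood_alerts(events: Iterable[Tuple[float, Dict[str, int]]],
                    window_s: float = 1.0, threshold: int = 5) -> List[float]:
    """Return the timestamps at which more than `threshold` BPDUs carrying the
    Topology Change flag were seen within the trailing `window_s` seconds.
    Each TC forces bridges to age out learned addresses early, so a flood
    makes the switched LAN flood unicast traffic like a hub and loads every
    bridge's control plane. The sliding window is kept in a deque."""
    recent: deque = deque()
    alerts: List[float] = []
    for ts, bpdu in events:
        if not bpdu["flags"] & FLAG_TC:
            continue
        recent.append(ts)
        while recent and ts - recent[0] > window_s:
            recent.popleft()
        if len(recent) > threshold:
            alerts.append(ts)
    return alerts


if __name__ == "__main__":
    legit_root = bridge_id(4096, "00:00:00:00:00:01")    # constructed
    rogue = bridge_id(0, "00:00:00:00:00:02")            # constructed
    edge = bridge_id(32768, "00:00:00:00:00:03")         # constructed
    print(claims_superior_root(parse_rst_bpdu(build_rst_bpdu(legit_root, edge)), legit_root))
    print(claims_superior_root(parse_rst_bpdu(build_rst_bpdu(rogue, rogue)), legit_root))
    tc = parse_rst_bpdu(build_rst_bpdu(legit_root, edge, flags=FLAG_TC))
    print(tc_flood_alerts([(i * 0.25, tc) for i in range(12)], 1.0, 3))
```

Two design points: the root check compares against a configured legitimate root rather than "the first root seen", because a monitor that learns the root from traffic can be trained by the attacker; and the TC threshold has to be set above the rate of legitimate topology changes on the segment (link flaps on a large tree do produce bursts), so the window and threshold here are assumptions to be tuned from a baseline. In deployment the frames would come from a mirror port, with the Ethernet and LLC headers stripped before the 36-byte body is passed to the parser, and the alerts would complement the in-switch features that already react to these conditions (root guard and BPDU guard).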