Design and analysis of data link impersonation attack for wired LAN application layer services

Abstract

Impersonation attack, also known as MAC spoofing, is widespread in wireless local area networks. Under this attack, the senders cannot control the device that listens to their traffic. On the other hand, the physical layer of the wired local area network is more secure, where the traffic is transmitted through cables and network nodes to the intended receivers. Each network node builds its MAC address table, which states stations that are physically connected (directly or indirectly) to each port, so traffic encryption is an unnecessary process. This paper discusses the design and testing of a new attack called a data link impersonation attack. In this attack, the attacker is considered a hardware intruder that deceives data link layer apparatus like the switches of layer two or three, taking advantage of a vulnerability in the MAC address table of the network nodes. That leads the network switches to send all the network traffic to the intruder instead of the real network device (usually a network service provider under attack). Intruder accepts all incoming requests/traffic from the service requester. If the intruder does not reply to the received requests sent by service requesters, it acts as a black hole intruder, simply causing a denial-of-service attack. If an intruder responds to these requests with fake replies to steal information from service requesters, it acts as a white hole intruder. During the attack, the intruder is transparent for the whole network and does not affect overall network performance and generally the network services, so it is so hard to be discovered by the network software running the network apparatus. Different scenarios were tested using different network simulators and physical networks (CISCO L2/L3 switches). It is demonstrated that the attacker is successfully denied the service/application under attack. The proposed attack reveals the new vulnerability of the wired local area network and opens the door for network scientists to enhance network software that runs the network apparatus immune against the proposed attack.