Detection & Mitigation

# Create traffic baseline for anomaly detection
tcpdump -i eth0 -c 10000 -w baseline_traffic.pcap
# Captures normal traffic patterns
# Analyze with Wireshark to understand typical behavior
# Document normal ARP, DHCP, STP frequencies

# Monitor Layer 2 protocol distribution
tcpdump -i eth0 -e | awk '{print $3}' | sort | uniq -c
# Shows protocol distribution
# Helps identify unusual protocol activity

# Comprehensive Layer 2 monitoring
tcpdump -i eth0 -e '(arp or stp or vlan or (port 67 or port 68))'
# Captures all major Layer 2 protocols
# ARP, STP, VLAN tagged, DHCP traffic
# Enables real-time attack detection

# Monitor for suspicious MAC addresses
tcpdump -i eth0 -e | grep -E "([0-9a-f]{2}:){5}[0-9a-f]{2}" | \
    awk '{print $2}' | sort | uniq -c | sort -nr
# Identifies most active MAC addresses
# Helps detect MAC flooding or spoofing

# Monitor CAM table utilization (switch-dependent)
# Cisco: show mac address-table count
# HP: show mac-address
# Dell: show mac address-table

# Alert thresholds for CAM table size
# Normal: <5000 entries for small switches
# Alert: >8000 entries indicates possible flooding

# Monitor interface statistics for anomalies
ip -s link show eth0
# Watch for:
# - Sudden increase in packet rates
# - High error or drop counts
# - Unusual broadcast traffic levels

# Continuous ARP monitoring
arpwatch -i eth0 -f /var/log/arpwatch.log
# Tracks MAC-to-IP mappings
# Alerts on changes indicating spoofing
# Maintains historical database

# Manual ARP inconsistency detection
watch -n 1 'arp -a | sort'
# Monitor for:
# - Same IP with different MACs
# - Frequent MAC changes for same IP
# - Multiple IPs claiming same MAC

# Detect gratuitous ARP abuse
tcpdump -i eth0 arp | grep "is-at"
# Excessive "is-at" responses indicate spoofing
# Normal: 1-2 per IP per hour
# Attack: >10 per minute

# Bidirectional traffic analysis
tcpdump -i eth0 -e 'host 192.168.1.1' | grep -v arp
# Should see traffic in both directions
# One-way traffic indicates interception

# Monitor broadcast traffic levels
tcpdump -i eth0 broadcast | pv -l > /dev/null
# pv shows packet rate in real-time
# Normal: <50 broadcasts/minute
# Flood: >1000 broadcasts/minute

# CAM table rapid changes
# Monitor switch logs for:
# - "MAC address table full" messages
# - Rapid MAC learning/aging cycles
# - Port flapping indicators

# Monitor for unauthorized DTP frames
tcpdump -i eth0 'ether[20:2] == 0x2004'
# Detects Dynamic Trunking Protocol
# Should only see from legitimate switches
# End devices sending DTP indicate attack

# Double-tagged frame detection
tcpdump -i eth0 -e -x vlan | grep "8100.*8100"
# Identifies frames with multiple VLAN tags
# Should not appear on access ports
# Indicates double-tagging attempt

# Monitor Bridge Protocol Data Units
tcpdump -i eth0 -v stp
# Watch for:
# - BPDUs from non-switch MAC addresses
# - Priority 0 claims (unusual)
# - Frequent topology change notifications

# Root bridge tracking
tcpdump -i eth0 stp | grep "Root ID" | sort | uniq -c
# Should see consistent root bridge
# Multiple roots indicate manipulation

# Monitor DHCP request patterns
tcpdump -i eth0 port 67 or port 68 | grep "DHCP-Message"
# Normal: <10 requests per minute
# Starvation: >100 requests per minute
# Sequential MAC patterns indicate attack

# Multiple DHCP server detection
nmap --script dhcp-discover 192.168.1.0/24
# Should identify single legitimate server
# Multiple servers indicate rogue deployment

# Cisco switch port security
switchport port-security
switchport port-security maximum 3
switchport port-security mac-address sticky
switchport port-security violation shutdown

# HP switch equivalent
port-security 00:11:22:33:44:55
port-security max-mac-count 3
port-security action shutdown

# Cisco DHCP snooping
ip dhcp snooping
ip dhcp snooping vlan 1-100
ip dhcp snooping trust  # On uplink ports only
ip dhcp snooping limit rate 10

# Creates database of legitimate DHCP assignments
# Prevents rogue DHCP servers
# Rate limits DHCP requests

# Cisco DAI configuration
ip arp inspection vlan 1-100
ip arp inspection trust  # On uplink ports
ip arp inspection limit rate 15

# Validates ARP packets against DHCP snooping database
# Drops invalid ARP responses
# Prevents ARP spoofing attacks

# STP security features
spanning-tree portfast      # On access ports
spanning-tree bpduguard     # Shutdown on BPDU
spanning-tree guard root    # Prevent unauthorized root

# 802.1X authentication for device access
# Requires certificate or credential verification
# Prevents unauthorized devices from connecting
# Provides granular access control per device

# Integrate network logs with SIEM
# Correlate Layer 2 attacks with other indicators
# Automated alerting and response capabilities
# Historical analysis for pattern recognition

# Automated response to Layer 2 attacks
#!/bin/bash
# Monitor for attack indicators
tail -f /var/log/arpwatch.log | while read line; do
    if echo "$line" | grep -q "flip flop"; then
        # Detect ARP spoofing
        INTERFACE=$(echo "$line" | awk '{print $3}')
        echo "ARP attack detected, shutting down $INTERFACE"
        # Implement switch port shutdown via SNMP
        snmpset -v2c -c private 192.168.1.1 \
            1.3.6.1.2.1.2.2.1.7.$INTERFACE i 2
    fi
done

# Automated VLAN isolation for compromised hosts
# Move suspicious hosts to quarantine VLAN
# Block inter-VLAN routing for isolated hosts
# Maintain logging for forensic analysis

# Isolate affected network segment
# Block traffic from compromised hosts
iptables -A INPUT -m mac --mac-source 00:11:22:33:44:55 -j DROP
# Redirect suspicious traffic for analysis

# Restore legitimate network services
# Clear poisoned ARP caches
ip neigh flush all
# Restart network services if necessary
systemctl restart networking