Downloaded 46 times
Uploaded byMarc-Andre Heroux
Frame - MAC Address Threats & Vulnerabilities
The document discusses MAC addresses and how they are used at the data link layer (layer 2) of the OSI model. It provides an example of how a machine with IP address 10.0.0.2 would use ARP requests to find the MAC address of 10.0.1.2, which could allow for a man-in-the-middle attack if a malicious actor was able to spoof responses. The document also describes how frames are broadcast at layer 2 when MAC addresses are unknown to switches, and stresses the importance of monitoring for abnormal network activity and securing network access to prevent ARP threats.
More Related Content
Similar to Frame - MAC Address Threats & Vulnerabilities
![Coded Agents – with UiPath SDK + LangGraph [Virtual Hands-on Workshop]](https://cdn.slidesharecdn.com/ss_thumbnails/codedagentsdeck-251215155422-5497c599-thumbnail.jpg?width=640&height=640&fit=bounds)
Frame - MAC Address Threats & Vulnerabilities
- 1. FRAME - MACADDRESS THREATS & VULNERABILITIES ETHERNET FRAMES - MAC SUBLAYER - 802.3 By Marc-Andre Heroux CGEIT, CISA, CRMA, CRMP, ABCP, CISSP, NSA-IAM, NSA-IEM V. 1.0 Security & Compliance Advisor
- 2. EXAMPLE OF THEUSE OF MAC ADDRESS AT THE LAYER 2 FRAME In this demonstration, we have the machine2.mydomain.net (IP: 10.0.0.2) sending to machine3.mydomain.net (IP: 10.0.1.2). Router/firewall uses datagrams at layer 3 with two components: a header and a payload. Ethernet works at layer 2 with frames (data link layer) and Address Resolution Protocol (ARP) is used (e.g.: MAC address resolution). All Right Reserved Marc-Andre Heroux, ARP Threats, version 1.0 10.0.0.2 What is MAC address of 10.0.1.2? 10.0.1.2 Initial transmission request Frame sent to all ports Broadcasting
- 3. EXAMPLE OF THEUSE OF MAC ADDRESS AT THE LAYER 2 FRAME MAC ADDRESS DESCRIPTION All Right Reserved Marc-Andre Heroux, ARP Threats, version 1.0
- 4. HOW FRAMES ARESENT? MAN-IN-THE-MIDDLE ATTACK If the switch ARP cache table does not contain any entry for 10.0.1.2, the frame is sent to all ports. If any IP address corresponds to 10.0.1.2, the ARP reply will contain the destination MAC. If not found at the switch level, the frame will sent to all ports. If a switch or a router is connected, they will receive the ARP request. 10.0.0.2 What is MAC address of 10.0.1.2? Potential Man-In-THE-MIDDLE Attack on MAC HEADER IN the data payload section. All Right Reserved Marc-Andre Heroux, ARP Threats, version 1.0 10.0.1.2 Uses it’s own source MAC when sending request Initial transmission request Frame sent to all ports Broadcasting MAC not found
- 5. EXAMPLE OF THEUSE OF MAC ADDRESS AT THE LAYER 2 FRAME The router will then respond with it's MAC and the switch will update it’s table, a new MAC header will usually be created and frames will be sent to router and the discovery/transmission will continue to the next hop. In our example, we have many organizational routable subnets divided by routers and connected to various switches. 10.0.0.2 What is MAC address of 10.0.1.2? MAC not found Potential Man-In-THE-MIDDLE Attack on MAC HEADER IN the data payload section. All Right Reserved Marc-Andre Heroux, ARP Threats, version 1.0 10.0.1.2 Uses is own source MAC when sending request Initial transmission request Frame sent to all ports Broadcasting
- 6. CONCLUSION Prevent threatagent to connect to your local network and avoid many incidents against Ethernet frame; Detect and stop abnormal activities; Most networks are running IPV4 and uses ARP. The same principles exist for IPV6 and Neighbor Discovery Protocol (NDP). Monitoring Logging Detection Correlation Alerting Correction All Right Reserved Marc-Andre Heroux, ARP Threats, version 1.0