Analyzing & Detecting IEEE 802.x Link Layer Attacks - Part 1
WHAT IS BLUE TEAM SKILLS
Blue Team Skills is a micro-blogging series covering entry-level to intermediate Blue Team skills that I feel are essential knowledge for anyone who wants to be a good defender.
The posts are in micro format, meaning that you can focus on one element or learning concept at a time, which I feel helps learning and retention. In my own journey of studying Incident Response and Threat Hunting, I will share what I have learnt through this blog series with other aspiring blue teamers.
The IEEE 802.x link-layer standards are a family of standards that enable intercommunication between equipment from a variety of manufacturers.
This family of standards specifies functions of the physical layer and the data link layer for the major LAN protocols.
Protocols at each TCP/IP Layer
The best-known link layers in use today, sitting at the Network Access/Link layer of the TCP/IP model, are Ethernet, Wireless and Bluetooth.
Link-layer communication is handled by Network Interface Cards (NICs) and their device drivers. Every NIC has a unique identifier, known as a MAC address, which is assigned by the NIC's manufacturer when the card is produced.
MAC addresses are static 48-bit numbers. In the TCP/IP stack, the IP layer must have a way to talk to the Link layer; this is done through an IP-to-MAC address association: the IP layer communicates using IP addresses, whereas the Link layer communicates using MAC addresses.
What makes this association possible in IPv4 is ARP (Address Resolution Protocol).
In IPv6, a Neighbor Solicitation message is used to request the MAC address associated with a given IPv6 address, and a Neighbor Advertisement message is used to send the response.
At this point, it should be noted that ARP traffic is generated only when two hosts residing on the same local network want to communicate.
If the two hosts reside on different physical segments, traffic is first routed via the Internet layer and then passed down to the Network Access layer.
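As an added example (not code from the original post), the following Python shows the IP-to-MAC association described above from a defender's side: it parses Ethernet/IPv4 ARP reply frames, builds the IP-to-MAC table, flags any IP that more than one MAC claims (an inconsistency worth investigating), and decides which address a host actually resolves via ARP, the destination if it is on the same subnet or the gateway otherwise. All MAC and IP addresses in the sample frames are constructed for this example, not captured traffic.

```python
import ipaddress
import struct

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType (0x0806 = ARP)
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # RFC 826 ARP for Ethernet/IPv4 (field order below)
ETHERTYPE_ARP, ARP_REPLY = 0x0806, 2

def parse_arp_frame(frame):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    # hw type, proto type, hw len, proto len, opcode, sender MAC, sender IP, target MAC, target IP
    hw, proto, hlen, plen, op, smac, sip, _tmac, _tip = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (hw, proto, hlen, plen) != (1, 0x0800, 6, 4):
        return None  # not Ethernet/IPv4 ARP
    return op, ":".join(f"{b:02x}" for b in smac), str(ipaddress.IPv4Address(sip))

def build_ip_mac_table(frames):
    """Learn IP->MAC associations from ARP replies; report IPs claimed by more than one MAC."""
    table, conflicts = {}, {}
    for frame in frames:
        parsed = parse_arp_frame(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            continue
        _, mac, ip = parsed
        if ip in table and table[ip] != mac:  # same IP, different MAC: inconsistency to investigate
            conflicts.setdefault(ip, {table[ip]}).add(mac)
        table.setdefault(ip, mac)             # keep the first-seen association
    return table, conflicts

def arp_target(src_ip, prefix_len, dst_ip, gateway_ip):
    """IP the link layer resolves via ARP: the destination if on the same subnet, else the gateway."""
    net = ipaddress.IPv4Network(f"{src_ip}/{prefix_len}", strict=False)
    return dst_ip if ipaddress.IPv4Address(dst_ip) in net else gateway_ip

def make_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Build a constructed ARP reply frame (sample data for this example, not captured traffic)."""
    smac, tmac = (bytes.fromhex(m.replace(":", "")) for m in (sender_mac, target_mac))
    sip, tip = (ipaddress.IPv4Address(a).packed for a in (sender_ip, target_ip))
    return ETH_HDR.pack(tmac, smac, ETHERTYPE_ARP) + ARP_HDR.pack(1, 0x0800, 6, 4, ARP_REPLY, smac, sip, tmac, tip)

SAMPLE_FRAMES = [  # constructed sample replies; all MACs/IPs are made up for this example
    make_arp_reply("00:11:22:33:44:55", "192.168.1.1", "aa:bb:cc:dd:ee:01", "192.168.1.10"),
    make_arp_reply("00:11:22:33:44:66", "192.168.1.20", "aa:bb:cc:dd:ee:01", "192.168.1.10"),
    make_arp_reply("de:ad:be:ef:00:01", "192.168.1.1", "aa:bb:cc:dd:ee:01", "192.168.1.10"),
]
```

Running `build_ip_mac_table(SAMPLE_FRAMES)` returns the learned table plus the 192.168.1.1 entry as a conflict, since two different MACs answered for it.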