Layer 2 Deep Dive: Ethernet Frames, ARP and Security in Oilspring

Most OT defenders skip Layer 2, but it is where many security problems begin. Before deep packet inspection or routing ever sees a packet, a switch has already decided where the frame goes, and it makes that decision solely on MAC addresses it has learned from earlier frames, with no check that the sender is who it claims to be. Understanding that behaviour is crucial for OT networks, where PLCs and HMIs share flat segments with little else protecting them.

You Should Know:

1. How Switches Use MAC Learning

A switch records the source MAC of every frame it receives against the ingress port in its MAC address table (the CAM table). Frames to a known destination are sent out that one port; frames to an unknown or broadcast destination are flooded to every other port in the VLAN. Nothing in this process authenticates the sender, which is what the attacks in the next section exploit. Use these commands to inspect MAC and neighbor tables:

 Linux bridge (bridge-utils; deprecated on newer distributions in favour of the iproute2 bridge tool, but still widely installed) 
sudo brctl showmacs <bridge_name>

Cisco switch (learned MAC, VLAN, type and port) 
show mac address-table

Windows (PowerShell): this lists the host's own ARP/neighbor cache, i.e. which MAC the host currently believes each IP has. It is a host view, not the switch's table, but it is exactly the table an ARP spoofer manipulates, so check it when a host behaves oddly 
Get-NetNeighbor -AddressFamily IPv4 | Select-Object IPAddress, LinkLayerAddress, State 
2. Why Layer 2 is Insecure by Default

  • ARP Spoofing Attack: ARP has no authentication, so any host can answer "who has 192.168.1.1?" with its own MAC, or send unsolicited (gratuitous) replies without being asked. Victims update their ARP caches and send traffic meant for the gateway or a PLC through the attacker, who can read or modify it in transit.
      Detect ARP spoofing (Linux): arpwatch records every IP/MAC pairing it sees on the interface and logs a "changed ethernet address" or "flip flop" event when a known IP suddenly shows up with a different MAC 
      sudo arpwatch -i eth0

      Manual ARP inspection: look for one MAC claiming several IPs, or the gateway's IP mapped to a MAC you do not recognise 
      arp -a 

  • MAC Flooding Attack: the attacker sends frames from thousands of random source MACs until the switch's CAM table is full. Legitimate addresses can no longer be learned (or age out and are not re-learned), so the switch floods their traffic to every port, including the attacker's, which turns the switch into a hub.
    Prevent with port security (Cisco, in interface configuration mode, after enabling port security on the port as shown in section 4): cap the number of MACs learned per port and choose what happens on a violation. restrict drops the offending frames, increments a violation counter and sends a syslog/SNMP trap; protect drops silently; shutdown err-disables the port 
    switchport port-security maximum 2 
    switchport port-security violation restrict 
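To make the ARP detection concrete, here is an added example (written for this article, not code from the original post or from arpwatch) that parses raw Ethernet frames, including 802.1Q-tagged ones, decodes the ARP packets inside them, and flags a reply that moves an IP address to a different MAC, the same "changed ethernet address" signal arpwatch raises. The frames, MAC addresses and IP addresses are constructed for the demo.

```python
"""Parse raw Ethernet/ARP frames (untagged and 802.1Q-tagged) and flag ARP
replies that change an existing IP -> MAC binding. Added example for this
article; the frames below are constructed by hand, not captured traffic."""
import struct

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet frame into dst/src MAC, VLAN id (None if untagged),
    EtherType and payload."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset, vlan = 14, None
    if ethertype == ETHERTYPE_VLAN:       # 802.1Q tag: 2-byte TCI, then the real EtherType
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18   # low 12 bits of the TCI are the VLAN ID
    return {"dst": mac_str(dst), "src": mac_str(src), "vlan": vlan,
            "ethertype": ethertype, "payload": frame[offset:]}


def parse_arp(payload: bytes) -> dict:
    """Decode a 28-byte Ethernet/IPv4 ARP packet."""
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": oper, "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}


def build_arp_frame(src_mac, dst_mac, op, sha, spa, tha, tpa, vlan=None) -> bytes:
    """Build a frame for the demo (the inverse of the two parsers above)."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac)
    if vlan is not None:
        eth += struct.pack("!HH", ETHERTYPE_VLAN, vlan)
    eth += struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      mac_bytes(sha), bytes(map(int, spa.split("."))),
                      mac_bytes(tha), bytes(map(int, tpa.split("."))))
    return eth + arp


def detect_arp_spoofing(frames):
    """Learn IP -> MAC bindings from ARP replies, per VLAN (first seen wins),
    and return (bindings, alerts). A reply whose ARP sender MAC differs from
    the frame's source MAC, or that moves an IP to a new MAC, is reported."""
    bindings, alerts = {}, []
    for frame in frames:
        eth = parse_frame(frame)
        if eth["ethertype"] != ETHERTYPE_ARP:
            continue
        arp = parse_arp(eth["payload"])
        if arp["op"] != ARP_REPLY:
            continue
        if arp["sha"] != eth["src"]:
            alerts.append(f"vlan={eth['vlan']} {arp['spa']}: ARP sender {arp['sha']} "
                          f"does not match frame source {eth['src']}")
        key = (eth["vlan"], arp["spa"])
        known = bindings.setdefault(key, arp["sha"])
        if known != arp["sha"]:
            alerts.append(f"vlan={eth['vlan']} {arp['spa']} changed from {known} to {arp['sha']}")
    return bindings, alerts


# Constructed scenario: a host asks for the gateway, the real gateway answers,
# a PLC answers on VLAN 100, then an attacker claims the gateway's IP.
GW, HOST, PLC, ATTACKER = ("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:50",
                           "00:11:22:33:44:55", "de:ad:be:ef:00:99")
SAMPLE_FRAMES = [
    build_arp_frame(HOST, BROADCAST, ARP_REQUEST, HOST, "192.168.1.50",
                    "00:00:00:00:00:00", "192.168.1.1"),
    build_arp_frame(GW, HOST, ARP_REPLY, GW, "192.168.1.1", HOST, "192.168.1.50"),
    build_arp_frame(PLC, HOST, ARP_REPLY, PLC, "10.0.100.20", HOST, "10.0.100.1", vlan=100),
    build_arp_frame(ATTACKER, HOST, ARP_REPLY, ATTACKER, "192.168.1.1", HOST, "192.168.1.50"),
]

if __name__ == "__main__":
    table, found = detect_arp_spoofing(SAMPLE_FRAMES)
    for key, mac in table.items():
        print(key, "->", mac)
    for alert in found:
        print("ALERT:", alert)
```

Bindings are kept per VLAN because the same private range can legitimately exist in two VLANs; in a real deployment you would feed the function frames read from a raw socket or a pcap rather than the constructed list, and seed the table with the known gateway and PLC MACs so that the very first spoofed reply is caught.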

3. SCADA Modbus Traffic Analysis

Modbus/TCP (port 502) carries no authentication or encryption: any host that can reach a PLC on port 502 can read and write its coils and registers. A passive capture of Modbus alongside ARP traffic is therefore the quickest way to see which hosts talk to which PLCs, and with which function codes. Capture and analyze Modbus traffic between SCADA and PLCs:

 tcpdump for Modbus (port 502), written to a pcap for later analysis 
sudo tcpdump -i eth0 'port 502' -w modbus.pcap

Wireshark display filter: modbus matches the decoded Modbus PDU, arp shows spoofing attempts against the same hosts, and eth.addr narrows the view to one PLC or HMI (replace <MAC> with its address) 
modbus || arp || eth.addr == <MAC> 
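The Wireshark filter shows you the traffic; the next step is deciding which Modbus messages matter. The following is an added example (written for this article, not from the original post or from any Modbus library) that decodes Modbus/TCP ADUs from raw bytes, validates the MBAP header, and flags write function codes sent to a PLC by hosts that are not supposed to write, exception responses, and malformed headers. The IP addresses and messages are constructed placeholders.

```python
"""Decode Modbus/TCP application data units (MBAP header + PDU) and flag
writes from unexpected sources, exception responses and malformed headers.
Added example for this article; the messages and IPs below are constructed,
not taken from a real capture."""
import struct

MBAP_LEN = 7  # transaction id (2), protocol id (2), length (2), unit id (1)
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
    22: "Mask Write Register", 23: "Read/Write Multiple Registers",
}
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}


def parse_modbus_tcp(adu: bytes) -> dict:
    """Split an ADU into its MBAP fields and PDU, checking the length and
    protocol id fields that a fuzzer or a broken client gets wrong."""
    if len(adu) < MBAP_LEN + 1:
        raise ValueError("ADU shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack("!HHHB", adu[:MBAP_LEN])
    pdu = adu[MBAP_LEN:]
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus (0)")
    if length != len(pdu) + 1:            # length field covers unit id + PDU
        raise ValueError(f"MBAP length {length} but {len(pdu) + 1} bytes follow")
    fc = pdu[0]
    return {"tid": tid, "unit": unit, "function": fc & 0x7F,
            "exception": bool(fc & 0x80), "data": pdu[1:]}


def audit_modbus(messages, plcs, allowed_writers):
    """messages: iterable of (src_ip, dst_ip, adu). A write is reported when
    it is addressed to a PLC from a host outside allowed_writers.
    Returns (decoded messages, findings)."""
    decoded, findings = [], []
    for src, dst, adu in messages:
        try:
            msg = parse_modbus_tcp(adu)
        except ValueError as err:
            findings.append(f"{src}->{dst}: malformed ADU ({err})")
            continue
        msg.update(src=src, dst=dst)
        decoded.append(msg)
        name = FUNCTION_NAMES.get(msg["function"], f"function {msg['function']}")
        if msg["exception"]:
            findings.append(f"{src}->{dst}: exception {msg['data'][0]} in response to {name}")
        elif msg["function"] in WRITE_FUNCTIONS and dst in plcs and src not in allowed_writers:
            findings.append(f"{src}->{dst}: {name} from a host not allowed to write")
    return decoded, findings


def mbap(tid: int, unit: int, pdu: bytes) -> bytes:
    """Prefix a PDU with an MBAP header (used only to build the sample data)."""
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu


HMI, PLC, ROGUE = "192.168.1.10", "192.168.1.20", "192.168.1.77"   # placeholders
SAMPLE_MESSAGES = [
    # HMI polls 10 holding registers starting at 0; the PLC returns 20 bytes
    (HMI, PLC, mbap(1, 1, b"\x03\x00\x00\x00\x0a")),
    (PLC, HMI, mbap(1, 1, b"\x03\x14" + bytes(20))),
    # an unexpected host writes register 1; the PLC answers with exception 02
    (ROGUE, PLC, mbap(7, 1, b"\x06\x00\x01\x00\x00")),
    (PLC, ROGUE, mbap(7, 1, b"\x86\x02")),
    # a frame with a non-zero protocol id, which is never valid Modbus/TCP
    (ROGUE, PLC, struct.pack("!HHHB", 8, 0x1234, 2, 1) + b"\x03"),
]

if __name__ == "__main__":
    for finding in audit_modbus(SAMPLE_MESSAGES, plcs={PLC}, allowed_writers={HMI})[1]:
        print("FINDING:", finding)
```

Because Modbus has no request/response marker in the header, the audit uses direction (destination is a PLC) to tell a write request from the PLC's echoed response; in practice you would populate plcs and allowed_writers from your asset inventory and feed the function the TCP payloads extracted from modbus.pcap.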
4. VLANs and Port Security for OT Defense

  • VLAN Segmentation: put PLCs, HMIs and engineering workstations in their own VLANs so that a compromised host on the IT side is not in the same broadcast domain and cannot ARP-spoof OT devices. The Linux commands below create a tagged (802.1Q) subinterface for VLAN 100 on a host or gateway; the switch port it connects to must be a trunk that carries VLAN 100, and OT traffic should not ride the native (untagged) VLAN of that trunk.
      Linux VLAN setup 
      sudo ip link add link eth0 name eth0.100 type vlan id 100 
      sudo ip addr add 192.168.1.1/24 dev eth0.100 
      sudo ip link set eth0.100 up 

  • Port Security (Cisco): on an access port, enable port security and let the switch learn and retain ("sticky") the MAC of the device plugged into it. Combine this with the maximum and violation settings from section 2; sticky entries survive a reload only if the running configuration is saved.
    switchport mode access 
    switchport port-security 
    switchport port-security mac-address sticky 
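To tie sections 1, 2 and 4 together, here is an added example (written for this article, not vendor code) that models a switch's MAC learning table, shows how an attacker who fills it causes the HMI-to-PLC traffic to be flooded to the attacker's port, and shows how a per-port limit of two addresses with the restrict violation mode prevents that. It deliberately simplifies real hardware (no aging timers, a plain dictionary instead of a hashed CAM); the port names and MAC addresses are placeholders.

```python
"""Toy model of a switch's MAC learning table, what happens when an attacker
fills it (MAC flooding), and how a per-port address limit with the "restrict"
violation mode stops that. Added example for this article; it simplifies real
switches (no aging timers, a plain dict instead of a hashed CAM) and the port
names and MACs are placeholders."""

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    def __init__(self, ports, cam_capacity=8, port_max=None, violation="restrict"):
        self.ports = list(ports)
        self.cam = {}                              # learned MAC -> ingress port
        self.cam_capacity = cam_capacity
        self.port_max = port_max                   # None = no port security
        self.violation = violation                 # "restrict" or "shutdown"
        self.sticky = {p: set() for p in ports}    # sticky-learned secure MACs
        self.violations = {p: 0 for p in ports}
        self.err_disabled = set()

    def forward(self, in_port, src, dst):
        """Handle one frame; return the set of egress ports (empty = dropped)."""
        if in_port in self.err_disabled:
            return set()
        # Port security runs before learning: only the first port_max MACs
        # seen on the port are accepted, every other source is a violation.
        if self.port_max is not None and src not in self.sticky[in_port]:
            if len(self.sticky[in_port]) >= self.port_max:
                self.violations[in_port] += 1
                if self.violation == "shutdown":
                    self.err_disabled.add(in_port)
                return set()                       # restrict: drop and count
            self.sticky[in_port].add(src)
        # MAC learning: a full table simply cannot learn new addresses.
        if src in self.cam or len(self.cam) < self.cam_capacity:
            self.cam[src] = in_port
        # Forwarding: known unicast goes to one port, everything else floods.
        out = self.cam.get(dst)
        if dst == BROADCAST or out is None:
            return set(self.ports) - {in_port}
        return set() if out == in_port else {out}


HMI, PLC = "00:11:22:00:00:10", "00:11:22:00:00:20"
PORTS = ["Gi1/0/1", "Gi1/0/2", "Gi1/0/3"]           # HMI, PLC, attacker


def run_scenario(switch):
    """Attacker on Gi1/0/3 sends from 8 random MACs, then HMI and PLC talk.
    Returns (ports that receive the HMI->PLC frame, attacker-port violations)."""
    for i in range(8):
        switch.forward("Gi1/0/3", f"02:00:00:00:00:{i:02x}", BROADCAST)
    switch.forward("Gi1/0/2", PLC, HMI)            # PLC -> HMI
    egress = switch.forward("Gi1/0/1", HMI, PLC)   # HMI -> PLC
    return egress, switch.violations["Gi1/0/3"]


def mac_flood_demo():
    # Table holds 8 entries, no port security: the attacker fills it first,
    # so PLC and HMI are never learned and their traffic is flooded to Gi1/0/3.
    return run_scenario(Switch(PORTS, cam_capacity=8))


def port_security_demo():
    # Same table, but each port may learn at most 2 MACs (violation restrict):
    # 6 attacker frames are dropped and counted, PLC and HMI learn normally.
    return run_scenario(Switch(PORTS, cam_capacity=8, port_max=2))


if __name__ == "__main__":
    print("without port security:", mac_flood_demo())
    print("with port security:   ", port_security_demo())
```

The model makes the point of section 2 visible: without a limit, the HMI-to-PLC frame leaves on both Gi1/0/2 and the attacker's Gi1/0/3; with maximum 2 and restrict, it leaves only on the PLC's port and the attacker's extra sources show up as a violation count, the same counter a real switch exposes in its port-security status.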

What Undercode Say

Layer 2 is the foundation of OT security. Ignoring it leaves networks vulnerable to spoofing, flooding, and unauthorized access. By analyzing MAC tables, enforcing VLANs, and monitoring ARP, defenders can detect and prevent attacks before they escalate.

Prediction

As OT systems integrate more IT technologies, Layer 2 attacks will increase. Automated MAC spoofing detection and AI-based anomaly tracking in switches will become critical.


Reported By: Zakharb Otsiem – Hackers Feeds