A Survey on Backbone Attack

Ebu Yusuf GÜVEN Mehmet Yavuz YAĞCI Ali BOYACI

Istanbul University - Cerrahpaşa Istanbul University - Cerrahpaşa Istanbul Commerce University
eyguven @istanbul.edu.tr [email protected] [email protected]
Serhan YARKAN Muhammed Ali AYDIN
Istanbul Commerce University Istanbul University - Cerrahpaşa
[email protected] [email protected]

Abstract—The Internet is the universal network
infrastructure that surrounds the Earth with thousands of
devices and connections that make up it. The communication of
various technologies from data centers to personal smartphones
is provided through this infrastructure. While end devices are
renewed as technology and product in short periods, network
devices such as switches and routers, where communication is
provided, can work for many years and work with out-of-date
software and protocols. Therefore, it is clear how important the
weaknesses are. Internet communication protocols are designed
with security concerns in mind instead of communication speed
and bandwidth. Even though researchers work intensively on
wireless networks, the security of the infrastructure that connects
wireless networks is ignored. In this study, we examined the
attacks on OSI layer 2 and layer 3 layers made to the devices that
constitute the backbone of the Internet infrastructure. Although
several security measures and updates have been published for
some of these attacks, the vulnerabilities that may occur in
outdated devices are revealed.
Keywords—Cyber Attack, Router, Switch, Layer 2,
Datalink layer Attack
I. INTRODUCTION
The interconnected technology of computers has
transformed into a network that has embraced the world for
decades and created the Internet. Thanks to the growing
bandwidth of the Internet, it has become an important
infrastructure for transmitting information to data centers
via Cloud Computing. With the development of smart
devices, emerging speed and performance requirements
have begun to evolve in distributed data storage
architectures on the network that process and process data,
technologies like Edge Computing and Fog Computing have
emerged. While attempting to solve the Internet capacity
and performance problems, the main danger is that the basic
principles of cyber security, such as Confidentiality,
Integrity, Authentication and Non-repudiation, cannot be
fully achieved.
The Internet infrastructure is based on the OSI model model
and there are dozens of protocols in different layers over this
layered model. However, although security measures
usually focus on the application layer, this level of security
measures not only cause additional burdens on the network,
but also address the blocking attacks like DDos and Dos.
Network devices that do not use well-made, out-of-date
software that are used for many years in particular, or use
secure protocols from performance concerns, compromise
the security of the backbone.
infrastructures communicate using the public or private
internet infrastructure. The various wireless technologies
and secure communication protocols that are introduced are
connected to the internet backbone via the gateway to which
they are connected, regardless of the range and protocol
security used. In addition, the internet network uses the
same network devices as the internet infrastructure of the
private networks, which are independent from the internet
infrastructure, and carry the internet backbone weaknesses.
In order to exploit vulnerabilities in private networks, it is
sufficient for attackers to join the network. Therefore, the
security of backbone network devices such as switches and
routers is important for all network infrastructures that are
designed with these devices.
This study has been carried out to draw attention to the
weaknesses in the Network and Datalink layers examined in
this study and to show the source of these vulnerabilities.
Chapter 2 introduces the Internet Infrastructure by referring
to the OSI model, while devices in various layers are
described. Layers, protocols and network devices included
in the study were introduced. In Chapter 3, CAM Overflow,
VLAN Hopping, Spanning Tree and Private VLAN attacks
were examined in Chapter 3 and results and discussion were
discussed in Chapter 4.
II. INTERNET INFRASTRUCTURE
The Internet is the name given to all connected devices
connected to the world, a structure that resembles a ball of
wired or wireless network devices. As seen in Figure 1, this
structure, which consists of connecting different technologies
and different systems, covers the whole world. Information,
education, business, bank and even social life to humanity is
served completely through internet infrastructure with
various applications and methods. This massive Internet
infrastructure works on the structural design called Open
Systems Interconnection model (OSI model). Thanks to this
model, the problems arising from the heterogeneous structure
of the communicating devices have been eliminated[3].
Because before OSI, each network device manufacturer used
its own communication model and it was not possible to
communicate between different platforms or it was very
difficult.

GSM infrastructure, individual and corporate, Wi-Fi

services, cloud computing services and all critical

978-1-7281-2827-6/19/$31.00 ©2019 IEEE

Authorized licensed use limited to: Sharda University. Downloaded on July 18,2023 at 08:12:19 UTC from IEEE Xplore. Restrictions apply.

Fig. 1. Access and backbone core networks and data capture platform[4].
The Internet infrastructure is communicated using the
Open Systems Interconnection Model (OSI Model). Thanks
to this model, the problems arising from the heterogeneous
structure of the communicating devices have been
eliminated. OSI model consists of 7 layers, Physical, Data
Link, Network, Transmission, Session, Presentation and
Application as shown in Table 1. Thanks to the layered
structure, each layer-specific and protocol-specific protocol
is developed and passed from the application layer of the
data package, passing through each layer, converted to a
signal in the physical layer. In addition, the detection and
maintenance of the problems encountered due to the modular
structure has become easier. The OSI model has grown with
protocols added since the late 1980s and has become a guide
for network operations [3].
TABLE I. OSI LAYERS
Layer Number Layer Name
7. Application
6. Presentation
5. Session
4. Transport
3. Network
2. Datalink
1. Physical
When the OSI layers are examined, a two-way
encapsulated and decapsulated process is carried out from
the first layer to the seventh layer. Thanks to this model, it
reaches the data through various layers from the physical
layer to the packet transmission application layer. During this
transmission, any attack on the interlayers and the network
devices on which these layers work will endanger the
security and confidentiality of the upper layers. Therefore,
network security should be evaluated towards the upper
layers starting from the lowest layer of the OSI reference[5].
The first layer of the OSI model is transmitted in the
physical layer via the transmission line as a raw data electric,
radio or optical signal. In this layer, packaged data is
transmitted as the smallest structural part bit. DOCSIS, DSL,
ADSL, VDSL, Ethernet physical layer, ISDN and RS-232
are some protocols used in the physical layer. The
Authorized licensed use limited to: Sharda University. Downloaded on July 18,2023 at 08:12:19 UTC from IEEE Xplore. Restrictions apply.
characteristics of the data connection, such as analogue or
digital, are determined and transported from the device as a
physical transmission device via copper, fiber optic cable or
radio frequency. The security of the transmitted data and the
network used depends on physical security first. Physical
listening methods apply to this layer, but attack vectors are
excluded from this study.
The data link layer is called the layer that provides the
connection between two connected end devices. The bits
from layer 1 are combined in this layer and named as Frame.
The errors in the physical layer are determined by various
validation methods. Hub and switch devices are used in this
layer. Various protocols such as IEEE 802.2, L2TP, LLDP,
MAC, PPP, ATM, MPLS are used in this layer. Within the
scope of the work we have done, security issues have been
discussed within the scope of the vulnerabilities arising from
these protocols and the software on the devices in this layer.
The data link layer is divided into two sub-layers. These
layers are respectively Medium Access Control (MAC) and
Logical Link Control (LLC). The MAC layer is responsible
for the permissions of the devices to access the network and
the permissions to send data. In the LLC layer, the data to be
sent to the upper layer is encapsulated, error checks and
frame synchronizations are made. The IEEE 802 LAN /
MAN standard middle access control (MAC) sublayer (also
known as the media access control sublayer) and the logical
link control (LLC) substrate together form the data link
layer. Within this data link layer, LLC provides flow control
and multiplexing (ie, EtherType, 802.1Q VLAN tag, etc.) for
logical connection, and MAC provides flow control and
multiplexing for the transport medium.
These two sublayers together correspond to layer 2 of the
OSI model. Due to compatibility, LLC is optional for IEEE
802.3 applications (frames later become "raw"), but is
mandatory for all other IEEE 802 standards applications.
Within the hierarchy of the OSI model and IEEE 802
standards, the MAC block provides control abstraction of the
physical layer, such that the complexity of the physical link
control does not appear to LLC and to the upper layers of the
network stack. Thus any LLC block (and higher layers) can
be used with any MAC.
Network layer: Enables the transmission of variable-
length data packets, called datagrams, from one network
node to another network node connected to the same
network. Each node connected to the network has an address
and the data is transmitted using these addresses. In this
layer, Packet / Datagram is used as the data unit. AppleTalk,
ICMP, IPsec, IPv4, IPv6 protocols used in this layer are
used. If the size of the data to be sent during the data
transmission is larger than the connection between the two
nodes, the data on the network is transmitted in several
pieces. These packages are given a sequence number and the
receiver side is merged and the package is obtained. Routers
and some advanced switches work on this layer. The
backbone of the Internet forms devices in the network layer
and data link layer. Especially network layer devices are of
great importance in the management of internet traffic. In
these devices, the vulnerabilities in the algorithms and
protocols used directly affect the Internet infrastructure. The
attacks described in this study also affect the third layer.
 Transport layer: The transport layer allows sending
datagram packets from the source device to the target device
over one or more networks while maintaining quality. The
Transmission Control Protocol (TCP), which was developed
on the Internet Protocol (IP) in the transport layer, is one of
the protocols used. The protocol used is to control the flow
through the given connection and is responsible for the error
checking by transferring the data. The transport layer also
gives a success message if no error occurs after the data
transmitted to the other party and sends the next data. If a
whole package is not delivered, the data flow is stopped and
the packet is requested again from the source until the packet
is received. Data transmission of protocols such as HTTP /
HTTPS, POP3 / SMTP, SSH, Telnet and FTP is also used by
end users. The attacks in this layer were not included in the
scope of this study.
III. BACKBONE ATTACK SURFACE
Thanks to the internet infrastructure, many products and
services are offered to the service of humanity. The biggest
technology that makes us the era of communication and
technology in our age is the internet infrastructure created in
the past century. There was no cyber security threat at the
time the Internet was developed. For this reason, it has
started to work with established protocols without
considering the safety and privacy concerns.
When sending the response packet, switch learns the port
to which b computer is connected. When sending the
response packet, switch learns the port to which b computer
is connected. Although secure protocols have been
developed in the application layer and in the network layer
over the Internet infrastructure, there is no solution to the
vulnerabilities in the lower layers. Therefore, in this study for
Data link and Network layer "CAM Overflow", "VLAN
Hopping", "Spanning Tree", "Private VLAN" attacks were
examined.
A. CAM Overflow Attack
The CAM table is a table structure that matches the MAC
addresses and switch ports that aim to prevent unrelated
packets from spreading in the network. Consider the scenario
for the glass table through the A, B, C computers in the same
network as shown in Figure 2. MAC address port mapping
was not performed since there was no communication
between computers during initial setup. Assume that packet
A is sent to computer B on computer A so that the
corresponding match occurs. The switch sends this packet to
all active ports. The C computer reads the data packet from
A to B. During traffic, switch combines A computer
connected to port and the mac address.
When sending the response packet, switch learns the port
to which b computer is connected. Instead of sending the
related packet to the entire network, the next packet is sent to
the port associated with the MAC address.
Authorized licensed use limited to: Sharda University. Downloaded on July 18,2023 at 08:12:19 UTC from IEEE Xplore. Restrictions apply.
Fig. 2. Switch, A, B and C Computers with CAM Table
When the C computer creates a fake data packet sent
from B to A and releases it to the network, the switch
combines port which C computer connected and B computer.
Therefore, packets sent to computer B will be routed to C.
There are some recommendations for the prevention of
overflow of CAM[6]. It is recommended to manually assign
the mac address for each port. It is also recommended to
block the port with the undefined MAC address, regardless
of whether the MAC addresses of the incoming packets are
defined or not.
B. VLAN Hopping Attack
In order to take security measures in the network
structures where different units are located and to create an
optimized network structure, it is necessary to create a
physically separate network structure for the locations and
units where the computers are located. Setting up different
network structures results in extra hardware costs for each
different network area. VLAN technique is used as a
software solution to divide different regions on the switch
and control interregional access. The use of VLAN offers
optimized solutions in some cases. Broadcast messages
spread across the entire network lead to high message traffic
on networks with a high number of clients. VLAN technique
is used for optimization of this message traffic. Each VLAN
is designed as a separate network and therefore has their own
broadcast and network addresses. Therefore, the broadcast
messages sent are in the corresponding VLAN [7].
It is labeled with 802.1Q or ISL standard to separate
VLAN packets from each other. The technology used to
direct many VLANs over the same physical connection is
called the trunk configuration [8].
Trunk label applied to different communication via
VLAN is designed with the idea that contain a single
level[9]. Based on this idea, a single level decapsulation
process is performed on the switch. The attacker who wants
to send a packet to the B VLAN that is in the VLAN and has
no communication between can use the nested tag structure
to deceive the switch. An attacker could use the network
packet he created to add the desired vlan tag to make it look
like sent over a different VLAN.
Some safety measures have been proposed against
attacks on VLAN and Trunk structures. First of all it is
defended that for every trunk VLAN should be defined. The
previously created definitions always look like an open door
in the system. Therefore, unused ports and VLANs must be
disabled. The first situation that the attacker who wants to be
included in the system from outside is the default ports and
vlan addresses. The significant measure to be taken in the
system is that the default VLAN is not used.
C. Spanning Tree Attacks
The connections between the switches are designed as
redundant. The line that is left as a spare connection often
causes problems such as looping the packet to the network. It
is necessary to pass that line to prevent this cycle. The
physically inactive state leads to a delay in detecting breaks
that may occur in other lines and in the commissioning of the
backup line. The Spanning Tree tree structure is
proposed[10]. Spanning tree structure is used to prevent the
formation of loops in layer 2 structures. Root switch is
agreed on according to the determined priority levels. It
communicates and configures network messages called
Bridge Protocol Data Units (BPDUs)[11]. The corresponding
structure includes information messages such as connecting a
new device to the network or disconnecting the device from
the network. It is a possible type of attack that the attacker
connected to the network can connect to two interconnected
switches and try to fool the topology by creating BPDUs
messages to pass the connection between the two
switches[8]. Generally, STP is disabled in order not to fall
into these situations. However, disabling STP significantly
increases the likelihood of looping in the network[10]. Since
there is no dynamic structure for the self-correction of the
network acting outside of normal, leaving it out of STP
increases the open points in the network and increases the
effect coefficient of the attacks.
D. Private VLAN Attack
Isolated subfields created under VLANs are called
Private VLANs (PVLANs). It is a feature used to isolate
traffic within layer 2 itself. When a device running on layer
3, such as the Router, is connected to the PVLAN
configuration, it directs all incoming packets. Attack is
shown on Figure 3[12]. Malicious users in the system can
use this situation. The organization of access lists can
prevent the attack.
Fig. 3. Private VLAN Attack
IV. CONCLUSION AND DISCUSSION
As a result, the vulnerabilities resulting from the
functioning of the standard protocols and protocols are
discussed.These vulnerabilities in the layer 2 switches, where
both wired and wireless networks are connected, jeopardize
the security of the entire Internet infrastructure. It is seen that
the protocols designed without considering the security needs
are open to attack by attackers. Within the scope of this
paper, the attacks on IEEE standard protocols or poorly
Authorized licensed use limited to: Sharda University. Downloaded on July 18,2023 at 08:12:19 UTC from IEEE Xplore. Restrictions apply.
configured network devices were investigated. It is out of
scope that Defense methods against vulnerabilities and how
to make the right configurations are excluded and sould be
another study. In addition, the vulnerabilities arising from the
special protocols that various manufacturers such as Cisco,
Huawei HP and Alcatel have identified have been excluded
from the scope. It is planned to investigate the vulnerabilities
of the protocols defined in the device and brand, in the
future.
In this article, the vulnerabilities that may occur from the
configuration errors are defined in the standards on Network
and Datalink layer devices (such as switch) which constitute
the main backbone of today's internet infrastructure. Defined
by the attacker with a look at the attack vectors indicated.
The measures to be taken using defensive point of view and
defense recommendations are presented by type of attacks.
We share the vulnerabilities we have examined in this study
to manage security risks in general scope by controlling the
following seven steps.
 While configuring Layer 2 devices, the optimization
of the network is prioritized but the risks to be made
in terms of security (such as SSH, OOB, permit lists,
etc.) are not considered. For this reason, safety risks
along with network optimization should be
considered during configuration.
 VLAN 1 with default VLAN should not be used.
Specifically, trunk should not be made over the
default VLAN numbers and a special VLAN must be
defined for the trunk structure.
 Port security features must be enabled.
 Each port should be equipped with the appropriate
security precaution.
 The Spacing Tree Protocol attacks must be enabled
for the BPDU Guard feature.
 Separation of networks must be carried out in layer 2.
 Unused ports should be blocked.
With this study, we aimed to draw attention to the
security and confidentiality of internet infrastructure and to
direct the researchers to the security vulnerabilities caused by
the infrastructure. As a result of the study, we tried to create
a security roadmap for system administrators. In future
studies, it is thought to examine the measures to be taken
against these types of attacks in detail. Safe protocol designs
are planned for protocol based vulnerabilities.
V. ACKNOWLEDGEMENT
This publication was carried out in Internet of Things
Security and Evaluation Center (ISTEC) and Istanbul
Digital Forensics Laboratory (IDFL) sponsored by the
Istanbul Development Agency.
 VI. REFERENCES
[1] E. Y. GÜVEN and A. Y. ÇAMURCU, Kenar Bilişim Güvenlik
Uygulaması: Kılıç. 2018.
[2] G. C. Idex, Cisco global cloud index: Forecast and methodology.
2019.
[3] H. Zimmermann, “OSI Reference Model - The ISO Model of
Architecture for Open Systems Interconnection,” IEEE Trans.
Commun., vol. 28, no. 4, pp. 425–432, 1980.
[4] A. Arfeen, K. Pawlikowski, D. McNickle, and A. Willig, “Global and
local scaling analysis of link streams in access and backbone core
networks,” Comput. Networks, vol. 149, 2018.
[5] J. Zhao et al., “The Discussion about Mechanism of Data
Transmission in the OSI Model,” in 2018 International Conference on
Transportation & Logistics, Information & Communication, Smart
City (TLICSC 2018), 2018.
[6] Y. Yu, R. R. Hoare, and A. K. Jones, “A CAM-based intrusion
detection system for single-packet attack detection,” IEEE Int. Symp.
Parallel Distrib. Process. Miami, {FL}, vol. 10., pp. 1–8, 2008.
[7] X. S. Y.-W. E. S. S. D. Krothpalli and S. G. R. P. University, A
systematic Approach for evolving VLAN Designs. 2010.
[8] Y. Lai, Q. Pan, Z. Liu, Y. Chen, and Z. Zhou, “Trust-Based Security
for the Spanning Tree Protocol,” IEEE Int. Parallel Distrib. Process.
Symp. Work. Phoenix, {AZ}, vol. 10., pp. 1338–1343, 2014.
[9] A. N. Jabel, S. Manickam, and S. Ramdas, “A study of SIP trunk
security and challenges,” IEEE Int. Conf. Electron. Des. Syst. Appl.
({ICEDSA}), Kuala Lumpur, vol. 10., pp. 239–243, 2012.
[10] G. S. Antonova, “Spanning Tree Protocol Interoperability with Other
Loop Prevention Algorithms,” Can. Conf. Electr. Comput. Eng.
Vancouver, {BC}, vol. 10., pp. 1098–1101, 2007.
[11] Y. N. Krishnan, C. N. Bhagwat, and A. P. Utpat, “Optimizing
spanning tree protocol using port channel,” Int. Conf. Electron.
Commun. Syst. ({ICECS}), Coimbatore, vol. 10., pp. 1–5, 2014.
[12] M. Ahmadi and A. A. M. Zamani, A hyper-cube based modified
Spanning Tree Protocol for VLANs. 11th International Conference on
Advanced Communication Technology, Phoenix Park, 2009.
[13] M. Tu, K. W. Riordan, G. Xie, and S. Yang, A secure contact
protocol for delay tolerant networks. IEEE/ACIS 16th International
Conference on Computer and Information Science ({ICIS}), Wuhan,
2017.
[14] G. Nilsen, J. Torresen, and O. Sorasen, “A variable word-width
content addressable memory for fast string matching,” Proc. Norchip
Conf., vol. 10., pp. 214–217, 2004.
[15] H. Li, P. W. C. Prasad, A. Alsadoon, L. Pham, and A. Elchouemi, An
improvement of backbone network security using DMVPN over an
EZVPN structure. International Conference on Advances in
Electrical, Electronic and Systems Engineering ({ICAEES}),
Putrajaya, 2016.
[16] H. T. F. K. A. H. K. S. A. O. S. T., Dynamic & distributed routing
control for virtualized local area network. 2010.
[17] R. O. Verma and S. S. Shriramwar, “Effective VTP Model for
Enterprise VLAN Security,” Int. Conf. Commun. Syst. Netw.
Technol. Gwalior, vol. 10., pp. 426–430, 2013.
[18] Y. Y. M. Y. Y. J. G. H. S. H., Flexible access management system for
campus {VLAN} based on open-flow. 2011.
[19] K. H. Yeung, F. Yan, and C. Leung, “Improving Network
Infrastructure Security by Partitioning Networks Running Spanning
Tree Protocol,” Int. {Conference} {Internet} {Surveillance}
{Protection} ({ICISP}’06), {Cote} d’Azur, vol. 10., p. 19, 2006.
[20] Z. A. Khattak, S. Sulaiman, and J. A. Manan, Security, trust and
privacy (STP ) framework for federated single sign-on environment.
ICIMU 2011:{Proceedings} of the 5th international {Conference} on
{Information} {Technology} & {Multimedia}, {Kuala} {Lumpur},
2011.
[21] J. R. H. S. G. C. A. J. J. P. R. S. M. Handley and E. Schooler, SIP:
session initiation protocol. C, 2010.

Authorized licensed use limited to: Sharda University. Downloaded on July 18,2023 at 08:12:19 UTC from IEEE Xplore. Restrictions apply.