Tech Corner

A Must-Have Guide - Risk-Free: Protect Against VLAN and STP Attacks

Securing the network is one of the most important tasks of every engineer who wants to provide a safe networking environment. Although the effort usually focuses on protecting the network from outside attacks, such as from the internet, it also has to cover internal attacks, which get less attention but can be just as damaging.

Therefore, you should always review the protocols and features you run in your network and protect against the attacks that target them directly.

VLANs and the spanning-tree protocol (STP) are used in nearly every switched network today: STP blocks Layer 2 loops when redundant links are present, and VLANs logically divide the physical network into separate, independent broadcast domains. However, both can be manipulated easily when they are not properly secured, resulting in internal issues or even downtime.

In this article, we will look at what VLAN and STP attacks are, how they affect network behavior, and how to mitigate them.

VLAN Attacks

VLANs are the easiest way to divide a physical network into independent logical networks. You can create as many VLANs as you need, for example per department, floor, or location, and then permit or deny communication between them according to your policies.

The rules of using VLANs are simple. Once the VLANs are configured, a Layer 2 switch forwards traffic freely between ports in the same VLAN (intra-VLAN communication), but traffic between different VLANs (inter-VLAN communication) must pass through a Layer 3 device such as a router or a multilayer switch.

So what can go wrong with such a simple feature? A couple of things. Two common VLAN-based attacks that abuse VLAN misconfigurations are the VLAN hopping attack (also called switch spoofing) and the double-tagging VLAN hopping attack. Let's see what they do and how to protect against them.

VLAN Hopping Attack

A VLAN hopping attack gives the attacker access to every VLAN carried on the switch port they connect to. As a result, the attacker can send and receive traffic on all of those VLANs, bypassing whatever policy the Layer 3 device enforces between them.

How can this happen? Incorrectly configured switch interfaces make it possible. On Cisco Catalyst switches, each interface defaults to the DTP mode dynamic auto, which lets it become either an access port or a trunk port depending on what the neighbor negotiates. A trunk port, by default, carries all VLANs configured on the switch.

Because the Dynamic Trunking Protocol (DTP) is enabled by default, anyone with the appropriate tool (a host that sends DTP frames claiming to be a switch) can negotiate a trunk link on such an interface and become a "member" of every VLAN allowed on that trunk. Therefore, any port on the switch that is left in dynamic auto, dynamic desirable, or trunk mode is a potential threat to your network, whether it is in use or not.

The protection against this attack is simple and involves the following steps:

  • First, shut down any unused ports. If you don't need them, there is no reason to leave them enabled.
  • Configure every port that connects an end device, and any port you leave enabled, as a static access port. An access port can never become a trunk and belongs to exactly one VLAN instead of all of them.
  • To increase security, assign the unused ports to an unused "black-hole" VLAN that is not routed and not allowed on any trunk, so that a device plugged into one of them lands in a VLAN where nothing happens.
  • Finally, disable DTP on every port (switchport nonegotiate). If you define the operational mode of each interface manually, including your real trunks, the auto-negotiation feature is unnecessary.

VLAN attacker topology

As you can see from the image above, the attacker is connected to interface fa0/1 on the switch. The following commands would provide sufficient protection on interface fa0/1 against a VLAN hopping attack.

Commands to protect against VLAN hopping attack
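The following configuration is an added example for the steps above; it is not the article's own command listing. It assumes a Cisco IOS Catalyst switch, fa0/1 as the attacker-facing port from the figure, VLAN 10 as that port's user VLAN, VLAN 999 as the black-hole VLAN, and the other port numbers are chosen only for illustration.

```cisco
! Added example, not the article's own listing. Cisco IOS (Catalyst)
! syntax assumed; fa0/1 is the attacker-facing port from the figure,
! VLAN 10, VLAN 999 and the remaining port numbers are assumptions.
!
! A VLAN that carries nothing: no SVI, not allowed on any trunk.
vlan 999
 name BLACKHOLE_UNUSED
!
! fa0/1: static access port. DTP can no longer turn it into a trunk,
! and "nonegotiate" stops the port from sending DTP frames at all.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
! Unused ports: parked in the black-hole VLAN and shut down.
interface range FastEthernet0/2 - 24
 switchport mode access
 switchport access vlan 999
 switchport nonegotiate
 shutdown
!
! Real uplinks: an explicit trunk with DTP off and only the VLANs that
! must cross it. No port anywhere is left in dynamic auto or desirable.
! The encapsulation line is only needed (and only accepted) on
! platforms that also support ISL; omit it on dot1q-only switches.
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 10,20
```

To check the result, "show interfaces FastEthernet0/1 switchport" should report "Administrative Mode: static access" and "Negotiation of Trunking: Off"; "show dtp interface FastEthernet0/1" confirms that no DTP frames are being sent. Note that "switchport nonegotiate" is only accepted once the port is in static access or trunk mode, so order the commands as shown.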


Double-Tagging VLAN Hopping Attack

This attack allows information from one VLAN to be sent into another without using a Layer 3 device, otherwise known as the “leaking” of data.

It works on switches that perform only one level of 802.1Q decapsulation: the attacker embeds a second 802.1Q tag inside the frame it sends, and after the first switch removes the outer tag, the frame reaches the victim in the VLAN named in the inner tag.

Process topology of a frame being sent from an attacker

However, for this attack to work, one condition must be met: the attacker's access port must belong to the VLAN that is configured as the native VLAN on the trunk link between the switches. In the image above, the native VLAN is 100, and the attacker is connected to an interface in that same VLAN.

So when the attacker wants to send data to the victim in VLAN 200, they craft a frame that carries two 802.1Q tags: an outer tag for VLAN 100 and, hidden behind it, an inner tag for VLAN 200.

When SW1 receives the frame, it accepts it because the outer tag matches the attacker's own VLAN (in our case, VLAN 100). Because VLAN 100 is the native VLAN on the trunk and native VLAN frames are sent untagged, SW1 strips that outer tag and forwards the frame to SW2 with the inner tag now exposed as the only tag.

What follows is normal switch behavior: SW2 reads the only tag left in the frame (VLAN 200) and delivers it to the victim in that VLAN.

It is important to note that this attack is unidirectional (the victim's replies do not come back through the same trick) and works only when the attacker belongs to the VLAN defined as native on the trunk link between the switches. By default, the native VLAN on a Cisco trunk is VLAN 1, and changing it to a dedicated VLAN is recommended as a security measure.

To mitigate this attack, never assign interfaces that connect end devices to the VLAN you use as the native VLAN on a trunk link. Create a VLAN solely to serve as the native VLAN on trunk links and use it nowhere else on the switch (no access ports, no SVI). Where the platform supports it, you can additionally configure the switch to tag the native VLAN on trunks, so that no frame crosses a trunk untagged. Note that the DTP hardening described for the previous attack does not stop double tagging on its own, because the attacker's port is a perfectly legitimate access port.
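The following configuration is an added example for this mitigation, not the article's own listing. It shows the vulnerable native VLAN setting from the figure next to the corrected one. Cisco IOS syntax is assumed; Gi0/1 as the SW1-SW2 trunk and VLAN 900 as the dedicated native VLAN are assumptions, while VLANs 100 and 200 are the ones from the figure.

```cisco
! Added example, not the article's own listing. Cisco IOS syntax assumed;
! Gi0/1 and VLAN 900 are assumptions, VLANs 100 and 200 are from the figure.
!
! BEFORE (vulnerable, as in the figure): the attacker's access VLAN 100 is
! also the trunk's native VLAN, so SW1 strips the outer tag 100 and SW2
! delivers the frame into VLAN 200 based on the inner tag.
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 100
!
! AFTER: a VLAN that exists only to be native on trunks. No access port is
! ever placed in it, it has no SVI, and it is not routed anywhere, so no
! attacker can ever sit in the native VLAN.
vlan 900
 name NATIVE_TRUNK_ONLY
!
interface GigabitEthernet0/1
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 900
 switchport trunk allowed vlan 100,200,900
!
! Optional, where the platform supports it: tag the native VLAN on all
! trunks (global command), so no frame crosses a trunk untagged and the
! outer tag of a double-tagged frame is never removed.
vlan dot1q tag native
```

"show interfaces trunk" lists the native VLAN of every trunk, which is the quickest way to confirm that no trunk still uses an access VLAN (or VLAN 1) as native; "show vlan dot1q tag native" shows whether native VLAN tagging is active. Both ends of a trunk must agree on the native VLAN, otherwise the switches report a native VLAN mismatch and bridge the two VLANs together.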

STP Attacks

Spanning tree protocol is crucial in Layer 2 networks: it allows redundant links while protecting against switching loops, which otherwise cause broadcast storms and poor network behavior.

However, without adequate protection against STP attacks, an attacker can easily force suboptimal paths, create loops even with STP running on the switches, or position themselves for a man-in-the-middle attack.

The way an STP attack works is surprisingly easy. The attacker starts sending superior BPDUs, that is, BPDUs advertising a better (lower) bridge ID than the one of the current root bridge, whose priority is 4096 in the example below.

Because of that, the attacker's device is elected root bridge, the topology is recalculated around it, and traffic between the other switches can be forced through the attacker's device (if it is connected to two switches, it becomes the path between them). This is a man-in-the-middle attack and can be fatal, especially if sensitive data is exchanged.


Root bridge change when an attacker starts sending superior BPDU packets

As you can see from the image above, SW1 is initially the root bridge, but this changes when the attacker starts sending superior BPDUs. The attacker becomes the root bridge, and after STP recalculates, different ports become blocked, which puts the attacker in a man-in-the-middle position.

To protect against an STP attack, implement the root guard feature. It prevents unwanted root bridge changes: when a superior BPDU arrives on an interface with root guard enabled, the switch does not accept the new root but instead puts that interface into the root-inconsistent (blocking) state. The interface stays there until the superior BPDUs stop arriving, after which it recovers on its own. Enable root guard only on ports that should never lead toward the root bridge (designated ports facing access switches and end hosts); on an uplink toward your real root it would block your legitimate path.

Topology when the spanning tree guard root feature is enabled

To enable this security feature, enter the "spanning-tree guard root" command in interface configuration mode on each interface you want to protect against this attack.
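The following configuration is an added example for the root guard setup, not the article's own listing. Cisco IOS syntax is assumed, and the interface names are assumptions; the priority 4096 matches the figure's root bridge (SW1). The BPDU guard lines at the end are an added hardening step beyond the root guard the article describes.

```cisco
! Added example, not the article's own listing. Cisco IOS syntax assumed;
! interface names are assumptions. Priority 4096 matches SW1 in the figure.
!
! On SW1: pin the root role with the lowest priority used anywhere in the
! network (the value must be a multiple of 4096).
spanning-tree vlan 1-4094 priority 4096
!
! Root guard on the ports that face downstream switches and hosts: a
! superior BPDU arriving here puts the port into root-inconsistent
! (blocking) state instead of electing a new root, and the port recovers
! by itself once the superior BPDUs stop. Never enable it on an uplink
! toward the real root, or you block your own path to it.
interface range GigabitEthernet0/2 - 3
 spanning-tree guard root
!
! Added hardening beyond the article's root guard: an end host has no
! business sending BPDUs at all, so err-disable any access port that
! receives one (portfast is required for bpduguard to apply here).
interface range FastEthernet0/1 - 24
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
```

"show spanning-tree inconsistentports" lists every port currently held in the root-inconsistent state, which is also the first thing to check when a legitimate link unexpectedly stops forwarding after you enable root guard. "show spanning-tree interface GigabitEthernet0/2 detail" confirms "Root guard is enabled on the port". Ports shut by BPDU guard appear in "show interfaces status err-disabled" and stay down until you clear them or configure "errdisable recovery cause bpduguard".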

Implement a Firewall for Increased Protection

As you can see, even though VLAN and STP attacks are straightforward to carry out, they can cause fatal network behavior when not properly handled. Therefore, as a network engineer, never underestimate them and put the appropriate security measures in place in advance, so that you are prepared when such an event happens unexpectedly.

A dedicated firewall adds another layer of protection beyond these Layer 2 measures, but it does not see the attacks described here, which take place entirely inside the switched network.
