A Must-Have Guide - Risk-Free: Protect Against VLAN and STP Attacks
by PivIT Global on Aug 2, 2022 7:01:00 AM
Securing the network is one of the most important tasks every engineer must consider to provide a safe networking environment. Although this task mainly focuses on protecting the network from outside attacks, such as from the internet, it also involves protection against less threatening, but still fatal internal attacks.
Therefore, you should always consider the protocols and features you use in your network and provide appropriate protection against attacks that directly include them.
Using VLANs and spanning-tree protocols (STPs) is common in networks today. However, both can be easily manipulated, resulting in various internal issues or even downtime when not properly taken care of. STP is needed to stop potential loops on Layer 2 when providing redundancy, and VLANs logically divide the physical network into separate independent domains.
In this article, we will discover what VLAN and STP attacks are, how they affect network behavior, and how to mitigate them. View some of our other protection guides:
- Configure Network Security Using an ACL in SVI Environments
- A Guide to Configuring and Troubleshooting DHCP Snooping
- The Ultimate Guide to DHCP Spoofing and Starvation Attacks
VLAN Attacks
VLANs are the easiest way to divide the physical network into independent logical networks. You can create as many VLANs as you need based on your requirements, such as different departments, floors, and locations, and then based on your policies, permit or deny communications between them.
The rules of using VLANs are quite simple and easy to follow. Once the VLANs are configured, the Layer 2 switches allow intra-VLAN communication on their own, but for inter-VLAN communication, all traffic must go through a Layer 3 device such as a router.
So, you might be wondering, what can go wrong with such a simple feature? Well, a couple of things, for that matter. Two common VLAN-based attacks that can easily abuse any VLAN misconfiguration are VLAN hopping attacks and double-tagging VLAN hopping attacks. Let’s see what they do and how to protect against them.
VLAN Hopping Attack
VLAN hopping attacks allow the attacker to access all VLANs configured on the switch to which he connects. As a result, the attacker can send and receive data traffic freely on all those VLANs.
So, how can such a thing even happen in the first place? Incorrectly configured interfaces on the switch can lead to such an attack. By default, each interface on the switch is configured in auto mode, which allows it to end up operating in either access or trunk mode. However, trunk mode provides access to all VLANs available on the switch by default.
So, since the Dynamic Trunking Protocol (DTP) is enabled by default, anybody with an appropriate tool can negotiate a trunk link when connecting to such an interface and become a “member” of all those VLANs allowed on that trunk link. Therefore, anytime you have an unused port on the switch operating in either auto mode or trunk mode, it could be a potential threat to your network.
The protection against this attack is quite simple and involves the following steps:
- First, disable any unused ports. If you don’t need them, there is no point in having them enabled.
- Configure all those unused ports on your switch in access mode, which does not allow a trunk to be created, only an access link. As a result, the interface can belong to only one VLAN instead of all available VLANs.
- To increase the security, you can assign the same ports to some unused VLAN, so any connection to them would allow access to a place where nothing happens.
- Finally, disable DTP. If you manually define the operational mode of each interface, the auto-negotiation feature is unnecessary.
As you can see from the image above, the attacker is connected to interface fa0/1 on the switch. The following commands would provide sufficient protection on interface fa0/1 against a VLAN hopping attack.
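The following Cisco IOS configuration is an added example covering the four steps above; it is not the article's own figure. The VLAN id 999 and its name are assumptions, as is the use of fa0/1 as an unused or end-device port.

```cisco
! Step 1 (part a) - create a dedicated "parking" VLAN that is not routed
! and not used by any real host. 999 and the name are assumed values.
vlan 999
 name UNUSED_PARKING
!
interface FastEthernet0/1
 description Unused or end-device port - trunking not permitted
 ! Step 2 - force access mode so a trunk can never be negotiated here
 switchport mode access
 ! Step 3 - place the port in the parking VLAN; a device plugged in
 !          reaches a VLAN where nothing happens
 switchport access vlan 999
 ! Step 4 - disable DTP on this port; the mode is static, so
 !          auto-negotiation is unnecessary
 switchport nonegotiate
 ! Step 1 (part b) - keep the port administratively down while unused
 shutdown
!
! Verification (exec mode): the output should show an operational mode of
! static access and "Negotiation of Trunking: Off".
! show interfaces FastEthernet0/1 switchport
! show dtp interface FastEthernet0/1
```

Apply the same template with `interface range` to every unused port, and remove only the `shutdown` line for ports that serve end devices.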
Double-Tagging VLAN Hopping Attack
This attack allows information from one VLAN to be sent into another without using a Layer 3 device, otherwise known as the “leaking” of data.
It happens on switches that perform only one level of 802.1Q decapsulation, allowing the attacker to embed a second 802.1Q tag inside the frames they send. As a result, the frame reaches the victim in the VLAN specified by the additional tag inside the frame.
However, for this attack to work, a condition must be met. The attacker must belong to the same VLAN configured as native on the trunk link between the switches. As you can see from the image above, the native VLAN is 100, and the attacker connects to an interface that belongs to the same VLAN.
So, when the attacker wants to send data to the victim that is part of VLAN 200, they add an 802.1Q tag identifying VLAN 200. As a result, when the frame is sent, it contains two tags, the inner (hidden one) for VLAN 200 and the outer for VLAN 100.
When SW1 receives the frame, it accepts it because the source VLAN is the same as the native VLAN (in our case, VLAN 100), then discards the outer tag because it uses the same VLAN as the native one (no tagging for the native VLAN), and finally forwards the frame to SW2.
What follows next is a normal switch behavior. SW2 uses the only tag inside the frame (for VLAN 200) and directs the frame to the victim in that same VLAN.
It is important to note that this attack is unidirectional and works only when the attacker belongs to the same VLAN as the VLAN defined as native on the trunk link between the switches. By default, the native VLAN on a trunk port/link is always VLAN 1, but changing it to another VLAN is recommended as a security measure.
To mitigate such an attack, you should never assign interfaces connecting end devices to the same VLAN you use as the native VLAN on the trunk link. For that reason, you create a VLAN to be a native VLAN on the trunk link and do not use it anywhere else on that switch.
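As an added example (not from the article), the trunk between SW1 and SW2 configured both the weak way and the corrected way. VLAN 100 and 200 are the article's values; the interface name Gi0/24 and the dedicated native VLAN 999 are assumptions.

```cisco
! Dedicated native VLAN - assumed id 999; no access port is ever placed in it
vlan 999
 name NATIVE_ONLY
!
! WEAK: native VLAN 100 is also used by access ports (the attacker's port
! in the article). A frame from a VLAN 100 host crosses the trunk untagged,
! so its inner tag for VLAN 200 is exposed to SW2.
interface GigabitEthernet0/24
 switchport mode trunk
 switchport trunk native vlan 100
!
! CORRECTED: the native VLAN is used nowhere else. A frame from VLAN 100
! now crosses the trunk with its outer tag for VLAN 100 intact, and SW2
! keeps it in VLAN 100 instead of honouring the inner tag.
interface GigabitEthernet0/24
 ! On platforms that still support ISL, set the encapsulation first:
 ! switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 100,200
 switchport nonegotiate
!
! Optional, on platforms that support it: tag native VLAN frames as well,
! so no frame ever leaves a trunk untagged. Configure it on both switches.
vlan dot1q tag native
!
! Verification: the native VLAN must match on both ends of the trunk, or
! CDP and STP will log a native VLAN mismatch.
! show interfaces trunk
! show interfaces GigabitEthernet0/24 switchport
```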
STP Attacks
Spanning Tree Protocol is crucial in Layer 2 networks. It provides redundancy while at the same time protecting against switching loops that can lead to unwanted problems and poor network behavior.
However, without appropriate protection against STP attacks, an attacker can easily cause suboptimal paths, create loops even with STP running on the switches, and carry out man-in-the-middle attacks.
The way the STP attack works is surprisingly easy. The attacker starts sending superior BPDU packets that contain a better (lower) bridge ID than the bridge ID of the active root bridge (priority 4096 in our example) in the network.
Because of that, the attacker takes over the role of the root bridge, and all traffic between the other switches passes through the attacker’s device. This results in a man-in-the-middle attack and can be fatal, especially if sensitive data is exchanged.
As you can see from the image above, initially, SW1 is the root bridge, but this changes when the attacker starts sending superior BPDU packets. Consequently, the attacker becomes the root bridge, and after STP calculations, different ports become blocked, which leads to a man-in-the-middle attack.
To protect against an STP attack, you should implement the root guard feature. It prevents unwanted root bridge changes by discarding superior BPDU packets received on the interfaces where it is enabled. When such a BPDU arrives, the interface transitions to the root-inconsistent state (it stops forwarding) and stays in that state until the superior BPDUs stop arriving, after which it recovers on its own.
To enable this security feature, you must enter the “spanning-tree guard root” command in interface configuration mode for those interfaces where you want to protect against this attack.
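An added example (not from the article) of root guard on the ports of SW1 that face access switches and end devices, together with the commands used to confirm it worked. The interface names are assumptions; the priority value 4096 is the one shown for the root bridge in the article.

```cisco
! Pin the intended root bridge explicitly so the root does not depend on
! the default priority of 32768. Must be a multiple of 4096.
spanning-tree vlan 1-4094 priority 4096
!
! Enable root guard on every port that must never lead toward a root bridge:
! ports toward access switches and end devices. Never enable it on the
! uplink toward the legitimate root, or that uplink will be blocked.
interface range GigabitEthernet0/1 - 2
 description Downstream ports - root guard
 spanning-tree guard root
!
! The port the attacker used in the article (fa0/1) would be protected the
! same way on the switch it connects to:
interface FastEthernet0/1
 spanning-tree guard root
!
! Verification: a port that received a superior BPDU appears here as
! root-inconsistent and is removed from the list once the BPDUs stop.
! show spanning-tree inconsistentports
! show spanning-tree interface GigabitEthernet0/1 detail
! show spanning-tree root
```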
Implement a Firewall for Increased Protection
As you can see, even though the VLAN and STP attacks are straightforward to implement, they can result in fatal network behavior when not properly handled. Therefore, as a network engineer, you should never underestimate them and must always take appropriate security measures in advance to be prepared for such events when they unexpectedly happen.
Get extra protection with a dedicated firewall! If you are not sure about which firewall would best suit your network, send PivIT a request or connect with our Team in real-time using our chat feature. Know how to configure everything already but you're in need of new hardware? Click below to view your options!