CDP Attacks – Cisco Discovery Protocol Attack
CDP, the Cisco Discovery Protocol, is a proprietary protocol that all Cisco devices can use by default. CDP discovers other directly connected Cisco devices, which lets the devices auto-configure their connection in some cases, simplifying configuration and connectivity. CDP messages are not encrypted.
Most Cisco routers and switches have CDP enabled in the default configuration, out of the box. CDP information is sent in periodic broadcasts, and each device updates its local CDP database from them. Because CDP is a Layer 2 protocol, routers do not propagate it.
CDP contains information about the network device, such as the software version, IP address, platform, capabilities, and the native VLAN. When this information is available to an attacker's computer, the attacker can use it to find exploits to attack your network, usually in the form of a Denial of Service (DoS) attack.
An attacker can easily use Wireshark or other network analyzer software to sniff the device information that CDP sends across the network in broadcast messages. The Cisco IOS software version discovered via CDP, in particular, would allow the attacker to research and determine whether there are any security vulnerabilities specific to that particular version of code. Also, because CDP is unauthenticated, an attacker could craft bogus CDP packets and have them received by the attacker’s directly connected Cisco device. If the attacker can get access to the router via either Telnet or SNMP, they can use the CDP information to discover the entire topology of your network at Layers 2 and 3, including all IOS levels, router and switch model types, and IP addressing. Somebody armed with this information and a Cisco bug list could launch a very effective attack against your network.
All of these are reasons why many network professionals choose to disable CDP throughout their networks. If you plan to disable CDP for security reasons, you should consider disabling it on the whole router, not just on some interfaces. If you disable CDP on a single interface, you will only prevent people from reading the CDP advertisements, but the CDP table will still exist and will be easily accessible through SNMP or Telnet. Probing is then still possible.
Security risk always comes from two main points: an attack can be launched against your network either from the inside or from a directly connected network. Seen that way, CDP must be disabled on any router that connects to external networks, most of all the router that connects you to the public Internet. On the other hand, attacks from the inside are launched by people who are already physically connected to the network, and these people probably have legitimate access to it. It is hard to detect an attacker among the people you trust. The usefulness of CDP can then be minor compared to the risk of attack. Whether you disable CDP in a situation like this depends on how much you can trust your network users.
To address these vulnerabilities, it is recommended that you disable CDP on devices that do not need to use it.
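The difference described above between disabling CDP on the whole router and on single interfaces can be checked in a saved configuration. The following audit script is an added example, not part of the original article; it assumes IOS-style syntax (`no cdp run` globally, `no cdp enable` per interface), and the function name `audit_cdp` and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample running-config for illustration (not from a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
interface GigabitEthernet0/0
 description uplink to external network
 no cdp enable
!
interface GigabitEthernet0/1
 description internal LAN
!
interface GigabitEthernet0/2
 shutdown
!
end
"""

def audit_cdp(config_text):
    """Classify CDP exposure in an IOS-style config (hypothetical helper).

    Assumes CDP runs unless 'no cdp run' is present, matching the
    default-enabled behaviour the article describes.
    """
    global_off = False
    flags = {}          # interface name -> set of sub-commands seen under it
    current = None
    for line in config_text.splitlines():
        if line.strip() == "no cdp run" and not line.startswith(" "):
            global_off = True
        match = re.match(r"interface\s+(\S+)", line)
        if match:
            current = match.group(1)
            flags[current] = set()
        elif current and line.startswith(" "):
            flags[current].add(line.strip())
        else:
            current = None   # left the interface block
    # Interfaces that are administratively up and still run CDP.
    advertising = [name for name, cmds in flags.items()
                   if not global_off and "no cdp enable" not in cmds
                   and "shutdown" not in cmds]
    if global_off:
        status = "disabled"
    elif any("no cdp enable" in cmds for cmds in flags.values()):
        status = "interface-only"   # CDP table still exists on the device
    else:
        status = "enabled"
    return {"status": status, "advertising": advertising}

if __name__ == "__main__":
    print(audit_cdp(SAMPLE_CONFIG))
```

A result of `interface-only` marks the case the article cautions about: advertisements are suppressed on some ports, but the device still keeps a CDP table that is reachable through SNMP or Telnet.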