STP Layer 2 attack – Manipulating Spanning Tree Protocol settings

Redundant links are always welcome in a switch topology because they increase the network’s availability and robustness.

Seen from a Layer 2 perspective, however, redundant links can cause Layer 2 loops. This is simply because the TTL (Time To Live) field is found in the Layer 3 header, and Layer 2 has no such field.

On L3, this means that the TTL value is decremented only when the packet passes through a router. There is no way to “kill” a packet that is stuck in a Layer 2 loop. This situation can result in broadcast storms.

Fortunately, Spanning Tree Protocol (STP) can allow you to have redundant links while having a loop-free topology, thus preventing the potential for a broadcast storm.

STP achieves this loop-free topology by selecting one switch as the root bridge. If needed, the network administrator can influence which switch becomes the root bridge. This is done by manipulating the switch priority: the switch with the lowest bridge priority becomes the root bridge.

Every other switch in the network picks a root port, the port “closest” to the root bridge in terms of “cost.” The switches elect the root bridge by exchanging Bridge Protocol Data Units (BPDUs). All the switch ports in the topology are either in the blocking state or in the forwarding state.

If the root bridge goes down, the STP topology must find a new root bridge, and the election starts at that moment. A port does not transition immediately from the blocking state to the forwarding state. Rather, it transitions from blocking to listening, then to learning, and then to the forwarding state. The time before the port starts to forward packets can be up to one minute.

STP attack

If an attacker has access to switch ports that are able to become trunk ports, he can introduce a rogue switch into the network.

Remember that Cisco switches have all the ports in “dynamic desirable” mode by default. This means that if the ports are still in that mode, the attacker can connect the rogue switch to the network wall jack in his cubicle and the switch will negotiate a trunk link with the switch in the company.

At that point he can form another connection to a second switch in the company, and he is then able to manipulate the rogue switch’s spanning tree priority. If he configures his rogue switch with a priority lower than that of any other switch in the company, most of the traffic will theoretically pass through that switch.

A rogue switch with, e.g., priority 0 announces its “superior BPDUs,” and the STP topology reconverges. His rogue switch will become the root bridge and all the traffic will cross this switch. This gives him the possibility to sniff all traffic in the company. It will also redirect traffic from the high-bandwidth links between other switches to the 100 Mbps link on the rogue switch. This will significantly reduce the speed of the network.
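
Seen from the defender's side, the superior BPDU described above is easy to spot when the intended root bridge is known. The following is an added example, not code from the original article: it reads the root and sender bridge IDs from a BPDU body (standard 802.1D field layout) and flags BPDUs that arrive on host-facing ports or advertise a root better than the expected one. The port names, MAC addresses, priorities and helper names are constructed for illustration.

```python
import struct
from typing import NamedTuple

class BridgeID(NamedTuple):
    priority: int   # compared first: lowest priority wins the election
    mac: bytes      # tie-breaker: lowest MAC address wins

def parse_bpdu(payload: bytes):
    """Return (root_id, root_path_cost, sender_id) from an STP/RSTP BPDU body."""
    if len(payload) < 35:
        raise ValueError("truncated BPDU")
    proto, _version, bpdu_type, _flags = struct.unpack_from("!HBBB", payload, 0)
    if proto != 0 or bpdu_type not in (0x00, 0x02):
        raise ValueError("not a configuration or RST BPDU")
    rp, rmac, cost, bp, bmac = struct.unpack_from("!H6sIH6s", payload, 5)
    return BridgeID(rp, rmac), cost, BridgeID(bp, bmac)

def fmt(b: BridgeID) -> str:
    return f"{b.priority}/{b.mac.hex(':')}"

def check_bpdu(port, payload, expected_root, uplink_ports):
    """Return alert strings for one BPDU observed on `port`."""
    root, _cost, sender = parse_bpdu(payload)
    alerts = []
    if port not in uplink_ports:
        alerts.append(f"{port}: BPDU from {fmt(sender)} on a port that should face hosts only")
    if root < expected_root:  # tuple order: priority first, then MAC
        alerts.append(f"{port}: superior root {fmt(root)} beats expected {fmt(expected_root)}")
    return alerts

def sample_bpdu(root: BridgeID, sender: BridgeID, cost: int) -> bytes:
    """Constructed test fixture: a 35-byte configuration BPDU body."""
    return (struct.pack("!HBBB", 0, 0, 0x00, 0)
            + struct.pack("!H6sIH6s", root.priority, root.mac, cost, sender.priority, sender.mac)
            + struct.pack("!HHHHH", 0x8001, 0, 20 * 256, 2 * 256, 15 * 256))

# Constructed values, not taken from the article.
EXPECTED_ROOT = BridgeID(4096, bytes.fromhex("001122334455"))
UPLINKS = {"Gi0/1", "Gi0/2"}
ACCESS_SW = BridgeID(32768, bytes.fromhex("0011223344aa"))
UNKNOWN = BridgeID(0, bytes.fromhex("020000000001"))

if __name__ == "__main__":
    observed = [("Gi0/1", sample_bpdu(EXPECTED_ROOT, ACCESS_SW, 4)),
                ("Fa0/12", sample_bpdu(UNKNOWN, UNKNOWN, 0))]
    for port, raw in observed:
        for alert in check_bpdu(port, raw, EXPECTED_ROOT, UPLINKS) or [f"{port}: ok"]:
            print(alert)
```

The comparison `root < expected_root` mirrors the election rule: a lower priority always wins, and the MAC address only decides between equal priorities.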

How to get rid of this security problem: read “How to stop STP attack”.
