STP Layer 2 attack – Manipulating Spanning Tree Protocol settings

Redundant links are always welcome in switch topology as they are increasing the network’s availability and robustness. Redundant links if we look at them from layer 2 perspective can cause Layer 2 loops. This is simply because TTL (Time To Live) field of the packet is found in Layer 3 header. In networking technology this means that TTL number will be diminished only when the packet is passing through the router. There is no way to “kill” a packet that is stuck in layer 2 loop. This situation can result in broadcast storms. Fortunately, Spanning Tree Protocol (STP) can allow you to have redundant links while having a loop-free topology, thus preventing the potential for broadcast storms.

STP achieves this loop-free topology by electing one switch as the root bridge and of course network administrator can influence which switch becomes the root bridge. This is done by manipulating a switch priority, lowest bridge priority means the root bridge. Every other switch in the network picks a root port, port STP converged network“closest” to the root bridge switch, in terms of “cost.” The switches are making arrangements for election of the root bridge through the exchange of Bridge Protocol Data Units (BPDU). All the switch ports in the topology are either in the blocking state or in the forwarding state.

If the root bridge goes down, the STP topology must find a new root bridge and the election is starts in that moment. Port does not immediately transition from the blocking state to the forwarding state. Rather, a port transitions from blocking, to listening, to learning, to forwarding states and the time before port starts to forward packets can be up to one minute.

STP attackIf an attacker has access to switch ports that are able to become trunk ports, he can introduce a rogue switch into the network. Remember that Cisco switches have all they ports in “dynamic desirable” mode by default. This means if the ports are still in that mode, the attacker can connect rouge switch in his cubicle network wall jack and the switch will form trunk link with switch in the company. In than moment in he have maybe possibility to form another connection to second switch from that company he is able to manipulate rouge switch priority  so that is less than any other switch in the company. Rogue switch with e.g priority 0 announces its “superior BPDUs,”  and the STP topology reconverts. His rouge switch will become root bridge and all the traffic will cross this switch. This gives him the possibility to sniff all traffic in the company but it will also redirect traffic from high bandwidth links between real switch to 100 Mbps link on the rouge switch. This will significantly reduce the speed of the network.

How to get rid of this security problem: Read: How to stop STP attack

Leave a Reply

%d bloggers like this: