CSN11111 - LAN Security

The document provides an overview of Layer 2 technology in network security, focusing on LAN security, vulnerabilities, and countermeasures. It explains the functions of switches, ARP, VLANs, and the Spanning Tree Protocol (STP) to prevent switching loops. Additionally, it discusses the advantages of VLANs and the importance of CAM tables in managing MAC addresses within a network.

Uploaded by Shahrukh Ghaffar

CSN11111/8

Network Security

LAN Security
Learning Objectives
 Introduction to Layer 2 Technology
 Attacks and Counter Measures
 MAC Address, ARP, and DHCP Vulnerabilities
 VLAN Vulnerabilities
 Spanning Tree Protocol
 Port security
Layer 2 Technology
Layer 2 switching (or Data Link layer switching) is the process of using devices’ MAC addresses on a LAN to segment a network. Switches and bridges are used for Layer 2 switching. They break up one large collision domain into multiple smaller ones.
 There is usually a correspondence between building separation and subnet separation.
  Switching inside a building
  Routing between buildings
 Layer 2 protocols basically control access to a shared medium (copper, fiber, electromagnetic waves).
 Wireless (802.11a,b,g,n) is also a Layer 2 technology.


Layer 2 Technology
 Switch
 Learns the location of each node by looking at the source address of each incoming frame, and builds a forwarding table.
 Forwards each incoming frame to the port where the destination node is.
 Reduces the collision domain.
 Makes more efficient use of the wire.
 Nodes don’t waste time checking frames not destined to them.
Layer 2 Technology
 How switches work
Each network card has a unique identifier called a Media Access Control (MAC) address. This address is used in LANs for communication between devices on the same network segment.
Devices that want to communicate need to know each other’s MAC address before sending out packets. They use a process called ARP (Address Resolution Protocol) to find out the MAC address of another device. ARP is the process by which a known L3 address is mapped to an unknown L2 address.
If a host is speaking to another host on the same IP network, the target for the ARP request is the other host’s IP address. If a host is speaking to another host on a different IP network, the target for the ARP request will be the Default Gateway’s IP address.
Layer 2 Technology
 Layer 2 vs. Layer 3
 Layer 2 uses MAC addresses and is responsible for packet delivery from hop to hop.
 Layer 3 uses IP addresses and is responsible for packet delivery from end to end.
 When a computer has data to send, it encapsulates it in an IP header which includes information like the Source and Destination IP addresses of the two “ends” of the communication.
 The IP Header and Data are then further encapsulated in a MAC address header, which includes information like the Source and Destination MAC address of the current “hop” in the path towards the final destination.
Layer 2 Technology
 How switches work
 Host A wants to communicate with host B for the first time.
 Host A knows the IP address of host B, but since this is the first time the two hosts communicate, the hardware (MAC) addresses are not known.
 Host A uses the ARP process to find out the MAC address of host B.
 The switch forwards the ARP request out all ports except the port host A is connected to. Host B receives the ARP request and responds with its MAC address.
 The switch now knows the MAC address of host B and stores that address in its MAC address table. The same happens for host A.
 Now, when host A sends a packet to host B, the switch looks up its MAC address table and forwards the frame only out port Fa0/1, the port on which host B is connected.
Layer 2 Technology
 Virtual LANs (VLANs)
 VLANs logically segment switched networks based on the functions, project teams, or applications of the organization regardless of the physical location or connections to the network.
 VLANs are logical groupings of devices in the same broadcast domain. A broadcast domain defines how far a broadcast or unknown unicast flood frame can reach. Broadcast frames contain an all-1s destination MAC address, which indicates that they are intended for everyone on the LAN (or VLAN).
 VLANs allow us to split switches into separate (virtual) switches.
 Only members of a VLAN can see that VLAN’s traffic.
 VLANs can be spread across multiple switches, with each VLAN being treated as its own subnet or broadcast domain.
Layer 2 Technology
 Virtual LANs (VLANs)
[Figure: three groups on 10.1.0.0/16, 10.2.0.0/16 and 10.3.0.0/16, shown without VLANs (one switch per group) and with VLANs (one switch, with one link per VLAN or a single trunk, covered later).]
√ Without VLANs, each group is on a different IP network and on a different switch.
√ Using VLANs, the switch is configured with the ports on the appropriate VLAN. Each group is still on a different IP network; however, they are all on the same switch.
Layer 2 Technology
 Two Major Functions of VLANs
Below is a network with three different physical switches. The switches facilitate communication within networks, and the routers facilitate communication between networks.
Each switch above independently performs all the functions of a switch. If each of these switches has 24 ports and only two are in use, then 22 ports are left wasted on each switch. Moreover, what if you need to replicate this network elsewhere and you do not have three physical switches to accommodate it?
That is where the first major function of a VLAN comes into play: a VLAN allows you to take one physical switch and break it up into smaller mini-switches.
Layer 2 Technology
 Breaking up one Physical Switch into multiple Virtual Switches
 Consider each circle on the switch below as its own mini-switch (or virtual switch). Each of these mini-switches is a collection of switch ports which operate completely independently from the others, exactly as they would had there been three different physical switches.
 Traffic flow through the single switch of this topology operates exactly as it did in the topology above it with three separate physical switches. The routers are configured and operate exactly as they did above.
 Each virtual switch, or VLAN, is simply a number assigned to each switch port. For example, the two switch ports in the red mini-switch might be assigned to VLAN #10. The two ports in the orange mini-switch might be assigned to VLAN #20. And lastly the two switch ports in the blue mini-switch might be assigned to VLAN #30.
Layer 2 Technology
 Breaking up one Physical Switch into multiple Virtual Switches
 Any switch port which is not explicitly assigned a VLAN number resides in the default VLAN, which for most vendors corresponds to VLAN 1.
 Traffic arriving on a switch port assigned to one VLAN will only ever be forwarded out another switch port that belongs to the same VLAN – a switch will never allow traffic to cross a VLAN boundary. Again, each VLAN operates as if it were a completely separate physical switch.
 In the first illustration, traffic from the red switch cannot magically appear on the orange switch without first passing through a router. Similarly, in the second illustration, traffic in VLAN #10 cannot magically appear on VLAN #20 without also passing through a router.
 When a frame arrives on a switchport in VLAN #10, it can only leave a switchport in VLAN #10. You and I can see that the same frame is traversing all three VLANs, but from the switch’s perspective, it is three different instances of a frame arriving on one port in one VLAN, and leaving on another port in the same VLAN.
Layer 2 Technology
 Extending Virtual Switches across multiple Physical Switches
 VLAN #10 and VLAN #30 have been extended onto a second switch. This enables Host A and Host C to exist in the same VLAN, despite being connected to different physical switches located in potentially different areas.
 The primary benefit of extending a VLAN to different physical switches is that the Layer 2 topology no longer has to be tied to the physical topology. A single VLAN can span across multiple rooms, floors, or office buildings.
 Each connected switch port is a member of only a single VLAN. This is referred to as an Access port. An Access port is a switch port that is a member of only one VLAN.
 In order to extend a VLAN to the second switch, a connection is made between one Access port on each switch for each VLAN. While functional, this strategy does not scale: if our topology used ten VLANs, nearly half of the ports on a 24-port switch would be taken up by the inter-switch links.
 Instead, there is a mechanism which allows a single switch port to carry traffic from multiple VLANs. This is referred to as a Trunk port. A Trunk port is a switch port that carries traffic for multiple VLANs.
Layer 2 Technology
 VLANs across switches
 Two switches can exchange traffic from one or more VLANs.
 Inter-switch links are configured as trunks, carrying frames from all or a subset of a switch’s VLANs.
 Each frame carries a tag that identifies which VLAN it belongs to.
[Figure: a frame on an inter-switch link without VLAN tagging, and the same frame with VLAN tagging.]
Layer 2 Technology
 Tagged Ports and Untagged Ports
 Whenever a switch is sending frames out a Trunk port, it adds to each frame a tag to indicate to the other end what VLAN that frame belongs to. This allows the receiving switch to read the VLAN tag in order to determine what VLAN the incoming traffic should be associated to.
 An Access port, by comparison, can only ever carry or receive traffic for a single VLAN. Therefore, there is no need to add a VLAN Tag to traffic leaving an Access port.
 When an Ethernet frame is exiting a Trunk port, the switch will insert a VLAN Tag between the Source MAC address and the Type fields.
 This allows the receiving switch to associate the frame with the appropriate VLAN.
Layer 2 Technology
 VLANs across switches
[Figure: two switches joined by an 802.1Q trunk between their Trunk ports; tagged frames cross the trunk, while hosts in VLAN X and VLAN Y on each switch attach to Edge ports. This is called “VLAN Trunking”.]
 802.1Q is the IEEE standard that defines how Ethernet frames should be tagged when moving across switch trunks.
 This means that switches from different vendors are able to exchange VLAN traffic.
Layer 2 Technology
 Virtual LANs (VLANs) Advantages
 VLANs increase the number of broadcast domains while decreasing their size.
 VLANs reduce security risks by reducing the number of hosts that receive copies of frames that the switches flood.
 You can keep hosts that hold sensitive data on a separate VLAN to improve security.
 You can create more flexible network designs that group users by department instead of by physical location.
 Network changes are achieved with ease by just configuring a port into the appropriate VLAN.
Layer 2 Technology
 Switching Loop
[Figure: Switch A, Switch B and Switch C connected in a triangle.]
√ When there is more than one path between two switches
√ What are the potential problems?
  Forwarding tables become unstable
  Source MAC addresses are repeatedly seen coming from different ports
  Switches will broadcast each other’s broadcasts
  All available bandwidth is utilized
  Switch processors cannot handle the load
Layer 2 Technology
 Switching Loop
[Figure sequence: Switch A, Switch B and Switch C connected in a triangle, with Node 1 attached to Switch C.]
 Node 1 sends a broadcast frame (e.g. an ARP request).
 Switches A, B and C broadcast node 1’s frame out every port.
 But they receive each other’s broadcasts, which they need to forward again out every port! The broadcasts are amplified, creating a broadcast storm…
Layer 2 Technology
 STP Concept
The STP is a loop-prevention protocol.
 It is a layer 2 protocol.
 It uses special purpose algorithms to discover physical loops in a network and creates a loop-free logical topology.
 Physical loops without proper STP design result in the problems outlined in the previous slide.
 The IEEE 802.1D defines the Spanning-Tree Algorithm that characterises STP. This algorithm relies on the Bridge ID (BID), Path Cost and Port ID parameters.
Layer 2 Technology
 How STP works?
Electing the Root Switch/Bridge - Example
 The switches elect a single root bridge by looking for the bridge with the lowest BID (often referred to as a “root war”).
 If all three bridges are using the default bridge priority of 32,768, the lowest MAC address serves as the tie-breaker.
Every non-root bridge must select one root port.
 The root port of a bridge is the port that is closest to the root bridge.
 The root path cost is the cumulative cost of all links to the root bridge.
Each segment in a bridged network has one designated port.
 It functions as the single bridge port that both sends and receives traffic to and from that segment and the root bridge.
 The bridge containing the designated port for a given segment is referred to as the designated bridge for that segment.
Note: Every active port on the root bridge becomes a designated port.
Layer 2 Technology
 How STP works?
How does STP decide in which state a port will be placed? A couple of criteria exist:
1. All switches in a network elect a root switch. All working interfaces on the root switch are placed in forwarding state.
2. All other switches, called nonroot switches, determine the best path to get to the root switch. The port used to reach the root switch (root port) is placed in forwarding state.
3. On the shared Ethernet segments, the switch with the best path to reach the root switch is placed in forwarding state. That switch is called the designated switch and its port is known as the designated port.
4. All other interfaces are placed in blocking state and will not forward frames.
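The election and the four port-state rules above, carried out in code. This is an added example and not part of the CSN11111 slides: the switch names, Bridge IDs (priority, MAC), link costs and the triangle topology are all constructed, with every switch left at the default priority of 32,768 so the MAC address decides the root war.

```python
# Added example, not from the CSN11111 slides: root-bridge election and port
# roles for a constructed three-switch triangle. Bridge IDs (priority, MAC),
# link costs and switch names are all constructed for the demonstration.
import heapq
from math import inf

# Constructed topology: every switch keeps the default priority 32,768, so the
# lowest MAC address wins the "root war". Link costs mimic two 1 Gb/s links
# (cost 4) and one 100 Mb/s link (cost 19).
BRIDGES = {
    "SwA": (32768, "00:00:00:00:00:0a"),
    "SwB": (32768, "00:00:00:00:00:0b"),
    "SwC": (32768, "00:00:00:00:00:0c"),
}
LINKS = [("SwA", "SwB", 4), ("SwB", "SwC", 4), ("SwA", "SwC", 19)]


def bid(name, bridges):
    """Bridge ID as a comparable tuple: lower priority wins, then lower MAC."""
    return bridges[name]


def elect_root(bridges):
    return min(bridges, key=lambda n: bid(n, bridges))


def root_path_costs(links, root):
    """Cumulative cost from every switch to the root (Dijkstra over link costs)."""
    adj = {}
    for a, b, c in links:
        adj.setdefault(a, []).append((b, c))
        adj.setdefault(b, []).append((a, c))
    dist, heap = {root: 0}, [(0, root)]
    while heap:
        d, n = heapq.heappop(heap)
        if d > dist.get(n, inf):
            continue
        for m, c in adj[n]:
            if d + c < dist.get(m, inf):
                dist[m] = d + c
                heapq.heappush(heap, (d + c, m))
    return dist


def port_roles(bridges, links):
    """Return (root, root path costs, {(switch, neighbour): role})."""
    root = elect_root(bridges)
    cost = root_path_costs(links, root)
    roles = {}
    # Root port: each non-root switch picks the neighbour whose advertised
    # root path cost plus the link cost is lowest; ties go to the lower BID.
    for sw in bridges:
        if sw == root:
            continue
        candidates = []
        for a, b, c in links:
            for me, nb in ((a, b), (b, a)):
                if me == sw:
                    candidates.append((cost[nb] + c, bid(nb, bridges), nb))
        roles[(sw, min(candidates)[2])] = "root"
    # Designated port: on each segment the end with the lower root path cost
    # (ties by BID) forwards; the other end, unless it is a root port, blocks.
    for a, b, c in links:
        key_a = (cost[a], bid(a, bridges))
        key_b = (cost[b], bid(b, bridges))
        d, o = (a, b) if key_a <= key_b else (b, a)
        roles.setdefault((d, o), "designated")
        roles.setdefault((o, d), "blocking")
    return root, cost, roles


if __name__ == "__main__":
    root, cost, roles = port_roles(BRIDGES, LINKS)
    print("root bridge:", root, "root path costs:", cost)
    for (sw, nb), role in sorted(roles.items()):
        print(f"{sw} port towards {nb}: {role}")
```

With these inputs SwA wins the election on MAC address alone, SwC reaches the root more cheaply through SwB (cost 8) than over the direct 100 Mb/s link (cost 19), and SwC's port towards SwA is the single blocked port that breaks the loop; every port on the root is designated, as the note on the previous slide says. Lowering SwC's priority in the constructed table makes it the root regardless of its MAC.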
Layer 2 Technology
 CAM Table
CAM table stands for Content Addressable Memory.
The CAM table stores information such as MAC addresses available on physical ports with their associated VLAN parameters.
CAM tables have a fixed size.
Normal CAM Behavior 1/3
[Figure: MAC A on Port 1, MAC B on Port 2, MAC C on Port 3. CAM table: A → 1, C → 3. A sends “ARP for B”; B is unknown, so the switch floods the frame out Port 2 and Port 3.]
Normal CAM Behavior 2/3
[Figure: B answers “I am MAC B”. The switch learns: A is on Port 1, B is on Port 2. CAM table: A → 1, B → 2, C → 3.]
Normal CAM Behavior 3/3
[Figure: Traffic A ➔ B. The switch looks up “B is on Port 2” and forwards the traffic only out Port 2; MAC C on Port 3 does not see the traffic to B.]
Attacks and Counter Measures
 CAM Overflow 1/2
 If a switch does not have an entry pointing to a destination MAC address, it floods the frame.
 What happens when a switch does not have room to store a new MAC address?
 And what happens if an entry that was there 2 seconds ago was just overwritten by another entry?
 These questions are probably what Ian Vitek must have asked himself back in 1999 when he
Attacks and Counter Measures
 CAM Overflow 2/2
[Figure: Assume the CAM table is now full. CAM table: Y → 3, Z → 3, C → 3 (“Y is on Port 3”, “Z is on Port 3”). Traffic A ➔ B from MAC A on Port 1 has no entry for B, so it is flooded; MAC C on Port 3 sees it: “I see traffic to B!”]
Attacks and Counter Measures
 CAM Table Full
 Once the CAM table is full, traffic without a CAM entry is flooded out every port on that VLAN, but NOT traffic with an existing CAM entry.
 This will turn a VLAN on a switch basically into a hub, which makes it easy for anyone off any port to collect all traffic exchanged in the port’s VLAN.
 This attack will also fill the CAM tables of adjacent switches.
 As a result, the attacker can see all of the frames sent from one host to another.
 Traffic is flooded only within the local VLAN, so the intruder sees only traffic within the local VLAN to which the intruder is connected.
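A small model that reproduces the learning and forwarding sequence of the “How switches work” and “Normal CAM Behavior” slides, the VLAN boundary rule from the VLAN slides, and the three claims on this slide (unknown destinations are flooded, known ones are not, flooding stays inside the ingress VLAN). This is an added example, not code from the slides: the port numbers, VLAN ids, MAC strings and the tiny table capacity are constructed so the effect is visible in a few frames.

```python
# Added example, not from the CSN11111 slides: a VLAN-aware switch with a
# fixed-size CAM table. Port numbers, VLAN ids, MAC strings and the table
# capacity are constructed so the behaviour is easy to follow.
BROADCAST = "ff:ff:ff:ff:ff:ff"
MAC_A, MAC_B, MAC_C = "00:0e:00:aa:aa:aa", "00:0e:00:bb:bb:bb", "00:0e:00:cc:cc:cc"


class Switch:
    def __init__(self, port_vlans, cam_capacity):
        self.port_vlans = dict(port_vlans)   # port -> access VLAN (constructed)
        self.cam_capacity = cam_capacity
        self.cam = {}                        # (vlan, mac) -> port
        self.learn_failures = 0              # addresses that found no free entry

    def learn(self, vlan, src_mac, in_port):
        key = (vlan, src_mac)
        if key in self.cam:
            self.cam[key] = in_port          # refresh (or move) the entry
        elif len(self.cam) < self.cam_capacity:
            self.cam[key] = in_port
        else:
            self.learn_failures += 1         # CAM full: nothing can be learned

    def receive(self, in_port, src_mac, dst_mac):
        """Return the sorted list of egress ports for one frame."""
        vlan = self.port_vlans[in_port]
        self.learn(vlan, src_mac, in_port)
        out = self.cam.get((vlan, dst_mac))
        if dst_mac != BROADCAST and out is not None:
            return [] if out == in_port else [out]
        # Broadcast or unknown unicast: flood to every other port in this VLAN
        # only; ports in other VLANs never see it.
        return sorted(p for p, v in self.port_vlans.items()
                      if v == vlan and p != in_port)


def normal_behaviour():
    """The 'Normal CAM Behavior' slides: A on port 1, B on port 2, C on port 3
    (all VLAN 10); port 4 is in VLAN 20 and must never see the flood."""
    sw = Switch({1: 10, 2: 10, 3: 10, 4: 20}, cam_capacity=8)
    arp_request = sw.receive(1, MAC_A, BROADCAST)   # B unknown: flood in VLAN 10
    arp_reply = sw.receive(2, MAC_B, MAC_A)         # A already known: port 1 only
    a_to_b = sw.receive(1, MAC_A, MAC_B)            # now only port 2; C sees nothing
    return arp_request, arp_reply, a_to_b


def cam_full_behaviour():
    """The 'CAM Table Full' slide: once the table holds only bogus entries,
    newly connected hosts cannot be learned and their traffic is flooded,
    while traffic to an address that is in the table is still not flooded."""
    sw = Switch({1: 10, 2: 10, 3: 10}, cam_capacity=4)
    for i in range(4):                                    # constructed bogus sources
        sw.receive(3, f"02:00:00:00:00:{i:02x}", BROADCAST)
    a_to_b = sw.receive(1, MAC_A, MAC_B)                  # flooded: port 3 sees it
    b_to_a = sw.receive(2, MAC_B, MAC_A)                  # flooded again
    to_known = sw.receive(1, MAC_A, "02:00:00:00:00:01")  # existing entry: port 3 only
    return a_to_b, b_to_a, to_known, sw.learn_failures


if __name__ == "__main__":
    print("normal:", normal_behaviour())
    print("cam full:", cam_full_behaviour())
```

The learn-failure counter is the signal a defender wants: on a real switch the equivalent is the MAC address table hitting its limit, which port security (next slides) prevents by refusing to learn beyond a per-port maximum before the table is ever exhausted.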
Attacks and Counter Measures
 Countermeasures for MAC Attacks
[Figure: a port receiving 132,000 bogus MACs (00:0e:00:aa:aa:aa, 00:0e:00:bb:bb:bb, …) with port security set to “Only One MAC Address Allowed on the Port: Shutdown”.]
Solution:
 Both MAC spoofing and MAC address table overflow attacks can be mitigated by configuring port security on the switch.
 With port security, the administrator can either statically specify the MAC addresses on a particular switch port or allow the switch to dynamically learn a fixed number of MAC addresses for a switch port.
Attacks and Counter Measures
 CAM Table Full
Scenario
Use macof to send thousands of frames into a switch to make its CAM table full of bogus MAC addresses, so that valid PCs are not able to create CAM entries on the switch. After overwhelming the switch’s CAM table, let’s look at an FTP conversation between 2 workstations.
Here is my lab environment:
Attacks and Counter Measures
 CAM Table Full
Steps
First off, let’s take a look at what a clean CAM table looks like. Currently there are only 2 MAC addresses learned and 8043 entries are available.
To overwhelm the switch’s CAM table, I am going to use “macof”. It makes up tens of thousands of bogus MAC addresses while sending frames to the switch. On the attacker’s PC, open a terminal and type macof -i eth0.
Attacks and Counter Measures
 CAM Table Full
As a result of the previous command, tons of frames with bogus MAC addresses are sent to the switch.
Here is what the CAM table looks like after the CAM table overflow attack. As you can see, the switch has learned a huge number of MAC addresses, all of them bogus! At this point the switch can no longer learn a new MAC address and will send all traffic for which the MAC address is not in the CAM table out all ports.
Attacks and Counter Measures
 CAM Table Full
If 2 newly connected PCs start a conversation, all traffic between the 2 will also be sent to the attacker’s PC, as the switch does not know and cannot remember the newly connected PCs’ MAC addresses. If the attacker is running Wireshark or another network analyzer, he will be able to capture the conversations. On the attacker’s PC, run Wireshark and take a look at the conversation between the 2 PCs. As FTP sends everything in plain text, the attacker successfully captures the username and password.
Attacks and Counter Measures
 ARP Spoofing Attack
 ARP (Address Resolution Protocol) Function Review
 Before a station can talk to another station it must do an ARP request to map the IP address to the MAC address.
 All computers on the subnet will receive and process the ARP request; the station that matches the IP address in the request will send an ARP reply.
[Figure: a station broadcasts “Who is 10.1.1.4?”; the owner answers “I am 10.1.1.4, MAC A”.]
SEC-206
Attacks and Counter Measures
 ARP Function Review
 According to the ARP RFC, a client is allowed to send an unsolicited ARP reply; this is called a gratuitous ARP. Other hosts on the same subnet can store this information in their ARP tables.
 A Gratuitous ARP is an ARP Response that was not prompted by an ARP Request. The Gratuitous ARP is sent as a broadcast, as a way for a node to announce or update its IP to MAC mapping to the entire network.
 When a host has a new MAC address because its Ethernet adapter was replaced, it should send an unsolicited ARP reply to force an update of the ARP tables in all the other hosts.
 Anyone can claim to be the owner of any IP/MAC address they like.
 ARP attacks use this to redirect traffic.
[Figure: one host broadcasts “I am 10.1.1.1, MAC A”; every other host records “You are 10.1.1.1, MAC A”.]
Attacks and Counter Measures
 ARP Spoofing Attack
 An ARP spoofing attack is also known as ARP poisoning.
 It relies on the absence of authentication in the ARP messages.
 Anyone can claim to be the owner of any IP/MAC address they like.
 ARP attacks use this to redirect traffic.
Attacks and Counter Measures
 ARP Spoofing Attack in Action
[Figure: hosts 10.1.1.1 (MAC A), 10.1.1.2 (MAC B) and the attacker 10.1.1.3 (MAC C) on one switch. The attacker “poisons” the ARP tables: it sends an ARP to 10.1.1.1 saying 10.1.1.2 is MAC C, and an ARP to 10.1.1.2 saying 10.1.1.1 is MAC C. Afterwards 10.1.1.1 believes “10.1.1.2 is now MAC C” and 10.1.1.2 believes “10.1.1.1 is now MAC C”.]
Attacks and Counter Measures
 ARP Attack in Action
[Figure: all traffic flows through the attacker. 10.1.1.1 transmits/receives its traffic for 10.1.1.2 via MAC C, and 10.1.1.2 transmits/receives its traffic for 10.1.1.1 via MAC C.]
Attacks and Counter Measures
 Dynamic ARP Inspection
[Figure: the same three hosts, with Dynamic ARP Inspection enabled on the switch. The attacker’s ARP messages saying “10.1.1.2 is MAC C” and “10.1.1.1 is MAC C” do not match the IP/MAC binding table, so the switch drops them: “Is this ARP in my binding table? No match! Bit bucket.”]
■ Uses the DHCP Snooping Binding table information.
■ Dynamic ARP Inspection: all packets must match the DHCP Snooping entries. If the entries do not match, throw them in the bit bucket.
■ Looks at the MacAddress and IpAddress fields to see if the ARP from the interface is in the binding; if not, the traffic is blocked.
sh ip dhcp snooping binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
00:03:47:B5:9F:AD 10.120.4.10 193185 dhcp-snooping 4 FastEthernet3/18
00:03:47:c4:6f:83 10.120.4.11 213454 dhcp-snooping 4 FastEthermet3/21
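The DAI check described on this slide and the ARP spoofing slides before it, as a function over a parsed binding table. This is an added example, not code from the slides or from any switch vendor: the binding text is constructed in the format of the `sh ip dhcp snooping binding` output above (with the two interface names normalised to FastEthernet), and the trusted uplink name, the extra interface FastEthernet3/22 and the ARP packets are constructed for the demonstration.

```python
# Added example, not from the CSN11111 slides: Dynamic ARP Inspection as a
# validation function over a DHCP snooping binding table. The binding table
# text is constructed in the format of the 'sh ip dhcp snooping binding'
# output shown above; the interface names, trusted uplink and ARP messages
# are constructed for the demonstration.
BINDING_OUTPUT = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:03:47:B5:9F:AD   10.120.4.10      193185      dhcp-snooping  4     FastEthernet3/18
00:03:47:c4:6f:83   10.120.4.11      213454      dhcp-snooping  4     FastEthernet3/21
"""


def parse_binding_table(text):
    """Map interface -> set of (mac, ip, vlan) learned by DHCP snooping."""
    bindings = {}
    for line in text.splitlines()[2:]:          # skip header and separator
        fields = line.split()
        if len(fields) != 6:
            continue
        mac, ip, _lease, _type, vlan, iface = fields
        bindings.setdefault(iface, set()).add((mac.lower(), ip, int(vlan)))
    return bindings


def inspect_arp(bindings, trusted, iface, vlan, sender_mac, sender_ip):
    """Decide 'permit' or 'drop' for one ARP packet (request, reply or
    gratuitous reply) received on `iface`, the way DAI does: trusted
    interfaces are not checked, untrusted ones must match a binding."""
    if iface in trusted:
        return "permit"
    if (sender_mac.lower(), sender_ip, vlan) in bindings.get(iface, set()):
        return "permit"
    return "drop"


def run_inspection():
    """Constructed ARP traffic: one legitimate reply, one gratuitous reply that
    claims another host's IP, another legitimate reply, one from a MAC that
    never got a lease, and one from the trusted uplink (a router that never
    used DHCP, so it has no binding and must be trusted explicitly)."""
    bindings = parse_binding_table(BINDING_OUTPUT)
    trusted = {"GigabitEthernet1/1"}
    packets = [
        ("FastEthernet3/18", 4, "00:03:47:b5:9f:ad", "10.120.4.10"),   # genuine
        ("FastEthernet3/21", 4, "00:03:47:c4:6f:83", "10.120.4.10"),   # claims 3/18's IP
        ("FastEthernet3/21", 4, "00:03:47:c4:6f:83", "10.120.4.11"),   # genuine
        ("FastEthernet3/22", 4, "00:11:22:33:44:55", "10.120.4.12"),   # no binding at all
        ("GigabitEthernet1/1", 4, "00:aa:bb:cc:dd:01", "10.120.4.1"),  # trusted uplink
    ]
    return [inspect_arp(bindings, trusted, *p) for p in packets]


if __name__ == "__main__":
    for packet_decision in run_inspection():
        print(packet_decision)
```

The second packet is the poisoning case from the previous slides: a host with a valid lease for 10.120.4.11 announcing itself as 10.120.4.10. The binding is keyed by interface, so the check also fails when a correct MAC/IP pair turns up on the wrong port. Statically addressed hosts (gateways, servers) have no DHCP binding and must be covered by a trusted interface or a static entry, which is why the uplink is listed in `trusted`.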
Attacks and Counter Measures
 DHCP: quick overview
[Figure: Client ↔ DHCP Server exchange: DHCP Discover (Broadcast); DHCP Offer (Unicast) carrying IP Address: 10.10.10.101, Default Routers: 10.10.10.1, DNS Servers: 192.168.10.4, 192.168.10.5; DHCP Request (Broadcast); DHCP Ack (Unicast).]
 Server dynamically assigns IP address on demand.
 Administrator creates pools of addresses available for assignment.
 Address is assigned with lease time.
 DHCP delivers other configuration information in options.
Attacks and Counter Measures
 DHCP Starvation Attack = Port Security
[Figure: Denial of Service. Gobbler sends DHCP Discovery × (Size of Scope) to the DHCP Server, which answers with DHCP Offer × (Size of DHCP Scope); then DHCP Request × (Size of Scope) and DHCP Ack × (Size of Scope).]
 Gobbler/DHCPx looks at the entire DHCP scope and tries to lease all of the DHCP addresses available in the DHCP scope.
 The DHCP Server leases a new IP address for each new MAC address.
 Attackers could continue to request IP addresses from a DHCP server by changing their source MAC addresses in much the same way as is done in a CAM table flooding attack.
 The goal is to try to lease all of the DHCP addresses available in the DHCP scope.
 This is a Denial of Service (DoS) attack using DHCP leases.
Attacks and Counter Measures
 Rogue DHCP Server Attack
[Figure: Client on Vlan 5, genuine DHCP Server reachable via Vlan 165, Rogue Server on Vlan 5. DHCP Discovery (Broadcast); 2 DHCP Offers (Unicast), 1 from the Rogue, 1 genuine; DHCP Request (Broadcast) to the 1st offer; DHCP Ack (Unicast) from the Rogue Server.]
 What can the attacker do if he is the DHCP server?
 An attacker attempts to respond to DHCP requests, trying to list themselves (spoof) as the default gateway or DNS server, hence initiating a man in the middle attack.
 With that, it is possible that they can intercept traffic from users before forwarding to the real gateway, or perform DoS by flooding the real DHCP server.
Attacks and Counter Measures
 Rogue DHCP Server = DHCP Snooping
 DHCP snooping works by separating trusted from untrusted interfaces on a switch.
 Trusted interfaces are allowed to respond to DHCP requests; untrusted interfaces are not.
Attacks and Counter Measures
 Mitigating DHCP & ARP Spoofing with DHCP Snooping
switch(config)# ip dhcp snooping
• Enable DHCP Snooping.
switch(config)# ip dhcp snooping vlan vlan_id {,vlan_id}
• Enable DHCP Snooping for specific VLANs.
switch(config-if)# ip dhcp snooping trust
• Configure an interface as trusted for DHCP snooping purposes.
Attacks and Counter Measures
 Mitigating DHCP & ARP Spoofing with DHCP Snooping
switch(config-if)# ip dhcp snooping limit rate rate
• Set rate limit for DHCP Snooping.
switch(config)# ip arp inspection vlan vlan_id
• Enables DAI on a VLAN.
switch(config-if)# ip arp inspection trust
• Enables DAI on an interface and sets the interface as trusted.
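What the commands above turn on, reduced to the per-message decisions a snooping switch makes: server replies are only accepted from trusted interfaces (the rogue-server slide), the client hardware address must match the sending MAC, and client messages on untrusted ports are rate limited (the starvation slide). This is an added example modelled on the feature, not the slides' or a vendor's code; the interface names, the limit of 5 messages per second, the timestamps and the messages themselves are constructed.

```python
# Added example, not from the CSN11111 slides: the decisions DHCP snooping
# makes per message, modelled after the feature the commands above enable.
# Interface names, the rate limit, timestamps and the messages are constructed.
from collections import defaultdict, deque

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}


class DhcpSnooping:
    def __init__(self, trusted, rate_limit):
        self.trusted = set(trusted)        # 'ip dhcp snooping trust' interfaces
        self.rate_limit = rate_limit       # 'ip dhcp snooping limit rate' (pps)
        self.window = defaultdict(deque)   # per untrusted port: recent timestamps
        self.err_disabled = set()
        self.bindings = {}                 # chaddr -> leased IP (snooping binding table)

    def handle(self, iface, msg_type, t, chaddr, src_mac, yiaddr=None):
        """Return 'forward' or 'drop:<reason>' for one DHCP message seen on
        `iface` at time `t` (seconds)."""
        if iface in self.err_disabled:
            return "drop:err-disabled"
        if iface in self.trusted:
            if msg_type == "ACK":          # a real lease: record the binding
                self.bindings[chaddr] = yiaddr
            return "forward"
        # Untrusted port: a server reply here can only come from a rogue server.
        if msg_type in SERVER_MESSAGES:
            return "drop:server-message-on-untrusted-port"
        # Untrusted port: the client hardware address must match the frame source.
        if chaddr != src_mac:
            return "drop:chaddr-mismatch"
        # Rate limit client messages over a one-second sliding window; exceeding
        # it error-disables the port, which stops a lease-exhaustion burst.
        recent = self.window[iface]
        while recent and t - recent[0] >= 1.0:
            recent.popleft()
        recent.append(t)
        if len(recent) > self.rate_limit:
            self.err_disabled.add(iface)
            return "drop:rate-limit-exceeded"
        return "forward"


def run_snooping():
    """Constructed traffic: a rogue OFFER on an access port, the genuine OFFER
    and ACK on the trusted uplink, a DISCOVER with a forged chaddr, and a burst
    of DISCOVERs from six different MACs within one second on one access port."""
    snoop = DhcpSnooping(trusted={"Gi1/1"}, rate_limit=5)
    client, server = "aa:aa:aa:aa:aa:01", "00:11:11:11:11:11"
    results = [
        snoop.handle("Fa0/7", "OFFER", 0.0, chaddr=client, src_mac="cc:cc:cc:cc:cc:01"),
        snoop.handle("Gi1/1", "OFFER", 0.1, chaddr=client, src_mac=server),
        snoop.handle("Gi1/1", "ACK", 0.2, chaddr=client, src_mac=server, yiaddr="10.10.10.101"),
        snoop.handle("Fa0/7", "DISCOVER", 0.3, chaddr="aa:aa:aa:aa:aa:02", src_mac="aa:aa:aa:aa:aa:99"),
    ]
    burst = [snoop.handle("Fa0/9", "DISCOVER", 1.0 + 0.1 * i,
                          chaddr=f"bb:bb:bb:bb:bb:{i:02x}", src_mac=f"bb:bb:bb:bb:bb:{i:02x}")
             for i in range(6)]
    results.append(burst)
    results.append(snoop.handle("Fa0/9", "DISCOVER", 5.0, chaddr=client, src_mac=client))
    results.append(snoop.bindings)
    return results


if __name__ == "__main__":
    for r in run_snooping():
        print(r)
```

The binding recorded from the ACK on the trusted port is exactly the kind of entry the `sh ip dhcp snooping binding` table on the DAI slide holds, which is why DAI depends on DHCP snooping being enabled first. On real hardware an error-disabled port stays down until an administrator re-enables it or errdisable recovery fires, so the limit should be set above what a legitimate host or a downstream hub could generate.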
Attacks and Counter Measures
 Port Security
Capabilities are dependent on the platform.
Port security allows the administrator to specify MAC addresses for each port, or to let the switch learn a certain number of MAC addresses per port.
Upon detection of an invalid MAC address the switch can be configured to block only the offending MAC address or just shut down the port.
Attacks and Counter Measures
 Port Security - configuration
switch(config-if)# switchport port-security
• Enable port security on the interface.
switch(config-if)# switchport port-security mac-address mac_addr
• Enable port security and set a specific MAC address (H.H.H).
Attacks and Counter Measures
 Port Security - configuration
switch(config-if)# switchport port-security maximum <1-132>
• Set maximum number of MAC addresses.
switch(config-if)# switchport port-security violation {protect | restrict | shutdown}
• Set action on violation.

Attacks and Counter Measures
 Port Security Violation Modes
The port behavior depends on how it is configured to respond to a security violation.
When a MAC address differs from the list of secure addresses, the port either:
• Shuts down until it is administratively enabled (default mode).
• Drops incoming frames from the insecure host (restrict option).
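The port-security behaviour from the countermeasures slide, the configuration slides and the violation modes above, as one state machine per port. This is an added example, not code from the slides or from a switch vendor: the first two MAC addresses are the ones on the countermeasures slide, the third address, the port objects and the frame sequence are constructed, and "protect" is modelled as a silent drop, "restrict" as a counted drop and "shutdown" as error-disabling the port.

```python
# Added example, not from the CSN11111 slides: the port-security state machine
# behind 'switchport port-security maximum' and 'violation {protect | restrict |
# shutdown}'. The first two MAC addresses are the ones on the countermeasures
# slide; the third address and the frame sequence are constructed.
MAC_AA, MAC_BB, MAC_CC = "00:0e:00:aa:aa:aa", "00:0e:00:bb:bb:bb", "00:0e:00:cc:cc:cc"


class SecurePort:
    def __init__(self, maximum=1, violation="shutdown", static=()):
        if violation not in ("protect", "restrict", "shutdown"):
            raise ValueError("violation mode must be protect, restrict or shutdown")
        self.maximum = maximum               # 'switchport port-security maximum'
        self.violation = violation           # 'switchport port-security violation'
        self.secure = set(static)            # 'switchport port-security mac-address'
        self.err_disabled = False
        self.violation_count = 0             # incremented (and logged) in restrict mode

    def ingress(self, src_mac):
        """Return what the port does with a frame from `src_mac`."""
        if self.err_disabled:
            return "dropped:port-shutdown"
        if src_mac in self.secure:
            return "forwarded"
        if len(self.secure) < self.maximum:
            self.secure.add(src_mac)         # dynamically learned secure address
            return "forwarded:learned"
        # A MAC beyond the maximum is a violation; the mode decides the reaction.
        if self.violation == "protect":
            return "dropped"                 # silently, no counter, no log
        if self.violation == "restrict":
            self.violation_count += 1        # dropped, counted and logged
            return "dropped:logged"
        self.err_disabled = True             # default mode: shut the port down
        return "dropped:port-shutdown"


def run_modes():
    """Feed the same sequence to one port per violation mode: the allowed MAC,
    a second MAC (violation), the allowed MAC again, then a third MAC."""
    sequence = [MAC_AA, MAC_BB, MAC_AA, MAC_CC]
    outcome = {}
    for mode in ("protect", "restrict", "shutdown"):
        port = SecurePort(maximum=1, violation=mode)
        outcome[mode] = [port.ingress(m) for m in sequence]
    # A statically configured address with maximum 2 still leaves room to learn one.
    static_port = SecurePort(maximum=2, violation="restrict", static=[MAC_AA])
    outcome["static"] = ([static_port.ingress(m) for m in (MAC_BB, MAC_AA, MAC_CC)]
                         + [static_port.violation_count])
    return outcome


if __name__ == "__main__":
    for mode, trace in run_modes().items():
        print(mode, trace)
```

The trace shows the operational trade-off behind the choice of mode: in shutdown mode a single stray MAC also cuts off the legitimate host until the port is re-enabled, while protect and restrict keep the allowed address working and differ only in whether the violation is counted and logged, which matters for detection.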
Attacks and Counter Measures
 VLAN Attacks
There are a number of different types of VLAN attacks that are prevalent in modern switched networks.
It is important to understand the general methodology behind these attacks and the primary approaches to mitigate them.
Common VLAN attacks include:
• VLAN hopping attack
• Double-Tagging VLAN attack
Attacks and Counter Measures
 VLAN Hopping Attack
A VLAN hopping attack can be launched in one of two ways:
• Spoofing DTP messages from the attacking host causes the switch to enter trunking mode
• Introducing a rogue switch and enabling trunking
The end result is that it enables the attacker to potentially access all VLANs on the network.
Attacks and Counter Measures
 VLAN Hopping Attacks Example
The attacker takes advantage of the default automatic trunking configuration on most switches and configures a system to spoof itself as a switch.
The Dynamic Trunking Protocol (DTP) is a networking protocol for the purpose of negotiating trunking on a link between two VLAN-aware switches, and for negotiating the type of trunking encapsulation to be used.
Dynamic Auto — the port becomes a trunk port if the neighboring port is set to trunk or dynamic desirable mode. This is the default mode for some switchports.
Attacks and Counter Measures
 VLAN Hopping Attacks Example
The switch creates a trunk link with the host, enabling the attacker to gain access to all the VLANs on the trunk port; the attacker can now send and receive traffic on all the VLANs.
Attacks and Counter Measures
 Double-Tagging VLAN Attack
What is Native VLAN?
 Normally a switch port configured as a trunk port sends and receives IEEE 802.1Q VLAN tagged Ethernet frames.
 If a switch receives untagged Ethernet frames on its Trunk port, they are forwarded to the VLAN that is configured on the switch as the native VLAN.
Attacks and Counter Measures
 Double-Tagging VLAN Attack
 A double tagging attack will work only if the attacker is connected to an interface which belongs to the native VLAN of the trunk port. The double tagging attack is unidirectional.
 The double tagging VLAN hopping attack takes advantage of the 802.1Q tagging and tag removal process of many types of switches.
 An attacker changes the original frame to add two VLAN tags: an outer tag, which is that of his own VLAN, and an inner hidden tag of the victim’s VLAN.
 Here the attacker’s PC must belong to the native VLAN of the trunk link.
 When the double tagged frame reaches the switch (2), the switch can only see the outer tag of the VLAN that the interface really belongs to.
 The switch (2) will now remove the outer VLAN tag and will forward to all the ports belonging to the native VLAN.
 When the frame reaches (3), it will open the frame to see the second tag. (3) will now assume that the frame belongs to VLAN 20 and it is forwarded to VLAN 20.
 Double tagging attacks can be prevented by keeping the native VLAN of the trunk ports different from the user VLANs.
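The tag insertion between the Source MAC and Type fields from the “Tagged Ports and Untagged Ports” slide, and the one-tag-at-a-time processing that the steps above rely on, written out so the two mitigations (a native VLAN that is not a user VLAN, and tagging the native VLAN) can be checked against the same frame. This is an added example, not code from the slides or from any switch: the MAC addresses, payload and VLAN numbers are constructed, the switch behaviour is a simplified model, and the access port accepting a frame tagged with its own VLAN is an assumption that holds for many but not all switches.

```python
# Added example, not from the CSN11111 slides: building and stripping 802.1Q
# tags on a raw Ethernet frame, then tracing a frame across a trunk under the
# native-VLAN settings the slides compare. The MAC addresses, VLAN numbers
# and payload are constructed; the switch behaviour is a simplified model.
import struct

TPID = 0x8100                      # 802.1Q tag protocol identifier
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("00aabbccdd01")
BASE_FRAME = DST + SRC + struct.pack("!H", 0x0800) + b"constructed payload"


def add_tag(frame, vlan, pcp=0):
    """Insert a 4-byte 802.1Q tag between the source MAC and the Type field."""
    tci = (pcp << 13) | (vlan & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID, tci) + frame[12:]


def pop_tag(frame):
    """Return (vlan, frame without its outer tag), or (None, frame) if untagged."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & 0x0FFF, frame[:12] + frame[16:]
    return None, frame


def access_port_receive(frame, access_vlan):
    """An access port accepts untagged frames and (assumption: on many
    switches) frames tagged with its own VLAN, removing that one tag only;
    frames tagged with any other VLAN are dropped."""
    vlan, inner = pop_tag(frame)
    if vlan is None or vlan == access_vlan:
        return access_vlan, inner
    return None, None


def trunk_egress(frame, vlan, native_vlan, tag_native):
    """Frames in the native VLAN leave a trunk untagged unless the native VLAN
    is tagged ('all tagged mode' on the best-practices slide)."""
    if vlan == native_vlan and not tag_native:
        return frame
    return add_tag(frame, vlan)


def trunk_ingress(frame, native_vlan):
    """The receiving trunk classifies by the outer tag, or the native VLAN."""
    vlan, inner = pop_tag(frame)
    return (native_vlan if vlan is None else vlan), inner


def classify_across_trunk(frame, access_vlan, native_vlan, tag_native=False):
    """VLAN that switch (3) assigns to `frame` sent into switch (2)'s access
    port in `access_vlan` and carried over their trunk; None if dropped."""
    vlan, inner = access_port_receive(frame, access_vlan)
    if vlan is None:
        return None
    on_the_wire = trunk_egress(inner, vlan, native_vlan, tag_native)
    return trunk_ingress(on_the_wire, native_vlan)[0]


def check_mitigations():
    """A frame carrying an inner tag for VLAN 20 under an outer tag for VLAN 1
    (constructed), classified under three trunk configurations, plus an
    ordinary untagged frame for comparison."""
    nested = add_tag(add_tag(BASE_FRAME, 20), 1)
    return {
        "native 1, untagged": classify_across_trunk(nested, 1, 1),        # ends up in 20
        "native 99, untagged": classify_across_trunk(nested, 1, 99),      # stays in 1
        "native 1, tagged": classify_across_trunk(nested, 1, 1, True),    # stays in 1
        "plain frame": classify_across_trunk(BASE_FRAME, 10, 1),          # 10
    }


if __name__ == "__main__":
    for setting, vlan in check_mitigations().items():
        print(f"{setting}: switch (3) assigns VLAN {vlan}")
```

The model makes the mechanism visible: switch (2) removes one tag and, because the frame is in the native VLAN, puts it on the trunk without adding one back, so the inner tag is the first thing switch (3) reads. Either mitigation restores an outer tag on the wire (a tag for the access VLAN when it is not native, or the native tag itself), and switch (3) then classifies by that tag as it should.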
Attacks and Counter Measures
 Security Best Practices for VLANs and Trunking
 Always use a dedicated VLAN ID for all trunk ports.
 Disable unused ports and put them in an unused VLAN.
 Be paranoid – do not use VLAN 1 for anything.
 Disable auto-trunking on user facing ports (DTP off).
 Explicitly configure trunking on infrastructure ports.
 Use all tagged mode for the native VLAN on trunks.
Attacks and Counter Measures
 Spanning Tree Protocol Manipulation
Network attackers can manipulate STP to conduct an attack by making their host appear as the root bridge and, therefore, capturing all traffic for the immediate switched domain.
This attack can be used to defeat all three of the security objectives: confidentiality, integrity, and availability.
Attacks and Counter Measures
 Spanning Tree Protocol Manipulation
The attacking host broadcasts STP configuration and topology change BPDUs to force spanning-tree recalculations.
The BPDUs sent by the attacking host announce a lower bridge priority in an attempt to be elected as the root bridge.
Attacks and Counter Measures
 Spanning Tree Protocol Manipulation
If successful, the attacking host becomes the root bridge and sees a variety of frames that otherwise are inaccessible.
Attacks and Counter Measures
 Spanning Tree Protocol Manipulation
Mitigation techniques for STP manipulation include enabling:
 PortFast
 Root guard
 BPDU guard
Attacks and Counter Measures
 PortFast
PortFast causes a Layer 2 interface to transition from the blocking to the forwarding state immediately, bypassing the listening and learning states.
Used on Layer 2 access ports that connect to a single workstation or server.
It allows those devices to connect to the network immediately, instead of waiting for STP to converge.
Attacks and Counter Measures
 Configuring PortFast
To configure PortFast on all non-trunking ports at once:
Switch(config)# spanning-tree portfast default
To configure PortFast on an interface:
Switch(config-if)# spanning-tree portfast
Attacks and Counter Measures
 BPDU (Bridge Protocol Data Unit)
A BPDU is a data message transmitted across a local area network to detect loops in network topologies.
A BPDU contains information regarding ports, switches, port priority and addresses.
BPDUs contain the information necessary to configure and maintain the spanning tree topology.
 BPDU Guard
BPDU Guard keeps the active network topology predictable.
• It protects a switched network from receiving BPDUs on ports that should not be receiving them.
• Received BPDUs might be accidental or part of an attack.
If a port configured with PortFast and BPDU Guard receives a BPDU, the switch puts the port into the disabled state.
Attacks and Counter Measures
 Configuring BPDU Guard
To enable BPDU guard on all PortFast enabled ports, use the following global configuration mode command.
Switch(config)# spanning-tree portfast bpduguard default
BPDU filtering prevents interfaces that are in a PortFast-operational state from sending or receiving BPDUs.
 The interfaces still send a few BPDUs at linkup before the switch begins to filter outbound BPDUs.
 The feature can be configured globally or at the interface level.
Attacks and Counter Measures
 Root Guard
Root guard enforces the placement of root bridges by limiting the switch ports out of which the root bridge can be negotiated.
 If a root-guard-enabled port receives BPDUs that are superior to those that the current root bridge is sending, that port is moved to a root-inconsistent state.
 This effectively is equal to an STP listening state, and no data traffic is forwarded across that port.
 If an attacking host sends out spoofed BPDUs in an effort to become the root bridge, the switch, upon receipt of a BPDU, ignores the BPDU and puts the port in a root-inconsistent state.
 The port recovers as soon as the offending BPDUs cease.
Attacks and Counter Measures
 Configuring Root Guard
Root guard is best deployed toward ports that connect to switches that should not be the root bridge, using the following interface configuration mode command:
Switch(config-if)# spanning-tree guard root
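How a port configured with the BPDU Guard and Root Guard commands above reacts to a received BPDU, covering both the BPDU Guard slide (PortFast port disabled on any BPDU) and the Root Guard slides (superior BPDU ignored, port held root-inconsistent, recovery once the superior BPDUs stop). This is an added example and not code from the slides or a switch: Bridge IDs are (priority, MAC) tuples, the current root, the ports and the BPDUs are constructed, and recovery is simplified to "the next BPDU that is not superior", where a real switch waits for the superior BPDUs to age out.

```python
# Added example, not from the CSN11111 slides: how a port configured with
# PortFast + BPDU guard, or with root guard, reacts to a received BPDU.
# Bridge IDs are (priority, MAC) tuples; the ports, BPDUs and current root
# are constructed. Root-guard recovery is simplified to "the next BPDU that
# is not superior"; a real switch waits for the superior BPDUs to age out.
CURRENT_ROOT = (32768, "00:00:00:00:00:0a")   # constructed root bridge ID


class StpPort:
    def __init__(self, portfast=False, bpduguard=False, rootguard=False):
        self.portfast, self.bpduguard, self.rootguard = portfast, bpduguard, rootguard
        self.state = "forwarding"

    def receive_bpdu(self, advertised_root, current_root=CURRENT_ROOT):
        """Apply the guard rules and return the resulting port state."""
        if self.state == "err-disabled":
            return self.state                     # stays down until re-enabled
        if self.portfast and self.bpduguard:
            # An edge port should never see a BPDU at all: disable it.
            self.state = "err-disabled"
        elif self.rootguard:
            # A BPDU claiming a better root than the one we know (lower BID)
            # is ignored and the port is held in root-inconsistent state.
            if advertised_root < current_root:
                self.state = "root-inconsistent"
            elif self.state == "root-inconsistent":
                self.state = "forwarding"         # offending BPDUs ceased
        return self.state


def run_guards():
    """Constructed events: an access port with PortFast + BPDU guard, a
    downlink with root guard, and an unguarded port, each receiving BPDUs."""
    edge = StpPort(portfast=True, bpduguard=True)
    downlink = StpPort(rootguard=True)
    plain = StpPort()
    superior = (0, "00:00:00:00:00:ff")          # priority 0 beats CURRENT_ROOT
    return {
        "edge": edge.receive_bpdu(CURRENT_ROOT),
        "downlink superior": downlink.receive_bpdu(superior),
        "downlink again": downlink.receive_bpdu(superior),
        "downlink recovered": downlink.receive_bpdu(CURRENT_ROOT),
        "plain": plain.receive_bpdu(superior),   # no guard: nothing here objects
    }


if __name__ == "__main__":
    for event, state in run_guards().items():
        print(f"{event}: {state}")
```

The comparison `advertised_root < current_root` is the same lexicographic BID ordering used in the root election: priority first, MAC as tie-breaker, so a priority of 0 is superior to any default-priority root regardless of MAC. The unguarded port shows why the guards matter: without them nothing in the port logic objects to the claim and the election on the earlier slides simply runs again with the new, lower BID.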
Thank You
Any Questions
