Protecting Against an STP Attack

Redundant links can be introduced into a Layer 2 switch topology to increase the network's availability. However, redundant links can potentially cause Layer 2 loops, which can result in broadcast storms. Fortunately, Spanning Tree Protocol (STP) can allow you to physically have redundant links while logically having a loop-free topology, thus preventing the potential for broadcast storms.

STP achieves this loop-free topology by electing one switch as the root bridge. The network administrator can influence which switch becomes the root bridge by manipulating a switch's bridge priority, in which the switch with the lowest bridge priority becomes the root bridge. Every other switch in the network designates a root port, which is the port on the switch that is "closest" to the root bridge, in terms of "cost." The bridge priorities of switches are learned through the exchange of Bridge Protocol Data Units (BPDU). After the election of a root bridge, all the switch ports in the topology are either in the blocking state (where user data is not forwarded) or in the forwarding state (where user data is forwarded).

If the root bridge fails, the STP topology reconverges by electing a new root bridge. Note that a port does not immediately transition from the blocking state to the forwarding state. Rather, a port transitions from blocking, to listening, to learning, to forwarding.

If an attacker has access to two switch ports (each from a different switch), he can introduce a rogue switch into the network. The rogue switch can then be configured with a lower bridge priority than the bridge priority of the root bridge. After the rogue switch announces its "superior BPDUs," the STP topology reconverges. All traffic traveling from one switch to another switch now passes through the rogue switch, thus allowing the attacker to capture that traffic.

For example, consider the topology shown in Figure 6-3. Data traveling from PC1 to Server1 passes through SW2 and SW3 (the root bridge).

Figure 6-3 Converged STP Network

Notice PC2 and PC3. If an attacker gained access to the switch ports of these two PCs, he could introduce a rogue switch that advertised superior BPDUs, causing the rogue switch to be elected as the new root bridge. The new data path between PC1 and Server1, as shown in Figure 6-4, now passes through the attacker's rogue switch. The attacker can configure one of the switch ports as a Switch Port Analyzer (SPAN) port. A SPAN port can receive a copy of traffic crossing another port or VLAN. In this example, the attacker could use the SPAN port to have a copy of the traffic crossing the switch sent to the attacker's PC.

Figure 6-4 Introducing a Rogue Switch

Consider two approaches for protecting a network from this type of STP attack:

■ Protecting with Root Guard: The Root Guard feature can be enabled on all switch ports in the network off of which the root bridge should not appear (that is, every port that is not a root port; the root port is the port on each switch that is considered to be closest to the root bridge). If a port configured for Root Guard receives a superior BPDU, instead of believing the BPDU, the port goes into a root-inconsistent state. While a port is in the root-inconsistent state, no user data is sent across it. However, after the superior BPDUs stop, the port returns to the forwarding state. Example 6-4 illustrates the configuration of Root Guard on a port.

Example 6-4 Configuring Root Guard

Cat3550(config)# interface gigabitethernet 0/1

Cat3550(config-if)# spanning-tree guard root

■ Protecting with BPDU Guard: The BPDU Guard feature is enabled on ports configured with the Cisco PortFast feature. The PortFast feature is enabled on ports that connect to end-user devices, such as PCs. It reduces the amount of time required for the port to go into forwarding state after being connected. The logic of PortFast is that a port that connects to an end-user device does not have the potential to create a topology loop. Therefore, the port can go active sooner by skipping STP's listening and learning states, which by default take 15 seconds each. Because these PortFast ports are connected to end-user devices, they should never receive a BPDU. Therefore, if a port enabled for BPDU Guard receives a BPDU, the port is disabled. Example 6-5 shows a sample BPDU Guard configuration.

Example 6-5 Configuring BPDU Guard

Cat3550(config)# interface gigabitethernet 0/2

Cat3550(config-if)# spanning-tree portfast

Cat3550(config-if)# spanning-tree bpduguard enable

Table 6-2 summarizes the actions of Root Guard and BPDU Guard.

Table 6-2 Root Guard Versus BPDU Guard

STP Attack Mitigation Method | Description

Root Guard | After receiving a superior BPDU, a port configured for Root Guard goes into a root-inconsistent state. While in this state, the port stops forwarding. After the superior BPDUs stop, the port returns to forwarding state.

BPDU Guard | BPDU Guard is designed to work on ports configured for the PortFast feature. If a port enabled for BPDU Guard receives a BPDU, the port is disabled.
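
The behavior summarized in Table 6-2 can be modeled in a few lines of Python. This is an added example, not part of the original text: the Switch class, the port name, and both bridge IDs are hypothetical, constructed values, and the MAC address tie-breaker is standard STP behavior that the text above does not cover. It runs the same superior BPDU against an unguarded port, a Root Guard port, and a BPDU Guard port.

```python
from dataclasses import dataclass

@dataclass(frozen=True, order=True)
class BridgeID:
    priority: int  # compared first: the lowest bridge priority wins
    mac: str       # tie-breaker (standard STP behavior, not covered in the text)

class Switch:
    """Hypothetical model: tracks the believed root and per-port guard/state."""
    def __init__(self, root):
        self.root = root
        self.guard = {}   # port name -> None, "root" or "bpdu"
        self.state = {}   # port name -> "forwarding", "root-inconsistent", "disabled"

    def add_port(self, name, guard=None):
        self.guard[name], self.state[name] = guard, "forwarding"

    def receive_bpdu(self, port, advertised_root):
        if self.state[port] == "disabled":
            return "disabled"                      # a disabled port processes nothing
        if self.guard[port] == "bpdu":
            self.state[port] = "disabled"          # any BPDU at all disables the port
        elif advertised_root < self.root:          # superior BPDU
            if self.guard[port] == "root":
                self.state[port] = "root-inconsistent"  # BPDU is not believed
            else:
                self.root = advertised_root        # unguarded: topology reconverges
        return self.state[port]

    def superior_bpdus_stopped(self, port):
        if self.state[port] == "root-inconsistent":
            self.state[port] = "forwarding"        # Root Guard recovers on its own
        return self.state[port]

def demo():
    legit = BridgeID(4096, "00:1a:00:00:00:03")   # constructed ID for the real root
    rogue = BridgeID(0, "00:de:ad:00:00:01")      # constructed ID for the rogue switch
    results = {}
    for guard in (None, "root", "bpdu"):
        sw = Switch(root=legit)
        sw.add_port("Gi0/1", guard)
        on_bpdu = sw.receive_bpdu("Gi0/1", rogue)
        after = sw.superior_bpdus_stopped("Gi0/1")
        results[guard] = (sw.root == legit, on_bpdu, after)
    return results

if __name__ == "__main__":
    for guard, outcome in demo().items():
        print(guard, outcome)
```

Each result is (legitimate root kept, port state on receiving the BPDU, port state after the superior BPDUs stop). Only the unguarded port lets the rogue switch take over as root, and only the BPDU Guard port remains out of service afterward.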
