Spanning Tree Protocol Manipulation

Another common attack against switches is to manipulate the STP configuration by sending valid bridge protocol data units (BPDUs) and changing the topology of the network so as to create a spanning-tree loop.

A Layer 2 loop in any network will bring down the entire broadcast domain and render all services unusable. Sometimes, in fact, spanning-tree loops occur naturally, so do not always assume that a Layer 2 loop is the result of an attacker's involvement without first properly investigating.

By attacking STP, the network attacker hopes to have his or her own system elected as the root bridge of the topology. Becoming the root bridge in a Layer 2 environment requires only sending a valid BPDU frame that advertises a root priority lower than that of every other device, so that the other switches accept the sender as the root bridge. By triggering a spanning-tree event in this way (sending what appears to be a valid BPDU frame), the intruder's PC forces a spanning-tree topology change in which ports begin forwarding incorrectly, and a Layer 2 loop can result. Layer 2 loops in any switched network will bring the network to a standstill.

To mitigate this form of attack, configure BPDU guard on every switch port that does not connect to another switch. With BPDU guard enabled, the switch immediately disables a port on which a BPDU frame is received, which renders this attack ineffectual at once and cuts off the intruder.

Example 3-43 displays the Catalyst OS and IOS commands to enable BPDU guard.

Example 3-43 Enable BPDU Guard

! Catalyst OS
CatOS> (enable) set spantree portfast mod/num bpdu-guard enable

! IOS enabled Switch
CatSwitch-IOS(config)# spanning-tree portfast bpduguard enable
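As an added example (not code from the book or from Cisco), the following Python decodes an 802.1D configuration BPDU and raises the two findings this section is about: a BPDU arriving on an access port at all, which is the condition BPDU guard acts on, and a root ID lower than the legitimate root's, which is how a root-bridge takeover shows up on the wire. The root bridge, the rogue station's MAC address and the port roles are constructed sample values.

```python
import struct

BPDU_FMT = "!HBBBH6sIH6sHHHHH"  # 35-byte 802.1D configuration BPDU body

def bridge_id(priority: int, mac: bytes) -> int:
    """8-byte bridge ID (2-byte priority + MAC) as one integer; STP elects the lowest."""
    return (priority << 48) | int.from_bytes(mac, "big")

def build_config_bpdu(root_prio, root_mac, cost, br_prio, br_mac, port_id=0x8001):
    """Pack a configuration BPDU for the sample data; timers are in 1/256 s units."""
    return struct.pack(BPDU_FMT, 0, 0, 0, 0, root_prio, root_mac, cost,
                       br_prio, br_mac, port_id, 0, 20 * 256, 2 * 256, 15 * 256)

def parse_config_bpdu(body: bytes) -> dict:
    """Decode the fields needed for root-election checks from a BPDU body."""
    size = struct.calcsize(BPDU_FMT)
    if len(body) < size:
        raise ValueError("truncated BPDU")
    f = struct.unpack(BPDU_FMT, body[:size])
    if f[0] != 0 or f[2] != 0:  # protocol ID 0 and BPDU type 0 = configuration BPDU
        raise ValueError("not an 802.1D configuration BPDU")
    return {"root_priority": f[4], "root_mac": f[5].hex(":"),
            "root_id": bridge_id(f[4], f[5]), "root_path_cost": f[6],
            "bridge_id": bridge_id(f[7], f[8]), "port_id": f[9]}

def assess_bpdu(body: bytes, edge_port: bool, expected_root_id: int) -> list:
    """Findings a switch or a passive monitor should raise for one received BPDU."""
    bpdu = parse_config_bpdu(body)
    findings = []
    if edge_port:
        # Any BPDU on an access (PortFast) port: this is what BPDU guard err-disables.
        findings.append("bpdu-on-edge-port")
    if bpdu["root_id"] < expected_root_id:
        # A root ID below the legitimate root's wins the election: root-bridge takeover.
        findings.append("root-bridge-takeover")
    return findings

# Constructed sample values: the legitimate root (priority 4096) and a rogue
# station advertising priority 0 from an access port, as the section describes.
LEGIT_MAC = bytes.fromhex("001122334455")
ROGUE_MAC = bytes.fromhex("00deadbeef01")
EXPECTED_ROOT_ID = bridge_id(4096, LEGIT_MAC)
SAMPLE_LEGIT_BPDU = build_config_bpdu(4096, LEGIT_MAC, 4, 32768, bytes.fromhex("00aabbccdd01"))
SAMPLE_ROGUE_BPDU = build_config_bpdu(0, ROGUE_MAC, 0, 0, ROGUE_MAC)

if __name__ == "__main__":
    print("trunk, legit :", assess_bpdu(SAMPLE_LEGIT_BPDU, False, EXPECTED_ROOT_ID))
    print("access, rogue:", assess_bpdu(SAMPLE_ROGUE_BPDU, True, EXPECTED_ROOT_ID))
```

The same check run over BPDUs captured on a monitoring port lets you tell an attack from a naturally occurring loop, which the text above warns must be investigated before blaming an intruder.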
