STP

Spanning-Tree Protocol (STP) is a Layer 2 (L2) loop avoidance mechanism. Without STP, redundant L2 links would cause large forwarding loops and massive performance problems. From a security standpoint, STP has a few design characteristics of interest.

First, STP has no provisions for authentication of the bridge protocol data units (BPDUs) that are sent from switches and bridges as they exchange STP information. These BPDUs could easily be sent from an unauthorized device, which could have any number of undesirable effects.

To start with, if the attacker can cause a failure of a link in the forwarding state, it generally takes 30 to 50 seconds for STP to deal with the failure and reconverge the topology. Some switches now include features to deal with this problem. On Cisco devices, the features are called PortFast and UplinkFast.

Second, for there to be some "authority" in the STP network, the participating switches elect a root bridge. It is from this bridge that the loop-free topology is built. The root bridge is generally determined through STP configuration messages, which indicate the bridge priority of a given switch; the lowest number becomes the root bridge. If an attacker is able to send out BPDUs from his station, he can send out a configuration message with a bridge priority of zero. This will likely make his system the root bridge and will often change which links are active on a given network (since the topology is redetermined from the perspective of the new root bridge). No special tools are needed to do this; some UNIX implementations come with Ethernet bridging utilities that allow them to configure their system as a bridge with full participation in the STP process. As an example, consider the following topology in Figure 6-1.

In the figure, you can see that the attacker has established two links to two different L2 switches. F denotes a link that is forwarding; B is a link that is blocked because of STP. This could easily be done by walking a long cable to another jack in a building or by using a WLAN network (if it was poorly designed). From here, you can see that one of the attacker's links is in the blocking state. This is exactly what STP should do to prevent loops. However, the attacker then sends BPDUs advertising himself as bridge priority zero. This causes STP to reconverge and the attacker to become the root bridge. A topology that looks like the one in Figure 6-2 results.

Figure 6-1. Starting Topology [diagram: access switches and attacker]

Figure 6-2. Resulting Topology [diagram: access switches and attacker]

Because the topology is built from the perspective of the attacker, you can see that all traffic that must pass between the switches flows through the attacker's PC. This allows an attacker any number of options, as outlined in Chapter 3. The most obvious are sniffing traffic, acting as a man-in-the-middle, or creating a denial of service (DoS) condition on the network. The DoS condition is achieved because the attacker can make his links much slower than the links between the two access switches, which could very likely be connected by gigabit Ethernet.

NOTE

You might ask, "Doesn't STP take into account bandwidth speed when determining the topology?" It does, but always from the perspective of the root bridge. While testing in the lab, I was able to take a full-duplex gigabit link between two access switches and reduce it to a half-duplex 10 megabit (Mb) connection between those access switches and the attacking PC. This is never good for a production network.

Fortunately, mitigating this attack is fairly straightforward. First, some advocate disabling STP in all cases in which you don't have network loops. Although this sounds like a good idea, the attacker could instead introduce a loop into your network as a means of attack. A better option is to filter which ports are allowed to participate in the STP process. Some switches offer the ability to do this today. On Cisco devices, the two principal options are BPDU Guard and Root Guard.
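The attack above hinges on an unauthorized device advertising a root bridge ID that beats the real root's. As an added example (not from the book), here is a small decoder for 802.1D configuration BPDUs that flags any sender claiming a root ID lower than the one you expect, the same condition Root Guard enforces on the switch; the bridge IDs, MAC addresses and sample frames are constructed for the demonstration.

```python
import struct
from dataclasses import dataclass

# 802.1D configuration BPDU, the 35 bytes after the LLC header 42 42 03:
# protocol id, version, type, flags, root id, root path cost, sender bridge id,
# port id, then message age / max age / hello / forward delay in 1/256 s units.
_BPDU_FMT = ">HBBB8sI8sHHHHH"
BPDU_LEN = struct.calcsize(_BPDU_FMT)  # 35
BPDU_TYPE_CONFIG = 0x00

@dataclass(frozen=True, order=True)
class BridgeId:
    """Bridge ID as sent on the wire; the lowest (priority, mac) wins the root election."""
    priority: int  # 16-bit priority field as carried in the BPDU (an attacker advertises 0)
    mac: str

    @classmethod
    def from_bytes(cls, raw: bytes) -> "BridgeId":
        return cls(int.from_bytes(raw[:2], "big"), raw[2:8].hex(":"))

    def to_bytes(self) -> bytes:
        return self.priority.to_bytes(2, "big") + bytes.fromhex(self.mac.replace(":", ""))

def build_config_bpdu(root: BridgeId, sender: BridgeId, root_cost: int = 0) -> bytes:
    """Constructed sample BPDU: flags 0, port 0x8001, default 802.1D timers 20/2/15 s."""
    return struct.pack(_BPDU_FMT, 0, 0, BPDU_TYPE_CONFIG, 0, root.to_bytes(), root_cost,
                       sender.to_bytes(), 0x8001, 0, 20 * 256, 2 * 256, 15 * 256)

def parse_config_bpdu(payload: bytes) -> dict:
    """Decode a configuration BPDU; raise ValueError for anything else."""
    if len(payload) < BPDU_LEN:
        raise ValueError("truncated BPDU")
    fields = struct.unpack(_BPDU_FMT, payload[:BPDU_LEN])
    proto, btype, root, cost, sender, port = (fields[i] for i in (0, 2, 4, 5, 6, 7))
    if proto != 0 or btype != BPDU_TYPE_CONFIG:
        raise ValueError("not an 802.1D configuration BPDU")
    return {"root": BridgeId.from_bytes(root), "root_cost": cost, "port": port,
            "sender": BridgeId.from_bytes(sender), "max_age_s": fields[9] / 256}

def superior_root_claims(bpdus, expected_root: BridgeId) -> list:
    """Return (sender, claimed root) for each BPDU claiming a 'better' root than the baseline."""
    parsed = map(parse_config_bpdu, bpdus)
    return [(b["sender"], b["root"]) for b in parsed if b["root"] < expected_root]

# Constructed sample traffic: the legitimate root, an access switch relaying it,
# and a host advertising itself as root with priority zero, as described above.
KNOWN_ROOT = BridgeId(32768, "00:00:0c:aa:aa:01")
ACCESS_SW = BridgeId(32768, "00:00:0c:aa:aa:02")
ROGUE = BridgeId(0, "00:11:22:33:44:55")
SAMPLE_BPDUS = [build_config_bpdu(KNOWN_ROOT, KNOWN_ROOT),
                build_config_bpdu(KNOWN_ROOT, ACCESS_SW, 4), build_config_bpdu(ROGUE, ROGUE)]
```

Run against a capture of BPDUs seen on access ports, a non-empty result from `superior_root_claims` is exactly the event that Root Guard would have blocked; with 802.1t extended system IDs, only the top 4 bits of the 16-bit field are the configured priority.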
