VLAN Hopping Attacks

VLANs are a simple way to segment a network within an enterprise to improve performance and simplify maintenance. Each VLAN is a single broadcast domain. On a link that carries more than one VLAN, frames are marked with an identification header (a VLAN tag), and a port receives only frames that belong to its VLAN. VLAN membership is carried between switches in a LAN over trunk ports, which forward traffic for multiple VLANs across the same physical link; by default a trunk carries all VLANs. Two trunk encapsulations are used: IEEE 802.1Q and Cisco's proprietary ISL, which is now largely obsolete. Whether a switch port forms a trunk can be negotiated with the Dynamic Trunking Protocol (DTP), which detects whether the device at the far end of the link is capable of trunking and, if so, brings up a trunk on both ends. The DTP mode of a port may be set to dynamic auto, dynamic desirable, trunk, access, or nonegotiate (the older CatOS names are auto, desirable, on, off and nonegotiate). The default on most Cisco switches is dynamic auto (older IOS releases defaulted to dynamic desirable), so a port left at its default will form a trunk with any neighbor that claims to be able to trunk, including an attacker's host.

One of the areas of concern in Layer 2 security is the variety of mechanisms by which frames sent from one VLAN may be intercepted or redirected into another VLAN, which is called VLAN hopping. VLAN hopping attacks allow an attacker to bypass the Layer 3 device (router or firewall) that would normally mediate, and filter, traffic between VLANs. The attacks take advantage of a trunk port that is misconfigured or left at its defaults: a port that will negotiate a trunk with an end host, or a trunk whose native VLAN is also used for access ports.

It is important to note that the double-tagging variant does not work on a single switch, because the inner tag takes effect only when the frame crosses a trunk to a second switch; with one switch the frame is never forwarded into the destination VLAN. In a multiswitch environment, the trunk link between switches is what gets exploited. Switch spoofing, by contrast, needs only a single switch with a port that will negotiate a trunk. There are two different types of VLAN hopping attacks:

• Switch spoofing The network attacker configures a system to behave as a switch by emulating either ISL or 802.1Q trunking and DTP signaling. If the port is in dynamic auto or dynamic desirable mode, DTP brings up a trunk, and the attacker's host appears to be a switch with a trunk port and therefore a member of all VLANs, able to send and receive traffic in each of them. The defense is to disable negotiation on every port that faces an end host (switchport mode access together with switchport nonegotiate) and to configure real trunks statically.

• Double tagging Another variation of the VLAN hopping attack involves tagging the transmitted frames with two 802.1Q headers. Most switches perform only one level of decapsulation. The outer tag carries the VLAN of the attacker's access port, which must also be the native VLAN of the trunk; the inner tag carries the target VLAN. When the first switch sees the double-tagged frame, it strips the outer tag, treats the frame as belonging to the attacker's (native) VLAN, and forwards it to ports in that VLAN and across the trunk. Because native-VLAN traffic leaves the trunk untagged, the frame crosses the trunk carrying only the inner 802.1Q tag. The second switch forwards the frame based on the VLAN ID in that remaining tag, delivering it into the target VLAN. This type of attack works even if DTP is turned off on the trunk ports, because no negotiation is involved. It is also one-way: replies from the target VLAN have no path back to the attacker, so it suits blind injection (for example a denial of service against a host in the target VLAN) rather than interactive sessions. Mitigations are to use a dedicated, otherwise unused VLAN as the native VLAN on every trunk, never to assign that VLAN to an access port, and to tag the native VLAN on trunks (vlan dot1q tag native).

Figure 14-3 shows VLAN hopping with a double-tagging scenario.
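The double-tagging path described above, modelled in Python as an added example (this is not code from the original page): it builds a real 802.1Q double-tagged Ethernet frame byte by byte and follows it through an access port, a trunk and a second switch, with the native VLAN and tag-native settings as parameters so the mitigations can be checked against the same frame. The MAC addresses, VLAN numbers and payload are constructed for illustration, and the switch behaviour is a simplified model (one tag popped on ingress, native VLAN sent untagged, a tagged frame on an access port accepted only when its VID matches the access VLAN), not any vendor's implementation.

```python
"""802.1Q double tagging: frame construction and a model of how it crosses a trunk.

Added example, not code from the original page. Addresses, VLAN numbers and the
payload are constructed for illustration; switch behaviour is a simplified model.
"""
import struct

TPID_8021Q = 0x8100        # 802.1Q Tag Protocol Identifier
ETHERTYPE_IPV4 = 0x0800


def mac(text):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def dot1q_tag(vid, pcp=0, dei=0):
    """4-byte 802.1Q tag: TPID, then TCI = PCP(3 bits) | DEI(1 bit) | VID(12 bits)."""
    if not 0 <= vid <= 4095:
        raise ValueError("VID must fit in 12 bits")
    return struct.pack("!HH", TPID_8021Q, (pcp << 13) | (dei << 12) | vid)


def build_frame(dst, src, vids, payload, ethertype=ETHERTYPE_IPV4):
    """Ethernet frame with stacked 802.1Q tags, outermost VID first."""
    tags = b"".join(dot1q_tag(v) for v in vids)
    return mac(dst) + mac(src) + tags + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, [vids outermost first], ethertype, payload)."""
    vids, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    ethertype = struct.unpack_from("!H", frame, off)[0]
    return frame[:6], frame[6:12], vids, ethertype, frame[off + 2:]


def pop_tag(frame):
    """Remove exactly the outermost tag: the single level of decapsulation a switch does."""
    return frame[:12] + frame[16:]


def push_tag(frame, vid):
    """Insert a tag for `vid` right after the MAC addresses (trunk egress for non-native VLANs)."""
    return frame[:12] + dot1q_tag(vid) + frame[12:]


def access_ingress(frame, access_vlan):
    """Access port: untagged frames join access_vlan; a tagged frame is accepted only if its
    outer VID equals access_vlan, and that tag is popped. Returns (vlan, frame) or None (dropped)."""
    vids = parse_frame(frame)[2]
    if not vids:
        return access_vlan, frame
    if vids[0] != access_vlan:
        return None
    return access_vlan, pop_tag(frame)


def trunk_egress(vlan, frame, native_vlan, tag_native=False):
    """Trunk egress: native-VLAN frames leave untagged unless tag_native is set."""
    if vlan == native_vlan and not tag_native:
        return frame
    return push_tag(frame, vlan)


def trunk_ingress(frame, native_vlan):
    """Trunk ingress: the outer tag selects the VLAN; an untagged frame belongs to the native VLAN."""
    vids = parse_frame(frame)[2]
    if not vids:
        return native_vlan, frame
    return vids[0], pop_tag(frame)


def double_tag_path(outer_vid, inner_vid, attacker_vlan, native_vlan, tag_native=False):
    """Follow one attacker frame: access port on switch 1 -> trunk -> switch 2.
    Returns the VLAN switch 2 places the frame in, or None if switch 1 dropped it."""
    frame = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01",
                        [outer_vid, inner_vid], b"hop")   # constructed attacker frame
    step = access_ingress(frame, attacker_vlan)
    if step is None:
        return None
    vlan, frame = step
    frame = trunk_egress(vlan, frame, native_vlan, tag_native)
    vlan, frame = trunk_ingress(frame, native_vlan)
    return vlan


if __name__ == "__main__":
    # Attacker in VLAN 1, trunk native VLAN 1: inner tag survives, frame lands in VLAN 20.
    print(double_tag_path(1, 20, attacker_vlan=1, native_vlan=1))
    # Native VLAN moved to an unused VLAN: switch 1 re-tags the frame, switch 2 keeps it in VLAN 1.
    print(double_tag_path(1, 20, attacker_vlan=1, native_vlan=999))
    # Native VLAN tagged on the trunk: same outcome, the hop fails.
    print(double_tag_path(1, 20, attacker_vlan=1, native_vlan=1, tag_native=True))
```

Running the block prints 20, 1 and 1: the hop succeeds only when the attacker's access VLAN is the trunk's native VLAN and that VLAN leaves the trunk untagged, which is exactly the condition the two mitigations remove. Note that nothing in the model carries a reply back, which is the one-way limitation of the attack.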
