
Attacks on the layer two of the OSI model (III): Spanning Tree Protocol

Let's have a look at three possible attacks on STP. The first two are Denial of Service (DoS) attacks, which force every device participating in STP to recompute its paths. This causes network instability, because every switch is forced to spend CPU time and memory recomputing the paths. Such attacks can also cause network loops to appear. In the worst case the entire network goes down and duplicated packets are seen everywhere, congesting the network and causing a total malfunction.

These attacks are rather simple. They are based on sending thousands of BPDUs (Configuration BPDUs in the first attack, TCNs in the second) whose source MAC address (and, in a Configuration BPDU, other fields such as the Bridge ID) is generated randomly. This simulates thousands of new devices connecting to the network and wanting to participate in the protocol, which causes chaos.

The two attacks can be performed using Yersinia and are called: sending conf BPDUs and sending tcn BPDUs (press [x] to choose the attack in GUI mode).
Results of a DoS attack sending Configuration BPDU
01:20:26: STP: VLAN0001 heard root 32768-d1bf.6d60.097b on Fa0/8
01:20:26: STP: VLAN0001 heard root 32768-9ac6.0f72.7118 on Fa0/8
01:20:26: STP: VLAN0001 heard root 32768-85a3.3662.43dc on Fa0/8
01:20:26: STP: VLAN0001 heard root 32768-3d84.bc1c.918e on Fa0/8
01:20:26: STP: VLAN0001 heard root 32768-b2e2.1a12.dbb4 on Fa0/8

Results of a DoS attack sending TCN BPDU
01:35:39: STP: VLAN0001 Topology Change rcvd on Fa0/8
01:35:39: STP: VLAN0001 Topology Change rcvd on Fa0/8
01:35:39: STP: VLAN0001 Topology Change rcvd on Fa0/8
01:35:39: STP: VLAN0001 Topology Change rcvd on Fa0/8
01:35:39: STP: VLAN0001 Topology Change rcvd on Fa0/8
The third attack consists of trying to acquire the STP root role. A BPDU is first captured, which contains the root ID. Then the attacking system is set up so that it behaves as another network device which wants to participate in STP and has a lower ID than the current root. The root ID is decremented by one, so that it doesn't differ much from the real root ID and the network administrator won't notice the change at a glance.

The main consequence of such an attack is network instability. We must remember that all the members of the network send notifications (TCN) to the root device when they detect a change. Only then does the root device send a Configuration BPDU with the change bit set to 1 (Flags field) in order to notify all the members to recompute their paths. If the attack is successful, the new, false root device discards the TCNs sent by the switches, so no switch recomputes its path. This, in turn, breaks down the structure of the network.

In order to perform the attack in Yersinia, we must first press [d] to fill the BPDU with default values and then run the attack called Claiming Root Role (press [x] and then choose attack four). The attack has two phases. First we capture a Configuration BPDU to learn the root ID, then we send the newly crafted Configuration BPDU once every hello time interval.
Results of the Claiming Root Role attack
01:58:48: STP: VLAN0001 heard root 32769-000e.84d4.2280 on Fa0/8
01:58:48: supersedes 32769-000e.84d5.2280
01:58:48: STP: VLAN0001 new root is 32769, 000e.84d4.2280 on port Fa0/8, cost 19
The old root ID was 32769-000e.84d5.2280, while the new one is now 32769-000e.84d4.2280. If we carefully examine the root ID, we can see that the fifteenth character is now a four instead of a five. Our virtual device has a lower ID and is therefore elected as the STP root.
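The three log excerpts above (the Configuration BPDU flood, the TCN flood and the root takeover) each leave a distinctive trace in the switch's STP debug output. The following Python script is an added example, not part of the original post or of Yersinia: it parses those Cisco "debug spanning-tree" style lines and raises an alert when many distinct root IDs are heard on one port within a second, when TCNs arrive on one port at a high rate, or when the root changes at all, additionally marking a new root whose bridge ID differs from the previous root in a single MAC octet (the "decrement by one" trick described above). The sample input is the post's own log lines; the threshold and the alert names are assumptions chosen for the example.

```python
import re
from collections import defaultdict

# Hex MAC in Cisco dotted form, e.g. 000e.84d4.2280
MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
TS = r"(?P<ts>\d\d:\d\d:\d\d)"

# The three message shapes that appear in the post's debug output.
HEARD_RE = re.compile(rf"^{TS}: STP: (?P<vlan>VLAN\d+) heard root (?P<prio>\d+)-(?P<mac>{MAC}) on (?P<port>\S+)$")
TCN_RE = re.compile(rf"^{TS}: STP: (?P<vlan>VLAN\d+) Topology Change rcvd on (?P<port>\S+)$")
SUPERSEDES_RE = re.compile(rf"^{TS}: supersedes (?P<prio>\d+)-(?P<mac>{MAC})$")
NEWROOT_RE = re.compile(
    rf"^{TS}: STP: (?P<vlan>VLAN\d+) new root is (?P<prio>\d+), (?P<mac>{MAC}) on port (?P<port>[^,\s]+), cost (?P<cost>\d+)$"
)


def mac_to_int(mac):
    return int(mac.replace(".", "").lower(), 16)


def bridge_id(prio, mac):
    """802.1D bridge ID: 16-bit priority followed by the 48-bit MAC; the lowest value wins."""
    return (int(prio) << 48) | mac_to_int(mac)


def lookalike(old_prio, old_mac, new_prio, new_mac):
    """True when both IDs share the priority and the MACs differ in exactly one octet."""
    if int(old_prio) != int(new_prio):
        return False
    a, b = mac_to_int(old_mac), mac_to_int(new_mac)
    differing = sum(1 for i in range(6) if ((a >> (8 * i)) & 0xFF) != ((b >> (8 * i)) & 0xFF))
    return differing == 1


def analyse(lines, flood_threshold=3):
    """Return (kind, timestamp, port, detail) alerts for the attack signatures described in the post."""
    roots_heard = defaultdict(set)   # (second, port) -> distinct root IDs heard in that second
    tcn_count = defaultdict(int)     # (second, port) -> TCN BPDUs received in that second
    superseded = None                # root ID named by the most recent "supersedes" line
    alerts = []
    for raw in lines:
        line = raw.strip()
        if m := HEARD_RE.match(line):
            key = (m["ts"], m["port"])
            roots_heard[key].add(bridge_id(m["prio"], m["mac"]))
            if len(roots_heard[key]) == flood_threshold:   # fire once per (second, port)
                alerts.append(("CONF_BPDU_FLOOD", m["ts"], m["port"],
                               f"{flood_threshold} or more distinct root IDs heard within one second"))
        elif m := TCN_RE.match(line):
            key = (m["ts"], m["port"])
            tcn_count[key] += 1
            if tcn_count[key] == flood_threshold:
                alerts.append(("TCN_FLOOD", m["ts"], m["port"],
                               f"{flood_threshold} or more TCN BPDUs received within one second"))
        elif m := SUPERSEDES_RE.match(line):
            superseded = (m["prio"], m["mac"])
        elif m := NEWROOT_RE.match(line):
            detail = f"new root {m['prio']}-{m['mac']} learned via {m['port']}"
            if superseded and lookalike(*superseded, m["prio"], m["mac"]):
                detail += f"; differs from previous root {superseded[0]}-{superseded[1]} in one octet only"
            alerts.append(("ROOT_CHANGE", m["ts"], m["port"], detail))
            superseded = None
    return alerts


# Sample input: the debug lines quoted in the post, concatenated.
SAMPLE_LOG = """
01:20:26: STP: VLAN0001 heard root 32768-d1bf.6d60.097b on Fa0/8
01:20:26: STP: VLAN0001 heard root 32768-9ac6.0f72.7118 on Fa0/8
01:20:26: STP: VLAN0001 heard root 32768-85a3.3662.43dc on Fa0/8
01:20:26: STP: VLAN0001 heard root 32768-3d84.bc1c.918e on Fa0/8
01:20:26: STP: VLAN0001 heard root 32768-b2e2.1a12.dbb4 on Fa0/8
01:35:39: STP: VLAN0001 Topology Change rcvd on Fa0/8
01:35:39: STP: VLAN0001 Topology Change rcvd on Fa0/8
01:35:39: STP: VLAN0001 Topology Change rcvd on Fa0/8
01:35:39: STP: VLAN0001 Topology Change rcvd on Fa0/8
01:35:39: STP: VLAN0001 Topology Change rcvd on Fa0/8
01:58:48: STP: VLAN0001 heard root 32769-000e.84d4.2280 on Fa0/8
01:58:48: supersedes 32769-000e.84d5.2280
01:58:48: STP: VLAN0001 new root is 32769, 000e.84d4.2280 on port Fa0/8, cost 19
""".strip().splitlines()

if __name__ == "__main__":
    for kind, ts, port, detail in analyse(SAMPLE_LOG):
        print(f"{ts} {kind:16} {port}: {detail}")
```

Run against the sample, the script yields one alert per excerpt: a CONF_BPDU_FLOOD and a TCN_FLOOD on Fa0/8, and a ROOT_CHANGE whose detail notes that the new root is a one-octet variation of the old one. In practice every unplanned ROOT_CHANGE deserves a ticket regardless of the lookalike flag; the flag only raises the priority, since a legitimate replacement root rarely has a bridge ID that close to its predecessor.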

There are further possibilities for STP-based attacks, some of which are implemented in Yersinia. One of them is called Causing Eternal Root Elections: it keeps sending packets with lower and lower IDs, which causes a never-ending root election and complete network chaos. Another is Claiming Root Role with MiTM attack, which is a Man-in-the-Middle-type attack. We can also try Claiming Other Role, which means trying to behave like just another switch; it is a proof-of-concept attack with no negative consequences.

In order to avoid STP attacks on Cisco devices, an administrator can:
  • disable STP where it's not needed,
  • use Spanning Tree Portfast BPDU Guard Enhancement and Spanning Tree Protocol Root Guard Enhancement.
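As an added illustration of the two countermeasures just listed (this configuration is not part of the original post), the following Cisco IOS fragment enables BPDU Guard on the access port the post's logs show the BPDUs arriving on (Fa0/8) and Root Guard on an uplink. The interface FastEthernet0/24, its description and the use of err-disable recovery are assumptions for the example; the commands themselves are standard IOS.

```cisco
! Every PortFast (edge) port is shut down (err-disabled) the moment it receives any BPDU,
! so a host running a BPDU flood or a root claim is cut off before STP reacts.
spanning-tree portfast bpduguard default
! Optional: bring err-disabled ports back automatically instead of by hand.
errdisable recovery cause bpduguard
!
interface FastEthernet0/8
 description end-host port (the port the post's debug output names)
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/24
 description downlink to an access switch (hypothetical)
 ! A superior BPDU on this port puts it into root-inconsistent state
 ! instead of letting the sender become root.
 spanning-tree guard root
!
! Verification after the change:
! show spanning-tree inconsistentports
! show interfaces status err-disabled
```

BPDU Guard suits ports where no switch should ever appear; Root Guard suits ports that may legitimately carry BPDUs from other switches but must never lead towards the root. Applying the wrong one to a real inter-switch link will disable that link, so audit the topology before rolling either out.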
Alfredo Andrés
David Barroso
S21sec e-crime

1 comment:

Lukasz said...

"We must remember, that all the members of the network send notifications (TCN) to the root device when they detect a change. Only then the root device sends Configuration BPDU with the change bit set to 1 (Flags field) in order to notify all the members to recompute their paths."

Not true. A TC BPDU does not start a Spanning Tree recalculation.
It only decreases the MAC address aging time (in STP) or causes a MAC address flush (in RSTP).


© Copyright S21sec 2013 - All rights reserved