Attacks on the layer two of the OSI model (IV): Cisco Discovery Protocol

Cisco Discovery Protocol (CDP) is a proprietary Cisco protocol, which allows different Cisco network devices to communicate with one another. However, other vendors might also use CDP if they've bought the technology (for example Hewlett-Packard).

The easiest way to identify a CDP packet is by looking at the following features: an IEEE 802.3 packet with a 802.2 SNAP header and multicast destination MAC 01:00:0C:CC:CC:CC (see Figure 3). A CDP packet always contains interesting information about the properties of the device sending the packet. This information can contain for example:

• device name
• model
• IOS version
• IP address (can contain more than one)
• VTP domain
• capabilities (switch, router, bridge etc).

This data, sent periodically by each Cisco device, can offer very valuable information for later attacks. By default, CDP is enabled in Cisco devices and sends this information every 180 seconds (three minutes).

No authentication is involved when sending and receiving CDP packets. Packet data is sent in clear text. This makes attacks very easy. Additionally, CDP format is explained on the Cisco website (see Inset On the Net). A CDP packet is composed of the following fields:

• Version (1 byte): indicated CDP version, usually one or two
• TTL (1 byte) - Time To Live: CDP packet lifetime
• Checksum (2 bytes): verifies whether the packet is correct
• TLV (variable length) - Type, Length, Value series. This is the field containing the actual data, which is represented by a list of TLV tuples, each tuple with the following format: Type (2 bytes) - data type (for example Device ID, Address, Port ID), Length (2 bytes) - TLV length and Value (variable length) - the actual value (see Table 1 for examples of TLV tuples and Figure 5 for a screenshot of Yersinia showing TLVs for an example packet).

Knowing the format, we can pose as a network device sending a crafted CDP packet. It's also worth knowing, that old Cisco IOS versions have a DoS vulnerability discovered by FX of Phenoelit (see Inset On the Net). If lots of CDP packets with different IDs are sent (trying to behave as different network devices), memory is exhausted in the device. This in turn causes the device to fail and it must be rebooted to work properly. Such an attack can cause a network segment to be disconnected or, if a router is targeted, no access to Internet is possible until the device is rebooted.

If we are connected to a network which contains CDP capable devices, the GUI will quickly show CDP modes of these devices. The first attack related to CDP is based on the above mentioned vulnerability. For that, no additional information is needed.
In the Yersinia GUI in CDP mode press [x] and choose attack flooding CDP table.

Results of a CDP DoS attack
# show cdp neighbours
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone
Device ID Local Intrfce Holdtme Capability Platform Port ID
2EEEWWW Gig 0/1 253 yersinia Eth 0
ZCCCUU9 Gig 0/1 250 T S I r yersinia Eth 0
J222FFX Gig 0/1 249 R T yersinia Eth 0
WAAASS6 Gig 0/1 240 R B I r yersinia Eth 0
2IIWWWE Gig 0/1 249 T B H I yersinia Eth 0
K333FFX Gig 0/1 234 R T yersinia Eth 0
TBBBOO7 Gig 0/1 252 B H r yersinia Eth 0
3KKYKYY Gig 0/1 250 R B H yersinia Eth 0
TBBBPP7 Gig 0/1 252 S H I r yersinia Eth 0

Results of a CDP DoS attack - switch log
00:06:08: %SYS-2-MALLOCFAIL: Memory allocation of 224 bytes failed from
0x800118D0, alignment 0
Pool: Processor Free: 0 Cause: Not enough free memory
Alternate Pool: I/O Free: 32 Cause: Not enough free memory
-Process= "CDP Protocol", ipl= 0, pid= 26
-Traceback= 801DFC30 801E1DD8 800118D8 80011218 801D932C 801D9318
00:06:08: ../src-calhoun/strata_stats.c at line 137: can't not push event list
00:06:09: ../src-calhoun/strata_stats.c at line 137: can't not push event list
00:06:10: ../src-calhoun/strata_stats.c at line 137: can't not push event list
00:06:11: ../src-calhoun/strata_stats.c at line 137: can't not push event list
00:06:12: ../src-calhoun/strata_stats.c at line 137: can't not push event list
00:06:13: ../src-calhoun/strata_stats.c at line 137: can't not push event list
00:06:14: ../src-calhoun/strata_stats.c at line 137: can't not push event list
00:06:15: ../src-calhoun/strata_stats.c at line 137: can't not push event list
00:06:16: ../src-calhoun/strata_stats.c at line 137: can't not push event list
00:06:17: ../src-calhoun/strata_stats.c at line 137: can't not push event list
00:06:18: ../src-calhoun/strata_stats.c at line 137: can't not push event list
00:06:19: ../src-calhoun/strata_stats.c at line 137: can't not push event list
00:06:20: ../src-calhoun/strata_stats.c at line 137: can't not push event list
00:06:21: ../src-calhoun/strata_stats.c at line 137: can't not push event list
00:06:22: ../src-calhoun/strata_stats.c at line 137: can't not push event list
00:06:23: ../src-calhoun/strata_stats.c at line 137: can't not push event list
00:06:38: %SYS-2-MALLOCFAIL: Memory allocation of 140 bytes failed from 0x801E28BC, alignment 0
Pool: Processor Free: 0 Cause: Not enough free memory
Alternate Pool: I/O Free: 32 Cause: Not enough free memory

Yersinia also incorporates another attack, which allows to set up virtual Cisco devices. When a network administrator checks the neighbours in one of the real devices, all the crafted virtual devices will show up on a console. This attack has no negative consequences except annoying the network administrator (who will certainly try to find out what is the new device connected to their network).

The only valid countermeasure against CDP attacks is disabling CDP using the command: no cdp run. The protocol itself has not been enhanced for security.

Alfredo Andrés
David Barroso
S21sec e-crime