Vulnerability Development mailing list archives

Spanning Tree Switch Exploits? Fact or Fiction?


From: "Sean Convery" <grommond () hotmail com>
Date: Wed, 17 Apr 2002 02:01:29 -0700

I've heard a bit of rumbling about STP exploits with Ethernet switches. They seem to center around two possibilities:

1) Sending bogus BPDUs to a switched network to continually force spanning tree recalculation, thereby creating a DoS condition on the switches.

2) Sending bogus BPDUs with an advertisement that the attacker should be the root bridge. Upon completing this, the attacker would then get forwarded frames he might not normally receive.

My first question is this: Has anyone verified if this works or not with common switch vendors (Cisco et al.)? If you look at FX's prezo from Black Hat Europe last year, he mentions the possibility of both, but doesn't demonstrate anything. I'm beginning to wonder if this is just a red herring.

Second question is more of a comment. With far more useful exploits for a switched network (MAC flooding, ARP spoofing), why would you bother with this anyway? Especially since mitigating the threat is easy enough (BPDU guard mode on Cisco at least).

Thoughts?

Thanks,

Grom
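
The check a BPDU-guard style control performs on the two possibilities above, as an added example that is not part of the original post and not any vendor's code: it parses an 802.1D BPDU and labels it by the port it arrived on. The port names, the bridge IDs, the simplified "access port" model and the helper names are assumptions made for illustration.

```python
import struct

# 802.1D Configuration BPDU as it follows the LLC header (35 bytes):
# proto, version, type, flags, root ID, path cost, bridge ID, port ID, 4 timers
CONFIG = struct.Struct(">HBBB8sI8sHHHHH")

def bridge_id(priority, mac):
    """8-byte bridge ID: 2-byte priority then 6-byte MAC; the lower value wins."""
    return struct.pack(">H", priority) + bytes.fromhex(mac.replace(":", ""))

def parse_bpdu(payload):
    """Return ("config", root_id, sender_id), ("tcn", None, None) or None."""
    if len(payload) < 4 or payload[:2] != b"\x00\x00":
        return None                      # too short, or not protocol ID 0
    if payload[3] == 0x80:
        return ("tcn", None, None)       # topology change notification
    if payload[3] != 0x00 or len(payload) < CONFIG.size:
        return None
    f = CONFIG.unpack(payload[:CONFIG.size])
    return ("config", f[4], f[6])

def classify(port, payload, access_ports, current_root):
    """Label one received BPDU (simplified model: only access ports are policed)."""
    bpdu = parse_bpdu(payload)
    if bpdu is None:
        return "not-stp"
    kind, root, _sender = bpdu
    if port not in access_ports:
        return "ok"                      # switch-to-switch link, BPDUs expected
    if kind == "config" and root < current_root:
        return "alert: root claim on access port"   # possibility 2
    return "alert: BPDU on access port"  # any BPDU from a host port, incl. possibility 1

# Constructed sample data (not captured traffic); MACs are documentation values
ROOT = bridge_id(4096, "00:00:5e:00:53:01")
ACCESS = {"Gi0/5"}                       # hypothetical host-facing port

def sample_config(root, sender):
    """Build a constructed Configuration BPDU payload for the demo below."""
    return CONFIG.pack(0, 0, 0x00, 0, root, 0, sender, 0x8001,
                       0, 20 * 256, 2 * 256, 15 * 256)

if __name__ == "__main__":
    low = bridge_id(0, "00:00:5e:00:53:99")
    for port, frame in [("Gi0/1", sample_config(ROOT, ROOT)),
                        ("Gi0/5", sample_config(low, low)),
                        ("Gi0/5", b"\x00\x00\x00\x80")]:
        print(port, classify(port, frame, ACCESS, ROOT))
```
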


