Vulnerability Development mailing list archives

Re: Spanning Tree Switch Exploits? Fact or Fiction?


From: Jose Nazario <jose () monkey org>
Date: Wed, 17 Apr 2002 13:07:07 -0400 (EDT)

On Wed, 17 Apr 2002, Sean Convery wrote:

> 1) Sending bogus BPDUs to a switched network to continually force
> spanning tree recalculation, thereby creating a DoS condition on the
> switches.

early linux traffic shaping code would do this to some switches, with a rate
proportional to the size of the LAN. larger bridged LANs would suffer the
most.

libnet 1.1 now includes 802.1d code, so it should be easy to forge all
sorts of abusive packets.

> 2) Sending bogus BPDUs with an advertisement that the attacker should
> be the root bridge.  Upon completing this, the attacker would then get
> forwarded frames he might not normally receive.

with the 802.1d construction routines in libnet, plus some analysis of the
switched topology, this should be pretty easy.

> My first question is this: Has anyone verified if this works or not
> with common switch vendors (Cisco et al.)?

i've seen the first go ballistic on old cabletron switching fabrics. i
haven't tested it against cisco, linksys, etc. hardware.

> Second question is more of a comment.  With far more useful exploits
> for a switched network (MAC flooding, ARP spoofing), why would you
> bother with this anyway?

it's not as well known to the script kiddie community, it's a bit harder to
pull off, and consequently it's not watched for often. snmp traps on arp
floods are (thankfully) gaining more ground as people learn about it. a
spanning tree recalculation is a bit harder to detect for most
deployments.

alan cox has commented on this in the past, for example:

http://security-archive.merton.ox.ac.uk/archive-199905/0178.html

anyhow, i hope this makes some sense.

___________________________
jose nazario, ph.d.                     jose () monkey org
                                        http://www.monkey.org/~jose/
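As an added detector-side example (not code from this thread, from libnet, or from any switch vendor): a small Python monitor that decodes 802.1D BPDUs and flags the two things discussed above, a root-bridge advertisement better than the known root and a burst of topology-change traffic of the kind a forced recalculation produces. The bridge IDs, sample frames and thresholds are constructed for the demo.

```python
import struct
from collections import deque
# 802.1D config BPDU after the LLC header: proto id, version, type, flags, root id,
# root path cost, bridge id, port id, message age, max age, hello, forward delay.
CONFIG_BPDU = struct.Struct("!HBBB8sI8sHHHHH")
BPDU_TYPE_CONFIG, BPDU_TYPE_TCN = 0x00, 0x80

def parse_bpdu(payload):
    """Decode a raw 802.1D BPDU into a dict, or None if it is not one."""
    if len(payload) < 4 or payload[:3] != b"\x00\x00\x00":
        return None
    if payload[3] == BPDU_TYPE_TCN:                  # 4-byte topology change notification
        return {"type": "tcn"}
    if payload[3] != BPDU_TYPE_CONFIG or len(payload) < CONFIG_BPDU.size:
        return None
    _, _, _, flags, root, _, bridge, *_ = CONFIG_BPDU.unpack_from(payload)
    return {"type": "config", "tc": bool(flags & 0x01), "root_id": root, "bridge_id": bridge}

class StpMonitor:
    """Alert on root claims better than the known root, and on bursts of topology changes."""
    def __init__(self, expected_root_id, tc_limit=5, window=10.0):
        self.expected_root, self.tc_limit, self.window = expected_root_id, tc_limit, window
        self.tc_times = deque()                      # timestamps of recent TC / TCN events

    def observe(self, ts, payload):
        bpdu, alerts = parse_bpdu(payload), []
        if bpdu is None:
            return alerts
        # Bridge id = big-endian priority + MAC, lowest wins; a root id below ours is a claim.
        if bpdu["type"] == "config" and bpdu["root_id"] < self.expected_root:
            alerts.append("root-claim:" + bpdu["bridge_id"].hex())
        if bpdu["type"] == "tcn" or bpdu.get("tc"):
            self.tc_times.append(ts)
            while ts - self.tc_times[0] > self.window:
                self.tc_times.popleft()
            if len(self.tc_times) > self.tc_limit:
                alerts.append("tc-storm:%d" % len(self.tc_times))
        return alerts

def sample_config_bpdu(root_id, bridge_id):          # constructed test frame, not a capture
    return CONFIG_BPDU.pack(0, 0, BPDU_TYPE_CONFIG, 0, root_id, 0, bridge_id, 0x8001, 0, 20, 2, 15)

KNOWN_ROOT = bytes.fromhex("8000000102030405")       # priority 32768, constructed MAC
ROGUE = bytes.fromhex("000000deadbeef01")            # priority 0 beats any default bridge

def demo():
    mon = StpMonitor(KNOWN_ROOT)
    alerts = mon.observe(0.0, sample_config_bpdu(KNOWN_ROOT, KNOWN_ROOT))
    alerts += mon.observe(1.0, sample_config_bpdu(ROGUE, ROGUE))
    for i in range(6):                               # six TCNs within three seconds
        alerts += mon.observe(2.0 + 0.5 * i, bytes([0, 0, 0, BPDU_TYPE_TCN]))
    return alerts
```

In a real deployment the payload would come from a capture of frames to the 01:80:c2:00:00:00 bridge group address, and the expected root id from the switch configuration.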
