Vulnerability Development mailing list archives
Re: Spanning Tree Switch Exploits? Fact or Fiction?
From: "Sean Convery" <sean () cisco com>
Date: Wed, 1 May 2002 17:54:04 +0200
After some further thought on this, it seems like there are 3 attack scenarios which make sense:

1) BPDU DoS attack:
Send BPDUs in order to cause the switch to recalculate spanning tree. This would be relatively easy to execute and would create a DoS condition on the switched network for a period of time.
2) This next attack would require the following topology (sure hope the ASCII art works):

F=Forward
B=Block
R=STP Root Bridge

      R    F          F
      SWITCH----------SWITCH
         \ F           / F
          \           /
           \         /
            \       /
             \     /
            F \   X B
               \ /
            ATTACKER
If the attacker sends out BPDU messages to become root, the topology would change to this:
           F          B
      SWITCH-------X--SWITCH
         \ F           / F
          \           /
           \         /
            \       /
             \     /
            F \   / F
               \ /
            ATTACKER
               R
This would cause all traffic generally traveling between the two switches to now travel via the attacker. Note that this attack isn't particularly useful to an attacker since it requires a simultaneous connection to two different switches. Once executed, the attacker would be able to launch any variety of man-in-the-middle or DoS attacks.
3) A variant on number two which is a bit more realistic is this next attack. The topology looks like this:

GE=Gigabit Ethernet Link
FE=Fast Ethernet Link

      R    F          F
      SWITCH----------SWITCH
         \ F    GE     / F
          \           /
           \FE     FE/
            \       /
             \     /
            F \   X B
               \ /
             SWITCH
                |
                |
            ATTACKER
Again, the attacker sends BPDU messages to become root. This creates an STP topology change:
           F          B
      SWITCH-------X--SWITCH
         \ F    GE     / F
          \           /
           \FE     FE/
            \       /
             \     /
            F \   / F
               \ /
             SWITCH
                |
                |
            ATTACKER
               R
The impact then becomes a very painful DoS as now the GE link is no longer in use in favor of the two FE links. This attack could then potentially be combined with a CAM table flooding attack to cause backbone traffic to overflow on the attacker's port.
Can anyone think of other scenarios?
Thanks,
Sean
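As an added example, not part of Sean's post or of any Cisco code: a Python checker that parses an IEEE 802.1D Configuration BPDU and flags the conditions behind the three scenarios above, namely a BPDU arriving on an access port at all (scenario 1) and a BPDU claiming a better root than the known root (scenarios 2 and 3). The MAC addresses, the expected root and the build helper are constructed for illustration.

```python
import struct
from dataclasses import dataclass

@dataclass(frozen=True)
class ConfigBPDU:
    flags: int
    root_priority: int      # upper 16 bits of the Root Identifier
    root_mac: str
    root_path_cost: int
    bridge_priority: int
    bridge_mac: str

def parse_config_bpdu(payload: bytes) -> ConfigBPDU:
    """Parse an IEEE 802.1D Configuration BPDU (the 35 bytes after the LLC header)."""
    if len(payload) < 35:
        raise ValueError("truncated BPDU")
    proto_id, _version, bpdu_type, flags = struct.unpack(">HBBB", payload[:5])
    if proto_id != 0x0000 or bpdu_type != 0x00:
        raise ValueError("not a Configuration BPDU")
    root_prio, root_mac = struct.unpack(">H6s", payload[5:13])
    (path_cost,) = struct.unpack(">I", payload[13:17])
    bridge_prio, bridge_mac = struct.unpack(">H6s", payload[17:25])
    return ConfigBPDU(flags, root_prio, root_mac.hex(":"), path_cost,
                      bridge_prio, bridge_mac.hex(":"))

def bridge_id(priority: int, mac: str) -> tuple:
    """STP elects the numerically lowest (priority, MAC) pair as root."""
    return (priority, bytes.fromhex(mac.replace(":", "")))

# Constructed: the Bridge ID of the root we expect to see (not a real device).
KNOWN_ROOT = bridge_id(0x8000, "02:00:00:00:00:01")

def check_bpdu(bpdu: ConfigBPDU, expected_root: tuple, edge_port: bool) -> list:
    """Return alert strings for one received BPDU; an empty list means it looks benign."""
    alerts = []
    if edge_port:                        # scenario 1: no BPDU belongs on an access port
        alerts.append("BPDU received on edge/access port")
    if bridge_id(bpdu.root_priority, bpdu.root_mac) < expected_root:
        alerts.append("claims a better root than the known root (root takeover)")  # scenarios 2/3
    if bpdu.flags & 0x01:                # Topology Change flag
        alerts.append("Topology Change flag set")
    return alerts

def build_config_bpdu(root_prio, root_mac, cost, bridge_prio, bridge_mac, flags=0) -> bytes:
    """Constructed sample BPDU for exercising the parser; timers are 802.1D defaults (1/256 s units)."""
    return struct.pack(">HBBBH6sIH6sHHHHH", 0, 0, 0, flags,
                       root_prio, bytes.fromhex(root_mac.replace(":", "")), cost,
                       bridge_prio, bytes.fromhex(bridge_mac.replace(":", "")),
                       0x8001, 0, 20 * 256, 2 * 256, 15 * 256)
```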
