Vlan hopping attack

by Cyrus Lok on Tuesday, March 30, 2010 at 2:34am
Illustration of a VLAN hopping attack using a double-tagged frame.

The switch ASIC is optimized to inspect a single 802.1Q tag per frame, so a second dot1q tag nested inside the frame is not detected by the switch.

When you define VLANs and do not assign any interfaces to the VLANs you created, all interfaces remain in VLAN 1 by default. Unless specified explicitly, VLAN 1 is always the native VLAN.

In the illustration, an attacker is attempting to flood VLAN 20. He first tags the frame with VLAN 20 and then sends it out through an interface in VLAN 1 (the native VLAN).

The first switch receives the frame from the attacker. Because VLAN 1 is the native VLAN, frames in that VLAN are sent untagged across the trunk, so the VLAN 1 tag is stripped off and the frame is passed on to the next hop.

The second switch receives the frame and sees a VLAN 20 tag. It has no knowledge that the frame originated in VLAN 1, so it strips the VLAN 20 tag, classifies the frame as VLAN 20 traffic and sends it out the exit interface destined for VLAN 20.

The attacker can repeat this continuously to flood VLAN 20.

To prevent this kind of attack, never carry user data on the native VLAN; best practice is to assign the native VLAN to an unused VLAN. Shut down all interfaces that are not in use.

It is easier to manage if all trunk links use the same native VLAN.

Disable Dynamic Trunking Protocol (DTP) on all links intended to be trunks.
DTP has two negotiating modes:
dynamic desirable: the interface proactively wants to become a trunk port and is ready to be one. If this interface is connected to a peer interface that is a trunk, dynamic desirable or dynamic auto, it will negotiate itself into a trunk.

dynamic auto: the interface passively waits for the peer to negotiate a trunk. If the peer interface is a trunk or dynamic desirable, this interface becomes a trunk. It will not form a trunk with a dynamic auto peer, because both interfaces would be waiting for the other to start trunk negotiation.

To turn off DTP on a trunk, assuming gigabitethernet 0/0 is the trunk (in this example VLAN 100 is the unused VLAN chosen as the native VLAN):
interface gigabitethernet 0/0
switchport mode trunk
switchport nonegotiate
switchport trunk native vlan 100
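As an added illustration (not part of the original post), the following Python models the tag handling described above for the double-tagged frame and shows the effect of moving the native VLAN off VLAN 1; the frame bytes and MAC addresses are constructed sample input, and the two-switch model covers only the native-VLAN stripping the post describes.

```python
import struct

ETHERTYPE_8021Q = 0x8100

# Constructed sample frames (not captured traffic).
# Outer tag VID 1 (the default native VLAN), inner tag VID 20, then an IPv4 payload.
DOUBLE_TAGGED = bytes.fromhex(
    "ffffffffffff" "0011223344aa"   # dst MAC, src MAC (constructed)
    "81000001"                      # 802.1Q tag, PCP/DEI 0, VID 1
    "81000014"                      # 802.1Q tag, PCP/DEI 0, VID 20
    "0800" + "00" * 20              # ethertype IPv4 + dummy payload
)
# The same frame with no 802.1Q tags at all.
UNTAGGED = bytes.fromhex("ffffffffffff" "0011223344aa" "0800" + "00" * 20)


def vlan_tags(frame):
    """Return the 802.1Q VLAN IDs stacked on the frame, outermost first."""
    off, tags = 12, []
    while len(frame) >= off + 2 and struct.unpack_from("!H", frame, off)[0] == ETHERTYPE_8021Q:
        if len(frame) < off + 4:
            raise ValueError("truncated 802.1Q tag")
        tags.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)  # low 12 bits = VID
        off += 4
    return tags


def is_double_tagged(frame):
    """Monitoring check: more than one 802.1Q tag on a frame from an access port is abnormal."""
    return len(vlan_tags(frame)) > 1


def forwarded_vlan(frame, native_vlan):
    """Model the two-switch path from the post.

    Switch 1 sends native-VLAN traffic untagged across the trunk, so an outer
    tag equal to native_vlan is stripped.  Switch 2 then classifies the frame
    by whatever tag is left, or by the native VLAN if none remains.
    Returns the VLAN the frame is finally delivered to.
    """
    tags = vlan_tags(frame)
    if tags and tags[0] == native_vlan:
        tags = tags[1:]                      # switch 1 strips the native-VLAN tag
    return tags[0] if tags else native_vlan  # switch 2 classifies what is left


if __name__ == "__main__":
    print("tags:", vlan_tags(DOUBLE_TAGGED))                     # [1, 20]
    print("native vlan 1   ->", forwarded_vlan(DOUBLE_TAGGED, 1))    # 20: the hop succeeds
    print("native vlan 100 ->", forwarded_vlan(DOUBLE_TAGGED, 100))  # 1: inner tag never exposed
```

With the native VLAN left at 1 the inner tag reaches VLAN 20; with the native VLAN moved to an unused VLAN 100 the outer tag is never stripped and the frame stays in VLAN 1.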

This entry was posted in Security.