SecHard
STP Manipulation Attack
The attack targets the protocol by which switches elect a root bridge among themselves and block some ports to prevent loops. BPDUs are received on the ports designated as root ports and sent from designated ports. Since the ports connected to PCs are designated ports, a host attached to one can send BPDUs and present itself as the root switch.
How does an STP Manipulation Attack work?
An attacker can take the network out of service for a while by sending a large number of 'BPDU Configuration' packets from the port they are connected to.
At the same time, with the "Claiming Root Role" attack, the attacker can present their host as the root switch and listen to the traffic by making it pass through themselves.
The root path that the switch learned before the attack was as follows:
After the attack, the root path and root port changed as follows:
Now that the traffic passes through the attacker, they can perform a man-in-the-middle attack and eavesdrop on the network.
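As an added example (not SecHard's code and not part of the original page): a small Python parser for an 802.1D configuration BPDU that, for a frame seen on a host-facing port, reports the two findings a defender acts on: that a BPDU arrived on an edge port at all, and whether it claims a bridge ID superior to the known root (the "Claiming Root Role" case described above). The known root and the two sample frames are constructed values.

```python
import struct

# Root bridge of the established network, as the switches learned it before any attack.
# These values are constructed for this example.
KNOWN_ROOT_PRIORITY = 0x8000                      # default bridge priority 32768
KNOWN_ROOT_MAC = bytes.fromhex("0011223344aa")

# Constructed sample frames: LLC header + 802.1D configuration BPDU (Ethernet header stripped).
LEGIT_ROOT_BPDU = bytes.fromhex(                  # sent by the known root itself
    "424203" "0000" "00" "00" "00" "8000" "0011223344aa" "00000000"
    "8000" "0011223344aa" "8001" "0000" "1400" "0200" "0f00")
ROOT_CLAIM_BPDU = bytes.fromhex(                  # root ID with priority 0: wins the election
    "424203" "0000" "00" "00" "00" "0000" "00aabbccddee" "00000000"
    "0000" "00aabbccddee" "8001" "0000" "1400" "0200" "0f00")

def bridge_id(priority: int, mac: bytes) -> int:
    """802.1D bridge ID: 16-bit priority followed by 48-bit MAC, compared as one integer (lower wins)."""
    return (priority << 48) | int.from_bytes(mac, "big")

def parse_config_bpdu(llc_payload: bytes) -> dict:
    """Parse LLC (DSAP 0x42, SSAP 0x42, control 0x03) followed by a 35-byte configuration BPDU."""
    if llc_payload[:3] != b"\x42\x42\x03" or len(llc_payload) < 38:
        raise ValueError("not an STP frame")
    fields = struct.unpack("!HBBBH6sIH6sHHHHH", llc_payload[3:38])
    names = ("protocol_id", "version", "bpdu_type", "flags", "root_prio", "root_mac",
             "root_path_cost", "bridge_prio", "bridge_mac", "port_id",
             "message_age", "max_age", "hello_time", "forward_delay")
    bpdu = dict(zip(names, fields))
    if bpdu["protocol_id"] != 0 or bpdu["bpdu_type"] != 0x00:
        raise ValueError("not a configuration BPDU")
    return bpdu

def assess_edge_port_bpdu(llc_payload: bytes) -> list:
    """Findings for a BPDU seen on a host-facing (PortFast/edge) port."""
    bpdu = parse_config_bpdu(llc_payload)
    # No host-facing port should ever receive a BPDU; this alone is what BPDU Guard acts on.
    findings = ["bpdu_on_edge_port"]
    if bridge_id(bpdu["root_prio"], bpdu["root_mac"]) < bridge_id(KNOWN_ROOT_PRIORITY, KNOWN_ROOT_MAC):
        findings.append("claims_superior_root")   # the "Claiming Root Role" case; Root Guard blocks this
    return findings

if __name__ == "__main__":
    for name, frame in (("legit", LEGIT_ROOT_BPDU), ("claim", ROOT_CLAIM_BPDU)):
        print(name, assess_edge_port_bpdu(frame))
```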
How to prevent an STP Manipulation Attack?
An STP Manipulation Attack is prevented simply by applying the following security settings to the ports on the switch.
spanning-tree portfast bpduguard default : Run this command in global configuration mode to enable BPDU Guard on every PortFast (host-facing) port at once.
spanning-tree guard root : In an established network the root bridge is known; if a BPDU arrives on a port with Root Guard applied and would make another switch the root, the switch blocks that port (root-inconsistent state).
spanning-tree bpduguard enable : Applied on an interface; the switch disables the port if a BPDU is received on it.
In SecHard, again on the Security page, go to the STP Manipulation Attack section, select the ports and apply the configuration as follows.
Once applied, if BPDUs arrive on this port the switch disables the port, so the attack cannot proceed. As can be seen below, the port is closed as soon as a BPDU arrives.