SecHard

CDP - LLDP Attack

CDP (Cisco Discovery Protocol) and LLDP (Link Layer Discovery Protocol) are link-layer multicast protocols that a switch uses to learn which devices are its neighbors and to exchange device data (hostname, platform, management IP address, port, capabilities) with them. CDP/LLDP spoofing sends forged CDP/LLDP frames from a connected port in order to fill the switch's neighbor tables and tie up switch resources (a CDP/LLDP flood). At the same time, because the switch advertises itself in the clear, the attacker learns important information such as the switch's IP and MAC addresses; with that, he can write himself into the neighbor table, present himself as a switch, and use that position in further attacks that aim to pull traffic through him.

How to do CDP / LLDP Attack?

The neighbors table before the CDP flooding attack is as follows.

From the port it is connected to, the attacker runs a CDP flooding attack that fills the CDP neighbors table and ties up the switch's resources.

CDP snarfing (passively capturing the CDP advertisements the switch itself sends, for example with the CDPSnarf tool) is then performed to obtain information about the switch, including its MAC address. By sending LLDP frames that reuse the obtained MAC address, the attacker adds himself to the LLDP neighbors table.
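As an added detection check (example code, not part of the original page or of SecHard), the following Python script parses the plain "show cdp neighbors" output of a Cisco IOS switch and flags any local port that reports more neighbors than an end-user port should have, which is what a neighbor-table flood looks like from the switch side. The sample output is constructed; the device IDs, port numbers and the default threshold of two neighbors per port are assumptions.

```python
"""Spot a CDP neighbor-table flood from 'show cdp neighbors' output (Cisco IOS)."""
from collections import Counter

# Constructed sample: a normal uplink, a phone port, and one access port
# (Gig 1/0/5) that suddenly reports several bogus neighbors, as a flooding
# attacker would produce. Device IDs and ports are made up for the example.
SAMPLE_SHOW_CDP_NEIGHBORS = """\
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
CORE-SW1         Gig 1/0/24        154             S I      WS-C3750- Gig 1/0/1
SEP001122334455  Gig 1/0/7         120              H P      IP Phone  Port 1
ABCDEF0000001    Gig 1/0/5         180             R S      Linux     eth0
ABCDEF0000002    Gig 1/0/5         180             R S      Linux     eth0
ABCDEF0000003    Gig 1/0/5         180             R S      Linux     eth0
ABCDEF0000004    Gig 1/0/5         180             R S      Linux     eth0

Total cdp entries displayed : 6
"""


def parse_cdp_neighbors(output: str):
    """Return (device_id, local_interface) for each data row of the table.

    Rows are recognised by position: Device ID, then the local interface as
    two tokens ("Gig 1/0/24"), then the numeric hold time. Header and footer
    lines are skipped. Assumes the default (non-'detail') IOS output format.
    """
    in_table = False
    rows = []
    for line in output.splitlines():
        if line.startswith("Device ID"):
            in_table = True
            continue
        if not in_table:
            continue
        tokens = line.split()
        if len(tokens) < 4 or not tokens[3].isdigit():
            continue  # blank line, wrapped continuation, or "Total cdp entries" footer
        rows.append((tokens[0], f"{tokens[1]} {tokens[2]}"))
    return rows


def neighbors_per_port(output: str) -> dict:
    """Count distinct neighbor rows per local interface."""
    return dict(Counter(port for _, port in parse_cdp_neighbors(output)))


def flooded_ports(output: str, max_expected: int = 2) -> dict:
    """Ports announcing more neighbors than a host plus phone could explain.

    An access port normally shows at most one device (or a phone and the PC
    behind it); many distinct Device IDs on one port is the signature of a
    CDP flood. The threshold of two is an assumption for a typical user port.
    """
    return {port: n for port, n in neighbors_per_port(output).items() if n > max_expected}


if __name__ == "__main__":
    print(flooded_ports(SAMPLE_SHOW_CDP_NEIGHBORS))
```

Run it against output saved from the switch. For "show lldp neighbors" the local interface is printed as a single token (Gi1/0/5), so the row parser's column positions need adjusting before reusing it there.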

How to prevent CDP / LLDP Attack?

CDP and LLDP can be turned off completely on the switch by disabling them in global configuration mode. To do this in SecHard, go to the Hardening section and enable the "Set no CDP run" setting.

Disabling them globally turns the CDP and LLDP services off for the whole switch, including the uplinks to other switches, so neighbor discovery between network devices is lost as well.

Another option is to disable CDP and LLDP per interface instead of globally. It makes sense to stop these protocols from running on the ports to which end users connect, while leaving them active on the uplinks.

In SecHard, CDP is disabled per port by selecting the interfaces on the Security page.
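To verify either hardening option from the switch side, the following Python script (an added example, not SecHard's own code or a SecHard feature) audits a Cisco IOS running-config and lists the access ports on which CDP or LLDP is still effectively enabled, taking the global state and the per-interface overrides into account. The three sample configurations are constructed: the first is the weak state, the second applies the global "no cdp run" option, the third the per-interface option. The hostname and interface names are assumptions.

```python
"""Audit a Cisco IOS running-config for CDP/LLDP still enabled on end-user ports.

IOS semantics assumed here:
  - CDP is on by default; the running-config shows "no cdp run" only when it
    has been disabled globally. Per port it is disabled with "no cdp enable".
  - LLDP is off by default; "lldp run" appears only when it has been enabled.
    Per port it is silenced with "no lldp transmit" plus "no lldp receive".
"""
from dataclasses import dataclass, field


@dataclass
class Interface:
    name: str
    lines: list = field(default_factory=list)

    def has(self, command: str) -> bool:
        return any(line.strip() == command for line in self.lines)


def parse_config(text: str):
    """Split a running-config into top-level commands and per-interface blocks."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("interface "):
            current = Interface(raw.split(None, 1)[1].strip())
            interfaces[current.name] = current
        elif raw.startswith(" ") and current is not None:
            current.lines.append(raw)  # indented: belongs to the open interface block
        else:
            current = None  # "!" or any top-level command closes the block
            global_lines.append(raw.strip())
    return global_lines, interfaces


def cdp_enabled_globally(global_lines) -> bool:
    return "no cdp run" not in global_lines


def lldp_enabled_globally(global_lines) -> bool:
    return "lldp run" in global_lines


def audit(config_text: str):
    """Return (interface, protocol) pairs for access ports still talking CDP/LLDP.

    Trunks and other non-access ports are skipped: neighbor discovery towards
    other switches is usually wanted there. Either LLDP direction counts as a
    finding: transmit leaks the switch's details, receive lets a host fill the
    neighbor table.
    """
    global_lines, interfaces = parse_config(config_text)
    cdp_on = cdp_enabled_globally(global_lines)
    lldp_on = lldp_enabled_globally(global_lines)
    findings = []
    for name, itf in interfaces.items():
        if not itf.has("switchport mode access"):
            continue
        if cdp_on and not itf.has("no cdp enable"):
            findings.append((name, "CDP"))
        if lldp_on and not (itf.has("no lldp transmit") and itf.has("no lldp receive")):
            findings.append((name, "LLDP"))
    return findings


# Constructed sample config (hostname and port numbers are assumed, not a real device).
WEAK_CONFIG = """\
hostname ACCESS-SW1
!
lldp run
!
interface GigabitEthernet1/0/1
 description user port
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/2
 description user port, CDP already off
 switchport mode access
 no cdp enable
!
interface GigabitEthernet1/0/24
 description uplink to CORE-SW1
 switchport mode trunk
!
end
"""

# Option 1: both protocols disabled globally (the "Set no CDP run" approach).
GLOBAL_OFF_CONFIG = WEAK_CONFIG.replace("lldp run", "no cdp run")

# Option 2: protocols stay on for the uplink, silenced only on the user ports.
PER_PORT_OFF_CONFIG = WEAK_CONFIG.replace(
    " switchport mode access\n",
    " switchport mode access\n no cdp enable\n no lldp transmit\n no lldp receive\n",
)

if __name__ == "__main__":
    for label, cfg in [("weak", WEAK_CONFIG), ("global off", GLOBAL_OFF_CONFIG),
                       ("per-port off", PER_PORT_OFF_CONFIG)]:
        print(label, audit(cfg))
```

Feed it the text of "show running-config" from the switch after applying either option; an empty result means no end-user port still advertises or accepts CDP/LLDP.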

