10.2.2.1.3. CDP Attack / Flooding Attack

Cisco Discovery Protocol (CDP) is a proprietary protocol that all Cisco devices can use by default. CDP discovers other Cisco devices that are directly connected. It simplifies configuration and connectivity by enabling devices to automatically configure their connections in some cases. CDP messages are not encrypted.

 CDP contains information about the network version such as software version, IP address, platform, capabilities and local VLAN. When this information is available to an attacker computer, the attacker on that computer can use it to find exploits to attack your network, usually in the form of a Denial of Service (DoS) attack.

An attacker can easily use Wireshark or other network analyzer software to sniff information about devices that CDP sends across the network in a broadcast message. In particular, the Cisco IOS software version found through CDP allows the attacker to investigate and determine if there are any vulnerabilities specific to that particular code version. Furthermore, because CDP is not authenticated, an attacker can create fake CDP packets and have them received by the attacker's directly connected Cisco device. If the attacker can access the router via Telnet or SNMP, they can use CDP information to discover the entire topology of your network at Layer 2 and Layer 3, including all IOS levels, router and switch model types, and IP addressing.