SecHard
10.2.2.1.6. STP Manipulation Attack
In this attack the adversary connects to a switch port, either directly or through another switch, and manipulates Spanning Tree Protocol (STP) parameters until its own device is elected root bridge. Once the tree has been rebuilt around it, it sees frames that would otherwise never be forwarded to its port.
STP attacks typically aim to change the root bridge of the Layer 2 network by injecting forged Bridge Protocol Data Units (BPDUs) that advertise a better (numerically lower) bridge ID than the legitimate root. The Spanning Tree Protocol recalculates the topology and elects the attacker's switch as root of the Layer 2 network; from then on traffic between the other switches is forwarded through it, where it can be read with nothing more than a packet capture tool.
BPDU Guard puts a port that receives any BPDU into the error-disabled (err-disabled) state. Enabled globally with spanning-tree portfast bpduguard default it applies to every PortFast-enabled port; enabled per interface with spanning-tree bpduguard enable it applies to that port whether or not PortFast is configured. Once err-disabled, the port stays down until an administrator re-enables it (shutdown followed by no shutdown) or an errdisable recovery timer (errdisable recovery cause bpduguard) brings it back; it does not recover by itself when the BPDUs stop. That is the intended response: a BPDU arriving on an access port means an unauthorized switch has appeared, so the event is treated as a misconfiguration or security condition rather than as a normal topology change.
Root Guard is a Cisco Catalyst switch feature that lets administrators enforce where the root bridge may sit in a Layer 2 network. It is configured on designated ports, that is, on ports that must never become root ports: in a Spanning Tree implementation the root port is the one port on a switch with the lowest path cost to the root bridge, and every port facing away from the root is a designated port. If a Root Guard port receives a superior BPDU (one that would make the tree choose a different root), the switch does not recalculate; it places the port into the root-inconsistent state, in which no user traffic is forwarded, and logs the event. The port returns to normal operation by itself as soon as superior BPDUs are no longer received on it (after the last one ages out), so unlike BPDU Guard no manual intervention is needed. show spanning-tree inconsistentports lists the ports currently held in this state.
Unlike BPDU Guard, which can be enabled globally for the whole switch (spanning-tree portfast bpduguard default) or on a per-interface basis, Root Guard can only be enabled per interface. This is done with the spanning-tree guard root interface configuration command.
The two cases side by side. An attacker connects an unauthorized network device, such as another switch, to an access port to gain a foothold in the Layer 2 switched network: BPDU Guard error-disables a PortFast-configured interface the moment a BPDU arrives on it. An attacker tries to manipulate the STP root bridge so that all traffic is switched through its own device: Root Guard blocks forwarding on an interface that receives a superior BPDU, and the legitimate root stays where it is. The commands "spanning-tree guard root" and "spanning-tree bpduguard enable" control these actions. They belong on different ports: root guard on designated ports that lead to other switches, BPDU guard on PortFast edge ports that lead to end hosts.
spanning-tree guard root
spanning-tree bpduguard enable
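The "superior BPDU" test that Root Guard reacts to, the any-BPDU trigger of BPDU Guard, and what an unprotected port does with the same frame, worked through as an added Python example. This is illustrative code written for this page, not code from SecHard or from any switch vendor. It parses raw 802.1D configuration BPDUs using the standard field layout, then drives a deliberately minimal switch model; the port names, MAC addresses, bridge priorities, the fixed port cost of 4 and the whole scenario in demo() are constructed assumptions.

```python
"""Parse 802.1D configuration BPDUs and model how a switch port reacts to them with
BPDU Guard, with Root Guard, and with no protection at all.  Added illustration, not
code from the page or any switch vendor; the switch model is deliberately minimal."""
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Config BPDU after the 3-byte LLC header (DSAP 0x42, SSAP 0x42, control 0x03):
# proto(2) version(1) type(1) flags(1) root id(8) root path cost(4) bridge id(8)
# port id(2) message age(2) max age(2) hello(2) forward delay(2)  -> 35 bytes
BPDU_FMT = "!HBBB8sI8sHHHHH"
BPDU_LEN = struct.calcsize(BPDU_FMT)
LLC_STP = b"\x42\x42\x03"
TYPE_CONFIG = 0x00
PORT_COST = 4  # 802.1D-1998 cost of a 1 Gb/s link; assumed for every port here

def bridge_id(priority: int, mac: str) -> bytes:
    """8-byte bridge ID: 16-bit priority (incl. extended system ID) + 48-bit MAC."""
    return struct.pack("!H", priority) + bytes.fromhex(mac.replace(":", ""))

@dataclass
class Bpdu:
    root_id: bytes
    root_path_cost: int
    sender_id: bytes
    port_id: int

    def vector(self) -> Tuple[bytes, int, bytes, int]:
        # 802.1D ranks BPDUs by this tuple; the lexicographically lower one is "superior",
        # which is why an attacker advertises priority 0 and root path cost 0.
        return (self.root_id, self.root_path_cost, self.sender_id, self.port_id)

def build_config_bpdu(root_id: bytes, cost: int, sender_id: bytes, port_id: int) -> bytes:
    """Serialise a config BPDU (LLC header included) with the default STP timers."""
    return LLC_STP + struct.pack(BPDU_FMT, 0, 0, TYPE_CONFIG, 0, root_id, cost,
                                 sender_id, port_id, 0, 20 * 256, 2 * 256, 15 * 256)

def parse_bpdu(payload: bytes) -> Optional[Bpdu]:
    """Return the parsed config BPDU, or None for anything else (data frames, TCN BPDUs)."""
    if not payload.startswith(LLC_STP) or len(payload) < len(LLC_STP) + BPDU_LEN:
        return None
    f = struct.unpack(BPDU_FMT, payload[len(LLC_STP):len(LLC_STP) + BPDU_LEN])
    return Bpdu(f[4], f[5], f[6], f[7]) if f[2] == TYPE_CONFIG else None

@dataclass
class Port:
    port_id: int
    bpduguard: bool = False    # spanning-tree bpduguard enable
    rootguard: bool = False    # spanning-tree guard root
    state: str = "forwarding"  # forwarding | err-disabled | root-inconsistent

@dataclass
class Switch:
    bridge_id: bytes
    root_id: bytes
    root_path_cost: int
    ports: Dict[str, Port] = field(default_factory=dict)

    def receive(self, name: str, payload: bytes) -> str:
        """Process one received frame on a port and return the port's resulting state."""
        port = self.ports[name]
        bpdu = parse_bpdu(payload)
        if bpdu is None or port.state != "forwarding":
            return port.state
        # What this port itself sends as a designated port; anything lower is superior.
        own = (self.root_id, self.root_path_cost, self.bridge_id, port.port_id)
        if port.bpduguard:
            port.state = "err-disabled"  # any BPDU on an edge port means a rogue switch
        elif port.rootguard and bpdu.vector() < own:
            port.state = "root-inconsistent"  # refuse to let this port move the root
        elif bpdu.root_id < self.root_id:
            # Unprotected port: STP does what it was designed to do and adopts the new root.
            self.root_id = bpdu.root_id
            self.root_path_cost = bpdu.root_path_cost + PORT_COST
        return port.state

    def superior_bpdus_aged_out(self, name: str) -> str:
        """Root Guard clears itself once superior BPDUs stop; err-disable does not."""
        port = self.ports[name]
        if port.state == "root-inconsistent":
            port.state = "forwarding"
        return port.state

def demo() -> dict:
    """Constructed scenario: one access switch, an attacker injecting a priority-0 BPDU."""
    legit_root = bridge_id(4096, "00:00:0c:aa:aa:aa")
    sw = Switch(bridge_id(32768, "00:00:0c:bb:bb:bb"), legit_root, root_path_cost=4)
    sw.ports = {"Gi0/1": Port(0x8001, bpduguard=True),  # PortFast edge port
                "Gi0/2": Port(0x8002, rootguard=True),  # designated port to a downstream switch
                "Gi0/3": Port(0x8003)}                  # unprotected
    attacker = bridge_id(0, "00:11:22:33:44:55")
    evil = build_config_bpdu(attacker, 0, attacker, 0x8001)
    # Honest downstream switch: agrees on the real root, just at a higher cost.
    benign = build_config_bpdu(legit_root, 8, bridge_id(32768, "00:00:0c:cc:cc:cc"), 0x8001)
    out = {"benign_on_Gi0/2": sw.receive("Gi0/2", benign),
           "evil_on_Gi0/1": sw.receive("Gi0/1", evil),
           "evil_on_Gi0/2": sw.receive("Gi0/2", evil)}
    out["Gi0/2_after_aging"] = sw.superior_bpdus_aged_out("Gi0/2")
    out["Gi0/1_after_aging"] = sw.superior_bpdus_aged_out("Gi0/1")
    out["root_still_legit"] = sw.root_id == legit_root
    out["evil_on_Gi0/3"] = sw.receive("Gi0/3", evil)
    out["root_hijacked"] = sw.root_id == attacker
    return out
```

Calling demo() walks the three cases: the benign BPDU from an honest neighbour leaves the Root Guard port forwarding because its vector is not lower than what the port itself advertises; the attacker's priority-0 BPDU err-disables the BPDU Guard port, puts the Root Guard port into root-inconsistent (which clears on its own once those BPDUs age out, while the err-disabled port stays down), and only on the unprotected port does the switch actually adopt the attacker as root. Real switches compare on the same four-field priority vector, so a single mismatched byte in the root ID decides the outcome, which is why "is this BPDU superior to mine" is the whole of the Root Guard decision.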