References :

http://www.pages02.net/coastamsnetworkbox/newsletter/newsletter_oct2013_article1.html?s
pMailingID=5794236&spUserID
=MTY5NTk0OTE2NTAS1&spJobID=342534226&spReportId=MzQyNTM0MjI2S0
(diakses 11 Februari 2017)

Redscan - Ten top threats to VLAN security - Unusual traffic detected

Ten top threats to VLAN security

When people talk about Virtual LANs (VLANs), they tend not to focus on the security features
of this versatile network topology. However, there are several tangible security vulnerabilities
that can increase business risk if they are not properly understood and mitigated. In this article,
Redscan's Simon Heron highlights the ten top threats.

Attacks on VLANs are easier to perpetrate than you might think. There are several known
applications (including yersinia, dsniff and macof) that provide potential attackers with the
tools to penetrate VLANs and cause chaos. Easy to find and download from the Internet, these
tools show people how to exploit badly configured networks and physical weaknesses in the
LAN, making it depressingly easy for them to launch a devastating VLAN attack.

VLANs are implemented at layer 2 of the OSI network model. The majority of layer 2 (data
link layer) attacks exploit the inability of a switch to track an attacker, because the switch has
no inherent mechanism to detect that an attack is occurring. This weakness means that this same
attacker can perform malicious acts against the network path, altering the path and exploiting
the change without detection.

While the number of possible attack vectors is large, here is a list of what I believe to be the top
ten threats for organisations using VLANs in no particular order.

1. CAM Table Overflow/Media Access Control (MAC) Attack

This attack focuses on the Content Addressable Memory (CAM) table, which stores
information such as MAC addresses on a physical port along with the associated VLAN
parameters. CAM tables have a fixed size and that is what makes them a target for attack. Like
a buffer overflow attack, the aim is to fill this table up and see what happens.

The attacker sits on a physical port and generates a vast number of MAC entries. When the
CAM table fills up and has no room left, traffic without a CAM entry is sent out on all ports of
the VLAN in question. Traffic with a CAM entry is not affected, but adjacent switches can be.

Depending on the switch in question, this type of attack can be mitigated by:

Specifying the MAC addresses that are allowed to communicate through the physical
port
 Limiting the number of MAC addresses for a port

If an invalid MAC address is found, the MAC address can either be blocked or the port closed
down. This prevents the CAM table from being filled up and blocks the attack. Whilst more
draconian, it can be argued that closing the port may be the better response as, obviously,
something suspicious is happening on that port.

2. Address Resolution Protocol (ARP) attack

ARP was developed at a time when security was not such an issue. Consequently, this protocol
has a simple belief that everyone is friendly and responses can be taken at face value. If a host
broadcasts an ARP request to the network, it expects only the relevant host to respond.
Similarly, if a host announces its presence by sending out a gratuitous ARP, other hosts expect
that it is telling the truth and believe what it broadcasts. This, of course, works well until a
malicious host appears.

In Figure 2, a host starts broadcasting a gratuitous ARP, announcing itself to hold the IP address
of the default gateway, 10.3.2.1. PCs, routers and other hosts may cache information gained
from gratuitous ARPs for future communications. As a result, anything from a legitimate host
will be routed through the malicious host as the default gateway. The attacker then pushes the
data to the real default gateway. This will allow the attack to view traffic on the way out of the
network but incoming traffic will by-pass the attacker. The attacker now needs to broadcast the
address of the host they are trying to target on the LAN to get the default gateway to send the
incoming packets to itself before transmitting them to the victim. Now it can see all the traffic
incoming and outgoing.
One consideration is that without a VLAN, this attacker could affect the entire LAN, so VLANs
do mitigate this sort of attack. Another way of mitigating these 'Man in the Middle' attacks is
to use Private VLANs to force hosts to only talk to the default gateway but this is not always
practical.

3. Switch Spoofing/Basic VLAN Hopping Attack

In my previous article on VLANs, The anatomy of a VLAN published in Redscan's July 2013
newsletter, I explained how trunks on switches carry traffic for all VLANs. In Figure 3 below,
there are three VLANs, 5, 10 and 15. A VLAN trunk has been configured to allow the two sites
to communicate.

A malicious host now presents itself to router 1 as another router and attempts to connect by
using the appropriate tagging and trunking protocols (e.g. Multiple VLAN Registration
Protocol, IEEE 802.1Q, VLAN Trunking Protocol). If successful, then the attacker can see the
traffic on all the VLANs and can contact hosts on any of the VLANs.

To mitigate this attack vector, organisations should ensure that ports are not set to negotiate
trunks automatically and that ports, which are not meant to be trunks, are configured as access
ports.

4. Double Tagging/Double Encapsulation VLAN Hopping Attack

This is a development of Switch Spoofing, as many systems are now configured correctly to
prevent Switch Spoofing. The exploit this time is to build a packet with two 802.1Q VLAN
headers as shown on the left of Figure 4. The first router strips off the first header and sends it
on to router 2. Router 2 strips the second header and send the packet to the destination.

This attack sends a packet in only one direction, but still gives the attacker access to hosts that
should not be accessible. It only works if the trunk has the same native VLAN as the attacker.
To mitigate this attack, auto-trunking should be disabled and a dedicated VLAN ID should be
used for all trunk ports. Finally, avoid using VLAN 1.

5. VLAN Management Policy Server (VMPS)/ VLAN Query Protocol (VQP) attack

This is a slightly unlikely attack as it requires the network to use VMPS. It is unusual as it
imposes a significant load on the administrative resources of a company and Cisco, whose
protocol this is, is moving towards 802.1X for the same functionality.

However, if implemented, VMPS allows VLANs to be assigned based on the MAC address of
the host and these relationships are stored in a database. This database is usually downloaded
to the VMPS and then queried using VQP, an unauthenticated protocol that uses UDP (User
Datagram Protocol), making it very easy to manipulate by an attacker. As a result, by using
VQP, it is very easy to impersonate hosts as there is no authentication, which allows the attacker
to join a VLAN that he or she is not authorised to access.

The mitigation is to either monitor the network for misbehaviour, send VQP queries out of band
or to disable it the protocol.

6. Cisco Discovery Protocol (CDP) Attack

CDP is a feature that allows Cisco devices to exchange information and configure the network
to work smoothly together. The information being sent is sensitive, such as IP addresses, router
models, software versions and so on. It is all sent in clear text so any attacker sniffing the
network is able to see this information and, as it is unauthenticated, it is possible to impersonate
another device.

The best option is to disable CDP where possible. However, CDP can be useful and, if it can
be isolated by not allowing it on user ports, then it can help make the network run more
smoothly.
7. Multicast Brute-Force Attack

A multicast brute-force attack searches for failings in the switch software. The attacker tries to
exploit any potential vulnerability in a switch, by storming it with multicast frames. As with
CAM overflow, the aim is to see if a switch receiving a large amount of layer 2 multicast traffic
will "misbehave". The switch should limit the traffic to its original VLAN, but if the switch
does not handle this correctly, frames might leak into other VLANs, if routing connects them.

This type of attack is pretty speculative as it looks for the switch to mishandle multicast frames.
The switch should contain all the frames within their appropriate broadcast domain and an
attack of this nature should not be possible. However, switches have failed to handle this form
of attack in the past and hence it is another attack vector.

8. Random Frame-Stress Attack

This type of attack could almost be considered "Fuzzying"

(https://www.owasp.org/index.php/Fuzzing), but at layer 2. A large number of packets is
generated, randomly varying several fields within each packet and leaving only the source
and destination addresses untouched. The aim is to see how the switch software copes with
meaningless or unexpected values in packet fields. This type of attack should fail, but
obviously bugs do occur which may allow for unexpected access to other VLANs or give rise
to denial of service (DoS) attacks.

9. Private VLAN (PVLAN) Attack

PVLANs are used to further divide up groups of hosts at layer 2. For instance a demilitarised
zone (DMZ) might have web servers that are accessed by the outside world and a sFTP (Secure
File Transfer Protocol) server providing download facilities for staff in the field. There is no
reason for these servers to talk to each other and PVLANs will prevent this from happening.
Indeed, PVLANs make it very difficult for an infected web server to taint a sFTP server,
however, they will only do this at layer 2. PVLANs are not intended or designed to protect
against a layer 3 attack.

An example is given in Figure 5. An attacker would create a frame with the destination MAC
address set to that of the router; the source address can be that of the host he or she is on. At
layer 3, the frame has the IP address of the intended victim. The switch will pass this frame to
the router as the destination MAC address is that of the router. The router will then forward the
frame to the victim as the IP address is valid.

With this attack, packets can only be sent. The return frames will have the correct addressing
and will be blocked.
An attack can be mitigated by the using the right ACLs (Access Control List) on the router,
preventing the IP addresses on the primary LAN from talking to each other. This means that
only those servers in PVLAN1 can talk to each other through the switch, thanks to the PVLAN,
but the attacker cannot access servers on PVLAN 1 from PVLAN 2.

10. Spanning Tree Protocol (STP) Attacks

STP is used to maintain loop free network topologies. This is achieved using Bridge Protocol
Data Units (BPDU) which are very simple packets with no payload. By using BPDUs, a switch
is chosen as the Root Bridge which then defines how traffic is routed round the network. In
such an exchange, it can take around 30 seconds to establish which switch is to be the Root
Bridge.

An attacker has two options. One is to repeatedly send Topology Change Notification (TCN)
messages to disrupt the systems current understanding of the network and force renegotiation
of the Root Bridge, resulting in a DoS attack. An alternative is to send a specially crafted BPDU
to try and become the Root Bridge. Once this is done, then it is possible for the attacker to see
packets that are not intended for him/her. This is not trivial and requires for the attacker to stay
connected to two switches, running bridging software, so that he/she can advertise as a priority
zero bridge.

Prevention of STP attacks can be achieved by using features like BPDU guard on Cisco
products, which enforce the selection of the Root Bridge.

Despite the scale and variety of VLAN threats - and their potentially devastating impact on
networks - they can all be effectively mitigated through the combination of good network
management practices, effective network design and the application of advanced security
products. VLANs can be secure, and organisations should not be perturbed from deploying
them because of the threats; rather they should deploy them wisely to mitigate the threats.
References : http://yahdiinformatika.staff.telkomuniversity.ac.id/ide-proyek-
akhiruntuknetwork-engineering-dan-network-programming/

Title: STP Vulnerabilities, attacks and mitigation

Abstract:
The projects understand the internal architecture of STP packets and the fields inside it. The
mechanism which attackers use to exploit the vulnerabilities in the STP packets is understood.
The project understand the different features available on Cisco switches like BPDU-Root
guard, Root guard , Loop guard along with appropriate configurations.
References : http://www.masagunglearning.com/2016/10/keamanan-jaringan-pada-
spanningtree-protocol.html (diakses 14 Februari 2017)

Artikel membahas Keamanan Jaringan pada Spanning Tree Protocol (STP). Spanning Tree
Protocol (STP) adalah lapisan 2 protokol manajemen link. Tujuan utama dari STP adalah untuk
memastikan bahwa tidak ada loop aliran data ketika jaringan memiliki jalur berlebihan.

Umumnya, jalur berlebihan dibangun untuk memberikan kehandalan ke jaringan. Tapi mereka
bisa membentuk loop mematikan yang dapat menyebabkan serangan DoS dalam jaringan.

Spanning Tree Protocol

Dalam rangka memberikan jalan redundansi yang diinginkan, serta untuk menghindari kondisi
loop, STP mendefinisikan sebuah pohon yang mencakup semua switch dalam jaringan. STP
memaksa link data yang berlebihan tertentu ke dalam keadaan diblokir dan membuat link
lainnya dalam keadaan forwarding.

Jika link dalam kondisi forwarding rusak, STP mengkonfigurasi ulang jaringan dan mengubah
jalur data dengan mengaktifkan jalur standby yang sesuai. STP berjalan pada bridge dan switch
digunakan dalam jaringan. Semua switch bertukar informasi untuk seleksi root switch dan
untuk konfigurasi selanjutnya dari jaringan. Bridge Protocol Data Units (BPDU) membawa
informasi ini. Melalui pertukaran BPDU, semua switch dalam jaringan memilih akar jembatan
/ switch yang menjadi titik fokus dalam jaringan dan mengontrol link diblokir dan diteruskan.

Serangan pada STP

Mengambil alih root Bridges. Ini adalah salah satu jenis yang paling mengganggu dari
attack pada lapisan 2. Secara default, switch LAN mengambil setiap BPDU dikirim dari
berdekatan beralih pada nilai nominal. Kebetulan, STP adalah trustfull, stateless, dan tidak
menyediakan mekanisme otentikasi suara.
Setelah di modus serangan root, saklar menyerang mengirimkan BPDU setiap 2 detik
dengan prioritas yang sama dengan jembatan akar saat ini, tetapi dengan alamat MAC sedikit
numerik lebih rendah, yang menjamin kemenangannya dalam proses pemilihan root-bridge.
Switch penyerang bisa meluncurkan attack DoS baik dengan tidak benar mengakui switch lain
menyebabkan BPDU banjir atau dengan menundukkan switch untuk over-proses BPDU
dengan mengaku menjadi root pada satu waktu dan mencabut secara berurutan.
 DoS menggunakan Flood Konfigurasi BPDU. Switch menyerang tidak berusaha untuk
mengambil alih sebagai root. Sebaliknya, itu menghasilkan sejumlah besar BPDU per detik
yang mengarah ke sangat tinggi utilisasi CPU pada switch.

Pencegahan Serangan Pada STP

Untungnya, penanggulangan serangan root take over sederhana dan mudah. Dua fitur
membantu dalam mengalahkan serangan root take over.

Root Guard root guard membatasi port switch dari mana root bridge dapat
dinegosiasikan. Jika 'root-guard-enabled' Port menerima BPDU yang lebih unggul dengan yang
root bridge saat mengirimkan, maka port yang pindah ke kondisi root-inkonsisten, dan tidak
ada lalu lintas data diteruskan menyeberangi Port itu. Root Guard terbaik dikerahkan menuju
port yang terhubung ke switch yang tidak diharapkan untuk mengambil alih sebagai jembatan
root.
BPDU-Guard BPDU-guard digunakan untuk melindungi jaringan dari masalah yang
mungkin disebabkan oleh penerimaan BPDU pada port akses. Ini adalah port yang tidak boleh
menerima mereka. BPDU-guard yang terbaik dikerahkan menuju port yang dilihat pengguna
untuk mencegah penyisipan switch nakal oleh penyerang.