Re: STP mitm attack idea Apr 28 2010 09:26PM
Jason T. Masker (jason masker net) (1 replies)
Re: STP mitm attack idea Apr 29 2010 05:21PM
Ivan Jager aij+ (at) mrph (dot) org [email concealed] (aij+ mrph org) (1 replies)
RE: STP mitm attack idea Apr 30 2010 01:02PM
Williams, Dan (dwilliam london ca) (1 replies)
RE: STP mitm attack idea May 20 2010 01:50PM
Guillermo Marro Bruno (gmmarro flowgate net)

> Shutting down the port is useful for security in the way that it helps
> prevent the type of attack that Xperience has described. When BPDU Guard
> is implemented the port will be shut down if any Spanning Tree packets
> are seen. It is risky turning off Spanning Tree as any loops in the
> network will create a denial of service by causing broadcast traffic to
> be sent out every port on the switch in a continuous loop. An
> interesting thing to note is what happens if a cable is plugged into two
> ports on a switch, essentially creating a loop. For this reason when
> BPDU is implemented and a port comes up it will send out two Spanning
> Tree packets. The opposing port sees these packets and shuts down. One
> other feature of BPDU guard is that it can be configured to stay in an
> error state for a specified period of time by using the "errdisable
> recovery cause bpduguard" command. When configured using the "errdisable
> recovery interval xxx" command, this allows the port to return to normal usage
> after the error condition has been resolved. Another reason to implement
> these features is that it prevents Access ports from "sharing" Spanning
> Tree information and "leaking" the network topology. From a security
> standpoint it might be useful to disable CDP on Access ports as well.

In complex L2 network topologies, physical link redundancy is good, but
logical link redundancy is not. Thus we need R/STP.

In my eyes, BPDU guard and Root Guard are somehow effective measures but
they tend to focus on L2 issues coming from a L3-ish philosophy ('think
first and then connect the plug'). When you plug a cord into a switch you
want it to be as plug-and-play as possible, you don't want to think
about port configuration issues, it's L2 after all!
By using Cisco's countermeasures we are constraining the very intent of
The true solution that unfortunately no vendors seem to explore is
adding BPDU message authentication (crypto-based). It's not trivial, it'd
demand more initial configuration, but it's the only reasonably strong

BTW, the attack described by Xperience is a variation of a
tree-segmentation attack. See page 24 in:


In case you can get some sort of direct link between C and D
(wireless?), the attack would be much more stealthy and efficient.



Guillermo Marro
F l o w g a t e Consulting
Maipu 778 - Piso 1 - Of 10
(2000) Rosario - Santa Fe - ARGENTINA
TEL: +54-341-4112511

PGP Fingerprint:
8EFD D853 00A4 B247 2F36 692F 4242 4C02 C0BF 67DB
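
The crypto-based BPDU authentication suggested in the message above, sketched as an added example that is not part of the original post and not an 802.1D or vendor feature. It assumes a hypothetical scheme in which every bridge in the domain shares one pre-configured key and appends an HMAC-SHA256 tag to each configuration BPDU; the function names, key and MAC addresses are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Hypothetical scheme: 802.1D itself defines no authentication field for BPDUs.
TAG_LEN = 32                      # HMAC-SHA256 output size
BPDU_FMT = "!HBBB8sI8sHHHHH"      # 802.1D configuration BPDU layout, 35 bytes

def bridge_id(priority, mac):
    """8-byte bridge ID: 2-byte priority followed by the 6-byte MAC."""
    return struct.pack("!H6s", priority, bytes.fromhex(mac.replace(":", "")))

def build_config_bpdu(root_id, cost, sender_id, port_id):
    # Timers are in 1/256 s: message age 0, max age 20 s, hello 2 s, fwd delay 15 s.
    return struct.pack(BPDU_FMT, 0, 0, 0, 0, root_id, cost, sender_id, port_id,
                       0, 20 * 256, 2 * 256, 15 * 256)

def sign_bpdu(key, bpdu):
    return bpdu + hmac.new(key, bpdu, hashlib.sha256).digest()

def verify_bpdu(key, frame):
    """Return the BPDU if its tag verifies under the domain key, else None."""
    bpdu_len = struct.calcsize(BPDU_FMT)
    if len(frame) != bpdu_len + TAG_LEN:
        return None
    bpdu, tag = frame[:bpdu_len], frame[bpdu_len:]
    expected = hmac.new(key, bpdu, hashlib.sha256).digest()
    return bpdu if hmac.compare_digest(tag, expected) else None

def accept_root_claim(key, frame, current_root):
    """Root election step: only an authenticated BPDU may change the root."""
    bpdu = verify_bpdu(key, frame)
    if bpdu is None:
        return current_root       # unauthenticated frame is ignored
    claimed_root = struct.unpack(BPDU_FMT, bpdu)[4]
    # Lower bridge ID wins; big-endian bytes compare in the same order.
    return min(claimed_root, current_root)

if __name__ == "__main__":
    domain_key = b"constructed-demo-key-32-bytes!!!"          # constructed sample
    root = bridge_id(4096, "00:00:5e:00:53:01")               # constructed sample
    claim = bridge_id(0, "00:00:5e:00:53:ff")                 # constructed sample
    bpdu = build_config_bpdu(claim, 0, claim, 0x8001)
    unkeyed = sign_bpdu(b"not-the-domain-key", bpdu)
    print("unkeyed claim accepted:", accept_root_claim(domain_key, unkeyed, root) != root)
    keyed = sign_bpdu(domain_key, bpdu)
    print("keyed claim accepted:  ", accept_root_claim(domain_key, keyed, root) != root)
```

A bare MAC like this does not stop replay of a previously captured valid BPDU, and a single shared key means any bridge holding it can claim root; a real design would need a sequence number or timestamp under the tag and a key distribution story, which is the extra configuration cost the message refers to.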

Copyright 2010, SecurityFocus