VLAN Hopping Attacks And Mitigation/Prevention

Any network is only as strong as its weakest link. Layer 2 of the OSI model supports the upper layers where most applications operate, and Layer 2 is also where most attacks occur. We will examine some common Layer 2 attacks and then look at ways in which they can be mitigated, if not eliminated.


VLAN Hopping Attacks
VLAN hopping attacks occur when an attacker tricks a switch into forwarding traffic to a VLAN other than the one assigned to the port to which they are connected. Normally, a router is required to forward traffic between VLANs at Layer 3. Allowing traffic to hop to a different VLAN is very dangerous: if an attacker can fool the switch into revealing traffic from another VLAN, sensitive information carried in cleartext, such as passwords, can be obtained. For example, an attacker might be able to hop into the management VLAN, a mission-critical traffic plane. This is ironic, since according to Cisco, the three main advantages of VLANs are:
1. Segmentation
2. Flexibility
3. Security
The first and third points are related. By segmenting a network into different virtual broadcast domains, security is achieved; under normal operation, a user connected to a switch port is able to see only the following traffic, and only within their own VLAN:

Unicast traffic: frames destined to a single host, the user's own PC.
Flooded traffic: frames that are forwarded out every interface except the one they arrived on, consisting of:
Unknown unicast frames
The majority of multicast frames
Broadcast frames

We will examine two common VLAN hopping attacks:
1. VLAN hopping by rogue trunk
2. VLAN hopping by double tagging

VLAN Hopping by Rogue Trunk
VLAN hopping by rogue trunk is one of the simplest attacks to explain and also one of the simplest to mitigate. A rogue trunk (like a rogue access point) is where an attacker sets up an unauthorized trunk on the switch port to which they are connected. Trunks (either Cisco ISL or IEEE 802.1Q) carry traffic from all VLANs by default. Add to this fact that Cisco switch ports will auto-negotiate trunking, and you have a problem. Here is how an attack will proceed:


1. An attacker needs just to trick the switch into negotiating a trunk by using the signaling protocol for automatic trunk negotiation, Dynamic Trunking Protocol (DTP). The attacker connects a rogue switch to an unused switch port and spoofs DTP messages to automatically negotiate and thus turn on trunking between the rogue switch and the victim switch.
2. The attacker can now send traffic into the network tagged with the VLAN ID of a VLAN that has been learned from the trunk.
VLAN Hopping by Rogue Trunk Attack Mitigation

Attack mitigation is simple:
1. Turn off trunking on ports unless they specifically need it:
   Catalyst1(config-if)#switchport mode access
2. On the remaining ports that require trunking, enable trunking manually and disable DTP:
   Catalyst1(config-if)#switchport mode trunk
   Catalyst1(config-if)#switchport nonegotiate

VLAN Hopping by Double-Tagging
Another type of VLAN attack is a double-tagging (or double-encapsulated) VLAN hopping attack. This type of attack takes advantage of the way that hardware on most switches operates. Most switches perform only one level of 802.1Q decapsulation; this can allow an attacker in specific situations to embed a hidden 802.1Q tag inside the frame. This tag allows the frame to go to a VLAN that the original 802.1Q tag did not specify. An important characteristic of the double-encapsulated VLAN hopping attack is that it works even if trunk ports are disabled.

A double-tagging VLAN hopping attack follows four steps:
1. The attacker sends a double-tagged 802.1Q frame to the switch. The outer header carries the VLAN tag of the attacker, which is the same as the native VLAN of the trunk port. For the purposes of this example, assume that this is VLAN 10. The inner tag is the victim VLAN, in this example VLAN 20.
2. The frame arrives at the first switch, which looks only at the first 4-byte 802.1Q tag. The switch sees that the frame is destined for VLAN 10, the native VLAN, strips the VLAN 10 tag and forwards the frame out all VLAN 10 ports. On the trunk port the frame is not retagged, because it belongs to the native VLAN. At this point the VLAN 20 tag is still intact and has not been inspected by the first switch.
3. The frame arrives at the second switch, which has no way of knowing that it was supposed to be for VLAN 10: native VLAN traffic is sent untagged, as the 802.1Q specification requires.
4. The second switch looks only at the inner 802.1Q tag that the attacker sent and sees that the frame is destined for VLAN 20, the target VLAN. The second switch sends the frame on to the victim port or floods it, depending on whether there is an existing MAC address table entry for the victim host.
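To make the four steps above concrete, the following Python model of the two switches is an added example and is not code from the original post. It builds an Ethernet frame carrying two 802.1Q tags (the MAC addresses and payload are constructed values), applies exactly one level of decapsulation at each switch as the text describes, and returns the VLAN in which the second switch finally delivers the frame. Running it with the trunk's native VLAN set to a value other than the attacker's VLAN shows the frame being retagged on the trunk and staying in VLAN 10, which is why the native-VLAN mitigation described in the next section works.

```python
import struct

TPID_8021Q = 0x8100      # EtherType value that marks an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

# Constructed sample addresses and payload (hypothetical, not from the original post)
ATTACKER_MAC = bytes.fromhex("020000000001")
VICTIM_MAC = bytes.fromhex("020000000002")
PAYLOAD = b"constructed payload"


def build_frame(dst, src, vlan_ids, ethertype, payload):
    """Build an Ethernet frame carrying zero or more 802.1Q tags, outermost first."""
    frame = dst + src
    for vid in vlan_ids:
        # TPID 0x8100 followed by the TCI: PCP=0, DEI=0, 12-bit VLAN ID
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


def vlan_tags(frame):
    """Return the list of 802.1Q VLAN IDs present on the frame, outermost first."""
    tags, off = [], 12
    while len(frame) >= off + 4 and struct.unpack("!H", frame[off:off + 2])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        tags.append(tci & 0x0FFF)
        off += 4
    return tags


def strip_outer_tag(frame):
    """Remove exactly one (the outermost) 802.1Q tag: a single level of decapsulation."""
    return frame[:12] + frame[16:]


def push_tag(frame, vid):
    """Add an 802.1Q tag in front of whatever tags the frame already carries."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) + frame[12:]


def access_port_ingress(frame, access_vlan):
    """Switch 1 receives the frame on an access port. A tag matching the port's VLAN is
    accepted and stripped (one level only); an untagged frame is assigned to the access
    VLAN; a tag for any other VLAN is dropped. Returns (vlan, frame) or (None, None)."""
    tags = vlan_tags(frame)
    if not tags:
        return access_vlan, frame
    if tags[0] != access_vlan:
        return None, None
    return access_vlan, strip_outer_tag(frame)


def trunk_egress(frame, vlan, native_vlan):
    """Switch 1 sends the frame out the 802.1Q trunk: native VLAN goes untagged, others get a tag."""
    if vlan == native_vlan:
        return frame
    return push_tag(frame, vlan)


def trunk_ingress(frame, native_vlan):
    """Switch 2 receives the frame on its trunk: the outer tag decides the VLAN and is
    stripped; an untagged frame belongs to the native VLAN."""
    tags = vlan_tags(frame)
    if tags:
        return tags[0], strip_outer_tag(frame)
    return native_vlan, frame


def deliver(attacker_vlan, victim_vlan, trunk_native_vlan):
    """Follow a double-tagged frame through both switches and return the VLAN in which
    switch 2 finally delivers it (None if switch 1 dropped it on ingress)."""
    frame = build_frame(VICTIM_MAC, ATTACKER_MAC, [attacker_vlan, victim_vlan],
                        ETHERTYPE_IPV4, PAYLOAD)
    vlan, frame = access_port_ingress(frame, attacker_vlan)
    if vlan is None:
        return None
    frame = trunk_egress(frame, vlan, trunk_native_vlan)
    delivered_vlan, _ = trunk_ingress(frame, trunk_native_vlan)
    return delivered_vlan


if __name__ == "__main__":
    # Trunk native VLAN equals the attacker's VLAN: the inner tag is exposed, frame lands in VLAN 20
    print("native VLAN 10 :", deliver(10, 20, 10))
    # Trunk native VLAN is an unused dummy VLAN: the trunk retags the frame, it stays in VLAN 10
    print("native VLAN 999:", deliver(10, 20, 999))
```

The model deliberately mirrors the single-tag hardware behaviour the text describes: each switch strips at most one tag, and a frame that leaves switch 1 untagged on the native VLAN carries the attacker's inner tag straight into switch 2's decision.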

VLAN Hopping by Double-Tagging Attack Mitigation
This type of attack is unidirectional and works only when the attacker and trunk port have the same native VLAN. Thwarting this type of attack is not as easy as stopping basic VLAN hopping attacks.

The best approach is to ensure that the native VLAN of the trunk ports is different from the native VLAN of the user ports. In fact, it is considered a security best practice to use a dummy VLAN that is unused throughout the switched LAN as the native VLAN for all 802.1Q trunks. An example CLI is:
Catalyst1(config-if)#switchport trunk native vlan 10
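As an added example that is not from the original post, the following Python script audits a Catalyst-style running-config for the three mitigations given above: ports left able to negotiate a trunk through DTP, static trunks that still run DTP because they lack switchport nonegotiate, and trunk native VLANs that collide with a VLAN in which user ports sit. The sample configuration, interface names and descriptions are constructed; the parser understands only the handful of switchport commands used on this page, and it assumes that an interface with no switchport mode line is in the default (unprinted) dynamic trunking mode and that the IOS defaults for the access VLAN and the trunk native VLAN are both VLAN 1.

```python
import re

# Constructed sample running-config; interface names and descriptions are hypothetical
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 description user port left in the default dynamic trunking mode
 switchport access vlan 10
!
interface GigabitEthernet0/2
 description user port with trunking turned off
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/23
 description uplink: static trunk, but DTP still on and native VLAN shared with users
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport mode trunk
!
interface GigabitEthernet0/24
 description uplink: static trunk, DTP off, unused dummy native VLAN
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport mode trunk
 switchport nonegotiate
!
"""

DEFAULT_VLAN = 1  # assumed IOS default for both the access VLAN and the trunk native VLAN


def parse_interfaces(config_text):
    """Split an IOS-style running-config into {interface name: [its indented config lines]}."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith("!"):
            current = None            # '!' separates configuration sections
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(raw.strip())
    return interfaces


def port_settings(lines):
    """Extract the switchport settings relevant to VLAN hopping from one interface block."""
    s = {"mode": None, "nonegotiate": False,
         "access_vlan": DEFAULT_VLAN, "native_vlan": DEFAULT_VLAN}
    for line in lines:
        if line == "switchport mode access":
            s["mode"] = "access"
        elif line == "switchport mode trunk":
            s["mode"] = "trunk"
        elif line.startswith("switchport mode dynamic"):
            s["mode"] = "dynamic"
        elif line == "switchport nonegotiate":
            s["nonegotiate"] = True
        access = re.fullmatch(r"switchport access vlan (\d+)", line)
        if access:
            s["access_vlan"] = int(access.group(1))
        native = re.fullmatch(r"switchport trunk native vlan (\d+)", line)
        if native:
            s["native_vlan"] = int(native.group(1))
    return s


def audit(config_text):
    """Return (interface, code, message) findings for the mitigations discussed on this page."""
    findings = []
    settings = {name: port_settings(lines)
                for name, lines in parse_interfaces(config_text).items()}
    # VLANs that non-trunk ports (including ports still in the default mode) actually sit in
    user_vlans = {s["access_vlan"] for s in settings.values() if s["mode"] != "trunk"}
    for name, s in settings.items():
        if s["mode"] in (None, "dynamic"):
            findings.append((name, "DTP_NEGOTIATE",
                             "port can still negotiate a trunk via DTP; use 'switchport mode access'"))
        if s["mode"] == "trunk" and not s["nonegotiate"]:
            findings.append((name, "TRUNK_DTP",
                             "static trunk still runs DTP; add 'switchport nonegotiate'"))
        if s["mode"] == "trunk" and s["native_vlan"] in user_vlans:
            findings.append((name, "NATIVE_OVERLAP",
                             f"trunk native VLAN {s['native_vlan']} is also a user port VLAN; "
                             "use an unused dummy VLAN as the native VLAN"))
    return findings


if __name__ == "__main__":
    for interface, code, message in audit(SAMPLE_CONFIG):
        print(f"{interface}: [{code}] {message}")
```

On the sample above, GigabitEthernet0/1 is reported for negotiable trunking, GigabitEthernet0/23 for both running DTP and sharing its native VLAN 10 with the user ports, and GigabitEthernet0/24, which applies all three settings, is clean.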
