In local networks, the Spanning Tree Protocol (STP), which works on OSI Layer 2, plays an important role in ensuring a stable network infrastructure. As a protocol to avoid loops, it enables a redundant network topology and protects against data loss and network congestion. In this blog post we deal with the security risks that the default configuration of the STP harbors: We will show you 3 spanning tree protocol attacks and then explain how you can avoid them with the BPDU-Guard function.
If you want to read how the spanning tree protocol works in detail, we recommend our basic article:
https://www.prosec-networks.com/blog/das-spanning-tree-protokoll/
The Spanning Tree Protocol, although developed as a stabilizing technology, harbors weaknesses that attackers can exploit.
Sent and received BPDUs are trusted by default. The protocol offers no authentication or verification option that a switch could use to check whether a BPDU really comes from another switch. As a result, any device that can send BPDUs (Linux, Unix, switches) can take part in and alter the spanning tree process.
A common STP attack method is to disrupt the network over longer periods of time or to prevent communication altogether (denial of service). This can lead to degraded service or a temporary total loss of network traffic. Another possibility is eavesdropping on and redirecting network traffic.
The following section shows three specific attacks that take advantage of the Spanning Tree Protocol.
The ports of the switches have no security mechanism that prevents an attacker from accessing STP. This allows an attacker to read STP traffic.
If you do not take active countermeasures, an attacker connected to a port receives the configuration BPDUs sent by the STP process running on that port.
In our example we read the traffic with the network analysis tool Wireshark and gain insight into the STP frames.
The BPDU frames reveal additional information such as BPDU type, flags, root ID, etc. This information can be useful for further attack vectors.
In addition to gathering information, attackers can use STP to trigger a denial of service in the network. To do this, the attacker sends reconfiguration packets to all switches. Various frames can be used to cause a denial of service, which we discuss in more detail below.
We use the tool Yersinia to perform this attack.
In the Attack Menu for Yersinia, the attacks marked with x are DoS attacks. As long as an attacker runs the DoS via Yersinia, other devices can no longer communicate because the switch is repeatedly asked to restart the STP process. The root bridge is constantly being renegotiated, which produces a lot of traffic.
If you look at the attack in Wireshark, you can see from the ConfCT that Yersinia is manipulating entries. These include the root bridge priority, the Bridge System ID Extension and other fields.
Yersinia keeps sending new topology change notifications to the root bridge; the constant stream of TCN packets fully consumes the bandwidth between the switches (traffic congestion).
By declaring his device as the root bridge in the network, the attacker makes all Layer 2 traffic flow through it. Since normal computers are usually not up to this load, a system crash is not unlikely. Therefore, you should approach this attack with caution.
In the attack menu in Yersinia, choose option 4: "Claim root role". Yersinia emulates a new Layer 2 device entering the network and negotiates the root bridge role accordingly. In large networks there is a high probability that the computer will crash. If the attacker's device crashes, a DoS is triggered, because the root bridge it represented is then no longer available.
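As an added example (not code from the original post, nor from Yersinia or Wireshark), the following Python parses the 802.1D BPDU fields mentioned above (BPDU type, flags, root ID with priority and system ID extension, bridge ID) and runs two defender-side checks over a list of frames: a configuration BPDU announcing a root bridge other than the known one, which is what the root claim attack produces, and a burst of TCN BPDUs, which is what the TCN flood produces. The frames, MAC addresses and the TCN threshold are constructed for the example; each payload is the LLC portion of the frame as Wireshark shows it after the Ethernet header.

```python
import struct

LLC_STP = b"\x42\x42\x03"  # LLC header (DSAP/SSAP 0x42, UI) carried by 802.1D BPDUs

def parse_bpdu(frame: bytes) -> dict:
    """Parse the LLC payload of an 802.1D BPDU (configuration or TCN)."""
    if not frame.startswith(LLC_STP):
        raise ValueError("not an STP LLC frame")
    _proto, _ver, btype = struct.unpack("!HBB", frame[3:7])
    if btype == 0x80:  # Topology Change Notification: only the 4-byte header
        return {"type": "tcn"}
    flags, root_id, cost, bridge_id, _port = struct.unpack("!B8sI8sH", frame[7:30])
    prio_field = struct.unpack("!H", root_id[:2])[0]
    return {
        "type": "config",
        "tc_flag": bool(flags & 0x01),
        "root_prio": prio_field & 0xF000,   # 4-bit priority (multiples of 4096)
        "root_ext": prio_field & 0x0FFF,    # 12-bit system ID extension (VLAN)
        "root_mac": root_id[2:].hex(":"),
        "bridge_mac": bridge_id[2:].hex(":"),
        "cost": cost,
    }

def audit(frames, known_root_mac, tcn_limit=5):
    """Flag BPDUs that announce a different root and bursts of TCN BPDUs."""
    alerts, tcn_count = [], 0
    for frame in frames:
        bpdu = parse_bpdu(frame)
        if bpdu["type"] == "tcn":
            tcn_count += 1
        elif bpdu["root_mac"] != known_root_mac:
            alerts.append(f"root changed to {bpdu['root_mac']} (priority {bpdu['root_prio']})")
    if tcn_count > tcn_limit:  # constructed threshold; tune to the hello/TCN rate of your network
        alerts.append(f"TCN burst: {tcn_count} notifications in window")
    return alerts

# --- constructed test frames for the parser (not captured traffic) ---
def config_bpdu(prio, root_mac, bridge_mac, cost=0, flags=0):
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ids = struct.pack("!H", prio) + mac(root_mac), struct.pack("!H", prio) + mac(bridge_mac)
    # header+flags, root ID, path cost, bridge ID, port ID, age/max-age/hello/fwd-delay (1/256 s)
    return (LLC_STP + struct.pack("!HBBB", 0, 0, 0, flags) + ids[0] + struct.pack("!I", cost)
            + ids[1] + struct.pack("!HHHHH", 0x8001, 0, 20 * 256, 2 * 256, 15 * 256))

TCN_BPDU = LLC_STP + struct.pack("!HBB", 0, 0, 0x80)
KNOWN_ROOT = "00:11:22:33:44:01"  # constructed MAC of the legitimate root bridge
SAMPLE = ([config_bpdu(0x8000, KNOWN_ROOT, KNOWN_ROOT)] * 3
          + [config_bpdu(0x0000, "02:00:00:00:00:01", "02:00:00:00:00:01")]  # priority 0 claims root
          + [TCN_BPDU] * 8)
```

Running `audit(SAMPLE, KNOWN_ROOT)` yields one alert for the new root with priority 0 and one for the eight TCNs.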
To detect and prevent man-in-the-middle or denial-of-service spanning tree protocol attacks, we recommend using the "BPDU Guard" function on so-called access/edge switch ports.
After the configuration has been completed, switch ports that receive a BPDU from a connected client are switched off and the BPDU is discarded so that no reconfiguration is transmitted to the network.
If the feature is not enabled, a properly crafted BPDU can cause the attacker device to become the root bridge in a network, redirecting traffic. This enables man-in-the-middle attacks. BPDUs cause all switches in a network to renegotiate the structure of the spanning tree. During this period no further packets will be forwarded and the network will not function. Attackers can maintain this state by constantly sending BPDUs.
You can use the following CLI commands to activate the BPDU Guard function:
#Global activation of the BPDU Guard feature on the switch.
#Only applied to ports with the PortFast setting.
configure terminal
spanning-tree portfast bpduguard default
#Select the switch port interface.
#Alternatively, an interface range can be specified.
interface interface-id
#Enables the PortFast feature, which makes a switch port
#move to the forwarding state immediately.
#This state should only exist on access/edge ports.
spanning-tree portfast
#Exits the config prompt.
#Switch-dependent: newer-generation switches no longer
#include this command.
end
#Verify the settings
show spanning-tree interface interface-id
Note:
The BPDU Guard feature can also be activated on individual switch ports or ranges. The following command can be used for this:
#Enables the BPDU Guard feature on the switch port
spanning-tree bpduguard enable
#Exits the config prompt.
end
#Verify the settings
show spanning-tree interface interface-id
The Spanning Tree Protocol (STP) is essential for network stability and efficient data transmission. It offers advantages such as redundancy, resilience, control of broadcast and multicast messages, as well as ease of implementation and interoperability. Still, it's important to understand the security risks involved and take appropriate steps to mitigate them.
One such measure is the activation of BPDU Guard on access/edge switch ports to detect and block spanning tree protocol attacks such as man-in-the-middle and denial-of-service. Regular security audits and STP configuration reviews are also recommended to identify weaknesses and act accordingly.