98 chapter 5 Spanning Tree Attacks

inconsistent" state, during which it listens but does not forward traffic; it is blocked. Once the superior frames stop arriving, the port transitions to learning and finally to forwarding. If the superior frames start arriving again, the port is blocked again. This assures that the root bridge can never be located off a port with root guard enabled. By correctly configuring ports with root guard, the network administrator can define the network perimeter and prevent theft of the root bridge role.

BPDU guard is another Cisco technology for defining a network perimeter and protecting against STP attacks. Like root guard, BPDU guard is enabled or disabled on a port-by-port basis. BPDU guard operates in a much stricter fashion than root guard: if a BPDU frame arrives, the port is transitioned to an "error disable" (blocked) state and a message about the event is generated. Unlike root guard, the port does not automatically transition back to a forwarding state as soon as possible, but remains in the blocked state until either the state is manually cleared or an automatic recovery timer expires. Automatic recovery requires a minimum of 30 seconds, making denial of service attacks impractical. BPDU guard allows the network administrator to establish the limits of the STP protocol, so that BPDU frames are simply not accepted outside a defined perimeter. BPDU guard is a good choice for ports where endpoints (workstations, printers and servers) are going to be attached, since these devices should not be sending BPDU frames at all, unless they are explicitly configured to act as a router. BPDU guard is often combined with the portfast setting, which instructs a port to skip the listening and learning states and move directly to forwarding. Again, this makes sense for ports where endpoints that do not send BPDU frames are going to be located.
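As an added example (not from the book), the following Cisco IOS configuration applies the two controls just described: root guard on the uplinks that should lead toward the legitimate root bridge, and BPDU guard combined with portfast on the ports where endpoints are attached, with the error-disable recovery timer set to its 30-second minimum. Interface names, VLAN number and port roles are assumptions chosen for illustration.

```cisco
! Added example: an STP perimeter built from root guard and BPDU guard.
! Interface names and the VLAN number are illustrative assumptions.

! --- Root guard: uplinks toward the distribution layer ---
! A superior BPDU arriving here moves the port to the root-inconsistent
! (blocked) state; it returns to forwarding once such BPDUs stop.
interface range GigabitEthernet1/0/47 - 48
 description Uplink to distribution (root guard protects the root role)
 switchport mode trunk
 spanning-tree guard root
!
! --- BPDU guard + portfast: ports where endpoints are attached ---
! Any BPDU received here err-disables the port and logs the event
! (IOS reports it as %SPANTREE-2-BLOCK_BPDUGUARD; check your platform).
interface range GigabitEthernet1/0/1 - 24
 description Endpoint access port (workstation, printer or server)
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Alternatively, apply BPDU guard to every port that has portfast enabled
! so no per-port "bpduguard enable" line can be forgotten.
spanning-tree portfast bpduguard default
!
! --- Recovery ---
! Without this, an err-disabled port stays blocked until an administrator
! issues "shutdown" followed by "no shutdown". IOS accepts no interval
! shorter than 30 seconds, which is what keeps repeated triggering from
! being a practical denial of service.
errdisable recovery cause bpduguard
errdisable recovery interval 30
!
! --- Verification (show commands) ---
! show spanning-tree inconsistentports   -> ports blocked by root guard
! show spanning-tree summary             -> guard settings per VLAN
! show interfaces status err-disabled    -> ports blocked by BPDU guard
! show errdisable recovery               -> enabled causes and timer
```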
The Future of Spanning Tree Attacks

Root guard and BPDU guard are both very effective strategies to mitigate STP attacks, but both are (at the time of writing) limited to Cisco hardware. These technologies may still allow an intruder to monitor BPDU frames and use these to discover network information. Once you have established a perimeter, the intruder may seek to compromise a device inside the perimeter. By capturing frames, an intruder can obtain the MAC addresses of devices inside the perimeter. By using other layer 2 attacks, the attacker may be able to compromise a device inside the perimeter and then launch an STP-based attack such as a denial of service.

Many different versions of STP exist with proprietary extensions, such as the portfast extension mentioned previously. It may be possible to exploit these extensions in ways not described here. If an intruder can set all ports to forward, then they can force cycles and trigger a denial of service. Many switch implementations provide diagnostic settings that copy traffic from all ports to a single port, making it much easier to monitor and steal data.