Contents

Introduction
Yersinia
  Interactive Mode
  Graphical Mode
  Daemon Mode
Attack 1: TCN Attack
Attack 2: BPDU DoS Attack
Attack 3: Root Role Attack
  TCN is not handled
  Change Role Frequently
  Man-in-the-middle Attack
Countermeasure
  Root Guard
  BPDU Guard
  BPDU Filter

Introduction

In this article, I am going to introduce Spanning Tree Protocol attacks, which interrupt network service or change the network topology. The consequences of a Spanning Tree Protocol attack can be serious: an outage of the entire network, information exposure and Man-in-the-middle attacks. It is assumed that you already understand the theory of the Spanning Tree Protocol. If you are not sure, please read the following article first: Spanning Tree Protocol (STP).

⛑️  Please be reminded that the aim of this article is to explain network threats and how to eliminate them. Illegal activities are not encouraged ⛑️

Yersinia

Yersinia is a very effective tool for attacking switches. It can generate fake BPDUs and send them to the switch. It is included in Kali Linux.

Use yersinia --help to see the available options.

[Screenshot: stp attack]

There are three operation modes in Yersinia:

Interactive Mode

Use yersinia -I to enter Interactive Mode. Press h to open the help menu, which explains the meaning of each command.

[Screenshot: stp attack]

For example, if we want to attack STP, press g and choose STP. Then press ENTER to switch to the STP attack screen.

[Screenshot: stp attack]

Graphical Mode

Use yersinia -G to enter Graphical Mode. I seldom use this mode since it always halts.

[Screenshot: stp attack]

Daemon Mode

Use yersinia -D to enter Daemon Mode, which starts a server process. Telnet to localhost on port 12000 to log in. The default username and password are both root. The interface is similar to Cisco IOS: you must enter enable mode before the attack command is available, and the default enable password is tomac. The features are the same as in the other modes.

[Screenshot: stp attack]

Attack 1: TCN Attack

Now we can try the first attack type, the TCN Attack. A Topology Change Notification (TCN) is a BPDU used to notify the Root Switch when there is a topology change. Any switch that receives a TCN forwards it towards the Root Switch. When the Root Switch receives the TCN, it tells all switches in the network to shorten their MAC Address Table Aging Time from 300 seconds to 15 seconds so that stale MAC address entries are cleared. If fake TCNs are sent continuously when there is no topology change, the switches keep clearing their MAC Address Tables, and when a switch wants to forward a data frame the destination entry is usually missing. In that situation the switch floods the frame out of all its ports, like a broadcast. The large volume of flooded frames consumes network bandwidth and exposes the traffic to the entire network.

GNS3 and Kali Linux (the Attacker), both running in VirtualBox, are used to simulate the attack.

[Screenshot: stp attack]

In this topology, SW1 is the Root Switch. The Aging Time of both switches is 300 seconds (the default value).

SW1#show spanning-tree 

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    24577
             Address     aabb.cc00.0200
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    24577  (priority 24576 sys-id-ext 1)
             Address     aabb.cc00.0200
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/0               Desg FWD 100       128.1    Shr 
Et0/1               Desg FWD 100       128.2    Shr 

SW2#show spanning-tree 

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    24577
             Address     aabb.cc00.0200
             Cost        100
             Port        2 (Ethernet0/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     aabb.cc00.0100
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/1               Root FWD 100       128.2    Shr 

Open Yersinia and press e to change the Type to 0x80 (the BPDU type value of a TCN).

[Screenshot: stp attack]

Press x and choose 0 or 1 to send the BPDU to the switch. Although there is already an option for sending a TCN BPDU, it fails unless the Type is changed manually (possibly a bug).

[Screenshot: stp attack]

Then the MAC Address Table Aging Time of all switches in the network becomes 15 seconds. If TCNs are sent continuously, the switches cannot keep a MAC address record for more than 15 seconds.

SW1#show spanning-tree 

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    24577
             Address     aabb.cc00.0200
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    24577  (priority 24576 sys-id-ext 1)
             Address     aabb.cc00.0200
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 15

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/0               Desg FWD 100       128.1    Shr 
Et0/1               Desg FWD 100       128.2    Shr 

SW2#show spanning-tree 

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    24577
             Address     aabb.cc00.0200
             Cost        100
             Port        2 (Ethernet0/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     aabb.cc00.0100
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 15

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/1               Root FWD 100       128.2    Shr 

Attack 2: BPDU DoS Attack

A switch spends CPU resources every time it receives a BPDU. If a large number of BPDUs are sent to the switch in a very short time, the CPU is exhausted and normal operation is affected. Yersinia can deliver tens of thousands of BPDUs per second.

Before the attack, check the CPU usage history of the switch. It shows that the CPU was idle for the past 60 seconds.

SW1#show processes cpu history       
                                                              
                                                              
                                                              
100                                                           
 90                                                           
 80                                                           
 70                                                           
 60                                                           
 50                                                           
 40                                                           
 30                                                           
 20                                                           
 10                                                           
   0....5....1....1....2....2....3....3....4....4....5....5....
             0    5    0    5    0    5    0    5    0    5    
               CPU% per second (last 60 seconds)


It is very easy to launch the DoS attack in Yersinia: press x and choose 2 or 3.

[Screenshot: stp attack]

Check the spanning tree detail output: nearly 700 thousand BPDUs were received in a very short period.

SW1#show spanning-tree interface ethernet 0/0 detail 
 Port 1 (Ethernet0/0) of VLAN0001 is designated forwarding 
   Port path cost 100, Port priority 128, Port Identifier 128.1.
   Designated root has priority 32769, address aabb.cc00.0100
   Designated bridge has priority 32769, address aabb.cc00.0200
   Designated port id is 128.1, designated path cost 100
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   Link type is shared by default
   BPDU: sent 185, received 695426

Check the CPU usage history again. The attack only used about 5% of the CPU because this is a simulator, not a real environment. Trust me! It will be painful if the attack is launched against a real switch!

SW1#show processes cpu history 
                                                              
                                                              
    11111222224444444444555555555522222               22222333
100                                                           
 90                                                           
 80                                                           
 70                                                           
 60                                                           
 50                                                           
 40                                                           
 30                                                           
 20                                                           
 10                     **********                            
   0....5....1....1....2....2....3....3....4....4....5....5....
             0    5    0    5    0    5    0    5    0    5    
               CPU% per second (last 60 seconds)


Attack 3: Root Role Attack

An attacker can send a BPDU with a lower Root Priority than the current Root Switch to win the Root Switch role. Use Yersinia again to carry out the attack.

First, check the Root Priority of the Root Switch. It is 24577 (0x6001), and the MAC address is aabb.cc00.0200.

SW1#show spanning-tree 

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    24577
             Address     aabb.cc00.0200
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    24577  (priority 24576 sys-id-ext 1)
             Address     aabb.cc00.0200
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 15 

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/0               Desg FWD 100       128.1    Shr 
Et0/1               Desg FWD 100       128.2    Shr 

Press x in Yersinia and then choose 4 to claim the root role. Yersinia sends BPDUs with the same priority but a lower MAC address (aabb.cc00.0100); since the Bridge ID is compared by priority first and then by MAC address, it becomes the new Root Switch. We can verify this with show spanning-tree on SW1.

SW1#show spanning-tree 

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    24577
             Address     aabb.cc00.0100
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Cost 100 
             Port 1 (Ethernet0/0)
  Bridge ID  Priority    24577  (priority 24576 sys-id-ext 1)
             Address     aabb.cc00.0200
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 15 

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/0               Desg FWD 100       128.1    Shr 
Et0/1               Desg FWD 100       128.2    Shr 
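The three attacks shown so far all arrive as BPDU frames, so a defender can recognise them from the wire. The following Python script is an added example, not part of the original article or of Yersinia: it parses 802.1D BPDUs, then raises an alert on a TCN rate that is too high (Attack 1), on any BPDU rate that is too high (Attack 2), and on a configuration BPDU whose Root ID differs from the expected root (Attack 3). The frames, the thresholds, and the expected root (24577, aabb.cc00.0200, matching the lab above) are constructed for the demonstration; a real deployment would feed it frames from a capture tool.

```python
import struct
from collections import deque

STP_MULTICAST = bytes.fromhex("0180c2000000")   # 01:80:c2:00:00:00
LLC_STP = b"\x42\x42\x03"                      # DSAP/SSAP 0x42, UI control
BPDU_CONFIG, BPDU_TCN = 0x00, 0x80             # BPDU type values


def fmt_mac(b: bytes) -> str:
    """Render a MAC in Cisco dotted form, e.g. aabb.cc00.0200."""
    h = b.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def parse_bpdu(frame: bytes) -> dict:
    """Parse an 802.1D BPDU from an Ethernet/LLC frame (dst, src, length, LLC, BPDU)."""
    if len(frame) < 21 or frame[14:17] != LLC_STP:
        raise ValueError("not an LLC-encapsulated BPDU")
    body = frame[17:]
    proto, _version, btype = struct.unpack("!HBB", body[:4])
    if proto != 0:
        raise ValueError("unknown STP protocol id")
    info = {"src": fmt_mac(frame[6:12]), "type": btype}
    if btype == BPDU_TCN:            # a TCN carries no further fields
        return info
    if btype != BPDU_CONFIG or len(body) < 35:
        raise ValueError("unsupported or truncated BPDU")
    (flags, root_prio, root_mac, root_cost, br_prio, br_mac, port_id,
     _msg_age, max_age, hello, fwd_delay) = struct.unpack("!BH6sIH6sHHHHH", body[4:35])
    info.update(flags=flags, root=(root_prio, fmt_mac(root_mac)), root_cost=root_cost,
                bridge=(br_prio, fmt_mac(br_mac)), port_id=port_id,
                # timers are encoded in 1/256 second units
                max_age=max_age / 256, hello=hello / 256, fwd_delay=fwd_delay / 256)
    return info


def build_frame(src: bytes, bpdu: bytes) -> bytes:
    """Wrap a BPDU in an Ethernet/LLC frame (used here only to construct sample input)."""
    return STP_MULTICAST + src + struct.pack("!H", len(LLC_STP) + len(bpdu)) + LLC_STP + bpdu


def tcn_bpdu() -> bytes:
    return struct.pack("!HBB", 0, 0, BPDU_TCN)


def config_bpdu(root, bridge, cost=0, port_id=0x8001) -> bytes:
    """root and bridge are (priority, 6-byte MAC); timers are the IOS defaults 20/2/15 s."""
    return struct.pack("!HBBBH6sIH6sHHHHH", 0, 0, BPDU_CONFIG, 0, root[0], root[1], cost,
                       bridge[0], bridge[1], port_id, 0, 20 * 256, 2 * 256, 15 * 256)


class StpMonitor:
    """Sliding-window detector. expected_root is (priority, dotted MAC) of the real root."""

    def __init__(self, expected_root, window=1.0, tcn_limit=3, bpdu_limit=50):
        self.expected_root = expected_root
        self.window, self.tcn_limit, self.bpdu_limit = window, tcn_limit, bpdu_limit
        self.tcn_times, self.bpdu_times = deque(), deque()

    def _crosses(self, q, ts, limit) -> bool:
        """Record ts, drop entries older than the window, report when the rate first exceeds limit."""
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        return len(q) == limit + 1

    def observe(self, ts: float, frame: bytes) -> list:
        alerts = []
        b = parse_bpdu(frame)
        if self._crosses(self.bpdu_times, ts, self.bpdu_limit):        # Attack 2
            alerts.append(("BPDU_FLOOD", b["src"]))
        if b["type"] == BPDU_TCN:
            if self._crosses(self.tcn_times, ts, self.tcn_limit):      # Attack 1
                alerts.append(("TCN_FLOOD", b["src"]))
        elif b["root"] != self.expected_root:                          # Attack 3
            # Bridge IDs compare as (priority, MAC) and the lower tuple wins the election,
            # which is why an equal priority with a lower MAC still takes the root role.
            kind = "SUPERIOR_ROOT_CLAIM" if b["root"] < self.expected_root else "ROOT_MISMATCH"
            alerts.append((kind, b["src"], b["root"]))
        return alerts


def demo() -> dict:
    """Replay constructed versions of the three attacks and return the alerts raised."""
    root = (24577, "aabb.cc00.0200")                  # SW1, the legitimate root
    sw1, attacker = bytes.fromhex("aabbcc000200"), bytes.fromhex("aabbcc000100")
    out = {}
    m = StpMonitor(root)                                # Attack 1: TCNs with no real change
    tcn = build_frame(attacker, tcn_bpdu())
    out["tcn"] = [a for i in range(10) for a in m.observe(i * 0.1, tcn)]
    m = StpMonitor(root)                                # Attack 2: legitimate content, abusive rate
    legit = build_frame(sw1, config_bpdu((24577, sw1), (24577, sw1)))
    out["flood"] = [a for i in range(200) for a in m.observe(i * 0.001, legit)]
    m = StpMonitor(root)                                # Attack 3: equal priority, lower MAC
    rogue = build_frame(attacker, config_bpdu((24577, attacker), (24577, attacker)))
    out["root"] = m.observe(0.0, rogue)
    return out


if __name__ == "__main__":
    for name, alerts in demo().items():
        print(name, alerts)
```

Each detector fires once when the rate crosses its threshold rather than on every frame, so a sustained flood produces one alert per window rather than thousands. The root check distinguishes a merely different Root ID from a superior one, because only a superior Bridge ID actually changes the election; the thresholds are placeholders and should be tuned to the hello interval of the real network.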

An attacker claiming the Root Role causes the following issues:

TCN is not handled

In normal operation, when the Root Switch receives a TCN, it notifies all other switches to shorten their MAC Address Table Aging Time from 300 seconds to 15 seconds so that the updated MAC addresses are learned. When an attacker becomes the root, it does not handle TCNs, so the MAC Address Tables are not kept up to date when a real topology change happens. This causes a black hole. Please note that this is different from the TCN Attack: the TCN Attack forces switches to update when it is not needed, whereas the situation described here ignores the update when it is needed.

Change Role Frequently

The attacker wins the root role and then gives it up. Repeating this process keeps changing the topology, and the network becomes unstable.

Man-in-the-middle Attack

This is also called Dual-homed (or Dual-homing). The attacker uses two interfaces to connect to different switches and wins the root role. Traffic is then transmitted through the attacker, and every data frame is exposed to the attacker.

In the following topology, the Attacker wins the root. The link between SW1 and SW2 is blocked and the traffic between the Client and Server is transmitted through the Attacker. We will simulate this attack now.

[Screenshot: stp attack]

Since two interfaces are needed, press i in Yersinia to enable both interfaces, and then claim the root role.

[Screenshot: stp attack]

Verify on the switches: the Attacker has become the Root Switch and port E0/1 on SW2 is in Blocking state.

SW1#show spanning-tree 

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    24577
             Address     aabb.cc00.0100
             Cost        100
             Port        1 (Ethernet0/0)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    24577  (priority 24576 sys-id-ext 1)
             Address     aabb.cc00.0200
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/0               Root FWD 100       128.1    Shr 
Et0/1               Desg FWD 100       128.2    Shr 

SW2#show spanning-tree 

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    24577
             Address     aabb.cc00.0100
             Cost        100
             Port        1 (Ethernet0/0)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     aabb.cc00.0100
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/0               Root FWD 100       128.1    Shr 
Et0/1               Altn BLK 100       128.2    Shr 

We need one more piece to complete the Man-in-the-middle Attack: Ettercap. It can act as a virtual switch (bridge) and sniff all data frames passing through it.

[Screenshot: stp attack]

Choose Sniff ➡️  Bridged sniffing.

[Screenshot: stp attack]

Choose the interfaces that are connected to the switches.

[Screenshot: stp attack]

Choose View ➡️  Connections. We can now see the messages transmitted between the Client and Server......😱

[Screenshot: stp attack]

We can also open the contents of these communications. For example, the diagram below shows the contents of an HTTP request from the client to the server and the response from the server to the client.

[Screenshot: stp attack]

Countermeasure

The issues caused by Spanning Tree Protocol attacks all come from BPDUs. Countermeasures should therefore focus on protecting the switch when it receives BPDUs.

Root Guard

Root Guard prevents the Root Switch role from being claimed at an improper or untrusted location. For the details of Root Guard, please check here.

BPDU Guard

BPDU Guard is stricter than Root Guard: it reacts to every type of BPDU received on the port, so no received BPDU is allowed to influence the current STP state. For the details of BPDU Guard, please check here.

BPDU Filter

BPDU Filter simply drops the BPDUs sent to or received from the port. However, please be careful when using it, since a switching loop may be created. For the details of BPDU Filter, please check here.
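The three countermeasures are applied per port, so the practical question is which ports are missing them. The following Python script is an added example, not part of the original article: it audits a constructed Cisco IOS running-config excerpt (modelled on the root switch SW1 of the lab above, but invented for this demonstration) and reports host ports without BPDU Guard, downstream trunks without Root Guard, and any port with BPDU Filter enabled, which the section above warns can create a switching loop. It then renders the corrected configuration beside each weak setting. The interface names, descriptions and the choice of which trunks count as downstream are assumptions; the IOS commands themselves (spanning-tree bpduguard enable, spanning-tree guard root, spanning-tree bpdufilter enable, and the global spanning-tree portfast bpduguard default) are the standard ones.

```python
# Constructed running-config excerpt (sample input for the audit, not taken from the article).
SAMPLE_CONFIG = """\
spanning-tree mode pvst
!
interface Ethernet0/0
 description trunk towards SW2
 switchport mode trunk
!
interface Ethernet0/1
 description trunk towards SW3
 switchport mode trunk
 spanning-tree guard root
!
interface Ethernet0/2
 description user port
 switchport mode access
 spanning-tree portfast
!
interface Ethernet0/3
 description user port
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface Ethernet1/0
 description user port
 switchport mode access
 spanning-tree bpdufilter enable
!
"""


def parse_interfaces(config: str) -> dict:
    """Map each interface name to the list of commands indented under it."""
    ifaces, cur = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            cur = line.split(" ", 1)[1]
            ifaces[cur] = []
        elif line.startswith(" ") and cur is not None:
            ifaces[cur].append(line.strip())
        else:
            cur = None          # "!" or a global command ends the interface block
    return ifaces


def audit(config: str, downstream_trunks=()) -> list:
    """Return (interface, problem, fix) tuples.

    downstream_trunks names the trunk ports that must never accept a better root from
    their neighbour, e.g. every trunk on the switch that is meant to stay the root.
    """
    findings = []
    # Portfast ports are also covered when the global bpduguard default is set.
    global_guard = "spanning-tree portfast bpduguard default" in config.splitlines()
    for name, cmds in parse_interfaces(config).items():
        c = set(cmds)
        access = "switchport mode access" in c
        trunk = "switchport mode trunk" in c
        guarded = ("spanning-tree bpduguard enable" in c
                   or (global_guard and "spanning-tree portfast" in c))
        if "spanning-tree bpdufilter enable" in c:
            findings.append((name, "BPDU Filter drops BPDUs in both directions, so a loop "
                             "through this port would go undetected",
                             "no spanning-tree bpdufilter enable"))
        if access and not guarded:
            findings.append((name, "host port accepts BPDUs: a rogue bridge here can flood "
                             "TCNs or claim the root role", "spanning-tree bpduguard enable"))
        if trunk and name in downstream_trunks and "spanning-tree guard root" not in c:
            findings.append((name, "downstream trunk without Root Guard: a superior BPDU "
                             "would move the root", "spanning-tree guard root"))
    return findings


def remediation(findings) -> str:
    """Render the fixes as an IOS configuration snippet, one interface block per port."""
    by_port = {}
    for name, _problem, fix in findings:
        by_port.setdefault(name, []).append(fix)
    lines = []
    for name, fixes in by_port.items():
        lines.append(f"interface {name}")
        lines.extend(f" {fix}" for fix in fixes)
    return "\n".join(lines)


if __name__ == "__main__":
    found = audit(SAMPLE_CONFIG, downstream_trunks={"Ethernet0/0", "Ethernet0/1"})
    for name, problem, _fix in found:
        print(f"{name}: {problem}")
    print(remediation(found))
```

On the sample config the audit flags Ethernet0/0 (downstream trunk without Root Guard), Ethernet0/2 (host port without BPDU Guard) and Ethernet1/0 twice (BPDU Filter present, BPDU Guard missing), while Ethernet0/1 and Ethernet0/3 pass. Root Guard is deliberately tied to an explicit port list rather than applied to every trunk, because it must not be placed on the port that legitimately faces the root.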