Spanning Tree Switch Exploits? Fact or Fiction?

From: Sean Convery (grommondat_private)
Date: Wed Apr 17 2002 - 02:01:29 PDT


I've heard a bit of rumbling about STP exploits with ethernet switches.
They seem to center around two possibilities:

1) Sending bogus BPDUs to a switched network to continually force spanning
tree recalculation, thereby creating a DoS condition on the switches.

2) Sending bogus BPDUs with an advertisement that the attacker should be the
root bridge.  Upon completing this, the attacker would then get forwarded
frames he might not normally receive.

My first question is this: Has anyone verified if this works or not with
common switch vendors (Cisco et al.)?  If you look at FX's prezo from Black
Hat Europe last year, he mentions the possibility of both, but doesn't
demonstrate anything.  I'm beginning to wonder if this is just a red
herring.

Second question is more of a comment.  With far more useful exploits for a
switched network (MAC flooding, ARP spoofing), why would you bother with
this anyway?  Especially since mitigating the threat is easy enough (BPDU
guard mode on Cisco at least).

Thoughts?

Thanks,

Grom
    
    
    
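The two scenarios in the post (BPDU churn forcing recalculation, and a bogus claim to be root bridge) and the BPDU guard mitigation it mentions can be modelled on the receiving side. The following is an added example written for this archive page; it is not code from the original post, from FX's talk or from any switch vendor. It parses IEEE 802.1D configuration and TCN BPDUs from their raw encoding and applies three defensive checks: BPDU guard (any BPDU on a port designated as an edge/access port disables that port), a root-guard style check (a configuration BPDU claiming a bridge ID numerically lower, i.e. superior, to the known root is flagged), and a rate check on topology-change BPDUs per port. Port names, MAC addresses, the window and threshold values, and the sample frames are constructed for the example; the `encode_config_bpdu` helper exists only to build those sample frames.

```python
import struct
from collections import defaultdict, deque
from dataclasses import dataclass

CONFIG_BPDU = 0x00   # 802.1D BPDU type: configuration
TCN_BPDU = 0x80      # 802.1D BPDU type: topology change notification
TC_FLAG = 0x01       # topology-change bit in the flags octet


@dataclass
class Bpdu:
    bpdu_type: int
    flags: int = 0
    root_id: int = 0          # 8-byte bridge ID: 2-byte priority then 6-byte MAC
    root_path_cost: int = 0
    bridge_id: int = 0
    port_id: int = 0


def bridge_id(priority: int, mac: str) -> int:
    """Compose an 802.1D bridge ID; lower values win the root election."""
    return (priority << 48) | int(mac.replace(":", ""), 16)


def parse_bpdu(payload: bytes) -> Bpdu:
    """Parse the BPDU that follows the LLC header (DSAP/SSAP 0x42, control 0x03)."""
    if len(payload) < 4:
        raise ValueError("truncated BPDU")
    proto, _version, btype = struct.unpack_from("!HBB", payload, 0)
    if proto != 0:
        raise ValueError("not an 802.1D BPDU")
    if btype == TCN_BPDU:
        return Bpdu(TCN_BPDU)
    if btype != CONFIG_BPDU or len(payload) < 35:
        raise ValueError("unsupported or truncated BPDU")
    flags, root, cost, bridge, port = struct.unpack_from("!BQIQH", payload, 4)
    return Bpdu(btype, flags, root, cost, bridge, port)


def encode_config_bpdu(root_id: int, cost: int, sender_id: int,
                       port_id: int = 0x8001, flags: int = 0) -> bytes:
    """Build a 35-byte configuration BPDU (constructed test input for the guard)."""
    # message age 0, max age 20 s, hello 2 s, forward delay 15 s, all in 1/256 s units
    return struct.pack("!HBBBQIQHHHHH", 0, 0, CONFIG_BPDU, flags, root_id, cost,
                       sender_id, port_id, 0, 20 * 256, 2 * 256, 15 * 256)


def encode_tcn_bpdu() -> bytes:
    return struct.pack("!HBB", 0, 0, TCN_BPDU)


class StpGuard:
    """Defensive checks applied to BPDUs arriving on a switch port (hypothetical model)."""

    def __init__(self, current_root_id: int, edge_ports, window_s: float = 2.0, max_tc: int = 5):
        self.root_id = current_root_id
        self.edge_ports = set(edge_ports)
        self.window_s = window_s
        self.max_tc = max_tc
        self.tc_times = defaultdict(deque)   # port -> timestamps of recent TC BPDUs

    def inspect(self, port: str, payload: bytes, now: float):
        """Return (verdict, reason) for one received BPDU."""
        try:
            bpdu = parse_bpdu(payload)
        except ValueError as err:
            return ("drop", str(err))
        # BPDU guard: end-host ports must never speak spanning tree at all.
        if port in self.edge_ports:
            return ("err-disable", "BPDU guard: BPDU received on edge port")
        # Root guard: a claim of a superior root on an uplink is not accepted.
        if bpdu.bpdu_type == CONFIG_BPDU and bpdu.root_id < self.root_id:
            return ("root-inconsistent", "root guard: superior root %016x claimed" % bpdu.root_id)
        # Rate check: repeated topology-change signalling forces recalculation.
        if bpdu.bpdu_type == TCN_BPDU or bpdu.flags & TC_FLAG:
            times = self.tc_times[port]
            times.append(now)
            while times and now - times[0] > self.window_s:
                times.popleft()
            if len(times) > self.max_tc:
                return ("tc-storm", "%d topology-change BPDUs in %.1fs" % (len(times), self.window_s))
        return ("ok", "")


if __name__ == "__main__":
    # Constructed sample: known root, one access port (Gi0/5), two uplinks.
    root = bridge_id(0x8000, "00:00:0c:00:00:01")
    guard = StpGuard(root, edge_ports={"Gi0/5"})
    legit = encode_config_bpdu(root, 0, root)
    print(guard.inspect("Gi0/1", legit, 0.0))
    print(guard.inspect("Gi0/5", legit, 0.0))
    print(guard.inspect("Gi0/1", encode_config_bpdu(bridge_id(0, "00:11:22:33:44:55"), 0,
                                                    bridge_id(0, "00:11:22:33:44:55")), 0.1))
    for i in range(6):
        print(guard.inspect("Gi0/2", encode_tcn_bpdu(), 0.1 * i))
```

The ordering of the checks matters: BPDU guard is evaluated first because an access port has no business receiving any BPDU, so the content of the frame is irrelevant there; the root comparison and the rate check only apply to ports that legitimately participate in spanning tree.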
    



    This archive was generated by hypermail 2b30 : Wed Apr 17 2002 - 09:40:31 PDT