After some further thought on this, it seems like there are 3 attack scenarios which make sense:

1) BPDU DoS attack: Send BPDUs in order to cause the switch to recalculate spanning tree. This would be relatively easy to execute and would create a DoS condition on the switched network for a period of time.

2) This next attack would require the following topology (sure hope the ASCII art works):

   F=Forward  B=Block  R=STP Root Bridge

             R
             F                F
          SWITCH----------SWITCH
             \ F            / F
              \            /
               \          /
                \        /
                 \      /
                F \    X B
                   \  /
                 ATTACKER

If the attacker sends out BPDU messages to become root, the topology would change to this:

             F                B
          SWITCH-------X--SWITCH
             \ F            / F
              \            /
               \          /
                \        /
                 \      /
                F \    / F
                   \  /
                 ATTACKER
                     R

This would cause all traffic generally traveling between the two switches to now travel via the attacker. Note that this attack isn't particularly useful to an attacker since it requires a simultaneous connection to two different switches. Once executed, the attacker would be able to launch any variety of man-in-the-middle or DoS attacks.

3) A variant on number two which is a bit more realistic is this next attack. The topology looks like this:

   GE=Gigabit Ethernet Link  FE=Fast Ethernet Link

             R
             F                F
          SWITCH----------SWITCH
             \ F     GE     / F
              \            /
             FE\          /FE
                \        /
                 \      /
                F \    X B
                   \  /
                  SWITCH
                    |
                    |
                 ATTACKER

Again, the attacker sends BPDU messages to become root. This creates an STP topology change:

             F                B
          SWITCH-------X--SWITCH
             \ F     GE     / F
              \            /
             FE\          /FE
                \        /
                 \      /
                F \    / F
                   \  /
                  SWITCH
                    |
                    |
                 ATTACKER
                     R

The impact then becomes a very painful DoS, as now the GE link is no longer in use in favor of the two FE links. This attack could then potentially be combined with a CAM table flooding attack to cause backbone traffic to overflow on the attacker's port.

Can anyone think of other scenarios?

Thanks,
Sean
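A defender-side check for the precondition behind scenarios 2 and 3 (a BPDU with a superior root claim arriving on an access-facing port), added here as an example that is not part of Sean's post: it parses an 802.1D configuration BPDU out of an Ethernet/LLC frame and applies a root-guard / BPDU-guard style verdict. The frames, MAC addresses and verdict strings are constructed for the example.

```python
import struct
from dataclasses import dataclass

STP_MCAST = bytes.fromhex("0180c2000000")  # 802.1D bridge group address
LLC_STP = bytes.fromhex("424203")          # DSAP/SSAP 0x42, UI control field

@dataclass
class ConfigBPDU:
    root_id: bytes        # 2-byte priority + 6-byte MAC; numerically lower wins
    root_path_cost: int
    bridge_id: bytes      # the sender's own bridge ID
    port_id: int

def parse_bpdu_frame(frame: bytes) -> ConfigBPDU:
    """Parse an 802.3/LLC frame carrying an 802.1D configuration BPDU."""
    if frame[:6] != STP_MCAST or frame[14:17] != LLC_STP:
        raise ValueError("not an STP frame")
    body = frame[17:]
    proto, _ver, btype, _flags = struct.unpack("!HBBB", body[:5])
    if proto != 0 or btype != 0x00:
        raise ValueError("not a configuration BPDU")
    (cost,) = struct.unpack("!I", body[13:17])
    (port_id,) = struct.unpack("!H", body[25:27])
    return ConfigBPDU(body[5:13], cost, body[17:25], port_id)

def verdict(bpdu: ConfigBPDU, known_root: bytes, edge_port: bool) -> str:
    """Root-guard / BPDU-guard style decision for one received BPDU. Comparing
    the 8-byte IDs as big-endian byte strings gives the bridge's own ordering
    (priority first, then MAC), so '<' means 'superior'."""
    if edge_port:
        return "edge-port-bpdu"   # no bridge belongs here: BPDU guard would err-disable the port
    if bpdu.root_id < known_root:
        return "superior-root"    # would re-elect root via this port: root guard blocks it
    return "ok"

# Constructed sample frames, not captured traffic. Both carry a 35-byte config
# BPDU: cost 0, port 0x8001, max age 20 s, hello 2 s, forward delay 15 s.
LEGIT_FRAME = bytes.fromhex(  # from the real root, priority 32768 (0x8000)
    "0180c2000000" "000c2900aa01" "0026" "424203" "0000" "00" "00" "00"
    "8000000c2900aa01" "00000000" "8000000c2900aa01" "8001" "0000" "1400" "0200" "0f00")
ROGUE_FRAME = bytes.fromhex(  # claims priority 0, which beats the real root
    "0180c2000000" "000c29deadbe" "0026" "424203" "0000" "00" "00" "00"
    "0000000c29deadbe" "00000000" "0000000c29deadbe" "8001" "0000" "1400" "0200" "0f00")
KNOWN_ROOT = parse_bpdu_frame(LEGIT_FRAME).root_id

if __name__ == "__main__":
    for name, frame in (("legit", LEGIT_FRAME), ("rogue", ROGUE_FRAME)):
        print(name, verdict(parse_bpdu_frame(frame), KNOWN_ROOT, edge_port=False))
```

The same comparison is what a switch's root guard performs; the point of the check is that a root claim better than the known root on a non-uplink port is exactly the event scenarios 2 and 3 depend on, so it is worth alerting on even where the guard feature is not enabled.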
This archive was generated by hypermail 2b30 : Wed May 01 2002 - 09:12:17 PDT