Nice article, but after reading it, it is comprehensible to me that the network manufacturers didn't react: because of no necessity.
The attacks that were described are not practical in a properly secured LAN:
1) All user ports have STP disabled (the authors mentioned that)
2) All user ports have port security enabled, which means that only the MAC of the normally attached end station is allowed, no other (that the authors forgot, but it is of greatest concern!)
3) All tagged ports are configured to drop untagged frames, all untagged ports are configured to drop tagged frames (it is somehow mentioned, but not explicitly)
4) All your ports have a port based vlan association (only 1 vlan per user port): This can be configured statically or you use a VLAN-Policy-Server. (not explicitly mentioned)
5) Physical access control to all network equipment in the company (not mentioned)
When this is given (and most companies implement that), you hardly have a chance to attack the STP. When you have access to an end station (maybe you are employed there), you only have access to the network through your single NIC. Any attempt at attaching a second NIC or any other computer will be blocked by port security. When sending faked BPDUs, these will be dropped by the switch because STP is disabled on all user ports. When trying to send faked BPDUs or any other frame with a faked VLAN tag, again these will be dropped.
And there is a big fault in this text: the authors give the security advice (Quick Fix) of disabling STP on all user ports. If you do that without having port security enabled, you have a possible security leak. An attacker needs only to plug a crossed cable between two ports (on 1 switch or even better on 2 switches). Then you potentially have a loop in the network that cannot be detected by STP (it is disabled on these ports). The effect would be looping user traffic (broadcasts) that could lead to a DoS of the attacked switch(es).
Thanx n bye
Secure-it Team
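As an added example (not part of the original post or the article it replies to): a small Python audit that checks a constructed Cisco IOS-style interface config against items 1, 2 and 4 of the checklist above. The IOS command names used, and the mapping of "STP disabled on user ports" to blocking end-station BPDUs with BPDU Guard, are this example's assumptions.

```python
"""Audit access-port configuration against the hardening checklist in the comment above.
SAMPLE_CONFIG is constructed for this example; command syntax follows Cisco IOS
as assumed by the example author, not text from the original post."""

SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
"""


def parse_interfaces(config: str) -> dict:
    """Return {interface name: set of its indented sub-commands}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = set()
        elif current and line.startswith(" "):
            interfaces[current].add(line.strip())
    return interfaces


def audit_port(cmds: set) -> list:
    """Return the checklist items a user port fails (empty list means compliant)."""
    findings = []
    # Item 4: one statically assigned VLAN per user port, no trunk negotiation.
    if "switchport mode access" not in cmds:
        findings.append("item 4: not a static access port")
    # Item 2: port security limiting the port to a single end-station MAC.
    limits = [c for c in cmds if c.startswith("switchport port-security maximum")]
    if "switchport port-security" not in cmds:
        findings.append("item 2: port security not enabled")
    elif limits and limits[0] != "switchport port-security maximum 1":
        findings.append("item 2: more than one MAC allowed")
    # Item 1 (assumed mapping): BPDUs from the end station are not blocked.
    if "spanning-tree bpduguard enable" not in cmds:
        findings.append("item 1: BPDUs from the user port are not blocked")
    return findings


def audit(config: str) -> dict:
    """Audit every interface in the config; returns {interface: [findings]}."""
    return {name: audit_port(cmds) for name, cmds in parse_interfaces(config).items()}
```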