VLAN Attacks

Jun 24th, 2008

Hi there,

There are 2 common VLAN attacks:

1. switch spoofing
2. double tagging


My question is: when the switch gets a double-tagged frame, doesn't it consider the frame an error and drop it?

Even more, does the switch permit tagged frames for the native VLAN to enter an access port?


Let's assume the double-tagged frame gets to the end user in another VLAN. The response frame can't get back to the cracker in the other VLAN (the native VLAN) unless it is routed. So from my point of view this is only a theoretical attack. Am I right?

Has anyone tested it in a lab using real equipment?


Thank you for clarification.

mohammed_moustafa Tue, 06/24/2008 - 05:27

Hi Dear,


First, the double tagging attack takes place on trunk links with native VLAN 1, on ports whose trunk mode is auto, so an attacker can use tools to understand the trunk negotiation and establish a trunk connection to the switch. When the switch receives a double-tagged frame it only checks the first tag encapsulation, and the frame is considered valid as long as its length is within the allowed length.

The double-tagged frame attack is UNIDIRECTIONAL, so no reply is received back, but many trojans and worms only need one packet, as they are very small in size, so no reply is needed.


Let me know if you need any further help.


Thanks,

rsvensson Tue, 06/24/2008 - 12:59

To complement what Mohammed has already said, double tagging and switch spoofing attacks are REAL attacks. For double tagging, the port facing the malicious user does not need to be in its default state of VLAN 1 as native VLAN and using DTP (Dynamic Trunking Protocol). Instead, as long as DTP is enabled, any VLAN can be used as the native VLAN. The way it works is that a user sends a packet with two native VLAN headers. The first must match that of the native VLAN, which the switch will remove. After it is removed the switch will examine the other header and send the frame into that VLAN. I hope this better explains what you are asking.


*This attack is only possible when using 802.1Q and native VLANs without tagging.


Here is a link with further information:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml#wp39211


Hope this helps,

--Richard
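The two replies above describe the same mechanism from the switch's point of view: only the outermost 802.1Q tag is inspected, and if it carries the trunk's native VLAN ID and the native VLAN is sent untagged, that tag is stripped and the inner tag becomes the frame's effective VLAN downstream. The following Python is an added example, not code from the thread or from Cisco: it decodes stacked 802.1Q tags from raw Ethernet frames (for instance from a capture on a mirror port) and models the trunk-ingress behaviour the posters describe, so that a frame whose outer tag equals the native VLAN is flagged as a VLAN hop when the native VLAN is untagged, and as harmless when native-VLAN tagging is enforced. The model is a deliberate simplification of what a real switch does, and all frames, MAC addresses and VLAN numbers are constructed for the example.

```python
# Added example (not from the original thread): decode stacked 802.1Q tags and
# classify frames against a trunk port's native-VLAN configuration.
# The ingress model is a simplified illustration, not a switch implementation.
import struct

ETHERTYPE_8021Q = 0x8100  # Tag Protocol Identifier of an 802.1Q tag


def parse_tags(frame: bytes):
    """Return (dst, src, [vid, ...], payload_ethertype) for a raw Ethernet frame.

    Each 802.1Q tag is 4 bytes: TPID 0x8100 followed by a 16-bit TCI whose low
    12 bits are the VLAN ID. Tags are collected outermost first.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset = 12
    vids = []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated frame inside tag stack")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype != ETHERTYPE_8021Q:
            break
        if offset + 4 > len(frame):
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vids.append(tci & 0x0FFF)  # drop PCP/DEI bits, keep the 12-bit VLAN ID
        offset += 4
    return dst, src, vids, ethertype


def ingress_verdict(frame: bytes, native_vlan: int, native_tagged: bool):
    """Model of trunk ingress as described in the thread.

    Returns (status, effective_vlan):
      ("forward", vid)  frame enters VLAN vid with no surprise
      ("vlan-hop", vid) outer native tag would be stripped, exposing inner vid
      ("drop", None)    untagged frame on a trunk that requires a tagged native VLAN
    """
    _, _, vids, _ = parse_tags(frame)
    if not vids:
        # Untagged traffic belongs to the native VLAN only when it is sent untagged.
        return ("drop", None) if native_tagged else ("forward", native_vlan)
    outer = vids[0]
    if outer == native_vlan and not native_tagged:
        # The switch strips the native-VLAN tag; anything underneath now leads the
        # frame, which is the double-tagging pattern rsvensson describes.
        if len(vids) > 1:
            return ("vlan-hop", vids[1])
        return ("forward", native_vlan)
    # With native-VLAN tagging enforced (or a non-native outer tag) the outer tag
    # stays on the frame, so an inner tag is never exposed.
    return ("forward", outer)


def sample_frame(vids, ethertype=0x0800, payload=b"\x00" * 46) -> bytes:
    """Build an offline test frame with the given tag stack (constructed input).

    dst is broadcast, src is a locally administered address; both are arbitrary.
    """
    header = b"\xff" * 6 + bytes.fromhex("020000000001")
    for vid in vids:
        header += struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF)
    return header + struct.pack("!H", ethertype) + payload


def find_double_tagged(frames, native_vlan: int):
    """Indices of frames whose outer tag is the native VLAN with another tag beneath.

    This is the pattern worth alerting on from a SPAN/mirror capture of a trunk
    whose native VLAN is sent untagged.
    """
    hits = []
    for i, frame in enumerate(frames):
        _, _, vids, _ = parse_tags(frame)
        if len(vids) >= 2 and vids[0] == native_vlan:
            hits.append(i)
    return hits


if __name__ == "__main__":
    capture = [sample_frame([10]), sample_frame([1, 20]), sample_frame([])]
    print("double-tagged frames:", find_double_tagged(capture, native_vlan=1))
    for frame in capture:
        print(parse_tags(frame)[2], ingress_verdict(frame, 1, False),
              ingress_verdict(frame, 1, True))
```

Run against the three constructed frames, the one carrying the tag stack [1, 20] is reported as a VLAN hop into VLAN 20 when the native VLAN is untagged and as an ordinary VLAN 1 frame when native tagging is enforced, which is the difference rsvensson's footnote points at.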

wizassonic Wed, 06/25/2008 - 08:32

Everything is clear now. I've already tested the attack using Mausezahn and it works as expected.


Thank you
