
VLAN Attacks

wizassonic

Hi there,

There are 2 common vlan attacks:

1. switch spoofing

2. double tagging

My question is: when the switch gets a double tagged frame doesn't it consider the frame an error and drop it?

Even more, does the Switch permit tagged frames as native vlan to enter an access port?

Let's assume the double frame gets to the end user in another vlan. The response frame can't get to the cracker in another vlan (native vlan) only if it is routed. So from my point of view this is only a theoretical attack. Am I right?

Has anyone tested it in a lab using real equipment?

Thank you for clarification.


Hi Dear,

First, the double tagging attack takes place on trunk links with native VLAN 1, on ports whose trunk mode is auto, so an attacker can use tools to understand the trunk negotiation and establish a trunk connection to the switch. When the switch receives a double tagged frame it only checks the first tag encapsulation, and the frame is considered valid as long as its length is within the allowed length.

The double tagged frame attack is UNIDIRECTIONAL, so there is no reply received back, but many trojans and worms can take only one packet as they are so small in size, so we don't need any reply.

Let me know if you need any further help.

Thanks,

To complement what Mohammed has already said, double tagging and switch spoofing attacks are REAL attacks. For double tagging, the port facing the malicious user does not need to be in its default state of VLAN 1 as native VLAN and using DTP (Dynamic Trunking Protocol). Instead, as long as DTP is enabled, any VLAN can be used as the native VLAN. The way it works is that a user sends a packet with two native VLAN headers. The first must match that of the Native VLAN, which the switch will remove. After it is removed the switch will examine the other header and send the frame into that VLAN. I hope this better explains what you are asking.

**This attack is only possible when using 802.1Q and native VLANs without tagging.

Here is a link with further information:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml#wp39211

Hope this helps,

--Richard
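
The tag handling described in the replies above can be checked from the defender's side on captured frames. The following is an added example, not part of any post in this thread: it walks the stacked 802.1Q headers of a raw Ethernet frame and flags frames whose outer tag is the native VLAN and whose inner tag names a different VLAN. The native VLAN value, the function names and the sample frames are assumptions constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100  # IEEE 802.1Q tag protocol identifier
NATIVE_VLAN = 1      # assumption: native VLAN of the monitored trunk


def vlan_tags(frame: bytes) -> list:
    """Return the VLAN IDs of all stacked 802.1Q tags, outermost first."""
    tags = []
    offset = 12  # skip destination and source MAC addresses
    while len(frame) >= offset + 4:
        tpid, tci = struct.unpack_from("!HH", frame, offset)
        if tpid != TPID_8021Q:
            break  # reached the real EtherType, no more tags
        tags.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 4
    return tags


def is_double_tagged(frame: bytes, native_vlan: int = NATIVE_VLAN) -> bool:
    """True when the outer tag is the native VLAN and a second tag for a
    different VLAN follows (the pattern described in the thread)."""
    tags = vlan_tags(frame)
    return len(tags) >= 2 and tags[0] == native_vlan and tags[1] != native_vlan


def flag_frames(frames, native_vlan: int = NATIVE_VLAN) -> list:
    """Return (index, tags) for every frame matching the pattern."""
    return [(i, vlan_tags(f)) for i, f in enumerate(frames)
            if is_double_tagged(f, native_vlan)]


# Constructed sample frames (locally administered MACs, zero payload).
MACS = "020000000002 020000000001"
UNTAGGED = bytes.fromhex(MACS + "0800" + "00" * 46)
SINGLE = bytes.fromhex(MACS + "8100 0014 0800" + "00" * 46)
DOUBLE = bytes.fromhex(MACS + "8100 0001 8100 0014 0800" + "00" * 46)

if __name__ == "__main__":
    for idx, tags in flag_frames([UNTAGGED, SINGLE, DOUBLE]):
        print(f"frame {idx}: stacked tags {tags}, outer tag is native VLAN")
```
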

Everything is clear now. I've already tested the attack using Mausezahn and it works as expected.

Thank you
