VLAN Hopping

Answered Question
Jan 14th, 2010

I have been reading that the double-tagged VLAN hopping attack only works when the attacker's VLAN is the same as the native vlan of the trunk. I don't see why this is necessary, can someone help me understand?

This is my current understanding of the attack:

Attacker------vlanx------SW1------trunk------SW2------vlan10------Victim

The Attacker sends double tagged packet with inner tag of 10 and outer tag of 20 (for example)

SW1 peels off 20 and sends the packet down any trunk link that allows vlan 10.

If the trunk between SW1 and SW2 allows vlan 10, then SW2 will receive the packet and forward it to all ports in vlan 10 including our victim.

Unfortunately I don't have a PC to send double-tagged packet so I cannot test.

Is my misunderstanding incorrect?

Thanks

Correct Answer by Jon Marshall Thu, 01/14/2010 - 10:47

dodgerfan78 wrote:

I have been reading that the double-tagged VLAN hopping attack only works when the attacker's VLAN is the same as the native vlan of the trunk. I don't see why this is necessary, can someone help me understand?

This is my current understanding of the attack:

Attacker------vlanx------SW1------trunk------SW2------vlan10------Victim

The Attacker sends double tagged packet with inner tag of 10 and outer tag of 20 (for example)

SW1 peels off 20 and sends the packet down any trunk link that allows vlan 10.

If the trunk between SW1 and SW2 allows vlan 10, then SW2 will receive the packet and forward it to all ports in vlan 10 including our victim.

Unfortunately I don't have a PC to send double-tagged packet so I cannot test.

Is my misunderstanding incorrect?

Thanks

The key to understanding this is that when an 802.1Q trunk port on a switch whose native VLAN is the same as the VLAN on the outer tag gets the packet, it strips the outer tag and forwards the packet as untagged traffic.

So the attacker simply creates a packet with 2 tags, the inner tag being the vlan he is attacking and the outer packet being the tag that corresponds to the native vlan. If the outer tag was any other vlan than the native vlan then the behaviour would not be the same.

Jon

dodgerfan78 Thu, 01/14/2010 - 10:49

I think I see it now, so if the outer tag was not the native vlan, the tag wouldn't even be stripped it would just appear to be on that vlan and tag kept intact.

thanks!

Jon Marshall Thu, 01/14/2010 - 11:04

dodgerfan78 wrote:

I think I see it now, so if the outer tag was not the native vlan, the tag wouldn't even be stripped it would just appear to be on that vlan and tag kept intact.

thanks!

Basically yes. It is precisely because of the behaviour of an 802.1Q trunk port and a native vlan tag that allows a double-tag attack.

Jon

Ganesh Hariharan Fri, 01/15/2010 - 00:00

Hi,

The basic definition of vlan hopping says:

VLAN hopping (virtual local area network hopping) is a computer security exploit, a method of attacking networked resources on a VLAN. The basic concept behind all VLAN hopping attacks is for an attacking host on a VLAN to gain access to traffic on other VLANs that would normally not be accessible. There are two primary methods of VLAN hopping: switch spoofing and double tagging.

In a switch spoofing attack, an attacking host that is capable of speaking the tagging and trunking protocols used in maintaining a VLAN imitates a trunking switch. Traffic for multiple VLANs is then accessible to the attacking host.

In a double tagging attack, an attacking host prepends two VLAN tags to packets that it transmits. The first header (which corresponds to the VLAN that the attacker is really a member of) is stripped off by a first switch the packet encounters, and the packet is then forwarded. The second, false, header is then visible to the second switch that the packet encounters. This false VLAN header indicates that the packet is destined for a host on a second, target VLAN. The packet is then sent to the target host as though it were layer 2 traffic. By this method, the attacking host can bypass layer 3 security measures that are used to logically isolate hosts from one another.

Hope that helps out your query!!

Regards

Ganesh.H

CARLO CIANFARANI Fri, 09/28/2012 - 05:39

Hi,

regarding this discussion my question is: why does a switch port configured as "static access" accept and handle tagged frames at ingress (in this scenario with the native VLAN tag)?

thanks

Giuseppe Larosa Fri, 09/28/2012 - 06:21

Hello Carlo,

a switched port in access mode can accept frames with an 802.1Q vlan tag equal to the vlan-id that it is a member of.

This depends on implementation details.

Example: an access-port in vlan 10 may accept frames with an 802.1Q with vlan-id=10.

The recommended workaround against double Vlan hopping attack is to never assign ports to the native vlan of trunks.

In other words, the native vlan of trunks should be a dedicated vlan never used for other purposes. The recommendation is to use the same dedicated vlan for native vlan on all trunk links and to never assign ports to it.

All this happens for implementation reasons. Older CatOS switches like C5000 could accept tagged frames with any vlan-id and this allowed a 1 Vlan hop attack to be successful on them.

Hope to help

Giuseppe
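The trunk behaviour Jon describes (an outer tag equal to the native VLAN is stripped, so the inner tag surfaces on SW2), the access-port behaviour Giuseppe describes, and his dedicated-native-VLAN mitigation, modelled in an added Python example that is not part of this thread. The frame layout, MAC addresses, VLAN numbers and per-port rules are a simplified, constructed model of 802.1Q handling, not any particular switch's implementation:

```python
import struct

TPID = 0x8100  # 802.1Q Tag Protocol Identifier

def parse_tags(frame):
    """Return (vlan_ids, remainder) for a frame carrying 0..n stacked 802.1Q tags."""
    tags, off = [], 12  # skip 6-byte dst MAC + 6-byte src MAC
    while frame[off:off + 2] == struct.pack("!H", TPID):
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        tags.append(tci & 0x0FFF)  # VLAN ID is the low 12 bits of the TCI
        off += 4
    return tags, frame[off:]

def build_frame(vlan_ids, payload=b"\x08\x00" + b"\x00" * 46):
    """Constructed frame: broadcast dst, made-up src MAC, one tag per VLAN id."""
    hdr = b"\xff" * 6 + bytes.fromhex("021122334455")
    for vid in vlan_ids:
        hdr += struct.pack("!HH", TPID, vid)
    return hdr + payload

def access_ingress(frame, access_vlan):
    """Access port: untagged frames join the access VLAN; a frame tagged with that
    same VLAN is accepted and the tag stripped (Giuseppe's point); others dropped."""
    tags, _ = parse_tags(frame)
    if not tags:
        return access_vlan, frame
    if tags[0] == access_vlan:
        return access_vlan, frame[:12] + frame[16:]  # drop only the outer tag
    return None, None

def trunk_egress(vlan, frame, native_vlan):
    """802.1Q trunk: the native VLAN leaves untagged, every other VLAN is tagged."""
    if vlan == native_vlan:
        return frame  # a second tag left inside the frame now reads as its only tag
    return frame[:12] + struct.pack("!HH", TPID, vlan) + frame[12:]

def trunk_ingress(frame, native_vlan):
    """Receiving trunk: untagged -> native VLAN, tagged -> VLAN of the outer tag."""
    tags, _ = parse_tags(frame)
    return tags[0] if tags else native_vlan

def delivered_vlan(attacker_vlan, outer, inner, native_vlan):
    """VLAN in which SW2 floods an attacker frame tagged [outer, inner]; None if
    SW1 drops it. In this model it hops only when attacker_vlan == outer == native."""
    vlan, frame = access_ingress(build_frame([outer, inner]), attacker_vlan)
    if vlan is None:
        return None
    return trunk_ingress(trunk_egress(vlan, frame, native_vlan), native_vlan)
```

delivered_vlan(1, 1, 10, 1) returns 10 (the hop the thread describes), delivered_vlan(20, 20, 10, 1) returns 20 (the outer tag is re-applied and kept, as dodgerfan78 concluded), and with a dedicated native VLAN 999 that no access port belongs to, delivered_vlan(20, 999, 10, 999) returns None.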
