Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3955
Views
10
Helpful
6
Replies

VLAN Hopping

Go to solution
dodgerfan78
Level 1
Level 1

‎01-14-2010 10:30 AM - edited ‎03-06-2019 09:18 AM

I have been reading that the double-tagged VLAN hopping attack only works when the attackers VLAN is the same as the native vlan of the trunk. I don't see why this is necessary, can someone help me understand?

This is my current understanding of the attack:

Attacker------vlanx------SW1------trunk------SW2------vlan10------Victim

The Attacker sends double tagged packet with inner tag of 10 and outer tag of 20 (for example)

SW1 peels off 20 and sends the packet down any trunk link that allows vlan 10.

If the trunk between SW1 and SW2 allows vlan 10, then SW2 will receive the packet and forwrd it to all ports in vlan 10 including our victim.

Unfortunately I don't have a PC to send double-tagged packet so I cannot test.

Is my misunderstanding incorrect?

Thanks

1 person had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎01-14-2010 10:47 AM 

dodgerfan78 wrote:
I have been reading that the double-tagged VLAN hopping attack only works when the attackers VLAN is the same as the native vlan of the trunk. I don't see why this is necessary, can someone help me understand?
This is my current understanding of the attack:
Attacker------vlanx------SW1------trunk------SW2------vlan10------Victim
The Attacker sends double tagged packet with inner tag of 10 and outer tag of 20 (for example)
SW1 peels off 20 and sends the packet down any trunk link that allows vlan 10.
If the trunk between SW1 and SW2 allows vlan 10, then SW2 will receive the packet and forwrd it to all ports in vlan 10 including our victim.
Unfortunately I don't have a PC to send double-tagged packet so I cannot test.
Is my misunderstanding incorrect?
Thanks

The key to understanding this is that when a 802.1q trunk port on a switch whose native VLAN is the same as the VLAN  on the outer tag gets the packet, it strips the outer tag and forwards the packet as untagged traffic.

So the attacker simply creates packet with 2 tags, the inner tag being the vlan he is attacking an the outer packet being the tag that corresponds to the native vlan. If the outer tag was any other vlan than the native vlan then the behaviour would not be the same.

Jon

View solution in original post

6 Replies 6

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎01-14-2010 10:47 AM 

dodgerfan78 wrote:
I have been reading that the double-tagged VLAN hopping attack only works when the attackers VLAN is the same as the native vlan of the trunk. I don't see why this is necessary, can someone help me understand?
This is my current understanding of the attack:
Attacker------vlanx------SW1------trunk------SW2------vlan10------Victim
The Attacker sends double tagged packet with inner tag of 10 and outer tag of 20 (for example)
SW1 peels off 20 and sends the packet down any trunk link that allows vlan 10.
If the trunk between SW1 and SW2 allows vlan 10, then SW2 will receive the packet and forwrd it to all ports in vlan 10 including our victim.
Unfortunately I don't have a PC to send double-tagged packet so I cannot test.
Is my misunderstanding incorrect?
Thanks

The key to understanding this is that when a 802.1q trunk port on a switch whose native VLAN is the same as the VLAN  on the outer tag gets the packet, it strips the outer tag and forwards the packet as untagged traffic.

So the attacker simply creates packet with 2 tags, the inner tag being the vlan he is attacking an the outer packet being the tag that corresponds to the native vlan. If the outer tag was any other vlan than the native vlan then the behaviour would not be the same.

Jon

Go to solution
dodgerfan78
Level 1
Level 1
In response to Jon Marshall

‎01-14-2010 10:49 AM

I think I see it now, so if the outer tag was not the native vlan, the tag wouldn't even be stripped it would just appear to be on that vlan and tag kept intact.

thanks!

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to dodgerfan78

‎01-14-2010 11:04 AM 

dodgerfan78 wrote:
I think I see it now, so if the outer tag was not the native vlan, the tag wouldn't even be stripped it would just appear to be on that vlan and tag kept intact.
thanks!

Basically yes. It is precisely because of the behaviour of an 802.1Q trunk port and a native vlan tag that allows a double-tag attack.

Jon

0 Helpful

Go to solution
Ganesh Hariharan
VIP Alumni
VIP Alumni

‎01-15-2010 12:00 AM

Hi,

The basic defination for vlan hopping says:-


VLAN hopping (virtual local area network hopping) is a computer security exploit, a method of attacking networked resources on a VLAN. The basic concept behind all VLAN hopping attacks is for an attacking host on a VLAN to gain access to traffic on other VLANs that would normally not be accessible. There are two primary methods of VLAN hopping: switch spoofing and double tagging.

In a switch spoofing attack, an attacking host that is capable of speaking the tagging and trunking protocols used in maintaining a VLAN imitates a trunking switch. Traffic for multiple VLANs is then accessible to the attacking host.

In a double tagging attack, an attacking host prepends two VLAN tags to packets that it transmits. The first header (which corresponds to the VLAN that the attacker is really a member of) is stripped off by a first switch the packet encounters, and the packet is then forwarded. The second, false, header is then visible to the second switch that the packet encounters. This false VLAN header indicates that the packet is destined for a host on a second, target VLAN. The packet is then sent to the target host as though it were layer 2 traffic. By this method, the attacking host can bypass layer 3 security measures that are used to logically isolate hosts from one another.

Hope that helps out your query !!

Regards

Ganesh.H

0 Helpful

Go to solution
CARLO CIANFARANI
Level 1
Level 1

‎09-28-2012 05:39 AM

Hi,

regarding this discussion my question is: why a switch port configured as "static access" accepts & handles tagged frames at ingress (in this scenario with native VLAN tag) ?

thanks

0 Helpful

Go to solution
Giuseppe Larosa
Hall of Fame
Hall of Fame
In response to CARLO CIANFARANI

‎09-28-2012 06:21 AM

Hello Carlo,

a switched port in access mode can accept frames with an 802.1Q vlan tag = to the vlan-id that is a member of.

This depends from implementation details.

Example: an access-port in vlan 10 may accept frames with an 802.1Q with vlan-id=10.

The recommended workaround against double Vlan hopping attack is to never assign ports to the native vlan of trunks.

In other words, the native vlan of trunks should be a dedicated vlan never used for other purposes. The recommendation is to use the same dedicated vlan for native vlan on all trunk links and to never assign ports to it.

All this happens for implementation reasons.  Older CatOS switches like C5000 could accept tagged frames with any vlan-id and this  allowed  1 Vlan hop attack to be successful on them.

Hope to help

Giuseppe

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card