{"id":606,"date":"2017-05-08T17:38:00","date_gmt":"2017-05-08T17:38:00","guid":{"rendered":"https:\/\/jay-miah.co.uk\/?p=606"},"modified":"2024-11-17T17:56:44","modified_gmt":"2024-11-17T17:56:44","slug":"bpdu-guard-concept-stp-attack-and-mitigation-example","status":"publish","type":"post","link":"https:\/\/jay-miah.co.uk\/index.php\/bpdu-guard-concept-stp-attack-and-mitigation-example\/","title":{"rendered":"BPDU Guard Concept, STP Attack and Mitigation Example"},"content":{"rendered":"<p>BPDU Guard, BPDU Filter, Root Guard and Loop Guard are all considered spanning tree security features, they all have different characteristics as to what they protect and how they work. Spanning tree attacks can harm the data-plane at Layer 2 therefore using spanning tree security we can mitigate \u201cMan in the Middle\u201d type attacks, protect against changes in the spanning tree topology, protect the \u201cRoot Bridge\u201d and prevent overall network loops.<\/p>\n<p>Spanning tree BPDU Guard is used to protect access switches from the user community, BPDU Guard will help prevent an unknown device from participating in Spanning Tree and essentially overruling the root bridge thus preventing a STP topology change.<\/p>\n<p>Out of the box Cisco switches use the original 802.1d Spanning Tree Protocol, which was designed to prevent loops in a network. 
Switches send BPDU (Bridge Protocol Data Unit) probes into the network every two seconds to discover loops. BPDU frames are also used to help elect the \u201cRoot Bridge\u201d; the root bridge is normally the \u201cCore\u201d switch that all the other switches forward frames through.<\/p>\n<p>The Root Bridge selection is made according to the device that has the lowest \u201cBridge-ID\u201d. The Bridge ID is made up of two things \u2013<\/p>\n<p>The Bridge Priority \u2013 every switch is 32769 by default (can be set higher or lower), lower wins!<\/p>\n<p>The switch\u2019s MAC address \u2013 older\/lower (manufactured date\/numerical\/alphabetical) MAC address wins!<\/p>\n<p>If a user connects an unknown switch into the network, the switch could potentially have a lower \u201cBridge-ID\u201d that would cause an STP topology change, making the unknown device the new root bridge. All the other switches would then find the best path to the elected root bridge and forward all their traffic via this device. This would be an example of someone accidentally causing the STP topology to change, which would severely impact the performance of the network.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-607\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-606-1.jpeg\" alt=\"\" width=\"529\" height=\"380\" \/><\/p>\n<p>Alternatively, a malicious user with some software could connect themselves onto two switches, send superior BPDU frames and cause the STP topology to change. 
The malicious user would then become the root bridge and using Wireshark they could capture traffic as it goes through them.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"545\" height=\"435\" class=\"wp-image-608\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-606-2.jpeg\" \/><\/p>\n<p>BPDU Guard says, if I see BPDU\u2019s come in on a protected port, I will immediately disable that port and place it into an \u201cerr-disabled\u201d state.<\/p>\n<p>It is Cisco\u2019s best practice that BPDU Guard should be enabled on all ports connecting to the user community. BPDU Guard can be enabled globally or on specific switch ports.<\/p>\n<p><strong>Attack Example:<\/strong><\/p>\n<p>Warning: do not carry out anything outlined in this guide on a live network, and always ensure you have the relevant permissions if you are testing this out for yourself, this should only be done in a lab environment or test network. This document is for the purpose of understanding how these attacks work and how to mitigate against them.<\/p>\n<p>In the example below, we will take a look at sending in BPDU frames into the network to manipulate the Spanning Tree topology and make the attacker\u2019s machine the \u201cRoot Bridge\u201d the topology has been setup in \u201cGNS3\u201d with \u201cKali-Linux\u201d acting as the attacking machine. For simplicity we will use a single VLAN (VLAN1), basic networking is in place.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"744\" height=\"395\" class=\"wp-image-609\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-606-3.jpeg\" \/><\/p>\n<p>Let\u2019s get started!<\/p>\n<p><strong>Step 1.<\/strong> Let\u2019s take a look at the current STP topology on all the devices,<\/p>\n<p><strong>CORE-SW<\/strong><\/p>\n<p>#show spanning-tree<\/p>\n<p>From the output below we can see that \u201cRapid Spanning Tree\u201d is running on the switch for VLAN 1. 
The device is acting as the \u201cRoot Bridge\u201d and its priority is \u201c28673\u201d. We can also see that all the ports are in a \u201cDesignated\u201d state; this is normal behaviour for all ports on the root.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"709\" height=\"513\" class=\"wp-image-610\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-606-4.jpeg\" \/><\/p>\n<p><strong>ACCESS-SW-1<\/strong><\/p>\n<p>#show spanning-tree<\/p>\n<p>From the output we can see that the device is participating in \u201cRapid Spanning Tree\u201d for VLAN 1, and the \u201cRoot Bridge\u201d is the device with MAC \u201caabb.cc00.0100\u201d (which is the CORE-SW). The device itself has the priority of \u201c32769\u201d and its MAC address is \u201caabb.cc00.0200\u201d. The device has also lit up a \u201cRoot\u201d port which is \u201cE0\/0\u201d; this port has the best path to the root bridge.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"709\" height=\"534\" class=\"wp-image-611\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-606-5.jpeg\" \/><\/p>\n<p><strong>ACCESS-SW-2<\/strong><\/p>\n<p>#show spanning-tree<\/p>\n<p>From the output below we can see that this switch is also running \u201cRapid Spanning Tree\u201d for VLAN 1, and the \u201cRoot Bridge\u201d is the device with MAC \u201caabb.cc00.0100\u201d (which is the CORE-SW). The device itself has the priority of \u201c32769\u201d and its MAC address is \u201caabb.cc00.0300\u201d. The device has also lit up a \u201cRoot\u201d port which is \u201cE0\/1\u201d; this port has the best path to the root bridge. 
The device is also blocking two redundant ports, \u201cE0\/0\u201d and \u201cE0\/2\u201d in order to prevent a loop.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"709\" height=\"536\" class=\"wp-image-612\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-606-6.jpeg\" \/><\/p>\n<p>If the attack is successful we should see the attacker\u2019s machine become the \u201cRoot Bridge\u201d as the BPDU sent by this device will have a lower \u201cBridge-ID\u201d than that of the \u201cCORE-SW\u201d. We should also see blocked port \u201cE0\/0\u201d on \u201cACCESS-SW-2\u201d change its state and become a \u201cRoot\u201d port as its path to the \u201cRoot Bridge\u201d.<\/p>\n<p><strong>Step 2.<\/strong> Let\u2019s setup debugging on all three switches so that we can see what happens when the attack is carried out.<\/p>\n<p><strong>CORE-SW <\/strong><\/p>\n<p>#debug spanning-tree config<\/p>\n<p>#debug spanning-tree events<\/p>\n<p>#debug spanning-tree bpdu receive<\/p>\n<p>#debug spanning-tree general<\/p>\n<p>#debug spanning-tree root<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"707\" height=\"176\" class=\"wp-image-613\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-606-7.jpeg\" \/><\/p>\n<p><strong>ACCESS-SW-1<\/strong><\/p>\n<p>#debug spanning-tree config<\/p>\n<p>#debug spanning-tree events<\/p>\n<p>#debug spanning-tree bpdu receive<\/p>\n<p>#debug spanning-tree general<\/p>\n<p>#debug spanning-tree root<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"708\" height=\"176\" class=\"wp-image-614\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-606-8.jpeg\" \/><\/p>\n<p><strong>ACCESS-SW-2<\/strong><\/p>\n<p>#debug spanning-tree config<\/p>\n<p>#debug spanning-tree events<\/p>\n<p>#debug spanning-tree bpdu receive<\/p>\n<p>#debug spanning-tree general<\/p>\n<p>#debug spanning-tree root<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"708\" 
height=\"176\" class=\"wp-image-615\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-606-9.jpeg\" \/><\/p>\n<p><strong>Step 3.<\/strong> From the \u201cKali Linux\u201d machine launch an attack using \u201cYersinia\u201d to send superior BPDU\u2019s into the network.<\/p>\n<p>#yersinia -I<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1010\" height=\"30\" class=\"wp-image-616\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-606-10.jpeg\" \/><\/p>\n<p><strong>Step 4.<\/strong> Press \u201cI\u201d to select the interface to use for the attack, highlight \u201ceth0\u201d, ensure it is set as \u201cOn\u201d and press \u201cq\u201d to exit.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1061\" height=\"539\" class=\"wp-image-617\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-606-11.jpeg\" \/><\/p>\n<p><strong>Step 5.<\/strong> Hit the\u00a0\u201cg\u201d\u00a0key to load the attack type, select\u00a0\u201cSTP\u201d\u00a0and hit\u00a0\u201center\u201d.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1062\" height=\"538\" class=\"wp-image-618\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-606-12.jpeg\" \/><\/p>\n<p><strong>Step 6.<\/strong> Hit the\u00a0\u201cx\u201d\u00a0key to select the attack type and press\u00a0\u201c4\u201d\u00a0for\u00a0\u201cClaiming Root Role\u201d to run the attack.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1062\" height=\"540\" class=\"wp-image-619\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-606-13.jpeg\" \/><\/p>\n<p>Yersinia will now send BPDU\u2019s into the network, first establishing who the \u201cRoot Bridge\u201d is and then claiming to have a lower \u201cBridge-ID\u201d than the real \u201cRoot Bridge\u201d. The MAC address the Kali box will use is shown below in the \u201cBridge-ID\u201d. 
This is \u201cAABB.CC00.0000\u201d<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1065\" height=\"541\" class=\"wp-image-620\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-606-14.jpeg\" \/><\/p>\n<p><strong>Step 7.<\/strong> Let\u2019s take a look at the damage by reviewing the debug messages on all three switches.<\/p>\n<p><strong>CORE-SW<\/strong><\/p>\n<p>From the output below we can see that \u201cCORE-SW\u201d received a superior BPDU on \u201cE0\/0\u201d therefore it updated its role and changed its state from \u201cDesignated\u201d to \u201cRoot\u201d. The device also received a superior BPDU on \u201cE0\/1\u201d and therefore updated its role and changed its port state from \u201cDesignated\u201d to \u201cAlternate\u201d (Blocked).<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"914\" height=\"357\" class=\"wp-image-621\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-606-15.jpeg\" \/><\/p>\n<p><strong>ACCESS-SW-1<\/strong><\/p>\n<p>\u201cACCESS-SW-1\u201d received a superior BPDU on \u201cE0\/1\u201d claiming there is a new \u201cRoot Bridge\u201d therefore it updated its role and changed its state from \u201cDesignated\u201d to \u201cRoot\u201d. The device also received a superior BPDU on \u201cE0\/2\u201d and began a dispute as to which port to block. As \u201cACCESS-SW-1\u201d has the same \u201cPriority\u201d as \u201cACCESS-SW-2\u201d the device with the lower MAC address will win and the other side will be blocked. In this case MAC \u201c0200\u201d is lower than \u201c0300\u201d therefore \u201cACCESS-SW-1\u201d wins the dispute and resolves it. 
Interface \u201cE0\/2\u201d remains as a \u201cDesignated\u201d port.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"707\" height=\"282\" class=\"wp-image-622\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-606-16.jpeg\" \/><\/p>\n<p><strong>ACCESS-SW-2<\/strong><\/p>\n<p>\u201cACCESS-SW-2\u201d receives a superior BPDU on \u201cE0\/0\u201d, which is a blocked port. The device now must find the best path to the \u201cRoot Bridge\u201d and therefore changes its role from \u201cBlocked\u201d to \u201cRoot\u201d for \u201cE0\/0\u201d. As we saw earlier on \u201cACCESS-SW-1\u201d, a dispute took place as to which side of the redundant link to block. \u201cACCESS-SW-1\u201d won the dispute and interface \u201cE0\/2\u201d on \u201cACCESS-SW-2\u201d was blocked; we can see this below, where \u201cEt0\/2\u201d is now blocking. Interface \u201cE0\/1\u201d will change its role from \u201cRoot\u201d to \u201cDesignated\u201d as the other side of the link on \u201cCORE-SW\u201d is being blocked.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"715\" height=\"209\" class=\"wp-image-623\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-606-17.jpeg\" \/><\/p>\n<p>The Spanning Tree topology has changed and now looks like this:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"764\" height=\"461\" class=\"wp-image-624\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-606-18.jpeg\" \/><\/p>\n<p><strong>Step 8.<\/strong> If we take a look at the Spanning Tree configuration we can verify the changes as we have seen in the debug messages.<\/p>\n<p><strong>CORE-SW<\/strong><\/p>\n<p>#show spanning-tree<\/p>\n<p>The \u201cRoot-Bridge\u201d has a priority of \u201c28673\u201d and the following MAC address: \u201caabb.cc00.0000\u201d. The \u201cCORE-SW\u201d has a priority of \u201c28673\u201d and its MAC address is \u201caabb.cc00.0100\u201d. 
Although the \u201cPriority\u201d for both devices matches, we can see that the MAC address of the newly elected root is lower, therefore it won the election and became the root. The \u201cCORE-SW\u201d has also lit up \u201cE0\/0\u201d as its root port as we have seen in the debug messages.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"709\" height=\"534\" class=\"wp-image-625\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-606-19.jpeg\" \/><\/p>\n<p><strong>ACCESS-SW-1<\/strong><\/p>\n<p>#show spanning-tree<\/p>\n<p>On \u201cACCESS-SW-1\u201d we can see that the device knows the newly elected \u201cRoot Bridge\u201d and has identified it with its priority of \u201c28673\u201d and its MAC address of \u201caabb.cc00.0000\u201d. The device has elected \u201cE0\/1\u201d as its root port.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"714\" height=\"502\" class=\"wp-image-626\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/c-users-acitjxm-appdata-local-microsoft-windows-i.jpeg\" alt=\"\" \/><\/p>\n<p><strong>ACCESS-SW-2<\/strong><\/p>\n<p>#show spanning-tree<\/p>\n<p>On \u201cACCESS-SW-2\u201d we can see that this device also knows the newly elected \u201cRoot Bridge\u201d and has identified it with its priority of \u201c28673\u201d and its MAC address of \u201caabb.cc00.0000\u201d. The device has elected \u201cE0\/0\u201d as its root port, and blocked the redundant link on \u201cE0\/2\u201d.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"711\" height=\"499\" class=\"wp-image-627\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-606-21.jpeg\" \/><\/p>\n<p><strong>Step 9.<\/strong> Using Wireshark we can now capture traffic as it passes the \u201cKali-Linux\u201d machine. As a test let\u2019s see if we can see ICMP traffic as we ping \u201cACCESS-SW-2\u201d from the \u201cCORE-SW\u201d. 
The traffic should go from the \u201cCORE-SW\u201d to \u201cACCESS-SW-1\u201d through the \u201cRoot\u201d (which is the Kali-Linux) and to \u201cACCESS-SW-2\u201d.<\/p>\n<p>On the Kali box, launch Wireshark and begin a capture.<\/p>\n<p>#wireshark<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"721\" height=\"21\" class=\"wp-image-628\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-606-22.jpeg\" \/><\/p>\n<p>From \u201cCORE-SW\u201d ping \u201cACCESS-SW-2\u201d<\/p>\n<p>#ping 192.168.1.3 repeat 10<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"883\" height=\"98\" class=\"wp-image-629\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-606-23.jpeg\" \/><\/p>\n<p>From the Wireshark capture we can see the ICMP packets going from source \u201c192.168.1.1\u201d to destination \u201c192.168.1.3\u201d. We can also see the source and destination Layer 2 address. If we were transmitting data, we would be able to sniff the traffic and rebuild the packets.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1071\" height=\"505\" class=\"wp-image-630\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-606-24.jpeg\" \/><\/p>\n<p>Let\u2019s protect against this using BPDU Guard.<\/p>\n<p><strong>Global Configuration Example<\/strong><\/p>\n<p><strong>Step 1.<\/strong> Enable BPDU Guard in global configuration mode.<\/p>\n<p><strong>ACCESS-SW-1<\/strong><\/p>\n<p>#conf t<\/p>\n<p>#spanning-tree portfast bpduguard default<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"709\" height=\"66\" class=\"wp-image-631\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-606-25.jpeg\" \/><\/p>\n<p><strong>ACCESS-SW-2<\/strong><\/p>\n<p>#conf t<\/p>\n<p>#spanning-tree portfast bpduguard default<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"712\" 
src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-606-26.jpeg\" \/><\/p>\n<p><strong>Step 2.<\/strong> Configure all the access ports that connect back to the user community as \u201cPortfast\u201d (do not configure any trunk ports or ports that connect to other switches as portfast as they will need to listen out for BPDU\u2019s; there is also a risk of causing a loop if switches can\u2019t see BPDU probes).<\/p>\n<p><strong>ACCESS-SW-1<\/strong><\/p>\n<p>In our case we can just configure \u201cE0\/1\u201d as \u201cPortfast\u201d for \u201cACCESS-SW-1\u201d since this is our only access port. However, you may want to configure this using the range command for all your access ports.<\/p>\n<p>#int e0\/1<\/p>\n<p>#spanning-tree portfast<\/p>\n<p>As we can see, the command does come with a warning recommending not to configure portfast on a port that connects back to a switch or hub.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"882\" height=\"146\" class=\"wp-image-633\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-606-27.jpeg\" \/><\/p>\n<p><strong>ACCESS-SW-2<\/strong><\/p>\n<p>Again we can just configure \u201cE0\/0\u201d as portfast for \u201cACCESS-SW-2\u201d since this is our only access port.<\/p>\n<p>#int e0\/0<\/p>\n<p>#spanning-tree portfast<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"883\" height=\"147\" class=\"wp-image-634\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-606-28.jpeg\" \/><\/p>\n<p><strong>Step 3. 
<\/strong>From the Kali-Linux machine let\u2019s send some BPDU\u2019s and attempt to introduce the new \u201cRoot\u201d.<\/p>\n<p>On \u201cYersinia\u201d press \u201cx\u201d to launch the attack and select option \u201c4\u201d.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1065\" height=\"535\" class=\"wp-image-635\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-606-29.jpeg\" \/><\/p>\n<p><strong>ACCESS-SW-1<\/strong><\/p>\n<p>Instantly after enabling BPDU Guard we can see that BPDU\u2019s were blocked for interface \u201cE0\/1\u201d coming in from our attacking machine. The port has now been shut down and placed into the \u201cerr-disabled\u201d state. If we want to bring the interface back up, we need to do a \u201cshut\u201d and \u201cno shut\u201d.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"881\" height=\"128\" class=\"wp-image-636\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/23.jpeg\" alt=\"23\" \/><\/p>\n<p>#show interface status err-disabled<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"881\" height=\"82\" class=\"wp-image-637\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/c-users-acitjxm-appdata-local-microsoft-windows-i-1.jpeg\" alt=\"\" \/><\/p>\n<p><strong>ACCESS-SW-2<\/strong><\/p>\n<p>Again we can see that BPDU\u2019s were blocked on interface \u201cE0\/0\u201d and the interface was shut down.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"882\" height=\"128\" class=\"wp-image-638\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/25.jpeg\" alt=\"25\" \/><\/p>\n<p>#show interface status err-disabled<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"882\" height=\"83\" class=\"wp-image-639\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/c-users-acitjxm-appdata-local-microsoft-windows-i-2.jpeg\" 
alt=\"\" \/><\/p>\n<p><strong>Port by Port Configuration <\/strong><\/p>\n<p><strong>Step 1. <\/strong>Enter the configuration mode for the interfaces you wish to configure \u201cBPDU Guard\u201d on and enter the following:<\/p>\n<p>#conf t<\/p>\n<p>#interface e0\/0<\/p>\n<p>#spanning-tree portfast<\/p>\n<p>#spanning-tree bpduguard enable<\/p>\n<p>It is ideal to use the range command for multiple ports.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"882\" height=\"195\" class=\"wp-image-640\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-606-34.jpeg\" \/><\/p>\n","protected":false},"excerpt":{"rendered":"<p>BPDU Guard, BPDU Filter, Root Guard and Loop Guard are all considered spanning tree security features, they all have different characteristics as to what they<\/p>\n","protected":false},"author":1,"featured_media":642,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6,9],"tags":[14,68,67,70,65,23,69],"class_list":["post-606","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","category-switching","tag-bpdu","tag-bpdu-guard","tag-err-disabled","tag-mim","tag-spanning-tree-2","tag-stp","tag-tagsattack"],"_links":{"self":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/606","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/comments?post=606"}],"version-history":[{"count":3,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/
606\/revisions"}],"predecessor-version":[{"id":644,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/606\/revisions\/644"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/media\/642"}],"wp:attachment":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/media?parent=606"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/categories?post=606"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/tags?post=606"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}