Attack 1: Taking Over the Root Bridge
Taking over a root bridge is probably one of the most disruptive attacks. By default, a LAN
switch takes any BPDU sent from Yersinia at face value. Keep in mind that STP is trustful,
stateless, and does not provide a solid authentication mechanism. The default STP bridge
priority is 32768. Once in root attack mode, Yersinia sends a BPDU every 2 sec with the
same priority as the current root bridge, but with a slightly numerically lower MAC address,
which ensures it a victory in the root-bridge election process. Figure 3-6 shows Yersinia's
STP attack screen, followed by a show command capture on the LAN switch under attack.
56 Chapter 3: Attacking the Spanning Tree Protocol
Figure 3-6 Yersinia’s STP Attacks
Example 3-2 shows the result of the attack on the switch. (The hacker running Yersinia is
connected to port F8/1.)
Example 3-2 Cisco IOS Command to Display Port-Level STP Details
6K-2-S2#show spanning-tree vlan 123 interface f8/1 detail
Port 897 (FastEthernet8/1) of VLAN0123 is root forwarding
Port path cost 19, Port priority 240, Port Identifier 240.897.
Designated root has priority 32891, address 0050.3e04.9c00
Designated bridge has priority 32891, address 0050.3e04.9c00
Designated port id is 240.897, designated path cost 0
Timers: message age 15, forward delay 0, hold 0
Number of transitions to forwarding state: 2
Link type is point-to-point by default
Loop guard is enabled by default on the port
BPDU: sent 29, received 219
6K-2-S2#
Let the Games Begin! 57
! The previous command shows the status of the port for a given VLAN, and
! the number of BPDUs received on the port. Here, something abnormal is
! happening: a root port should normally be sending many more BPDUs than
! it is receiving. The opposite is taking place here, indicating suspicious
! activity.
6K-2-S2#sh spanning-tree bridge address | inc VLAN0123
VLAN0123         0050.3e05.9c00
6K-2-S2#
6K-2-S2#sh spanning-tree vlan 123 root
                                        Root    Hello Max Fwd
Vlan                   Root ID          Cost    Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- --- ------------
VLAN0123         32891 0050.3e04.9c00        19    2   20  15  Fa8/1
6K-2-S2#
Notice this bridge's MAC address against the MAC generated by Yersinia (0050.3e05.9c00
vs 0050.3e04.9c00). Yersinia wins (04 < 05); the root bridge is now located off port 8/1.
Forging Artificially Low Bridge Priorities
It is no problem for an attack tool to generate a BPDU with both the priority and the bridge
ID set to 0, as Example 3-3 shows.
Such a BPDU is absolutely impossible to beat, because no switch would ever generate an
all-0 bridge ID.
Example 3-3 Cisco IOS Command to Verify Root Bridge Status
6K-2-S2#show spanning-tree vlan 123 root
                                        Root    Hello Max Fwd
Vlan                   Root ID          Cost    Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- --- ------------
VLAN0123             0 0000.0000.0000        19    2   20  15  Fa8/1
6K-2-S2#
Two other minor variations of the taking-root-ownership theme exist:
• Root ownership attack: alternative 1. Another disruptive attack alternative could
consist in first taking over the root bridge, and then never setting the TC-ACK bit in
BPDUs when receiving a TCN BPDU. The result is a continued premature aging of the
entries in the switches' forwarding tables, possibly resulting in unnecessary flooding.
• Root ownership attack: alternative 2. For an even more negative effect, a sequence
where the attack tool generates a superior BPDU claiming to be the root followed by
a retraction of that information seconds later (see Yersinia's "claiming other role"
function) could be used. This is guaranteed to cause lots of process churn because of
constant state machine transitions, with high CPU utilization as a result and a
potential DoS.
Fortunately, the antidote to a root takeover attack is simple and straightforward.
Two features help defeat a root takeover attack:
• Root guard
• BPDU-guard
Root Guard
The root guard feature ensures that the port on which root guard is enabled is the designated
port. Normally, root bridge ports are all designated ports, unless two or more ports of the
root bridge are connected. If the bridge receives superior BPDUs on a root guard–enabled
port, root guard moves this port to a root-inconsistent state. This root-inconsistent state is
effectively equal to a listening state. No traffic is forwarded across this port. In this way,
root guard enforces the position of the root bridge. See the first entry in the section,
"References," for more details.
BPDU-Guard
The BPDU-guard feature allows network designers to enforce the STP domain borders and
keep the active topology predictable. Devices behind ports with BPDU-guard enabled are
unable to influence the STP topology. Such devices include hosts running Yersinia, for
example. At the reception of a BPDU, BPDU-guard disables the port. BPDU-guard
transitions the port into the errdisable state, and a message is generated. See the second
entry in the section, "References," for more details.
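As an added example, not code from the book or from Yersinia: a small Python model of the root-bridge election behind Attack 1 and of what root guard and BPDU-guard decide when a BPDU arrives on a port. It decodes 802.1D bridge IDs (the priority field 32891 seen in the examples is 32768 plus sys-id-ext 123), ranks them the way the election does, and shows why the all-0 ID of Example 3-3 cannot be beaten. The BPDU bytes are constructed in memory for the check and never transmitted; all function names are assumptions of this example.

```python
import struct

# Bridge IDs from the page's Examples 3-2 to 3-4 (priority field 32891 = 32768 + sys-id-ext 123).
# The BPDU bytes built from them below are constructed test input; nothing is transmitted.
LEGIT_ROOT = (32891, "0050.3e05.9c00")   # 6K-2-S2, the legitimate root
YERSINIA = (32891, "0050.3e04.9c00")     # same priority, MAC numerically one lower
ALL_ZERO = (0, "0000.0000.0000")         # forged all-0 bridge ID (Example 3-3)

def encode_bridge_id(priority_field, mac):
    """802.1D bridge ID: 16-bit priority field (4-bit priority + 12-bit sys-id-ext) then 48-bit MAC."""
    return struct.pack("!H", priority_field) + bytes.fromhex(mac.replace(".", ""))

def decode_bridge_id(raw):
    """Return (priority field, configured priority, sys-id-ext, dotted MAC) from 8 raw bytes."""
    field = struct.unpack("!H", raw[:2])[0]
    mac = raw[2:8].hex()
    return field, field & 0xF000, field & 0x0FFF, ".".join(mac[i:i + 4] for i in range(0, 12, 4))

def config_bpdu(root, root_cost, sender, port_id):
    """Minimal 35-byte 802.1D configuration BPDU; timer fields are in 1/256-second units."""
    return (struct.pack("!HBBB", 0, 0, 0, 0) + encode_bridge_id(*root) + struct.pack("!I", root_cost)
            + encode_bridge_id(*sender) + struct.pack("!HHHHH", port_id, 0, 20 * 256, 2 * 256, 15 * 256))

def root_id_of(bpdu):
    """The root ID follows protocol ID (2 bytes), version (1), BPDU type (1) and flags (1)."""
    return bpdu[5:13]

def is_superior(candidate_root, current_root):
    """Election rule: the numerically lower 64-bit root ID wins (priority field first, then MAC)."""
    return candidate_root < current_root   # network-order bytes compare like the integer

def port_verdict(bpdu, expected_root, bpduguard=False, rootguard=False):
    """Model the two defenses: BPDU-guard err-disables on any BPDU at all; root guard blocks
    only when the advertised root is better than the root this port is expected to see."""
    if bpduguard:
        return "err-disable (BPDU-guard)"
    if rootguard and is_superior(root_id_of(bpdu), encode_bridge_id(*expected_root)):
        return "root-inconsistent (root guard)"
    return "accept"
```

A BPDU from a downstream switch that still names the legitimate root passes a root guard port, while the same port with BPDU-guard drops on any BPDU, which is the difference the text draws between the two features.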
Example 3-4 shows root guard blocking a port receiving a superior BPDU.
Example 3-4 Root Guard in Action
6K-2-S2# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
6K-2-S2(config)# interface fastethernet 8/1
6K-2-S2(config-if)# spanning-tree rootguard
6K-2-S2(config-if)# ^Z
*Dec 30 18:25:16: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Rootguard enabled on port FastEthernet8/1 VLAN 123.
Dec 30 18:33:41.677: %SPANTREE-SP-2-ROOTGUARD_BLOCK: Root guard blocking port FastEthernet8/1 on VLAN0123.
6K-2-S2#sh spanning-tree vlan 123 ac
VLAN0123
  Spanning tree enabled protocol rstp
  Root ID    Priority    32891
             Address     0050.3e05.9c00
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32891  (priority 32768 sys-id-ext 123)
             Address     0050.3e05.9c00
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300
Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa8/1            Desg BKN*19        240.897  P2p *ROOT_Inc
Fa8/45           Desg FWD 19        128.941  P2p
Gi9/14           Desg FWD 4         128.1038 P2p
Gi9/15           Desg FWD 4         128.1039 Edge P2p
! "Desg" means designated port role; BKN means status blocking;
! FWD means forwarding. Notice the "ROOT Inc" status for port Fa8/1.
If the attack stops, or if it was accidental, the port quickly moves back to forwarding. This
can take as little as three times the hello interval (6 sec, by default) if only a single superior
BPDU was received.
Unless explicitly configured to bridge—which is a rare occurrence—end stations, such as
PCs running any sort of operating system (OS), IP phones, printers, and so on, should never
generate BPDUs, let alone superior BPDUs. Therefore, BPDU-guard is, and should be,
usually preferred to root guard on access ports. BPDU-guard is much less forgiving than
root guard: It instructs STP to error-disable a port in case any BPDU arrives on it. After a
port is placed in the error-disabled state, there are two ways to recover from the condition:
either through a manual action (shut/no shut the port) or through an automatic
recovery timer whose minimum value is 30 sec. Example 3-5 shows how to configure this
using Cisco IOS on a Catalyst 6500. (As usual, consult your switch's documentation for the
exact syntax and availability of the feature.)
Example 3-5 How to Configure BPDU-Guard
6K-2-S2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
6K-2-S2(config)#int f8/1
6K-2-S2(config-if)#spanning-tree bpduguard enable
6K-2-S2(config-if)#exit
6K-2-S2(config)#exit
6K-2-S2#
6K-2-S2(config)#errdisable recovery cause bpduguard
6K-2-S2(config)#errdisable recovery ?
  cause     Enable error disable recovery for application
  interval  Error disable recovery timer value
6K-2-S2(config)#errdisable recovery inter
6K-2-S2(config)#errdisable recovery interval ?
  <30-86400>  timer-interval(sec)
6K-2-S2(config)#errdisable recovery interval 30
Immediately after a BPDU is received on the port, these messages are printed:
Dec 30 18:23:58.685: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet8/1, changed state to down
Dec 30 18:23:58.683: %SPANTREE-SP-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet8/1 with BPDU Guard enabled. Disabling port.
Dec 30 18:23:58.683: %PM-SP-4-ERR_DISABLE: bpduguard error detected on Fa8/1, putting Fa8/1 in err-disable state
If this BPDU was the result of an accident, the port is recovered 30 sec later:
Dec 30 18:24:28.535: %PM-SP-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Fa8/1
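As an added example, not from the book: Python triage of the %PM-SP-4-ERR_DISABLE, %PM-SP-4-ERR_RECOVER and %SPANTREE-SP-2-ROOTGUARD_BLOCK messages above, run over a constructed syslog sample. A port that is err-disabled again right after each 30-sec automatic recovery still has a BPDU source behind it, which is the case the text separates from an accident. The second port, the repeated entries and every timestamp after the first three lines are made up, and the function names are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog sample, modelled on the messages shown on the page; the repeats,
# the second port and all timestamps after the first three lines are made up.
SAMPLE_LOG = """\
Dec 30 18:23:58.683: %SPANTREE-SP-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet8/1 with BPDU Guard enabled. Disabling port.
Dec 30 18:23:58.683: %PM-SP-4-ERR_DISABLE: bpduguard error detected on Fa8/1, putting Fa8/1 in err-disable state
Dec 30 18:24:28.535: %PM-SP-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Fa8/1
Dec 30 18:24:29.101: %PM-SP-4-ERR_DISABLE: bpduguard error detected on Fa8/1, putting Fa8/1 in err-disable state
Dec 30 18:24:59.120: %PM-SP-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Fa8/1
Dec 30 18:24:59.800: %PM-SP-4-ERR_DISABLE: bpduguard error detected on Fa8/1, putting Fa8/1 in err-disable state
Dec 30 18:33:41.677: %SPANTREE-SP-2-ROOTGUARD_BLOCK: Root guard blocking port FastEthernet8/45 on VLAN0123.
Dec 30 19:02:11.004: %PM-SP-4-ERR_DISABLE: bpduguard error detected on Fa8/45, putting Fa8/45 in err-disable state
Dec 30 19:02:41.010: %PM-SP-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Fa8/45
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): %(?P<msg>[A-Z0-9_-]+): (?P<text>.*)$")
PORT_RE = re.compile(r"\b(?:on|port) (?P<port>(?:Fa|Gi|FastEthernet|GigabitEthernet)\d+/\d+)")

def parse(log):
    """Yield (timestamp, mnemonic, short port name) for every line that names a port."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        p = PORT_RE.search(m["text"]) if m else None
        if not p:
            continue
        port = p["port"].replace("FastEthernet", "Fa").replace("GigabitEthernet", "Gi")
        yield datetime.strptime(m["ts"], "%b %d %H:%M:%S.%f"), m["msg"], port

def triage(log, window=timedelta(minutes=5), repeat_threshold=3):
    """Per port: count guard events and flag ports that keep getting err-disabled inside
    `window`, i.e. the BPDU source is still there after each automatic recovery."""
    events = defaultdict(list)
    for ts, msg, port in parse(log):
        events[port].append((ts, msg))
    report = {}
    for port, evs in events.items():
        disables = [ts for ts, msg in evs if msg == "PM-SP-4-ERR_DISABLE"]
        n = repeat_threshold
        persistent = any(disables[i + n - 1] - disables[i] <= window for i in range(len(disables) - n + 1))
        report[port] = {
            "rootguard_blocks": sum(msg == "SPANTREE-SP-2-ROOTGUARD_BLOCK" for _, msg in evs),
            "bpduguard_disables": len(disables),
            "recoveries": sum(msg == "PM-SP-4-ERR_RECOVER" for _, msg in evs),
            "persistent_bpdu_source": persistent,
        }
    return report
```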
By using the following command, it is possible to globally enable BPDU-guard on all
portfast-enabled ports:
6K-2-S2(config)#spanning-tree portfast bpduguard ?
  default  Enable bdpu guard by default on all portfast ports
Portfast
Portfast is a port-based setting that instructs the port on which it is enabled to bypass the
listening and learning phases of STP. The result is that the port immediately moves to
forwarding, receiving, and sending traffic. The setting is typically applied to ports where
end devices are attached, such as laptops, printers, servers, and so on.
Unlike root guard, BPDU-guard is not limited only to root takeover attempts. Any incoming
BPDU disables the port—period. On many Cisco IOS versions, BPDU-guard no longer
requires a port to be portfast-enabled.