Attack 2: DoS Using a Flood of Config BPDUs

Example 3-5 How to Configure BPDU-Guard (Continued)

  cause      Enable error disable recovery for application
  interval   Error disable recovery timer value
6K-2-S2(config)#errdisable recovery inter
6K-2-S2(config)#errdisable recovery interval ?
  <30-86400>  timer-interval(sec)
6K-2-S2(config)#errdisable recovery interval 30

Attack number 2 in Yersinia (sending conf BPDUs) is extremely potent. With the cursors GUI enabled, Yersinia generated almost 25,000 BPDUs per second on our test machine (Intel Pentium 4 machine running Linux 2.4–20.8). This extremely low number is more than sufficient to bring a Catalyst 6500 Supervisor Engine 720 running 12.2(18)SXF down to its knees, with 99 percent CPU utilization on the switch processor:

6K-3-S720#remote command switch show proc cpu | incl second
CPU utilization for five seconds: 99%/86%; one minute: 99%; five minutes: 76%

At that point, serious side effects start to happen. HSRP suffered from constant flapping during the attack:

6K-3-S720#
Dec 30 18:59:21.820: %STANDBY-6-STATECHANGE: Vlan448 Group 48 state Standby -> Active
6K-3-S720#

The attack's purpose is fulfilled: the switch is quickly DoS'd. Unless BPDU-guard is enabled, detecting this attack is not easy. Although it could, as the 802.1w specification suggests,6 the STP does not complain about handling huge numbers of incoming BPDUs. It just tries to process as many as it can until its processing power is exhausted. High CPU utilization and an extremely high and quickly increasing count of received BPDUs on a given port indicate a BPDU flooding attack, as Example 3-6 shows.

Frequent transitions of a port from blocking to forwarding in a short interval confirm suspicions (use the Cisco IOS command logging-event spanning-tree status under the interface, if available):

5w2d: %SPANTREE-SP-6-PORT_STATE: Port Fa5/14 instance 1448 moving from blocking to blocking
5w2d: %SPANTREE-SP-6-PORT_STATE: Port Fa5/14 instance 1448 moving from blocking to forwarding
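The two indicators just described (a quickly climbing received-BPDU counter on one port, and repeated blocking-to-forwarding transitions in a short interval) can be checked mechanically. The following Python is an added example, not code from the book: it parses two snapshots of the show spanning-tree ... detail output in the Example 3-6 format plus %SPANTREE-SP-6-PORT_STATE syslog lines; the sample data, the 10-second sampling interval and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample data (not captured from a real switch): two "show spanning-tree ... detail"
# snapshots of one port in the Example 3-6 format, assumed to be taken 10 seconds apart.
SNAPSHOT_T0 = "Port 897 (FastEthernet8/1) of VLAN0123 is root forwarding\nBPDU: sent 1191, received 7227590"
SNAPSHOT_T1 = "Port 897 (FastEthernet8/1) of VLAN0123 is root forwarding\nBPDU: sent 1193, received 7301590"
# Constructed syslog lines in the %SPANTREE-SP-6-PORT_STATE format shown above.
SYSLOG = """5w2d: %SPANTREE-SP-6-PORT_STATE: Port Fa5/14 instance 1448 moving from blocking to blocking
5w2d: %SPANTREE-SP-6-PORT_STATE: Port Fa5/14 instance 1448 moving from blocking to forwarding
5w2d: %SPANTREE-SP-6-PORT_STATE: Port Fa5/14 instance 1448 moving from forwarding to blocking
5w2d: %SPANTREE-SP-6-PORT_STATE: Port Fa5/14 instance 1448 moving from blocking to forwarding
5w2d: %SPANTREE-SP-6-PORT_STATE: Port Fa5/9 instance 1448 moving from blocking to forwarding"""

PORT_RE = re.compile(r"Port \d+ \((\S+)\) of VLAN\d+")
BPDU_RE = re.compile(r"BPDU: sent \d+, received (\d+)")
STATE_RE = re.compile(r"PORT_STATE: Port (\S+) instance \d+ moving from (\w+) to (\w+)")

def parse_bpdu_counter(snapshot):
    """Return (port name, received-BPDU counter) from one 'detail' block."""
    port = PORT_RE.search(snapshot)
    rx = BPDU_RE.search(snapshot)
    return port.group(1), int(rx.group(1))

def bpdu_rx_rate(before, after, seconds):
    """BPDUs received per second on a port between two snapshots."""
    port, rx0 = parse_bpdu_counter(before)
    port_after, rx1 = parse_bpdu_counter(after)
    if port != port_after or rx1 < rx0:
        raise ValueError("snapshots are not a monotonic sample of the same port")
    return port, (rx1 - rx0) / seconds

def forwarding_transitions(syslog_text):
    """Count blocking->forwarding transitions per port in PORT_STATE log lines."""
    counts = defaultdict(int)
    for m in STATE_RE.finditer(syslog_text):
        if m.group(2) == "blocking" and m.group(3) == "forwarding":
            counts[m.group(1)] += 1
    return dict(counts)

def suspect_ports(before, after, seconds, syslog_text, rate_threshold=100, flap_threshold=2):
    """Flag ports whose BPDU receive rate or blocking->forwarding flap count is abnormal.
    Thresholds are assumed: a healthy port sees about one BPDU per 2-second hello interval."""
    suspects = {}
    port, rate = bpdu_rx_rate(before, after, seconds)
    if rate > rate_threshold:
        suspects[port] = f"{rate:.0f} BPDU/s received"
    for p, n in forwarding_transitions(syslog_text).items():
        if n >= flap_threshold:
            suspects[p] = f"{n} blocking->forwarding transitions"
    return suspects
```

On the constructed data the port receiving 74,000 BPDUs in 10 seconds and the port that went blocking-to-forwarding twice are both reported; the only moving-to-blocking line and the single transition on Fa5/9 are not.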

Three countermeasures exist for this attack. Two are available on most switches, and one has hardware dependencies:

• BPDU-guard

• BPDU filtering

• Layer 2 PDU rate limiter

Example 3-6 Port Receiving Too Many BPDUs Too Quickly

6K-3-S720#show spanning-tree vlan 123 interface f8/1 detail
Port 897 (FastEthernet8/1) of VLAN0123 is root forwarding
Port path cost 19, Port priority 240, Port Identifier 240.897.
Designated root has priority 0, address 9838.9a38.3cf0
Designated bridge has priority 52067, address 9838.9a38.3cf0
Designated port id is 0.0, designated path cost 0
Timers: message age 20, forward delay 0, hold 0
Number of transitions to forwarding state: 4
Link type is point-to-point by default, Peer is STP
BPDU: sent 1191, received 7227590

Chapter 3: Attacking the Spanning Tree Protocol

BPDU-Guard

BPDU-guard was introduced in the previous section. Because it completely prevents BPDUs from entering the switch on the port on which it is enabled, the setting can help fend off this type of attack.

BPDU Filtering

There is actually another method to discard incoming and outgoing BPDUs on a given port: BPDU filtering. This feature silently discards both incoming and outgoing BPDUs. Although extremely effective against a brute-force DoS attack, BPDU filtering offers an immense potential to shoot yourself in the foot. Enable this feature on the incorrect port, and any loop condition goes undetected forever, which causes immediate network downtime. On the other hand, not sending out BPDUs is actually a good thing when faced with a hacker using Yersinia. Yersinia listens for BPDUs in order to craft its own packets based on information contained in genuine BPDUs. If the tool isn't fed any data to start with, it slightly complicates the hacker's job; I say it only "slightly complicates" because Yersinia is a powerful tool when it comes to exploiting STP: it comes with a prefabricated BPDU ready to be sent on the wire! Because of its danger potential, use BPDU filtering with extreme caution and only after you clearly understand its potential negative effects.

Suppose, for example, that a user accidentally connects two ports of the same switch. STP would normally take care of this loop condition. With BPDU filtering enabled, it is not taken care of, and packets loop forever! Only enable it toward end-station ports. It is enabled on a per-port basis using the spanning-tree bpdufilter enable command, as Example 3-7 shows.

As soon as either BPDU-guard or BPDU filtering is enabled, the CPU utilization returns to normal.

Example 3-7 How to Enable BPDU Filtering on a Port

6K-3-S720(config)#interface f5/14
6K-3-S720(config-if)#spanning-tree bpdufilter enable
6K-3-S720(config-if)#^Z
6K-3-S720#
*Dec 30 19:26:37.066: %SYS-5-CONFIG_I: Configured from console by vty0 (10.48.82.102)
6K-3-S720#sh spanning-tree vlan 1448 int f5/14 detail | include filter
Bpdu filter is enabled
6K-3-S720#


Layer 2 PDU Rate Limiter

Available only on certain switches, such as the Supervisor Engine 720 for the Catalyst 6500, a third option to stop the DoS from causing damage exists. It takes the form of a hardware-based Layer 2 PDU rate limiter. It limits the number of Layer 2 PDUs (BPDUs, DTP, Port Aggregation Protocol [PAgP], CDP, VTP frames) destined for the supervisor engine's processor. The feature works only on Catalyst 6500/7600 switches that are not operating in truncated mode. The switch uses truncated mode for traffic between fabric-enabled modules when both fabric-enabled and nonfabric-enabled modules are installed. In this mode, the router sends a truncated version of the traffic (the first 64 bytes of the frame) over the switching fabric. (For more information about the various modes of operation of the Catalyst 6500 switch, see the third entry in the section, "References.") The Layer 2 PDU rate limiter is configured as follows:

Router(config)# mls rate-limit layer2 pdu 200 20
(200 L2 PDUs per second, burst of 20 packets)

Fine-tuning the rate limiter can be time consuming and error prone, because it is global to the switch and applies to traffic received across all VLANs for various Layer 2 protocols. However, it can be safely enabled with a fairly high threshold. As a rough guideline, 2000 PDUs per second is a high watermark value for an enterprise-class switch. (The rate limiter prevents only a DoS attack. It does not stop the other attacks described in this chapter [root hostile takeover, and so on].)