RE: STP mitm attack idea

From: Guillermo Marro Bruno <gmmarro@flowgate.net>
To: bugtraq <bugtraq@securityfocus.com>
Cc: xperience@interia.pl,dwilliam@london.ca
Subject: RE: STP mitm attack idea
Date:


>
 
> Shutting down the port is useful for security in the way that it helps
> prevent the type of attack that Xperience has described. When BPDU Guard
> is implemented the port will be shut down if any Spanning Tree packets
> are seen. It is risky turning off Spanning Tree as any loops in the
> network will create a denial of service by causing broadcast traffic to
> be sent out every port on the switch in a continuous loop. An
> interesting thing to note is what happens if a cable is plugged into two
> ports on a switch, essentially creating a loop. For this reason when
> BPDU is implemented and a port comes up it will send out two Spanning
> Tree packets. The opposing port sees these packets and shuts down. One
> other feature of BPDU guard is that it can be configured to stay in an
> error state for a specified period of time by using the "errdisable
> recovery cause bpduguard" command. When configured using the "errdisable
> recovery interval xxx" This allows the port to return to normal usage
> after the error condition has been resolved. Another reason to implement
> these features is that it prevents Access ports from "sharing" Spanning
> Tree information and "leaking" the network topology. From a security
> stand point it might be useful disabling CDP on Access ports as well.

In complex L2 network topologies, physical link redundancy is good, but
logical link redundancy is not. Thus we need R/STP.

In my eyes, BPDU guard and Root Guard are somehow effective measures but
they tend to focus on L2 issues coming from a L3-ish philosophy ('think
first and then connect the plug'). When you plug a cord on a switch you
want it to be as plug-and-play as possible, you don't want to think
about port configuration issues, it's L2 after all!. 
By using Cisco's countermeasures we are constraining the very intent of
STP.
The true solution that unfortunately no vendors seem to explore is
adding BPDU message authentication (crypto-based). It's no trivial, it'd
demand more initial configuration, but it's the only reasonably strong
approach.

BTW, the attack described by Xperience, it's a variation of a
tree-segmentation attack. See page 24 in:

http://seclab.cs.ucdavis.edu/papers/Marro_masters_thesis.pdf

In the case you can get some sort of direct link between C and D
(wireless?), the attack would be much more stealth and efficient.

Cheers,

-G

-- 
...................................................
Guillermo Marro
F l o w g a t e  Consulting
Maipu 778 - Piso 1 - Of 10
(2000) Rosario - Santa Fe - ARGENTINA
TEL: +54-341-4112511
http://www.flowgate.net 

PGP Fingerprint:
8EFD D853 00A4 B247 2F36  692F 4242 4C02 C0BF 67DB
http://pgp.dtype.org/






Copyright © 1995-2018 LinuxRocket.net. All rights reserved.