Lecture 3 Secured Network Design, W. Lilakiatsakun. Topics: Spanning Tree Protocol (STP); Attack on Spanning Tree Protocol.

Presentation transcript:

Lecture 3 Secured Network Design, W. Lilakiatsakun

Topics
- Spanning Tree Protocol (STP)
- Attack on Spanning Tree Protocol

Spanning Tree Protocol (STP)

Redundancy (1)

Redundancy (2)

Examine Redundancy (1)

Examine Redundancy (2)

Issues with Redundancy – Layer 2 loop (1)
- Ethernet frames do not have a time to live (TTL) like IP packets traversing routers.
- Broadcast frames are forwarded out all switch ports, except the originating port.
- This ensures that all devices in the broadcast domain are able to receive the frame.
- If there is more than one path for the frame to be forwarded out, it can result in an endless loop.

Issues with Redundancy - layer2 loop (2)

Issues with Redundancy - layer2 loop (3)

Issues with Redundancy - layer2 loop (4)

Issues with Redundancy - layer2 loop (5)

Issues with Redundancy – broadcast storm (1)
- A broadcast storm occurs when there are so many broadcast frames caught in a Layer 2 loop that all available bandwidth is consumed.
- Consequently, no bandwidth is available for legitimate traffic, and the network becomes unavailable for data communication.

Issues with Redundancy – broadcast storm (2)

Issues with Redundancy – Duplicate Unicast frame (1)
- Unicast frames sent onto a looped network can result in duplicate frames arriving at the destination device.

Issues with Redundancy – Duplicate Unicast frame (2)

Issues with Redundancy – Duplicate Unicast frame (3)

Issues with Redundancy – Duplicate Unicast frame (4)

STP Topology (1)
- STP ensures that there is only one logical path between all destinations on the network by intentionally blocking redundant paths that could cause a loop.
- Blocking the redundant paths is critical to preventing loops on the network.
- The physical paths still exist to provide redundancy, but these paths are disabled to prevent the loops from occurring.
- If the path is ever needed to compensate for a network cable or switch failure, STP recalculates the paths and unblocks the necessary ports to allow the redundant path to become active.

STP Topology (2)

STP Topology (3)

STP Algorithm (1)
- STP uses the Spanning Tree Algorithm (STA) to determine which switch ports on a network need to be configured for blocking to prevent loops from occurring.
- The STA designates a single switch as the root bridge and uses it as the reference point for all path calculations.
- All switches participating in STP exchange BPDU frames to determine which switch has the lowest bridge ID (BID) on the network.
- The switch with the lowest BID automatically becomes the root bridge for the STA calculations.

STP Algorithm (2)

- After the root bridge is selected, the STA calculates the shortest path to the root bridge.
- Each switch uses the STA to determine which ports to block.
- The STA considers both path and port costs when determining which path to leave unblocked.
- The path costs are calculated using port cost values associated with port speeds for each switch port along a given path.
- The sum of the port cost values determines the overall path cost to the root bridge.
- If there is more than one path to choose from, STA chooses the path with the lowest path cost.

STP - BPDU

BPDU Process (1)
- Each switch in the broadcast domain initially assumes that it is the root bridge for the spanning-tree instance, so the BPDU frames sent contain the BID of the local switch as the root ID.
- By default, BPDU frames are sent every 2 seconds after a switch is booted; that is, the default value of the hello timer specified in the BPDU frame is 2 seconds.
- Each switch maintains local information about its own BID, the root ID, and the path cost to the root.

BPDU Process (2)

BPDU Process (3)
- When adjacent switches receive a BPDU frame, they compare the root ID from the BPDU frame with the local root ID.
- If the root ID in the BPDU is lower than the local root ID, the switch updates the local root ID and the ID in its BPDU messages.
- Also, the path cost is updated to indicate how far away the root bridge is.
- If the root ID in the BPDU is higher than the local root ID, the switch discards the BPDU frame.

BPDU Process (4)

BPDU Process (5)

BPDU Process (6)
- After a root ID has been updated to identify a new root bridge, all subsequent BPDU frames sent from that switch contain the new root ID and updated path cost.
- As the BPDU frames pass between other adjacent switches, the path cost is continually updated to indicate the total path cost to the root bridge.
- Each switch in the spanning tree uses its path costs to identify the best possible path to the root bridge.

BPDU Process (7)

BPDU Process (8)

BPDU Process (9)

BPDU Process (10)

BPDU Process (11)

BPDU Process (12)

Bridge ID field (1)
- The bridge ID (BID) is used to determine the root bridge on a network.
- The BID field of a BPDU frame contains three separate fields: bridge priority, extended system ID, and MAC address.
- Each field is used during the root bridge election.

Bridge ID field (2)

Bridge ID field (3)
- Bridge Priority
  - The bridge priority is a customizable value that you can use to influence which switch becomes the root bridge.
  - The switch with the lowest priority, which means the lowest BID, becomes the root bridge (the lower the priority value, the higher the priority).
  - The default value for the priority of all Cisco switches is
  - The priority range is between 1 and 65536; therefore, 1 is the highest priority.

Bridge ID field (4)
- Extended System ID
  - The early implementation of STP was designed for networks that did not use VLANs.
  - There was a single common spanning tree across all switches.
  - When VLANs became common for network infrastructure segmentation, STP was enhanced to include support for VLANs.
  - As a result, the extended system ID field contains the ID of the VLAN with which the BPDU is associated.

Bridge ID field (5)
- When the extended system ID is used, it changes the number of bits available for the bridge priority value, so the increment for the bridge priority value changes from 1 to
- Therefore, bridge priority values can only be multiples of
- The extended system ID value is added to the bridge priority value in the BID to identify the priority and VLAN of the BPDU frame.

Bridge ID field (6)
- MAC Address
  - When two switches are configured with the same priority and have the same extended system ID, the switch with the MAC address with the lowest hexadecimal value has the lower BID.
  - Initially, all switches are configured with the same default priority value. The MAC address is then the deciding factor on which switch is going to become the root bridge. This results in an unpredictable choice for the root bridge.

Bridge ID field (7)
- It is recommended to configure the desired root bridge switch with a lower priority to ensure that it is elected root bridge.
- This also ensures that the addition of new switches to the network does not trigger a new spanning-tree election, which could disrupt network communication while a new root bridge is being selected.

Bridge ID field (8) Priority Based Decision

Bridge ID field (9) MAC Based Decision
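The election and BPDU-processing rules on the BPDU Process and Bridge ID slides, simulated as an added Python example (this is not code from the lecture). Switch names, MAC addresses and link costs are constructed; the BID layout assumed is the standard extended-system-ID form (priority in multiples of 4096 plus a 12-bit VLAN field, then the 48-bit MAC). The three scenarios show the default-priority election decided by MAC, a lowered priority forcing the intended root, and two bridges at the same priority where the lower MAC still wins.

```python
"""Root-bridge election and BPDU processing as described on the slides.

Added example, not code from the lecture.  Topology, MAC addresses and
switch names are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BridgeId:
    priority: int  # configurable part, must be a multiple of 4096
    vlan: int      # extended system ID: the VLAN this BPDU belongs to
    mac: str       # "aa:bb:cc:dd:ee:ff", compared by hexadecimal value

    def __post_init__(self):
        if self.priority % 4096 or not 0 <= self.priority <= 61440:
            raise ValueError("priority must be a multiple of 4096 in 0..61440")
        if not 1 <= self.vlan <= 4094:
            raise ValueError("extended system ID must be a VLAN number")

    def key(self):
        # Compared as one number: priority|VLAN first, MAC as the tie-breaker.
        return (self.priority | self.vlan, int(self.mac.replace(":", ""), 16))

    def __lt__(self, other):
        return self.key() < other.key()


@dataclass(frozen=True)
class Bpdu:
    root_id: BridgeId
    root_path_cost: int
    sender_id: BridgeId


class Switch:
    """Per-switch state from the 'BPDU Process' slides."""

    def __init__(self, name, bid):
        self.name, self.bid = name, bid
        self.root_id = bid       # initially every switch assumes it is the root
        self.root_path_cost = 0

    def send_bpdu(self):
        return Bpdu(self.root_id, self.root_path_cost, self.bid)

    def receive_bpdu(self, bpdu, ingress_port_cost):
        """Return True when the local root information changed."""
        cost_via_port = bpdu.root_path_cost + ingress_port_cost
        if bpdu.root_id < self.root_id:          # lower root ID: adopt it
            self.root_id, self.root_path_cost = bpdu.root_id, cost_via_port
            return True
        if bpdu.root_id == self.root_id and cost_via_port < self.root_path_cost:
            self.root_path_cost = cost_via_port  # same root, cheaper path
            return True
        return False                             # higher root ID: discard


def elect(specs, links, max_rounds=100):
    """specs: {name: (priority, vlan, mac)}; links: [(a, b, port_cost), ...].

    Switches exchange BPDUs over every link until nothing changes, then
    return (root switch name, {name: path cost to the root}).
    """
    sw = {n: Switch(n, BridgeId(*spec)) for n, spec in specs.items()}
    for _ in range(max_rounds):
        changed = False
        for a, b, cost in links:
            changed |= sw[b].receive_bpdu(sw[a].send_bpdu(), cost)
            changed |= sw[a].receive_bpdu(sw[b].send_bpdu(), cost)
        if not changed:
            break
    root = min(sw.values(), key=lambda s: s.bid.key())
    assert all(s.root_id == root.bid for s in sw.values()), "did not converge"
    return root.name, {n: s.root_path_cost for n, s in sw.items()}


# Constructed triangle: S1-S2 is Gigabit (cost 4), the other links Fast Ethernet (cost 19).
LINKS = [("S1", "S2", 4), ("S2", "S3", 19), ("S1", "S3", 19)]
MACS = {"S1": "00:1a:2b:00:00:03", "S2": "00:1a:2b:00:00:01", "S3": "00:1a:2b:00:00:02"}


def scenario_defaults():
    """All switches at the default priority 32768: the lowest MAC (S2) wins."""
    return elect({n: (32768, 1, m) for n, m in MACS.items()}, LINKS)


def scenario_lowered_priority():
    """S1 lowered to 4096: it becomes root regardless of its higher MAC."""
    specs = {n: (32768, 1, m) for n, m in MACS.items()}
    specs["S1"] = (4096, 1, MACS["S1"])
    return elect(specs, LINKS)


def scenario_equal_priority_zero():
    """S1 at priority 0 still loses to another bridge X at 0 with a lower MAC."""
    specs = {n: (32768, 1, m) for n, m in MACS.items()}
    specs["S1"] = (0, 1, MACS["S1"])
    specs["X"] = (0, 1, "00:00:00:00:00:01")
    return elect(specs, LINKS + [("S3", "X", 19)])


if __name__ == "__main__":
    for s in (scenario_defaults, scenario_lowered_priority, scenario_equal_priority_zero):
        print(s.__name__, s())
```

The third scenario is the reason the slides recommend a deliberately lowered priority on the intended root rather than relying on the default: any bridge that shows up with an equal priority and a lower MAC is elected, and every switch's path cost is recomputed around it.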

Port Roles (1)
- Root Port
  - The root port exists on non-root bridges and is the switch port with the best path to the root bridge.
  - Root ports forward traffic toward the root bridge.
  - The source MAC addresses of frames received on the root port can populate the MAC table.
  - Only one root port is allowed per bridge.
  - In the example, switch S1 is the root bridge and switches S2 and S3 have root ports defined on the trunk links connecting back to S1.

Port Roles (2)

Port Roles (3)
- Designated Port
  - The designated port exists on root and non-root bridges.
  - For root bridges, all switch ports are designated ports.
  - For non-root bridges, a designated port is the switch port that receives and forwards frames toward the root bridge as needed.
  - Only one designated port is allowed per segment.
  - If multiple switches exist on the same segment, an election process determines the designated switch, and the corresponding switch port begins forwarding frames for the segment.
  - Designated ports are capable of populating the MAC table.

Port Roles (4)
- Non-designated Port
  - The non-designated port is a switch port that is blocked, so it is not forwarding data frames and not populating the MAC address table with source addresses.
  - A non-designated port is not a root port or a designated port.
  - For some variants of STP, the non-designated port is called an alternate port.
  - In the example, switch S3 has the only non-designated ports in the topology. The non-designated ports prevent the loop from occurring.

Port Roles (5)

Port Roles (6)
- Disabled Port
  - The disabled port is a switch port that is administratively shut down.
  - A disabled port does not function in the spanning-tree process.

Port Roles (7)
- When determining the root port on a switch, the switch compares the path costs on all switch ports participating in the spanning tree.
- The switch port with the lowest overall path cost to the root is automatically assigned the root port role because it is closest to the root bridge.
- In a network topology, all switches that are using spanning tree, except for the root bridge, have a single root port defined.

Port Roles (8)
- When there are two switch ports that have the same path cost to the root bridge and both are the lowest path costs on the switch, the switch needs to determine which switch port is the root port.
- The switch uses the customizable port priority value, or the lowest port ID if both port priority values are the same.

Port Roles (9)

Path cost to the root bridge (1)
- The path information is determined by summing up the individual port costs along the path from the destination to the root bridge.
- The default port costs are defined by the speed at which the port operates:
  - 10-Gb/s Ethernet ports have a port cost of 2,
  - 1-Gb/s Ethernet ports have a port cost of 4,
  - 100-Mb/s Fast Ethernet ports have a port cost of 19,
  - 10-Mb/s Ethernet ports have a port cost of 100.

Path cost to the root bridge(2)  Default port cost

Path cost to the root bridge (4)

Path cost to the root bridge (5)

Port Role Decision (1)

Port Role Decision (2)

Port Role Decision (3)

Port Role Decision (4)

Port Role Decision (5)

Port Role Decision (6)

Port Role Decision (7)
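The port-role decision on the Port Roles, Path cost and Port Role Decision slides, carried through on a constructed three-switch topology as an added Python example (not code from the lecture). The root bridge is taken as the switch with the lowest BID, i.e. the outcome of the election on the Bridge ID slides; BID values, port numbers and link speeds are constructed, and the port costs are the defaults the slide lists. A second function shows the port priority / port ID tie-break for two equal-cost parallel links.

```python
"""Path cost and port-role decision from the 'Port Roles' slides.

Added example, not code from the lecture.  Topology, port numbers and BID
values are constructed.
"""
import heapq
from collections import defaultdict

# Default port costs from the slide, keyed by link speed in Mb/s.
PORT_COST = {10: 100, 100: 19, 1_000: 4, 10_000: 2}
DEFAULT_PORT_PRIORITY = 128


def spanning_tree(bids, links, port_priority=None):
    """Return (root, path_cost, roles) for a loop-free active topology.

    bids:  {switch: bid}, lower wins (the already-compared BID of each switch).
    links: [(switch_a, port_a, switch_b, port_b, speed_mbps), ...]
    port_priority: {(switch, port): value}; unlisted ports use 128.
    roles maps (switch, port) -> "root", "designated" or "non-designated".
    """
    port_priority = port_priority or {}

    def prio(sw, port):
        return port_priority.get((sw, port), DEFAULT_PORT_PRIORITY)

    adj = defaultdict(list)                 # switch -> [(port, neighbour, cost)]
    for a, pa, b, pb, speed in links:
        adj[a].append((pa, b, PORT_COST[speed]))
        adj[b].append((pb, a, PORT_COST[speed]))

    # 1. Root bridge = lowest BID.  2. Root path cost = sum of port costs along
    #    the cheapest path to the root (Dijkstra over the link costs).
    root = min(bids, key=bids.get)
    path_cost = {s: float("inf") for s in bids}
    path_cost[root] = 0
    heap = [(0, root)]
    while heap:
        c, s = heapq.heappop(heap)
        if c > path_cost[s]:
            continue
        for _port, nbr, lc in adj[s]:
            if c + lc < path_cost[nbr]:
                path_cost[nbr] = c + lc
                heapq.heappush(heap, (c + lc, nbr))

    # 3. Root port: one per non-root switch, lowest path cost through that port;
    #    ties go to port priority, then the lowest port ID (slide 'Port Roles (8)').
    #    The neighbour's BID is compared before those, as 802.1D does when equal-
    #    cost ports lead to different switches.
    root_port = {}
    for s in bids:
        if s == root:
            continue
        best = min(adj[s], key=lambda e: (path_cost[e[1]] + e[2], bids[e[1]],
                                          prio(s, e[0]), e[0]))
        root_port[s] = best[0]

    # 4. Designated port: one per segment, on the end closest to the root (lower
    #    path cost, then lower BID).  The far end is that switch's root port or,
    #    failing that, a non-designated (blocking) port.  Every root-bridge port
    #    therefore ends up designated.
    roles = {}
    for a, pa, b, pb, _speed in links:
        near, far = sorted(((path_cost[a], bids[a], pa, a),
                            (path_cost[b], bids[b], pb, b)))
        _, _, near_port, near_sw = near
        _, _, far_port, far_sw = far
        roles[(near_sw, near_port)] = "designated"
        roles[(far_sw, far_port)] = ("root" if root_port.get(far_sw) == far_port
                                     else "non-designated")
    return root, path_cost, roles


# Constructed topology matching the slide's example: S1 is root, S2 and S3 have
# root ports on their links to S1, and S3 holds the only non-designated port.
BIDS = {"S1": 1, "S2": 2, "S3": 3}
LINKS = [("S1", 1, "S2", 1, 1_000),     # Gigabit, cost 4
         ("S1", 2, "S3", 1, 100),       # Fast Ethernet, cost 19
         ("S2", 2, "S3", 2, 100)]       # Fast Ethernet, cost 19


def slide_topology():
    return spanning_tree(BIDS, LINKS)


def parallel_links_tie():
    """Two equal-cost Gigabit links S1-S2: the lower port priority on S2 wins."""
    links = [("S1", 1, "S2", 1, 1_000), ("S1", 3, "S2", 3, 1_000)]
    return spanning_tree({"S1": 1, "S2": 2}, links, {("S2", 3): 64})


if __name__ == "__main__":
    root, cost, roles = slide_topology()
    print("root:", root, "path costs:", cost)
    for (sw, port), role in sorted(roles.items()):
        print(f"{sw} port {port}: {role}")
```

Running `slide_topology()` reproduces the slide: S2 reaches the root at cost 4 and S3 at cost 19 (the direct Fast Ethernet link beats 4 + 19 through S2), so S3's port toward S2 is the one port left blocking. In `parallel_links_tie()` both S2 ports see the same path cost and the same neighbour, so the configured port priority of 64 decides.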

Port States (1)
- STP introduces five port states.
- Blocking
  - The port is a non-designated port and does not participate in frame forwarding.
  - The port receives BPDU frames to determine the location and root ID of the root bridge switch and what port roles each switch port should assume in the final active STP topology.

Port States (2)
- Listening
  - STP has determined that the port can participate in frame forwarding according to the BPDU frames that the switch has received thus far.
  - At this point, the switch port is not only receiving BPDU frames, it is also transmitting its own BPDU frames and informing adjacent switches that the switch port is preparing to participate in the active topology.

Port States (3)
- Learning
  - The port prepares to participate in frame forwarding and begins to populate the MAC address table.
- Forwarding
  - The port is considered part of the active topology and forwards frames and also sends and receives BPDU frames.
- Disabled
  - The Layer 2 port does not participate in spanning tree and does not forward frames.
  - The disabled state is set when the switch port is administratively disabled.

Port States (4)

Spanning Tree Timer
- Hello time: 2 seconds
- Forward-delay time: 15 seconds
- Maximum-aging time: 20 seconds
- Transmit hold count: 6 BPDUs
During a topology change, a port temporarily implements the listening and learning states for a specified period called the forward delay interval (15 seconds). These values allow adequate time for convergence in a network with a switch diameter of seven.

Spanning Tree Timer

PortFast (1)
- PortFast is a Cisco technology.
- When a switch port configured with PortFast is configured as an access port, that port transitions from blocking to forwarding state immediately, bypassing the typical STP listening and learning states.

PortFast (2)

PortFast (3) PortFast Configuration

PortFast (4) Verify PortFast

STP Topology Change (1)
- When a change is detected, the switch notifies the root bridge of the spanning tree with a Topology Change Notification (TCN).
- The root bridge replies with a Topology Change Acknowledgement (TCA).
- The root bridge then broadcasts the information into the whole network with the Topology Change (TC) flag.

STP Topology Change (2)

STP Topology Change (3)
- The root bridge starts to send out its configuration BPDUs with the topology change (TC) bit set.
- As a result, all switches become aware of the topology change and can reduce their aging time to the forward delay. Switches receive topology change BPDUs on both forwarding and blocking ports.
- The TC bit is set by the root for a period of max age + forward delay seconds, which is 20 + 15 = 35 seconds by default.

STP Topology Change (4)

Cisco and STP Variants

Attacking on STP (1)
- Send BPDU messages from attacker to force spanning tree recalculations
  - Impact as DoS
- Send BPDU messages to become root bridge
  - The hacker then sees frames
  - Impact as MITM, DoS, etc.

Attacking on STP (2)
- Attacker sends BPDU advertising itself with a bridge priority of zero
- Attacker becomes root bridge
- Spanning Tree recalculates
- GE (Gigabit Ethernet) backbone becomes FE (Fast Ethernet)

Example on BPDU Attack (1)
What happens if an attacker (in this instance a laptop) spoofs a BPDU with a lower priority? CR:

Example on BPDU Attack (2)
- The attacker (red laptop) will be the new root bridge and the spanning-tree topology changes.
- With this new topology, Ciscozine3 and Ciscozine4 use only Ciscozine1 to switch packets, while Ciscozine2 is not used by the access switches (Ciscozine3 and Ciscozine4)!
- Moreover, the election of the attacker as root causes the Gigabit Ethernet link that connects the two core switches (Ciscozine1 and Ciscozine2) to block, causing a suboptimal network.

Mitigating BPDU Attack (1)
- The administrator can set the root bridge priority to zero in an effort to secure the root bridge position, but there is no guarantee against a bridge with a priority of 0 and a lower MAC address.
  Note: The temporary introduction and subsequent removal of STP devices with low (0) bridge priority causes a permanent STP recalculation.
- Cisco has implemented three different solutions: BPDU Guard, BPDU Filtering and Root Guard.

Mitigating BPDU Attack (2)
- BPDU Guard
  - The STP PortFast BPDU guard enhancement allows network designers to enforce the STP domain borders and keep the active topology predictable.
  - The devices behind the ports that have STP PortFast enabled are not able to influence the STP topology.
  - At the reception of BPDUs, the BPDU guard operation disables the port that has PortFast configured.
  - The BPDU guard transitions the port into errdisable state, and a message appears on the console.

Mitigating BPDU Attack (3)
- BPDU Guard
  - To enable BPDU guard globally on the switch, use this command:
    Ciscozine3(config)#spanning-tree portfast bpduguard default
  - To enable PortFast BPDU guard on a specific switch port, use this command in interface configuration mode:
    Ciscozine3(config-if)#spanning-tree bpduguard enable
  - Use the following command to verify the BPDU guard configuration:
    Ciscozine3#show spanning-tree summary totals
  *The STP PortFast BPDU guard was introduced in Cisco IOS Software Release 12.1.

Mitigating BPDU Attack (4)
- BPDU Filtering
  - When configured globally, PortFast BPDU filtering applies to all operational PortFast ports.
  - Ports in an operational PortFast state are supposed to be connected to hosts, which typically drop BPDUs.
  - If an operational PortFast port receives a BPDU, it immediately loses its operational PortFast status.
  - In that case, PortFast BPDU filtering is disabled on this port and STP resumes sending BPDUs on this port.

Mitigating BPDU Attack (5)
- BPDU Filtering
  - PortFast BPDU filtering can also be configured on a per-port basis.
  - When PortFast BPDU filtering is explicitly configured on a port, it does not send any BPDUs and drops all BPDUs it receives.

Mitigating BPDU Attack (6)
- BPDU Filtering
  - To enable PortFast BPDU filtering globally on the switch, use this command:
    Ciscozine3(config)#spanning-tree portfast bpdufilter default
  - To enable PortFast BPDU filtering on a specific switch port, use this command:
    Ciscozine3(config-if)#spanning-tree bpdufilter enable
  - To verify the configuration on the switch, use this command:
    Ciscozine3#show spanning-tree summary

Mitigating BPDU Attack (7)
- BPDU Root Guard
  - Root guard ensures that the port on which root guard is enabled is the designated port.
  - Normally, root bridge ports are all designated ports, unless two or more ports of the root bridge are connected together.
  - If the bridge receives superior STP Bridge Protocol Data Units (BPDUs) on a root guard-enabled port, root guard moves this port to a root-inconsistent STP state.
  - This root-inconsistent state is effectively equal to a listening state.
  - No traffic is forwarded across this port. In this way, root guard enforces the position of the root bridge.

Mitigating BPDU Attack (8)
- BPDU Root Guard
  - To enable Root Guard on a specific switch port, use this command:
    Ciscozine3(config-if)#spanning-tree rootguard
  - Root guard is available in Cisco IOS Software Release 12.0(5)XU and later.

BPDU Guard VS STP Root Guard (1)
- BPDU guard and root guard are similar, but their impact is different.
- BPDU guard disables the port upon BPDU reception if PortFast is enabled on the port.
- The disablement effectively denies devices behind such ports from participation in STP.
- You must manually re-enable the port that is put into errdisable state or configure errdisable-timeout.

BPDU Guard VS STP Root Guard (2)
- Root guard allows the device to participate in STP as long as the device does not try to become the root.
- If root guard blocks the port, subsequent recovery is automatic.
- Recovery occurs as soon as the offending device ceases to send superior BPDUs.
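The behaviour of the three mitigations on the Mitigating BPDU Attack slides and their recovery differences on the BPDU Guard VS STP Root Guard slides, modelled per port as an added Python example (not code from the lecture). Port names, the log text and the `Port` fields are constructed; the rules are the ones the slides state: per-port BPDU filtering drops every BPDU, BPDU guard err-disables a port that receives any BPDU (globally only on PortFast ports), and root guard blocks only on a superior BPDU and unblocks by itself once those stop, whereas an err-disabled port needs a manual re-enable or errdisable-timeout.

```python
"""Per-port model of BPDU filter, BPDU guard and root guard.

Added example, not code from the lecture.  Port names and log strings are
constructed; they are not the IOS console messages.
"""
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    FORWARDING = "forwarding"
    ERRDISABLE = "err-disabled"               # BPDU guard outcome
    ROOT_INCONSISTENT = "root-inconsistent"   # root guard outcome (listening-like)


@dataclass
class Port:
    name: str
    portfast: bool = False
    bpduguard: str = "off"        # "off", "global" (PortFast ports only) or "port"
    bpdufilter: bool = False      # explicit per-port filter
    rootguard: bool = False
    errdisable_timeout: bool = False
    state: State = State.FORWARDING
    log: list = field(default_factory=list)

    def bpdu_guard_active(self):
        return self.bpduguard == "port" or (self.bpduguard == "global" and self.portfast)

    def receive_bpdu(self, superior):
        """A BPDU arrives; `superior` means it claims a better root than the
        current one.  Returns (port state, whether STP processes the BPDU)."""
        if self.bpdufilter:
            self.log.append(f"{self.name}: BPDU dropped by per-port BPDU filter")
            return self.state, False
        if self.bpdu_guard_active():
            self.state = State.ERRDISABLE
            self.log.append(f"{self.name}: BPDU received with BPDU guard, port err-disabled")
            return self.state, False
        if self.rootguard and superior:
            self.state = State.ROOT_INCONSISTENT
            self.log.append(f"{self.name}: superior BPDU, root guard blocking port")
            return self.state, False
        return self.state, True    # handed to STP normally (root guard allows inferior BPDUs)

    def superior_bpdus_stop(self):
        """The offending device goes quiet: root guard recovers, BPDU guard does not."""
        if self.state is State.ROOT_INCONSISTENT:
            self.state = State.FORWARDING
        return self.state

    def errdisable_recovery(self):
        """Err-disable recovery timer: only effective with errdisable-timeout configured."""
        if self.state is State.ERRDISABLE and self.errdisable_timeout:
            self.state = State.FORWARDING
        return self.state

    def manual_reenable(self):
        """Administrator shuts and re-enables the port."""
        if self.state is State.ERRDISABLE:
            self.state = State.FORWARDING
        return self.state


def compare():
    """Walk a BPDU through each port type and return the resulting states."""
    access = Port("Fa0/1", portfast=True, bpduguard="global")   # host-facing, guarded
    uplink = Port("Gi0/1", rootguard=True)                      # toward a non-root switch
    filtered = Port("Fa0/2", portfast=True, bpdufilter=True)
    plain = Port("Fa0/3", portfast=True)                        # nothing protects this port

    out = {}
    out["guard_on_bpdu"] = access.receive_bpdu(superior=False)[0]
    out["guard_after_bpdus_stop"] = access.superior_bpdus_stop()       # stays err-disabled
    out["guard_timer_without_timeout"] = access.errdisable_recovery()  # stays err-disabled
    out["guard_after_manual"] = access.manual_reenable()

    out["rootguard_inferior"] = uplink.receive_bpdu(superior=False)    # still participates
    out["rootguard_superior"] = uplink.receive_bpdu(superior=True)[0]
    out["rootguard_after_bpdus_stop"] = uplink.superior_bpdus_stop()   # automatic recovery

    out["filter"] = filtered.receive_bpdu(superior=True)
    out["unprotected"] = plain.receive_bpdu(superior=True)             # STP accepts the new root
    return out


if __name__ == "__main__":
    for event, result in compare().items():
        print(f"{event}: {result}")
```

The `unprotected` entry is the case the attack slides describe: with none of the three features on the port, a superior BPDU is simply processed and the election moves. The model also shows why the slides pair BPDU guard with PortFast on access ports and root guard on inter-switch links: the former removes the port from STP entirely, the latter lets the neighbouring switch keep participating as long as it never claims the root.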