STP Manipulation Attack Mitigation Steps
Stop! If you are unfamiliar with spanning tree protocol (STP) operation, now is the time for you to review the subject from the CCNA prerequisite material. Pay particular attention to the role of the root bridge in the spanning tree, as well as the role that Bridge Protocol Data Units (BPDUs) play in electing the root bridge.
In an STP manipulation attack, an attacker connects to a switch port and, either directly from their own host or through a rogue switch, manipulates Spanning Tree Protocol (STP) parameters so that their device is elected root bridge. Every non-root bridge forwards along its lowest-cost path toward the root, so a device that wins the election sits at the center of the topology, and the attacker sees frames passing between other segments that would normally never cross their port.
To perform this attack, the attacker needs only to inject BPDU frames that advertise a Bridge ID (BID) lower than the current root bridge's. Recall that the BID is made up of a 16-bit bridge priority followed by the 48-bit MAC address of the bridge, and that the lowest BID wins: the priority is compared first and the MAC address breaks ties. If the attacker selects a bridge priority (range 0–65535) lower than that of the existing root bridge, they will become root. The default priority for a Cisco Catalyst switch is 32768, so the attacker could simply guess it. Alternatively, they could run a protocol analyzer on a switch port and read the priority out of the BPDUs, because a switch sends its own BPDUs out every port on which STP is running, and each of those BPDUs carries the current root's BID.
You might have heard about another spanning-tree protocol called Per VLAN Spanning Tree Plus (PVST+). One of the features of PVST+ is its ability to elect a different root bridge per VLAN, and its use is very common in large switched networks with multiple VLANs. With PVST+ the first 16 bits of the bridge ID are remapped (the 802.1t extended system ID): only the upper 4 bits carry the bridge priority, so it can be set only in steps of 4096, and the lower 12 bits carry the VLAN ID. Thus, not all 16 bits are used to define the bridge priority. The attacker can learn which bridge ID format is in use by examining captured BPDUs with a protocol analyzer, and then needs only to inject frames with the more attractive bridge ID for that format in an attempt to become the root bridge for a VLAN.
There are three features that can be used together or separately to mitigate STP manipulation attacks. (They are most effective when used together.) These features are as follows:
- The Portfast feature, which moves an access port straight to forwarding, skipping the listening and learning states (STP itself still runs on the port).
- The BPDU guard feature, which guards against learning erroneous STP information on a port by shutting the port down when a BPDU arrives.
- The root guard feature, which prevents any device on a port from being elected root bridge.
STP Manipulation Attack Mitigation: Portfast
An important first step is to identify the ports that have no business participating in the spanning-tree calculation, namely access ports facing end hosts, and put them in portfast mode. A portfast port skips the listening and learning states and goes straight to forwarding. By itself this does not hide topology information from an attacker (the switch still sends BPDUs out a portfast port), but it marks the access ports to which the BPDU guard default, covered next, is applied.
Be very sure that this switch port is not part of a topological loop before you put it in portfast mode. Portfast means that you think you are smarter than STP, which, unfortunately (for many of us), is not the case!
This command enables portfast globally on all non-trunking ports:
Catalyst1(config)#spanning-tree portfast default
If you want to turn on portfast selectively on an interface, use this command:
Catalyst1(config-if)#spanning-tree portfast
STP Manipulation Attack Mitigation: BPDU Guard
As a second step toward mitigating an STP attack, consider setting up BPDU guard on an interface. With BPDU guard enabled, an interface is put into the error-disabled (errdisable) state as soon as it receives any BPDU, and it stays down until an administrator brings it back up or an errdisable recovery timer does. This seems a bit severe, like cutting off your nose to spite your face, but remember that any security policy is a balance between usability and security. With BPDU guard enabled, an attacker will be unable to force a root bridge election because their BPDUs shut down the very port they are connected to. It also enforces the boundaries of the spanning tree, recognizing that loop-causing redundancy is typically deployed only in parts of a network, and never on host-facing ports. To enable BPDU guard globally on all ports where portfast is enabled, use the following command:
Catalyst1(config)#spanning-tree portfast bpduguard default
Intuitively, BPDU guard complements portfast: the global default shown here applies only to ports on which portfast is enabled (a per-interface form of the command also exists that does not depend on portfast, but the global default is the usual way to cover every access port at once). To verify BPDU guard, use the following command:
Catalyst1#show spanning-tree summary
Switch is in pvst mode
Root bridge for: VLAN0001-VLAN0002, VLAN0010
Extended system ID           is enabled
Portfast Default             is enabled
PortFast BPDU Guard Default  is enabled
Portfast BPDU Filter Default is disabled
Loopguard Default            is disabled
EtherChannel misconfig guard is enabled
UplinkFast                   is disabled
BackboneFast                 is disabled
Configured Pathcost method used is short

Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0001                     0         0        0          8          8
VLAN0002                     0         0        0         12         12
VLAN0010                     0         0        0         10         10
---------------------- -------- --------- -------- ---------- ----------
3 vlans                      0         0        0         30         30
The preceding command output indicates that portfast and BPDU guard are enabled on that switch.
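Checking this output by eye on one switch is fine; across a campus you want it scripted. The following is an added example, not Cisco code and not part of the original text: it parses the `show spanning-tree summary` format shown above (the sample text is constructed to match it) and reports the settings that matter for this attack. The feature names, severities and messages are this script's own.

```python
"""Audit `show spanning-tree summary` output for the STP mitigations on this page.

Added example, not from the original page or from Cisco. SAMPLE_SUMMARY is
constructed to match the IOS output format shown above.
"""
import re

# Constructed sample, laid out like the IOS output shown on this page.
SAMPLE_SUMMARY = """\
Switch is in pvst mode
Root bridge for: VLAN0001-VLAN0002, VLAN0010
Extended system ID           is enabled
Portfast Default             is enabled
PortFast BPDU Guard Default  is enabled
Portfast BPDU Filter Default is disabled
Loopguard Default            is disabled
EtherChannel misconfig guard is enabled
UplinkFast                   is disabled
BackboneFast                 is disabled
Configured Pathcost method used is short

Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0001                     0         0        0          8          8
VLAN0002                     0         0        0         12         12
VLAN0010                     0         0        0         10         10
---------------------- -------- --------- -------- ---------- ----------
3 vlans                      0         0        0         30         30
"""

# Same switch with the BPDU guard default turned off (constructed weak variant).
WEAK_SUMMARY = re.sub(r"(PortFast BPDU Guard Default\s+is) enabled", r"\1 disabled",
                      SAMPLE_SUMMARY)

# "<feature>   is enabled|disabled" lines; the pathcost line does not match.
FEATURE_RE = re.compile(r"^(?P<name>.+?)\s+is (?P<state>enabled|disabled)\s*$", re.M)
# Per-VLAN rows of the state table; the "N vlans" total row does not match.
VLAN_ROW_RE = re.compile(r"^(VLAN\d{4})\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$", re.M)


def parse_summary(text: str) -> dict:
    """Turn the show output into a dict of features and per-VLAN port counts."""
    features = {m["name"].strip(): m["state"] == "enabled" for m in FEATURE_RE.finditer(text)}
    vlans = {}
    for m in VLAN_ROW_RE.finditer(text):
        name, *counts = m.groups()
        blocking, listening, learning, forwarding, active = map(int, counts)
        vlans[name] = {"blocking": blocking, "listening": listening,
                       "learning": learning, "forwarding": forwarding, "active": active}
    mode = re.search(r"^Switch is in (\S+) mode", text, re.M)
    root_for = re.search(r"^Root bridge for: (.+)$", text, re.M)
    return {"mode": mode.group(1) if mode else None,
            "root_for": root_for.group(1).strip() if root_for else "",
            "features": features, "vlans": vlans}


def audit(summary: dict) -> list:
    """Findings relevant to STP manipulation, as (severity, message) tuples."""
    f = summary["features"]
    findings = []
    if not f.get("Portfast Default", False):
        findings.append(("info", "Portfast default is disabled: the global BPDU guard "
                                 "default applies only to portfast ports, check per-interface"))
    if not f.get("PortFast BPDU Guard Default", False):
        findings.append(("high", "BPDU guard default is disabled: access ports will accept "
                                 "and act on attacker BPDUs"))
    if f.get("Portfast BPDU Filter Default", False):
        findings.append(("medium", "BPDU filter default is enabled: portfast ports suppress "
                                   "their own BPDUs, confirm this is intended"))
    for name, row in summary["vlans"].items():
        if row["blocking"] or row["listening"] or row["learning"]:
            findings.append(("info", f"{name}: ports not forwarding (blocking={row['blocking']}, "
                                     f"listening={row['listening']}, learning={row['learning']})"))
    return findings
```

Feed it the real output captured from each switch (for example over SSH) and treat any "high" finding as a port range that is still exposed to the attack described above.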
STP Manipulation Attack Mitigation: Root Guard
The third step is to enable the root guard feature. Root guard is enabled on a per-interface basis, on ports that should never lead toward the root (designated ports facing downstream switches or hosts). If enabled, the switch examines every BPDU received on that interface and compares the root ID it advertises with the current root bridge. If that BID is superior (numerically lower) to the current root bridge's, the port is moved to a root-inconsistent state (effectively a listening state) and ceases to pass traffic, so the device behind it can never be elected root. This effectively mitigates an STP attack. When the superior BPDUs cease, the port automatically transitions back to normal operation. Here is the command to enable root guard on an interface:
Catalyst1(config-if)#spanning-tree guard root
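The BID arithmetic behind the attack (a lower priority wins, the MAC breaks ties, and under the extended system ID only the top 4 bits of the priority field are really the priority) and the comparison root guard performs are easy to get wrong by hand. The following is an added example, not Cisco code and not part of the original text: it decodes an IEEE-encapsulated 802.1D configuration BPDU, derives the BID an attacker would need to advertise under either BID format, and models root guard's decision on the received root ID. All frame bytes and MAC addresses are constructed; Cisco's SNAP-encapsulated PVST+ BPDUs for non-native VLANs carry an extra TLV that this parser does not handle.

```python
"""Decode 802.1D configuration BPDUs and compare bridge IDs as STP does.

Added example for this page; not Cisco code and not part of the original
text. All frame bytes and MAC addresses below are constructed.
"""
import struct
from dataclasses import dataclass

# LLC header in front of an IEEE-encapsulated STP BPDU: DSAP 0x42, SSAP 0x42, UI.
LLC_STP = bytes.fromhex("424203")
# Configuration BPDU body: protocol id, version, type, flags, root id (8 bytes),
# root path cost, bridge id (8 bytes), port id, message age, max age, hello, fwd delay.
BPDU_STRUCT = struct.Struct("!HBBB8sI8sHHHHH")


@dataclass(frozen=True, order=True)
class BridgeID:
    """64-bit bridge ID. Python ordering matches STP: a lower BID is superior.

    Fields compare in declaration order, so the 16-bit upper half decides first
    and the MAC only breaks ties, exactly like the numeric 64-bit comparison.
    """
    upper16: int   # priority field as carried on the wire
    mac: bytes     # 6-byte bridge MAC address

    @classmethod
    def from_bytes(cls, raw: bytes) -> "BridgeID":
        upper16, mac = struct.unpack("!H6s", raw)
        return cls(upper16, mac)

    def to_bytes(self) -> bytes:
        return struct.pack("!H6s", self.upper16, self.mac)

    def decode(self, extended_system_id: bool) -> dict:
        """Classic 802.1D: all 16 bits are the priority. Extended system ID
        (802.1t, used by PVST+): top 4 bits are the priority in steps of 4096,
        the low 12 bits carry the VLAN ID."""
        if not extended_system_id:
            return {"priority": self.upper16, "vlan": None}
        return {"priority": self.upper16 & 0xF000, "vlan": self.upper16 & 0x0FFF}


def parse_config_bpdu(frame: bytes) -> dict:
    """Parse the BPDU an attacker's analyzer would capture on an access port."""
    if not frame.startswith(LLC_STP):
        raise ValueError("not an IEEE-encapsulated STP BPDU")
    body = frame[len(LLC_STP):len(LLC_STP) + BPDU_STRUCT.size]
    if len(body) != BPDU_STRUCT.size:
        raise ValueError("truncated BPDU")
    (proto, version, bpdu_type, flags, root_id, root_cost, bridge_id,
     port_id, msg_age, max_age, hello, fwd_delay) = BPDU_STRUCT.unpack(body)
    if proto != 0 or bpdu_type != 0x00:
        raise ValueError("not a configuration BPDU (type 0x00)")
    return {"version": version, "flags": flags,
            "root_id": BridgeID.from_bytes(root_id), "root_path_cost": root_cost,
            "bridge_id": BridgeID.from_bytes(bridge_id), "port_id": port_id,
            # STP timers are carried in units of 1/256 second
            "message_age": msg_age / 256, "max_age": max_age / 256,
            "hello_time": hello / 256, "forward_delay": fwd_delay / 256}


def build_config_bpdu(root: BridgeID, bridge: BridgeID, root_cost: int = 0,
                      port_id: int = 0x8001) -> bytes:
    """Encode a configuration BPDU with the default 802.1D timers (20/2/15 s)."""
    body = BPDU_STRUCT.pack(0, 0, 0, 0, root.to_bytes(), root_cost, bridge.to_bytes(),
                            port_id, 0, 20 * 256, 2 * 256, 15 * 256)
    return LLC_STP + body


def superior_bid_for(root: BridgeID, attacker_mac: bytes, extended_system_id: bool) -> BridgeID:
    """The BID an attacker must advertise to beat the current root: one priority
    step below the root's, keeping the VLAN bits under the extended system ID.
    If the root already has priority 0, only a lower MAC can win the tie-break."""
    if extended_system_id:
        prio, vlan = root.upper16 & 0xF000, root.upper16 & 0x0FFF
        return BridgeID((prio - 0x1000 if prio else 0) | vlan, attacker_mac)
    return BridgeID(root.upper16 - 1 if root.upper16 else 0, attacker_mac)


def root_guard_state(current_root: BridgeID, received: dict) -> str:
    """Root guard on a designated port: a BPDU advertising a root superior to
    the known root puts the port into the root-inconsistent state."""
    return "root-inconsistent" if received["root_id"] < current_root else "forwarding"


# Constructed sample: BPDU seen on an access port of a non-root PVST+ switch with
# the extended system ID in use; root priority 32768 in VLAN 10 (upper16 = 0x800A).
ROOT = BridgeID(0x800A, bytes.fromhex("001a2b3c4d5e"))
LOCAL_SWITCH = BridgeID(0x800A, bytes.fromhex("0011aabbccdd"))
SAMPLE_BPDU = build_config_bpdu(ROOT, LOCAL_SWITCH, root_cost=4)
ATTACKER_MAC = bytes.fromhex("020000000001")   # constructed, locally administered


def demo() -> dict:
    """Walk through the attack logic from this page and root guard's answer to it."""
    seen = parse_config_bpdu(SAMPLE_BPDU)
    candidate = superior_bid_for(seen["root_id"], ATTACKER_MAC, extended_system_id=True)
    rogue = parse_config_bpdu(build_config_bpdu(candidate, candidate))
    return {"root_decoded": seen["root_id"].decode(extended_system_id=True),
            "candidate_wins": candidate < seen["root_id"],
            "root_guard_on_legit": root_guard_state(ROOT, seen),
            "root_guard_on_rogue": root_guard_state(ROOT, rogue)}
```

Note what the extended system ID changes: the same 0x800A field decodes as priority 32778 under classic 802.1D but as priority 32768 plus VLAN 10 under PVST+, and an attacker who does not keep the VLAN bits intact is not even competing in the right tree. Root guard needs nothing more than the comparison shown; a port that receives a root ID lower than the one it already knows is frozen until those BPDUs stop.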