VLAN Hopping
   HOME

TheInfoList



OR:

VLAN hopping is a
computer security exploit An exploit is a method or piece of code that takes advantage of Vulnerability (computer security), vulnerabilities in software, Application software, applications, Computer network, networks, operating systems, or Computer hardware, hardware, typic ...
, a method of attacking networked resources on a
virtual LAN A virtual local area network (VLAN) is any broadcast domain that is partitioned and isolated in a computer network at the data link layer ( OSI layer 2).IEEE 802.1Q-2011, ''1.4 VLAN aims and benefits'' In this context, virtual refers to a p ...
(VLAN). The basic concept behind all VLAN hopping attacks is for an attacking host on a VLAN to gain access to traffic on other VLANs that would normally not be accessible. There are two primary methods of VLAN hopping: switch spoofing and double tagging. Both attack vectors can be mitigated with proper switch port configuration.


Switch spoofing

In a switch spoofing attack, an attacking host imitates a trunking switch by speaking the tagging and trunking protocols (e.g.
Multiple VLAN Registration Protocol Multiple Registration Protocol (MRP), which replaced Generic Attribute Registration Protocol (GARP), is a generic registration framework defined by the IEEE 802.1ak amendment to the IEEE 802.1Q standard. MRP allows bridges, switches or other simil ...
,
IEEE 802.1Q IEEE 802.1Q, often referred to as Dot1q, is the computer network, networking standard that supports virtual local area networking (VLANs) on an IEEE 802.3 Ethernet network. The standard defines a system of VLAN tagging for Ethernet frames and the ...
,
Dynamic Trunking Protocol The Dynamic Trunking Protocol (DTP) is a proprietary link layer protocol developed by Cisco Systems for the purpose of negotiating trunking on a link between two VLAN-aware switches, and for negotiating the type of trunking encapsulation to be u ...
) used in maintaining a VLAN. Traffic for multiple VLANs is then accessible to the attacking host.


Mitigation

Switch spoofing can only be exploited when interfaces are set to negotiate a trunk. To prevent this attack on
Cisco IOS The Internetworking Operating System (IOS) is a family of proprietary network operating systems used on several router and network switch models manufactured by Cisco Systems Cisco Systems, Inc. (using the trademark Cisco) is an American ...
, use one of the following methods: 1. Ensure that ports are not set to negotiate trunks automatically by disabling DTP:
Switch (config-if)# switchport nonegotiate
2. Ensure that ports that are not meant to be trunks are explicitly configured as access ports
Switch (config-if)# switchport mode access


Double tagging

In a double tagging attack, an attacker connected to an 802.1Q-enabled port prepends two VLAN tags to a frame that it transmits. The frame (externally tagged with VLAN ID that the attacker's port is really a member of) is forwarded without the first tag because it is the native VLAN of a trunk interface. The second tag is then visible to the second switch that the frame encounters. This second VLAN tag indicates that the frame is destined for a target host on a second switch. The frame is then sent to the target host as though it originated on the target VLAN, effectively bypassing the network mechanisms that logically isolate VLANs from one another. However, possible replies are not forwarded to the attacking host (unidirectional flow).


Mitigation

Double tagging can only be exploited on switch ports configured to use ''native VLANs''. Trunk ports configured with a ''native VLAN'' don't apply a VLAN tag when sending these frames. This allows an attacker's fake VLAN tag to be read by the next switch. Double tagging can be mitigated by any of the following actions (incl. IOS example): * Simply do not put any hosts on VLAN 1 (the default VLAN). i.e., assign an access VLAN other than VLAN 1 to every access port *:
 Switch (config-if)# switchport access vlan 2
* Change the native VLAN on all trunk ports to an unused VLAN ID. *:
Switch (config-if)# switchport trunk native vlan 999
* Explicit tagging of the native VLAN on all trunk ports. ''Must be configured on all switches in network autonomy.'' *:
Switch(config)# vlan dot1q tag native


Example

As an example of a double tagging attack, consider a secure web server on a VLAN called VLAN2. Hosts on VLAN2 are allowed access to the web server; hosts from outside VLAN2 are blocked by layer 3 filters. An attacking host on a separate VLAN, called VLAN1(Native), creates a specially formed packet to attack the web server. It places a header tagging the packet as belonging to VLAN2 under the header tagging the packet as belonging to VLAN1. When the packet is sent, the switch sees the default VLAN1 header and removes it and forwards the packet. The next switch sees the VLAN2 header and puts the packet in VLAN2. The packet thus arrives at the target server as though it were sent from another host on VLAN2, ignoring any layer 3 filtering that might be in place.


See also

*
Private VLAN Private VLAN, also known as port isolation, is a technique in computer networking where a VLAN contains network switch, switch ports that are restricted such that they can only communicate with a given uplink. The restricted ports are called ''p ...


References

{{Reflist Computer network security Ethernet