PVLAN Attacks

A broadcast storm occurs when a network segment is overwhelmed by continuous broadcast or multicast traffic. When nodes broadcast onto a link and other devices on that link re-flood the frames back onto it (for example because of a Layer 2 forwarding loop), the traffic multiplies until the link saturates, and the segment eventually stops passing legitimate traffic altogether.

Although PVLANs are a common mechanism for restricting communication between systems on the same logical IP subnet, they are not a complete isolation boundary. PVLANs work by limiting which ports within a VLAN can exchange frames with other ports in the same VLAN. Isolated ports can communicate only with promiscuous ports. Community ports can communicate only with other members of the same community and with promiscuous ports. Promiscuous ports can communicate with any port. These rules are enforced only at Layer 2, inside the switch; a Layer 3 device attached to a promiscuous port, such as the default gateway, is free to forward traffic between any two hosts. One attack that bypasses PVLAN isolation exploits exactly this by using the gateway as a proxy.

In this attack against private VLANs, the attacker addresses frames to a device on a promiscuous port, typically the router that serves as the subnet's default gateway. The attacker sends a packet with its own source IP and MAC address and the destination IP address of the target system, but with the destination MAC address of the router (Figure 1). From the switch's point of view this is isolated-to-promiscuous traffic, which the PVLAN permits, so the frame is forwarded to the router's port. The router routes the packet, finds the destination IP on its directly connected subnet, rewrites the destination MAC address to that of the target, and sends the packet back out the same interface. This second hop is promiscuous-to-isolated traffic, which the PVLAN also permits, so the packet is delivered to the target. On its own this attack allows only unidirectional traffic, because any reply the target sends directly to the attacker's MAC address is isolated-to-isolated traffic and is blocked by the PVLAN configuration. If both hosts are compromised, a static Address Resolution Protocol (ARP) entry on each host mapping the other host's IP address to the router's MAC address forces the replies through the router as well, giving bidirectional traffic.


Figure 1: PVLAN Attack


Configure access control lists (ACLs) on the router port to mitigate PVLAN proxy attacks. Hosts on the same subnet never legitimately need the router to reach one another, so the router can safely drop any packet it receives whose source and destination addresses both lie in the directly connected subnet. For example, if a server farm segment occupied a single subnet and target A was in that server farm, configuring an ACL on the default gateway interface (Figure 1) that denies traffic sourced from that subnet and destined to the same subnet, while permitting everything else, would mitigate the PVLAN proxy attack. The ACL must be applied inbound on the interface that faces the PVLAN, since the attack packet is being reflected off that interface; logging the denied packets also gives a useful detection signal, because such traffic should never occur in normal operation.
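The following is an added example, not part of the original page, that models the three PVLAN forwarding rules, the router-reflection (proxy) attack described above, and the router-port ACL mitigation in one small Python simulation. The topology, MAC and IP addresses, port names and the 10.0.0.0/24 subnet are all constructed for illustration; the page does not specify them.

```python
"""Model of PVLAN port isolation, the proxy (router-reflection) attack it permits,
and the inbound router ACL that blocks it.  Topology and addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class PortType(Enum):
    ISOLATED = "isolated"
    COMMUNITY = "community"
    PROMISCUOUS = "promiscuous"


@dataclass(frozen=True)
class Port:
    name: str
    kind: PortType
    community: str = ""  # only meaningful for COMMUNITY ports


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str


def pvlan_allows(ingress: Port, egress: Port) -> bool:
    """The PVLAN rules: promiscuous talks to anyone, community only within its
    community (or to promiscuous), isolated only to promiscuous."""
    if PortType.PROMISCUOUS in (ingress.kind, egress.kind):
        return True
    if ingress.kind is PortType.COMMUNITY and egress.kind is PortType.COMMUNITY:
        return ingress.community == egress.community
    return False


# Constructed topology: one PVLAN subnet (assumed 10.0.0.0/24), gateway on the
# promiscuous port, attacker and target on separate isolated ports.
SUBNET = ipaddress.ip_network("10.0.0.0/24")
ROUTER_PORT = Port("Gi0/1", PortType.PROMISCUOUS)
ATTACKER_PORT = Port("Gi0/2", PortType.ISOLATED)
TARGET_PORT = Port("Gi0/3", PortType.ISOLATED)

ROUTER = ("00:00:0c:00:00:01", "10.0.0.1")     # (MAC, IP)
ATTACKER = ("00:00:0c:00:00:aa", "10.0.0.10")
TARGET = ("00:00:0c:00:00:bb", "10.0.0.20")

CAM = {ROUTER[0]: ROUTER_PORT, ATTACKER[0]: ATTACKER_PORT, TARGET[0]: TARGET_PORT}  # switch
ARP = {ATTACKER[1]: ATTACKER[0], TARGET[1]: TARGET[0]}  # router's ARP cache


def router_acl_permits(frame: Frame) -> bool:
    """Inbound ACL on the gateway interface: deny packets sourced from AND destined to
    the PVLAN's own subnet, permit everything else.  Equivalent IOS (subnet assumed):
        access-list 101 deny   ip 10.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255 log
        access-list 101 permit ip any any
        interface Gi0/1
         ip access-group 101 in
    """
    src, dst = ipaddress.ip_address(frame.src_ip), ipaddress.ip_address(frame.dst_ip)
    return not (src in SUBNET and dst in SUBNET)


def router_forward(frame: Frame, acl: bool) -> Optional[Frame]:
    """Router receives a frame addressed to its MAC and routes it back onto the PVLAN.
    Routing rewrites only the Layer 2 header; the IP addresses are untouched."""
    if acl and not router_acl_permits(frame):
        return None
    next_hop_mac = ARP.get(frame.dst_ip)
    if next_hop_mac is None:
        return None
    return Frame(ROUTER[0], next_hop_mac, frame.src_ip, frame.dst_ip)


def deliver(frame: Frame, ingress: Port, acl: bool = False) -> Optional[str]:
    """Switch the frame through the PVLAN, via the router if addressed to it.
    Returns the MAC address that finally receives it, or None if it was dropped."""
    egress = CAM.get(frame.dst_mac)
    if egress is None or not pvlan_allows(ingress, egress):
        return None
    if frame.dst_mac == ROUTER[0]:
        routed = router_forward(frame, acl)
        return None if routed is None else deliver(routed, ROUTER_PORT, acl)
    return frame.dst_mac


def direct_attempt() -> Optional[str]:
    """Isolated -> isolated using the target's real MAC: blocked by the PVLAN."""
    return deliver(Frame(ATTACKER[0], TARGET[0], ATTACKER[1], TARGET[1]), ATTACKER_PORT)


def proxy_attack(acl: bool = False) -> Optional[str]:
    """Same IP pair, destination MAC = router: the router reflects it to the target."""
    return deliver(Frame(ATTACKER[0], ROUTER[0], ATTACKER[1], TARGET[1]), ATTACKER_PORT, acl)


def target_reply(static_arp: bool = False) -> Optional[str]:
    """The target's answer.  Normally dropped (isolated -> isolated); with a static ARP
    entry mapping the attacker's IP to the router's MAC it is proxied back too."""
    dst_mac = ROUTER[0] if static_arp else ATTACKER[0]
    return deliver(Frame(TARGET[0], dst_mac, TARGET[1], ATTACKER[1]), TARGET_PORT)


if __name__ == "__main__":
    print("direct attempt        :", direct_attempt())
    print("proxy attack          :", proxy_attack())
    print("proxy attack + ACL    :", proxy_attack(acl=True))
    print("target reply          :", target_reply())
    print("target reply, static ARP:", target_reply(static_arp=True))
```

Running the script shows the direct frame dropped, the proxied frame reaching the target, the reply dropped unless the target also uses a static ARP entry pointing at the router, and the proxied frame dropped once the inbound subnet-to-subnet deny ACL is active on the gateway interface.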