STP Manipulation

The Spanning Tree Protocol (STP) is used in switched networks to prevent bridging loops in an Ethernet topology. On bootup, the switches run an election to determine a loop-free topology: they agree on one switch as the root bridge, each switch picks its best path toward that root, and all other redundant paths are blocked.

By manipulating the root bridge election, an attacker tries to have their own system elected as the root bridge of the topology. To do this, the attacker sends STP configuration and topology change notification bridge protocol data units (BPDUs) to force spanning-tree recalculations. The configuration BPDUs advertise a bridge ID lower than that of the current root (a lower priority value, or the same priority with a lower MAC address), and the lowest bridge ID wins the election. If the attack succeeds, the attacker's system becomes the root bridge: every switch recomputes its paths toward it, the attacker's interfaces end up in the forwarding state on the new tree, and traffic that previously took other paths now crosses the attacker's system, where frames that would otherwise never reach it can be seen. Repeated spoofed topology change BPDUs also keep the switches recalculating and flushing their MAC tables, which degrades the network and causes additional flooding.

STP Attacks

Figure 1: STP Vulnerabilities Manipulation Attack


To mitigate STP manipulation, use the root guard and BPDU guard features to enforce the placement of the root bridge in the network and the borders of the STP domain. Root guard is applied to ports that should never face the root: if a superior BPDU (one claiming a better root) arrives on such a port, the switch ignores it and puts the port into the root-inconsistent (blocking) state until the superior BPDUs stop. Root guard is needed even though the administrator can set the intended root's bridge priority to zero, because priority alone does not guarantee election: another bridge with priority zero and a lower MAC address, and therefore a lower bridge ID (BID), still wins. BPDU guard is designed to keep the active topology predictable: a port with BPDU guard enabled is error-disabled as soon as any BPDU arrives on it. It belongs on user-facing access ports, where no switch should ever be connected, and it stops an attacker from extending the network with a rogue switch or injecting BPDUs from an end host.
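The following is an added example, not code from the original page, that ties the attack described above to the two protections: it encodes and decodes an IEEE 802.1D configuration BPDU, runs the root election the way a switch compares BPDUs, and shows what an unprotected port, a root guard port and a BPDU guard port each do with a spoofed BPDU. The MAC addresses, priorities and the `port_decision` helper are constructed for illustration; the wire format and the election ordering (root ID, then root path cost, then sender bridge ID, then port ID, lowest wins) follow the standard.

```python
"""Constructed example: 802.1D configuration BPDUs, the root election, and the
effect of root guard / BPDU guard on a spoofed BPDU.  MACs and ports are made up."""
import struct
from dataclasses import dataclass

CONFIG_BPDU_FMT = ">HBBB8sI8sHHHHH"  # 35-byte IEEE 802.1D configuration BPDU
CONFIG_BPDU_LEN = struct.calcsize(CONFIG_BPDU_FMT)


@dataclass(frozen=True)
class ConfigBPDU:
    root_id: bytes          # 8 bytes: 2-byte priority (+VLAN ext) and 6-byte MAC
    root_path_cost: int
    bridge_id: bytes        # 8 bytes, same layout, identifies the sender
    port_id: int
    flags: int = 0
    message_age: int = 0    # timers are in 1/256-second units
    max_age: int = 20 * 256
    hello_time: int = 2 * 256
    forward_delay: int = 15 * 256

    def pack(self) -> bytes:
        return struct.pack(CONFIG_BPDU_FMT, 0x0000, 0x00, 0x00, self.flags,
                           self.root_id, self.root_path_cost, self.bridge_id,
                           self.port_id, self.message_age, self.max_age,
                           self.hello_time, self.forward_delay)

    @classmethod
    def unpack(cls, data: bytes) -> "ConfigBPDU":
        if len(data) < CONFIG_BPDU_LEN:
            raise ValueError("truncated BPDU")
        (proto, _ver, btype, flags, root_id, cost, bridge_id, port_id,
         age, max_age, hello, fwd) = struct.unpack(CONFIG_BPDU_FMT, data[:CONFIG_BPDU_LEN])
        if proto != 0 or btype != 0x00:
            raise ValueError("not a configuration BPDU")
        return cls(root_id, cost, bridge_id, port_id, flags, age, max_age, hello, fwd)


def bridge_id(priority: int, mac: str, vlan: int = 1) -> bytes:
    """802.1t bridge ID: 4-bit priority (multiple of 4096) | 12-bit VLAN | MAC."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 in 0..61440")
    return struct.pack(">H", priority | vlan) + bytes.fromhex(mac.replace(":", ""))


def bpdu_key(b: ConfigBPDU):
    """Ordering used by the election: lower wins at each position, left to right."""
    return (b.root_id, b.root_path_cost, b.bridge_id, b.port_id)


def elect_root(bpdus) -> bytes:
    """Root bridge ID after the election: the lowest root ID any BPDU claims."""
    return bpdu_key(min(bpdus, key=bpdu_key))[0]


def port_decision(bpdu: ConfigBPDU, current_root: bytes, *,
                  root_guard: bool = False, bpdu_guard: bool = False) -> str:
    """Hypothetical model of what a switch does with a BPDU on a protected port."""
    if bpdu_guard:
        return "err-disabled"               # any BPDU on an edge port shuts it
    if root_guard and bpdu.root_id < current_root:
        return "root-inconsistent"          # superior BPDU ignored, port blocked
    if bpdu.root_id < current_root:
        return "recompute: new root"        # unprotected port accepts the claim
    return "accepted"


# Constructed topology: the real root already runs at priority 0, yet an
# attacker at priority 0 with a lower MAC still has the lower bridge ID.
LEGIT_ROOT = bridge_id(0, "00:1b:2c:3d:4e:5f")
ATTACKER = bridge_id(0, "00:00:00:00:00:01")
legit_hello = ConfigBPDU(LEGIT_ROOT, 0, LEGIT_ROOT, 0x8001)
spoofed = ConfigBPDU.unpack(ConfigBPDU(ATTACKER, 0, ATTACKER, 0x8001).pack())


def demo() -> dict:
    return {
        "attacker_wins_election": elect_root([legit_hello, spoofed]) == ATTACKER,
        "unprotected_port": port_decision(spoofed, LEGIT_ROOT),
        "root_guard_port": port_decision(spoofed, LEGIT_ROOT, root_guard=True),
        "bpdu_guard_port": port_decision(spoofed, LEGIT_ROOT, bpdu_guard=True),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The election result is the point of the priority-zero caveat: both bridges advertise priority 0, and the attacker still wins on the MAC address. On Cisco IOS the corresponding protections are `spanning-tree guard root` on the interfaces that must never learn a new root, and `spanning-tree bpduguard enable` per interface (or `spanning-tree portfast bpduguard default` globally for PortFast ports) on user-facing access ports; with either in place the spoofed BPDU never enters the election.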