VLAN Hopping

A VLAN hopping attack occurs when an attacker sends packets to a system on a different VLAN that the attacker cannot normally reach. The traffic is tagged with a VLAN ID (VID) different from the one the attacker's own port belongs to. Alternatively, the attacking system may behave like a switch and negotiate trunking, so that the attacker can send and receive traffic on other VLANs.

VLAN Hopping is an exploitation method used against networks with multiple VLANs. The attacking system sends packets whose destination is a system on a separate VLAN that, under normal circumstances, it could not reach. VLAN Hopping attacks primarily abuse the Dynamic Trunking Protocol (DTP), and they are often directed at the trunking encapsulation protocol (802.1q or ISL).

Malicious traffic used for VLAN Hopping is tagged with a VLAN ID outside the VLAN to which the attacking system belongs. An attacker can also attempt to look and behave like a switch and negotiate trunking, which allows the attacker not only to send but also to receive traffic across more than one VLAN.

There are two common methods of VLAN Hopping: Switch Spoofing and Double Tagging.

Switch Spoofing

A Switch Spoofing attack exploits the network by configuring a system to mimic a switch. This is not always an easy attack to perform, as it requires the attacking host to speak ISL or 802.1q trunk encapsulation and to signal with the Dynamic Trunking Protocol. The attack makes the attacker's machine appear to the switch as another switch with a trunking port. If it succeeds, the attacker's port becomes a trunk and is therefore a member of all VLANs.

Figure 1: VLAN Hopping attack with switch spoofing

Double Tagging

Double Tagging is an attack in which the attacker sends frames carrying two 802.1q headers, one nested inside the other, so that the frames are forwarded into the wrong VLAN. It works because the first switch the frames reach strips the outer 802.1q header and forwards the frame with the inner header, whose VID is the victim VLAN. Since the outer tag carries the native VLAN of the attacker's port, the first switch treats the frame as native-VLAN traffic, removes that tag, and forwards the frame with the inner header out of all switch ports and trunk ports configured with that native VLAN. The second switch then forwards the frame according to the inner VLAN identifier, and the VLAN hop is complete.

Figure 2: VLAN Hopping attack with double tagging

Mitigation

You can mitigate VLAN hopping attacks by putting all user ports into access mode using the switchport mode access command. Several other modifications to the VLAN configuration are also recommended. One of the more important elements is to use dedicated VLAN IDs as the active (allowed) VLANs for all trunk ports. Also, disable all unused switch ports and place them in an unused VLAN.

  • Configure user ports as static access ports;
  • Ensure that ports are not set to negotiate trunks automatically;
  • Do not put any hosts on VLAN 1 (the default VLAN);
  • Change the native VLAN on all trunk ports to an unused VLAN ID;
  • Explicitly tag the native VLAN on all trunk ports.
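As an added example that is not part of the original page, the following Python script audits a Cisco IOS running-config against the checklist above (static access mode, no DTP negotiation, hosts off VLAN 1, native VLAN moved off VLAN 1, native VLAN tagged, unused ports shut down). The sample config and its interface names are constructed for the demonstration.

```python
# Constructed sample running-config (not from a real device): a hardened trunk,
# a port still negotiating via DTP, and a host left on VLAN 1 without nonegotiate.
SAMPLE_CONFIG = """\
vlan dot1q tag native
!
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 999
 switchport nonegotiate
!
interface GigabitEthernet0/2
 switchport mode dynamic desirable
!
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 1
!
"""
def parse_interfaces(config):
    """Map each 'interface X' stanza to its indented lines (IOS config layout)."""
    ifaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = ifaces.setdefault(line.split(None, 1)[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return ifaces
def audit(config):
    """Return (interface, finding) pairs; an empty list means every check passed."""
    findings = []
    if "vlan dot1q tag native" not in config.splitlines():
        findings.append(("global", "native VLAN is sent untagged on trunks"))
    for name, lines in parse_interfaces(config).items():
        if "shutdown" in lines:
            continue  # a shut-down unused port cannot negotiate a trunk
        def setting(prefix, default):  # last word of the matching line, else default
            return next((ln.split()[-1] for ln in lines if ln.startswith(prefix)), default)
        mode = setting("switchport mode ", "dynamic")  # no static mode means DTP decides
        if mode not in ("trunk", "access"):
            findings.append((name, "port negotiates with DTP; set a static mode"))
        elif "switchport nonegotiate" not in lines:
            findings.append((name, "add 'switchport nonegotiate' to stop DTP frames"))
        if mode == "trunk" and setting("switchport trunk native vlan ", "1") == "1":
            findings.append((name, "trunk native VLAN is 1; move it to an unused VLAN"))
        if mode == "access" and setting("switchport access vlan ", "1") == "1":
            findings.append((name, "host sits on VLAN 1; move it off the default VLAN"))
    return findings
```

Run it against a saved `show running-config` to list which ports still allow trunk negotiation or still touch VLAN 1.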