Analysis of Common VLAN Attacks

Source: Internet
Author: User

Attackers use a number of attack methods that are built on VLAN technology. How can effective preventive measures be taken against these attacks? This article introduces the attack methods and the defensive measures that can be applied to networks managed with VLAN technology.

Currently, common VLAN attacks include:

VLAN attack 1. 802.1Q and ISL tagging attack

A tagging attack is a malicious attack in which a user on one VLAN gains illegitimate access to another VLAN. For example, if a switch port is configured with DTP (Dynamic Trunking Protocol) set to auto and it receives a forged DTP packet, it becomes a trunk port and may then receive traffic for any VLAN. A malicious user can therefore communicate with other VLANs through the controlled port. Sometimes, even when a switch port receives only ordinary frames, it behaves contrary to the intended design, for example a trunk port accepting frames from other native VLANs; this phenomenon is often called "VLAN leakage".

To prevent such attacks, it is sufficient to set DTP to "off" on all untrusted ports. The software and hardware of the Cisco Catalyst 2950, Catalyst 3550, and Catalyst 4000 series switches can also implement appropriate traffic classification and isolation on all ports.

VLAN attack 2. Double-encapsulated 802.1Q / nested VLAN attack

Inside a switch, VLAN numbers and identifiers are represented in a special extended format. The purpose is to keep the forwarding path VLAN-independent end to end without losing any information. Outside the switch, the tagging rules are defined by ISL, 802.1Q, and other standards.

ISL is a Cisco proprietary technology and is a compact form of the extended frame header used inside the device. Every frame always receives a tag, so there is no risk of an untagged frame, which improves security.

On the other hand, the IEEE 802.1Q committee decided that, for backward compatibility, it was best to support a native VLAN, that is, a VLAN that is not explicitly associated with a tag on the 802.1Q link. This VLAN implicitly receives all untagged traffic on the 802.1Q port.

Users want this function, because an 802.1Q port can communicate directly with a legacy 802.3 port by sending and receiving untagged traffic. In all other circumstances, however, the function can be very harmful, because frames associated with the native VLAN lose their tag during transmission over the 802.1Q link, and with it, for example, the class of service (the 802.1p bits).

The trunk first strips the outer tag and then forwards the attacker's 802.1Q frame: data the attacker sends from VLAN A, the trunk's native VLAN, arrives on the trunk as VLAN B data.

Note: the trunk can be exploited in this way only when its native VLAN is the same as the attacker's VLAN.

When a double-encapsulated 802.1Q frame happens to enter the network from a device whose VLAN is the same as the native VLAN of the trunk, the VLAN ID of the frame cannot be preserved end to end, because the 802.1Q trunk always modifies the frame, that is, it removes the outer tag. Once the outer tag is removed, the inner tag becomes the frame's only VLAN identifier. Therefore, if the frame is double-encapsulated with two different tags, the traffic can hop between VLANs.

This situation is regarded as a misconfiguration, because the 802.1Q standard does not force the native VLAN to be used in these cases. In fact, the proper configuration is always to clear the native VLAN from all 802.1Q trunks (setting the trunk to 802.1Q all-tagged mode achieves the same effect). Where the native VLAN cannot be cleared, an unused VLAN should be selected as the native VLAN for all trunks and must not be used for any other purpose. STP, DTP, and UDLD should be the only legitimate users of the native VLAN, and their traffic should be completely isolated from all data frames.
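The following model, added here as an example and not part of the original article, builds real 802.1Q frame bytes and walks a double-tagged frame from an access port across a trunk to the downstream switch. It shows why the hop only works when the attacker's VLAN equals the trunk's native VLAN, and how the two mitigations named above (an unused native VLAN, or all-tagged mode) stop it. All addresses, VLAN numbers and the payload are constructed sample values; the switch behaviour is a simplified model.

```python
import struct

TPID_8021Q = 0x8100                       # 802.1Q tag protocol identifier
ETH_IPV4 = 0x0800
DST = bytes.fromhex("ffffffffffff")       # constructed sample MAC addresses
SRC = bytes.fromhex("020000000001")

def build_frame(tags, payload=b"constructed payload"):
    """Ethernet frame with zero or more 802.1Q tags, outermost first."""
    frame = DST + SRC
    for vid in tags:
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ETH_IPV4) + payload

def parse_tags(frame):
    """Return the VLAN IDs carried by the frame, outermost first."""
    off, tags = 12, []
    while struct.unpack("!H", frame[off:off + 2])[0] == TPID_8021Q:
        tags.append(struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF)
        off += 4
    return tags

def access_ingress(frame, access_vlan):
    """Access port: untagged frames join access_vlan; a frame whose outer tag
    equals access_vlan is accepted with that tag stripped; anything else drops."""
    tags = parse_tags(frame)
    if not tags:
        return access_vlan, frame
    if tags[0] == access_vlan:
        return access_vlan, frame[:12] + frame[16:]
    return None

def trunk_egress(vlan, frame, native_vlan, tag_native):
    """Trunk egress: native-VLAN frames leave untagged unless all-tagged mode."""
    if vlan == native_vlan and not tag_native:
        return frame
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vlan) + frame[12:]

def trunk_ingress(frame, native_vlan):
    """Trunk ingress: the outermost tag selects the VLAN; untagged -> native."""
    tags = parse_tags(frame)
    return tags[0] if tags else native_vlan

def vlan_reached(native_vlan, tag_native, attacker_vlan=1, target_vlan=20):
    """VLAN in which a double-tagged frame lands on the downstream switch."""
    accepted = access_ingress(build_frame([attacker_vlan, target_vlan]), attacker_vlan)
    if accepted is None:
        return None
    vlan, inner = accepted
    wire = trunk_egress(vlan, inner, native_vlan, tag_native)
    return trunk_ingress(wire, native_vlan)
```

With the default native VLAN 1 and an attacker in VLAN 1 the frame lands in VLAN 20; with all-tagged mode, or with an unused native VLAN, it stays in VLAN 1.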

VLAN attack 3. VLAN hopping attack

A virtual LAN (VLAN) is used to segment broadcast domains. VLANs are often used to add security to a network, because computers on one VLAN cannot communicate with users on another VLAN without explicit access. However, VLANs alone are not enough to secure the environment: a malicious attacker can hop from one VLAN to another even without authorization.

VLAN hopping attacks rely on the Dynamic Trunking Protocol (DTP). When two switches are interconnected, DTP negotiates between them whether the link becomes an 802.1Q trunk; the negotiation is completed by checking the configuration state of the ports.

VLAN hopping attacks exploit DTP. In a VLAN hopping attack, the attacker's computer impersonates another switch and sends forged DTP negotiation messages announcing that it wants to become a trunk. When a real switch receives the DTP message, it concludes that it should enable 802.1Q trunking. Once trunking is enabled, traffic from all VLANs is sent to the attacker's computer.

Once the trunk is established, the attacker can either keep inspecting the traffic or add 802.1Q tags to frames to specify the VLAN to which the attack traffic is sent.

VLAN attack 4. VTP attack

The VLAN Trunking Protocol (VTP) is a management protocol that reduces the amount of configuration in a switched environment. For VTP, a switch can be a VTP server, a VTP client, or a VTP transparent switch; only the VTP server and VTP client are discussed here. Every time the configuration of a switch in VTP server mode is modified, whether by adding, modifying, or removing a VLAN, the VTP configuration revision number increases by 1. When a VTP client sees a configuration revision number higher than its current one, it automatically synchronizes with the VTP server.

A malicious attacker can use VTP to remove all VLANs on the network (except the default VLAN), so that the attacker is in the same VLAN as every user. The users may still be in different IP subnets, however, so the attacker needs to change his IP address to enter the same subnet as the host he wants to attack.

VTP can be exploited as soon as a malicious attacker connects to a switch and establishes a trunk between the computer and the switch. The attacker can send the VTP server a VTP message carrying a configuration revision number higher than the current one, which causes all switches to synchronize with the attacker's computer and removes all non-default VLANs from the VLAN database.

These attacks show how fragile VLANs can be. Fortunately, they depend on the switch being configured incorrectly or inappropriately, which is what causes the unexpected behaviour or security problems. The following describes the key points that must be paid attention to when configuring switches.