) Vswitch attack method description

Attackers can exploit the vswitch vulnerability as follows:

I. Spanning Tree attack

Spanning Tree Protocol (STP) can prevent loops in redundant switching environments. If the network has a loop, it will become congested, resulting in a broadcast storm, resulting in inconsistent Mac tables, and eventually cause the network to crash.

All switches using STP share information through the Bridge Protocol Data Unit (BPDU). BPDU are sent every two seconds. When a vswitch sends a BPDU, it contains the name of the bridge ID, which combines the configurable priority (default value: 32768) with the basic MAC address of the vswitch. A vswitch can send and receive these BPDU to determine which vswitch has the lowest bridge ID, and the vswitch with the lowest bridge ID becomes the root bridge ).

The root bridge is like a community grocery store in a town. Every town needs a grocery store, and every citizen needs to determine the best way to reach the grocery store. A route that is longer than the optimal route is not used unless the main channel is blocked.

The root bridge works in a similar way. Each Other switch determines the optimal route for returning the root bridge based on the cost, which is based on the value allocated for the bandwidth. If any other route finds that the bypass mode does not form a loop (for example, if a problem occurs on the main route), it is set to the blocking mode.

Malicious hackers use STP to launch DoS attacks. If a malicious hacker connects a computer to more than one switch and sends a specially designed BPDU with a low bridge ID, the hacker can fool the switch to think it is the root bridge, this will cause STP to reconverge and cause the loop and network crash.

Ii. Mac table flood attacks

The switch works by recording the Mac source address when the frame enters the switch. The MAC address is related to the port on which the frame enters, therefore, the information flow to the MAC address will be sent only through this port. This can improve bandwidth utilization, because the information flow does not need to be sent from all ports, but only from the ports to be received.

The MAC address is stored in the content addressable memory (CAM). Cam is a kb reserved memory dedicated to storing MAC addresses for fast query. If a malicious hacker sends a large number of data packets to the cam, the switch will start to send a large number of information streams to various places, thus laying a hidden danger and even causing the switch to crash in a Denial-of-Service attack.

Iii. ARP attacks

ARP (addressresolutionprotocol) Spoofing is a common method used in session hijacking attacks. The Address Resolution Protocol (ARP) uses layer-7 physical MAC addresses to map layer-7 logical IP addresses. If the device knows the IP address but does not know the MAC address of the requested host, it sends an ARP request. ARP requests are usually sent in the form of broadcasts so that all hosts can receive them.

Malicious hackers can send spoofed ARP replies to obtain information flows sent to another host. Assume that Jimmy is also on the Internet and tries to obtain the information stream sent to this legal user. Jimmy spoofs the ARP response and claims that he is the host of the IP address 10.0.0.55 (MAC address: 05-1c-32-00-a1-99, legal users also use the same MAC address to respond. The result is that the vswitch has two ports related to the Mac table address on the Mac surface, and all frames sent to the MAC address are sent to the legitimate user and hacker Jimmy at the same time.