Resolving common VLAN attacks

Disclaimer: this article is original content of the Coisini community and may not be reproduced without permission. https://blog.csdn.net/kclax/article/details/91354062

VLAN attacks are attacks launched by hackers against VLAN technology. Faced with attacks in this new guise, what effective preventive measures can be taken? This article, written for administrators who use VLANs to manage their networks, introduces the attacks hackers use and the defensive measures we can take.

The common VLAN attacks today are the following:

1. 802.1Q and ISL tagging attacks

Tagging attacks are malicious attacks in which a user on one VLAN gains illegal access to another VLAN. For example, if a switch port is configured with DTP (Dynamic Trunking Protocol) in auto mode, it becomes a trunk port as soon as it receives a forged DTP packet, and may then receive traffic destined for any VLAN. A malicious user can thus communicate with other VLANs through the port under their control. Sometimes, even when it only receives normal packets, a switch port may behave contrary to its intended purpose and act like a trunk port (for example, accepting a packet from a VLAN other than its local one); this phenomenon is commonly called "VLAN leakage".

To prevent this attack, simply set DTP (Dynamic Trunking Protocol) to "off" on all untrusted ports (ports that do not meet the trust conditions). The switch software and hardware running on the Cisco Catalyst 2950, Catalyst 3550, Catalyst 4000 and Catalyst 6000 series can also implement appropriate traffic classification and isolation on all ports.

2. Double 802.1Q encapsulation attacks / nested VLAN attacks

Inside a switch, VLAN numbers and identities are represented in a special extended format, so that the forwarding path remains VLAN-aware end to end without losing any information. Outside the switch, tagging follows the rules of a standard such as ISL or 802.1Q.

ISL is a Cisco proprietary technology: it is a compact form of the extended packet header used inside the equipment. Every packet always carries a tag, so there is no risk of losing its identity, which improves security.

On the other hand, the IEEE 802.1Q committee decided that, to achieve backward compatibility, it was preferable to support a native VLAN, that is, a VLAN on an 802.1Q link that is not explicitly associated with any tag. This VLAN is implicitly used to receive all untagged traffic on an 802.1Q port.

Users want this capability, because with it 802.1Q ports can talk directly to old 802.3 ports by sending and receiving untagged traffic. In all other cases, however, this function can be very harmful, because packets associated with the native VLAN lose their tags when transmitted over an 802.1Q link, and with them information such as their service class (the 802.1p bits).

Figure: the attacker sends an 802.1Q frame whose outer tag is VLAN A (the trunk's native VLAN) and whose inner tag is VLAN B; the outer tag is removed on the trunk and the data is delivered into VLAN B.

Note: this only works when the attacker's port is in the same VLAN as the trunk's native VLAN.

When a double-encapsulated 802.1Q packet enters the network from a device whose VLAN happens to be the native VLAN of the trunk, the VLAN identification of that packet is not preserved end to end, because an 802.1Q trunk always modifies the packet by stripping its outer tag. After the outer tag is removed, the inner tag becomes the packet's only VLAN identifier. Thus, if the two tags differ, double-encapsulated traffic can hop between different VLANs.
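To make the mechanism above concrete, here is an added Python example (not code from the original article) that parses stacked 802.1Q tags from a raw Ethernet frame, models what an 802.1Q trunk does when it sends the native VLAN untagged versus when native-VLAN tagging is enforced, and flags frames that should not appear on a port of a given role. It goes slightly beyond the text by also accepting the 802.1ad (0x88A8) outer tag. The sample frames are constructed test data; the MAC addresses, VLAN numbers and function names are assumptions.

```python
import struct

TAG_ETHERTYPES = {0x8100, 0x88A8}   # 802.1Q tag, and the 802.1ad (QinQ) outer tag


def parse_frame(frame: bytes) -> dict:
    """Decode an Ethernet frame and every stacked VLAN tag that precedes the payload.

    Returns dst/src MACs, the tag stack in wire order (outermost first), the
    EtherType of the encapsulated protocol and the remaining payload bytes.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[:6], frame[6:12]
    offset = 12
    tags = []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("frame ends inside the EtherType field")
        (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
        if ethertype not in TAG_ETHERTYPES:
            break
        if len(frame) < offset + 4:
            raise ValueError("frame ends inside a VLAN tag")
        (tci,) = struct.unpack("!H", frame[offset + 2:offset + 4])
        tags.append({"vid": tci & 0x0FFF,      # 12-bit VLAN ID
                     "pcp": tci >> 13,         # 802.1p priority bits
                     "dei": (tci >> 12) & 1,   # drop eligible indicator
                     "tpid": ethertype})
        offset += 4
    return {"dst": dst.hex(":"), "src": src.hex(":"), "tags": tags,
            "ethertype": ethertype, "payload": frame[offset + 2:]}


def after_trunk_egress(parsed: dict, native_vlan: int, tag_native: bool = False) -> list:
    """Model the trunk behaviour the article describes.

    With default 802.1Q behaviour the native VLAN is sent untagged, so a frame whose
    outermost tag equals the native VLAN leaves the trunk with that tag removed.
    With native-VLAN tagging enforced (tag_native=True, the "all tagged" mode) the
    outer tag stays, and nothing underneath it is exposed.
    """
    tags = list(parsed["tags"])
    if not tag_native and tags and tags[0]["vid"] == native_vlan:
        tags = tags[1:]
    return tags


def vlan_seen_by_next_hop(tags_after: list, native_vlan: int) -> int:
    """VLAN the receiving switch assigns: outermost remaining tag, else its native VLAN."""
    return tags_after[0]["vid"] if tags_after else native_vlan


def classify(parsed: dict, port_role: str) -> str:
    """Flag frames that have no business on a port of the given role ("access" or "trunk")."""
    depth = len(parsed["tags"])
    if depth > 1:
        return "double-tagged"
    if port_role == "access" and depth == 1:
        return "tagged-on-access"
    return "ok"


# Constructed sample frames (hex, not captured traffic): broadcast destination,
# locally administered source MAC, IPv4 EtherType, four bytes of dummy payload.
UNTAGGED = bytes.fromhex("ffffffffffff 020000000001 0800 deadbeef")
SINGLE_TAG_VLAN1 = bytes.fromhex("ffffffffffff 020000000001 8100 0001 0800 deadbeef")
DOUBLE_TAG_1_THEN_20 = bytes.fromhex("ffffffffffff 020000000001 8100 0001 8100 0014 0800 deadbeef")

if __name__ == "__main__":
    frame = parse_frame(DOUBLE_TAG_1_THEN_20)
    print("tag stack:", [t["vid"] for t in frame["tags"]])
    print("native VLAN 1 untagged ->", vlan_seen_by_next_hop(after_trunk_egress(frame, 1), 1))
    print("native VLAN 1 tagged   ->", vlan_seen_by_next_hop(after_trunk_egress(frame, 1, tag_native=True), 1))
    print("native VLAN 999        ->", vlan_seen_by_next_hop(after_trunk_egress(frame, 999), 999))
    print("on an access port:", classify(frame, "access"))
```

Running the script shows the three outcomes the text contrasts: with native VLAN 1 sent untagged, the double-tagged frame is delivered into VLAN 20; with the native VLAN tagged, or with an unused native VLAN such as 999, the outer tag survives and the frame stays in VLAN 1. The classify() function is the kind of check a port-level capture filter or IDS rule can apply, since a legitimate host behind an access port never emits tagged, let alone double-tagged, frames.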

This case should be considered a misconfiguration, since the 802.1Q standard does not force users to use the native VLAN in these cases. In fact, the correct configuration is always to clear the native VLAN from all 802.1Q trunks (setting them to 802.1q-all-tagged mode achieves the same effect). When the native VLAN cannot be cleared, an unused VLAN should be chosen as the native VLAN of all trunks, and that VLAN should not be used for any other purpose. Protocols such as STP, DTP (Dynamic Trunking Protocol) and UDLD should be the only legitimate users of the native VLAN, and it should be completely isolated from all data packet traffic.

3. VLAN hopping attacks

A virtual LAN (VLAN) is a method for segmenting broadcast domains. VLANs are also often used to provide additional security for a network, because computers on one VLAN cannot communicate with users on another VLAN without being explicitly granted access. However, a VLAN by itself is not sufficient to protect the environment: with a VLAN hopping attack, a malicious hacker can jump from one VLAN to another even without authorization.

VLAN hopping attacks rely on the Dynamic Trunking Protocol (DTP). When two switches are interconnected, DTP lets them negotiate whether or not to become an 802.1Q trunk; the negotiation is carried out by checking the configured state of the ports.

A VLAN hopping attack takes full advantage of DTP. In such an attack, the hacker's computer pretends to be another switch and sends a forged DTP negotiation message announcing that it wants to become a trunk; when the real switch receives the DTP message, it concludes that it should enable 802.1Q trunking, and once trunking is enabled, traffic from all VLANs is sent to the hacker's computer.

Once the trunk is established, the hacker can continue to sniff the traffic, and can also add 802.1Q tag information to frames to specify which VLAN the attack traffic should be sent to.
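The defences recommended in sections 1, 2 and 3 (DTP switched off on untrusted ports, the native VLAN tagged or moved to an unused VLAN on every trunk) are all visible in a switch's running configuration, so they can be audited. The following Python script is an added example, not code from the article or from Cisco: it parses an IOS-style configuration and reports ports that still negotiate DTP and trunks whose native VLAN is sent untagged. The configuration excerpt is constructed, the interface names are placeholders, VLAN 999 stands for an otherwise unused VLAN, and the assumption that an interface without an explicit switchport mode falls back to a DTP dynamic mode reflects Catalyst defaults.

```python
import re
from collections import OrderedDict

# Constructed IOS-style running-config excerpt (not taken from the article).
# Interface names are placeholders; VLAN 999 stands for an otherwise unused VLAN.
SAMPLE_CONFIG = """\
hostname access-sw1
!
interface GigabitEthernet1/0/1
 description user port, weak: DTP left in auto mode
 switchport mode dynamic auto
!
interface GigabitEthernet1/0/2
 description user port, hardened
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
interface GigabitEthernet1/0/23
 description uplink, weak: native VLAN 1 untagged, DTP frames still sent
 switchport mode trunk
!
interface GigabitEthernet1/0/24
 description uplink, hardened
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport mode trunk
 switchport nonegotiate
!
"""


def parse_ios_config(text: str):
    """Split an IOS-style config into global lines and an ordered {interface: [lines]} map."""
    global_lines, interfaces = [], OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None                      # "!" or any unindented line closes the block
            if line and line != "!":
                global_lines.append(line)
    return global_lines, interfaces


def audit_vlan_hardening(text: str):
    """Return (interface, severity, message) findings for DTP and native-VLAN weaknesses."""
    global_lines, interfaces = parse_ios_config(text)
    # Global native-VLAN tagging is the IOS equivalent of the article's 802.1q-all-tagged mode.
    native_tagged = "vlan dot1q tag native" in global_lines
    findings = []
    for name, lines in interfaces.items():
        mode = next((ln.split()[2] for ln in lines if ln.startswith("switchport mode ")), None)
        nonegotiate = "switchport nonegotiate" in lines
        if mode is None:
            # Assumption: Catalyst ports default to a dynamic DTP mode when no mode is configured.
            findings.append((name, "high", "no explicit switchport mode; platform default negotiates DTP"))
        elif mode == "dynamic":
            findings.append((name, "high", "DTP negotiation enabled; a forged DTP frame can turn this port into a trunk"))
        elif not nonegotiate:
            findings.append((name, "medium", f"{mode} port still emits DTP frames; add 'switchport nonegotiate'"))
        if mode == "trunk":
            native = 1                          # 802.1Q default native VLAN
            for ln in lines:
                m = re.fullmatch(r"switchport trunk native vlan (\d+)", ln)
                if m:
                    native = int(m.group(1))
            if native_tagged:
                continue                        # outer tag is never stripped, so double tagging is moot
            if native == 1:
                findings.append((name, "high", "native VLAN 1 sent untagged on the trunk; tag it or move it to an unused VLAN"))
            else:
                findings.append((name, "info", f"native VLAN {native} sent untagged; keep it free of user data"))
    return findings


if __name__ == "__main__":
    for iface, severity, message in audit_vlan_hardening(SAMPLE_CONFIG):
        print(f"{severity:6} {iface}: {message}")
```

On the sample configuration the script reports the auto-mode user port and the weak uplink as high-severity findings, notes that the weak uplink still emits DTP frames, and only leaves an informational note on the hardened uplink because its native VLAN, though unused, is still sent untagged; prepending the global "vlan dot1q tag native" line to the configuration removes the native-VLAN findings entirely. Feed it the output of "show running-config" collected from each switch to find ports that were left out of the hardening described above.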
