1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313
|
$Id: README 2 2006-04-03 21:04:25Z tomac $
Spanning Tree
-------------
#1: DOS attack sending conf BPDUs
Let's send some conf BPDUs claiming be root!!! By sending continously conf BPDU with root pathcost 0, randomly
generated bridge id (and therefore the same root id), and some default values for other fields, we try to
annoy the switches close to us, causing a DoS when trying to parse and recalculate their STP engines.
Source MAC: randomly generated.
Destination MAC: 01:80:c2:00:00:00
Bridge ID: 8000:source_mac
Root ID: 8000:source_mac
Hello time: 2
Forward delay: 15
Max age: 20
Root pathcost: 0
<output from the cisco log>
01:20:26: STP: VLAN0001 heard root 32768-d1bf.6d60.097b on Fa0/8
01:20:26: STP: VLAN0001 heard root 32768-9ac6.0f72.7118 on Fa0/8
01:20:26: STP: VLAN0001 heard root 32768-85a3.3662.43dc on Fa0/8
01:20:26: STP: VLAN0001 heard root 32768-3d84.bc1c.918e on Fa0/8
01:20:26: STP: VLAN0001 heard root 32768-b2e2.1a12.dbb4 on Fa0/8
01:20:26: STP: VLAN0001 heard root 32768-4ba6.2d45.5844 on Fa0/8
01:20:26: STP: VLAN0001 heard root 32768-deb0.4f14.7288 on Fa0/8
01:20:26: STP: VLAN0001 heard root 32768-4879.8036.0e24 on Fa0/8
01:20:26: STP: VLAN0001 heard root 32768-2776.e340.9222 on Fa0/8
01:20:26: STP: VLAN0001 heard root 32768-299e.de76.c07d on Fa0/8
01:20:26: STP: VLAN0001 heard root 32768-d38b.bc5b.e90d on Fa0/8
01:20:26: STP: VLAN0001 heard root 32768-78ee.0205.afdb on Fa0/8
01:20:26: STP: VLAN0001 heard root 32768-b32b.e969.81b1 on Fa0/8
01:20:26: STP: VLAN0001 heard root 32768-b16b.c428.88a3 on Fa0/8
01:20:26: STP: VLAN0001 heard root 32768-dd01.1436.9044 on Fa0/8
</output>
#2: DOS attack sending tcn BPDUs
This attack sends continously tcn BPDUs causing the root switch to send conf BPDUs acknowledging the change.
Besides, the root switch will send topology change notifications to the members of the tree, and they will
have to recalculate their STP engine to learn the new change.
Source MAC: randomly generated.
Destination MAC: 01:80:c2:00:00:00
<output from the cisco log>
01:35:39: STP: VLAN0001 Topology Change rcvd on Fa0/8
01:35:39: STP: VLAN0001 Topology Change rcvd on Fa0/8
01:35:39: STP: VLAN0001 Topology Change rcvd on Fa0/8
01:35:39: STP: VLAN0001 Topology Change rcvd on Fa0/8
01:35:39: STP: VLAN0001 Topology Change rcvd on Fa0/8
01:35:39: STP: VLAN0001 Topology Change rcvd on Fa0/8
01:35:39: STP: VLAN0001 Topology Change rcvd on Fa0/8
01:35:39: STP: VLAN0001 Topology Change rcvd on Fa0/8
01:35:39: STP: VLAN0001 Topology Change rcvd on Fa0/8
01:35:39: STP: VLAN0001 Topology Change rcvd on Fa0/8
01:35:39: STP: VLAN0001 Topology Change rcvd on Fa0/8
01:35:39: STP: VLAN0001 Topology Change rcvd on Fa0/8
01:35:39: STP: VLAN0001 Topology Change rcvd on Fa0/8
01:35:39: STP: VLAN0001 Topology Change rcvd on Fa0/8
01:35:39: STP: VLAN0001 Topology Change rcvd on Fa0/8
01:35:39: STP: VLAN0001 Topology Change rcvd on Fa0/8
01:35:39: STP: VLAN0001 Topology Change rcvd on Fa0/8
01:35:39: STP: VLAN0001 Topology Change rcvd on Fa0/8
</output>
#3: NONDOS attack Claiming Root Role
Now our aim is to get the root role of the tree. How can we accomplish this issue? Just listening to the network
to find out which one is the root role, and start sending conf BPDU with lower priority to become root.
Source MAC: same one as the sniffed BPDU.
Destination MAC: same one as the sniffed BPDU.
Bridge ID: the sniffed one slightly modified to have a lower priority
Root ID: 8000: same as bridge id.
Hello time: same one as the sniffed BPDU.
Forward delay: same one as the sniffed BPDU.
Max age: same one as the sniffed BPDU.
Root pathcost: same one as the sniffed BPDU.
<output from the cisco log>
01:58:48: STP: VLAN0001 heard root 32769-000e.84d4.2280 on Fa0/8
01:58:48: supersedes 32769-000e.84d5.2280
01:58:48: STP: VLAN0001 new root is 32769, 000e.84d4.2280 on port Fa0/8, cost 19
</output>
#4 NONDOS attack Claiming a non-root role
We pretend to be another weird switch playing with STP and praising our root id :)
#5 DOS attack causing eternal root elections
By sending config BPDUs autodecrementing their priority, we can cause infinite root elections in the STP tree.
It would be something similar to recount the election's votes to determine the winner (do you remember Florida?)
<output from the cisco log>
00:20:21: STP: VLAN0001 heard root 32769-000e.84d4.2280 on Fa0/9
00:20:21: supersedes 32769-000e.84d5.2280
00:20:21: STP: VLAN0001 new root is 32769, 000e.84d4.2280 on port Fa0/9, cost 19
00:20:23: STP: VLAN0001 heard root 32769-000e.84d3.2280 on Fa0/9
00:20:23: supersedes 32769-000e.84d4.2280
00:20:23: STP: VLAN0001 new root is 32769, 000e.84d3.2280 on port Fa0/9, cost 19
00:20:25: STP: VLAN0001 heard root 32769-000e.84d2.2280 on Fa0/9
00:20:25: supersedes 32769-000e.84d3.2280
00:20:25: STP: VLAN0001 new root is 32769, 000e.84d2.2280 on port Fa0/9, cost 19
00:20:27: STP: VLAN0001 heard root 32769-000e.84d1.2280 on Fa0/9
00:20:27: supersedes 32769-000e.84d2.2280
00:20:27: STP: VLAN0001 new root is 32769, 000e.84d1.2280 on port Fa0/9, cost 19
00:20:29: STP: VLAN0001 heard root 32769-000e.84d0.2280 on Fa0/9
00:20:29: supersedes 32769-000e.84d1.2280
00:20:29: STP: VLAN0001 new root is 32769, 000e.84d0.2280 on port Fa0/9, cost 19
00:20:31: STP: VLAN0001 heard root 32769-000e.84cf.2280 on Fa0/9
00:20:31: supersedes 32769-000e.84d0.2280
00:20:31: STP: VLAN0001 new root is 32769, 000e.84cf.2280 on port Fa0/9, cost 19
00:20:33: STP: VLAN0001 heard root 32769-000e.84ce.2280 on Fa0/9
00:20:33: supersedes 32769-000e.84cf.2280
00:20:33: STP: VLAN0001 new root is 32769, 000e.84ce.2280 on port Fa0/9, cost 19
00:20:35: STP: VLAN0001 heard root 32769-000e.84cd.2280 on Fa0/9
00:20:35: supersedes 32769-000e.84ce.2280
00:20:35: STP: VLAN0001 new root is 32769, 000e.84cd.2280 on port Fa0/9, cost 19
00:20:37: STP: VLAN0001 heard root 32769-000e.84cc.2280 on Fa0/9
00:20:37: supersedes 32769-000e.84cd.2280
00:20:37: STP: VLAN0001 new root is 32769, 000e.84cc.2280 on port Fa0/9, cost 19
00:20:39: STP: VLAN0001 heard root 32769-000e.84cb.2280 on Fa0/9
00:20:39: supersedes 32769-000e.84cc.2280
00:20:39: STP: VLAN0001 new root is 32769, 000e.84cb.2280 on port Fa0/9, cost 19
</output>
#6 DOS Attack causing root dissapearance
This time we try to exhaust the root election proccess. We manage to become root in the STP tree,
but we stop sending config BPDUs until it reaches max_age seconds (usually 20), forcing a new
election proccess.
<output from the cisco log>
02:02:43: STP: VLAN0001 heard root 32769-000e.84d4.2280 on Fa0/9
02:02:43: supersedes 32769-000e.84d5.2280
02:02:43: STP: VLAN0001 new root is 32769, 000e.84d4.2280 on port Fa0/9, cost 19
02:03:03: STP: VLAN0001 we are the spanning tree root
02:03:04: STP: VLAN0001 heard root 32769-000e.84d4.2280 on Fa0/9
02:03:04: supersedes 32769-000e.84d5.2280
02:03:04: STP: VLAN0001 new root is 32769, 000e.84d4.2280 on port Fa0/9, cost 19
02:03:04: STP: VLAN0001 sent Topology Change Notice on Fa0/9
02:03:06: STP: VLAN0001 sent Topology Change Notice on Fa0/9
02:03:08: STP: VLAN0001 sent Topology Change Notice on Fa0/9
02:03:10: STP: VLAN0001 sent Topology Change Notice on Fa0/9
02:03:12: STP: VLAN0001 sent Topology Change Notice on Fa0/9
02:03:14: STP: VLAN0001 sent Topology Change Notice on Fa0/9
02:03:16: STP: VLAN0001 sent Topology Change Notice on Fa0/9
02:03:18: STP: VLAN0001 sent Topology Change Notice on Fa0/9
02:03:20: STP: VLAN0001 sent Topology Change Notice on Fa0/9
02:03:22: STP: VLAN0001 sent Topology Change Notice on Fa0/9
02:03:24: STP: VLAN0001 we are the spanning tree root
02:03:24: STP: VLAN0001 heard root 32769-000e.84d4.2280 on Fa0/9
02:03:24: supersedes 32769-000e.84d5.2280
02:03:24: STP: VLAN0001 new root is 32769, 000e.84d4.2280 on port Fa0/9, cost 19
02:03:24: STP: VLAN0001 sent Topology Change Notice on Fa0/9
02:03:26: STP: VLAN0001 sent Topology Change Notice on Fa0/9
02:03:28: STP: VLAN0001 sent Topology Change Notice on Fa0/9
02:03:30: STP: VLAN0001 sent Topology Change Notice on Fa0/9
02:03:32: STP: VLAN0001 sent Topology Change Notice on Fa0/9
02:03:34: STP: VLAN0001 sent Topology Change Notice on Fa0/9
02:03:36: STP: VLAN0001 sent Topology Change Notice on Fa0/9
02:03:38: STP: VLAN0001 sent Topology Change Notice on Fa0/9
02:03:40: STP: VLAN0001 sent Topology Change Notice on Fa0/9
02:03:42: STP: VLAN0001 sent Topology Change Notice on Fa0/9
02:03:44: STP: VLAN0001 we are the spanning tree root
</output>
Mitigations (Cisco only)
------------------------
- Use port security and disable STP in those ports that don't require STP.
For information about port security, please check the following url:
http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a0080150bcd.html
- If you are using the portfast feature in your STP configuration, enable also the BPDU guard for avoiding these
attacks when the port automatically enters the forwarding state:
http://www.cisco.com/warp/public/473/65.html
- Use the root guard feature for avoiding rogue devices to become root:
http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00800ae96b.shtml
Further reading
---------------
- Guillermo Marro's nice Master Thesis:
http://seclab.cs.ucdavis.edu/papers/Marro_masters_thesis.pdf
- Oleg K. Artemjev, Vladislav V. Myasnyankin. Fun with the Spanning Tree Protocol
http://olli.digger.org.ru/STP
CDP
---
Cisco devices have always spoken a different language to communicate among them,
to tell everybody that they are alive and which nifty features they have. CDP
stands for Cisco Discovery Protocol. By means of this particular language, Cisco
devices set up a virtual world where everyone is happy and ther is no crime at
all. Or at least it seems to be this way, since many network administrators
aren't worried for CDP yet. Although some of information that can be sent in a
CDP packet is still undocumented (CDP is a propietary protocol and it seems that
Cisco does not want to give details about it), at least one old attack (that it
is still valid) is known, and there is a public implementation (FX did it!).
This attack is a DoS trying to exhaust the device memory so that it can't
allocate more memory for any device process. How can we do it? Simply sending
CDP packets with bogus data simulating real Cisco devices. The target device
will begin to allocate memory in its CDP table to save the new neighbor
information, but without knowing that it is going to have thousands or millions
of new friends.
Other attack implemented in the current code is the ability to set up a new
virtual Cisco device that it is designated only for make a little mess, trying
to confuse network administrators.
Screenshot of the attack running:
Output of a Cisco 2503 router:
athens#sh mem
Head Total(b) Used(b) Free(b) Lowest(b) Largest(b)
Processor 4873C 3893444 3893444 0 0 0
I/O 400000 2097152 2097088 64 64 64
<log>
%SCHED-3-THRASHING: Process thrashing on watched queue 'CDP packets' (count 57).
-Process= "CDP Protocol", ipl= 6, pid= 9
-Traceback= 3159232 31594DE 3201660
%LANCE-5-COLL: Unit 0, excessive collisions. TDR=7
%SCHED-3-THRASHING: Process thrashing on watched queue 'CDP packets' (count 57).
-Process= "CDP Protocol", ipl= 6, pid= 9
-Traceback= 3159232 31594DE 3201660
%SYS-2-MALLOCFAIL: Memory allocation of 100 bytes failed from 0x3201B3E, pool Processor, alignment 0
-Process= "CDP Protocol", ipl= 0, pid= 9
-Traceback= 314E8A4 314FA06 3201B46 32016C8
%SCHED-3-THRASHING: Process thrashing on watched queue 'CDP packets' (count 57).
-Process= "CDP Protocol", ipl= 6, pid= 9
-Traceback= 3159232 31594DE 3201660
%SYS-2-MALLOCFAIL: Memory allocation of 100 bytes failed from 0x3201B3E, pool Processor, alignment 0
-Process= "CDP Protocol", ipl= 0, pid= 9
-Traceback= 314E8A4 314FA06 3201B46 32016C8
%SYS-2-MALLOCFAIL: Memory allocation of 100 bytes failed from 0x3201B3E, pool Processor, alignment 0
-Process= "CDP Protocol", ipl= 0, pid= 9
-Traceback= 314E8A4 314FA06 3201B46 32016C8
</log>
And a couple of minutes later after killing the attack, the router surprisingly gets halted for several seconds,
and then kicks you out of the terminal :)
<log>
%SYS-3-CPUHOG: Task ran for 16884 msec (69/69), Process = Exec, PC = 3158D42
-Traceback= 3158CEE 3158D4A 30F7330 30F742A 30FF3A4 30FEF76 30FEF1C 3116860
</log>
Output of a Cisco 2950 switch:
00:06:08: %SYS-2-MALLOCFAIL: Memory allocation of 224 bytes failed from 0x800118D0, alignment 0
Pool: Processor Free: 0 Cause: Not enough free memory
Alternate Pool: I/O Free: 32 Cause: Not enough free memory
-Process= "CDP Protocol", ipl= 0, pid= 26
-Traceback= 801DFC30 801E1DD8 800118D8 80011218 801D932C 801D9318
00:06:08: ../src-calhoun/strata_stats.c at line 137: can't not push event list
00:06:09: ../src-calhoun/strata_stats.c at line 137: can't not push event list
00:06:10: ../src-calhoun/strata_stats.c at line 137: can't not push event list
00:06:11: ../src-calhoun/strata_stats.c at line 137: can't not push event list
00:06:12: ../src-calhoun/strata_stats.c at line 137: can't not push event list
00:06:13: ../src-calhoun/strata_stats.c at line 137: can't not push event list
00:06:14: ../src-calhoun/strata_stats.c at line 137: can't not push event list
00:06:15: ../src-calhoun/strata_stats.c at line 137: can't not push event list
00:06:16: ../src-calhoun/strata_stats.c at line 137: can't not push event list
00:06:17: ../src-calhoun/strata_stats.c at line 137: can't not push event list
00:06:18: ../src-calhoun/strata_stats.c at line 137: can't not push event list
00:06:19: ../src-calhoun/strata_stats.c at line 137: can't not push event list
00:06:20: ../src-calhoun/strata_stats.c at line 137: can't not push event list
00:06:21: ../src-calhoun/strata_stats.c at line 137: can't not push event list
00:06:22: ../src-calhoun/strata_stats.c at line 137: can't not push event list
00:06:23: ../src-calhoun/strata_stats.c at line 137: can't not push event list
00:06:38: %SYS-2-MALLOCFAIL: Memory allocation of 140 bytes failed from 0x801E28BC, alignment 0
Pool: Processor Free: 0 Cause: Not enough free memory
Alternate Pool: I/O Free: 32 Cause: Not enough free memory
-Process= "Calhoun Statistics Process", ipl= 0, pid= 21
-Traceback= 801DFC30 801E1DD8 801E28C4 801F13BC 801F1470 802F7C90 802F9190 802F9788 801D932C 801D9318
00:06:38: ../src-calhoun/strata_stats.c at line 137: can't not push event list
00:06:39: ../src-calhoun/strata_stats.c at line 137: can't not push event list
00:06:40: ../src-calhoun/strata_stats.c at line 137: can't not push event list
00:06:41: ../src-calhoun/strata_stats.c at line 137: can't not push event list
00:06:42: ../src-calhoun/strata_stats.c at line 137: can't not push event list
00:06:44: ../src-calhoun/strata_stats.c at line 137: can't not push event list
00:06:45: ../src-calhoun/strata_stats.c at line 137: can't not push event list
00:06:46: ../src-calhoun/strata_stats.c at line 137: can't not push event list
00:06:47: ../src-calhoun/strata_stats.c at line 137: can't not push event list
00:06:48: ../src-calhoun/strata_stats.c at line 137: can't not push event list
00:06:49: ../src-calhoun/strata_stats.c at line 137: can't not push event list
00:06:50: ../src-calhoun/strata_stats.c at line 137: can't not push event list
00:06:59: %SYS-3-CPUHOG: Task ran for 2076 msec (11/10), process = Net Background, PC = 801ABD40.
-Traceback= 801ABD48 801D932C 801D9318
And then, the CDP process is totally down, even when we stop the attack. No more CDP babies...
|