Home > Articles > Cisco Network Technology > Security > Attacking the Spanning Tree Protocol

Attacking the Spanning Tree Protocol

Chapter Description

Conducting STP attacks is now within the reach of a wide population, thanks to the availability of point-and-shoot attacks tools. Fortunately, simple features widely available on a range of switches, such as BPDU-guard, provide effective measures against spanning-tree–based exploits.

Summary

Conducting STP attacks is now within the reach of a wide population, thanks to the availability of point-and-shoot attacks tools, such as Yersinia. Elaborated two decades ago, the protocol didn't include security as a critical component of its design. This lack of consideration for security attracted hackers' attention all over the world, as recently shown at Black Hat Europe 2005, for example.5 The only vaguely reassuring fact is that, to perform an attack, a miscreant needs direct connectivity with the LAN infrastructure. Nonetheless, STP attacks are extremely disruptive because the protocol lays the foundation for most modern LANs. Attacks can cause traffic black holes, DoS attacks, excessive flooding, redirection of traffic to the hacker's computer, and more. Fortunately, simple features widely available on a range of switches, such as BPDU-guard, provide effective measures against spanning-tree–based exploits.