VLAN hopping

VLAN hopping is a computer security exploit, a method of attacking networked resources on a Virtual LAN (VLAN). The basic concept behind all VLAN hopping attacks is for an attacking host on a VLAN to gain access to traffic on other VLANs that would normally not be accessible. There are two primary methods of VLAN hopping: switch spoofing and double tagging. Both attack vectors can be easily mitigated with proper switchport configuration.

Switch spoofing

In a switch spoofing attack, an attacking host imitates a trunking switch by speaking the tagging and trunking protocols (e.g. Multiple VLAN Registration Protocol, IEEE 802.1Q, VLAN Trunking Protocol) used in maintaining a VLAN. Traffic for multiple VLANs is then accessible to the attacking host.

Mitigation

Switch spoofing can only be exploited when interfaces are set to negotiate a trunk. To prevent this attack, use one of the following methods^[1]:

1. Ensure that ports are not set to negotiate trunks automatically.

Switch(config-if)# switch trunk nonegotiate

2. Ensure that ports that are not meant to be trunks are explicitly configured as access ports

Switch(config-if)# switch mode access

Double tagging

In a double tagging attack, an attacking host prepends two VLAN tags to packets that it transmits. The first tag (which corresponds to the VLAN that the attacker is really a member of) is stripped off by a first switch the packet encounters, and the packet is then forwarded. The second, false, tag is then visible to the second switch that the packet encounters. This false VLAN tag indicates that the packet is destined for a host on a second, target VLAN. The packet is then sent to the target host as though it originated on the target VLAN bypassing the network mechanisms that logically isolate VLANs from one another.

Mitigation

Double Tagging can only be exploited when switches use "Native VLANs"^[2]. Ports with a specific access VLAN (the native VLAN) don't apply a VLAN tag when sending frames, allowing the attackers fake vlan tag to be read by the next switch. It is always good practice to do one of the following (With sample IOS interface configuration): 1. Simply do not put any hosts on VLAN 1 (The default VLAN). i.e, assign an access vlan other than VLAN 1 to every access port

 Switch(config-if)# switch access vlan 2

2. Change the native VLAN on all trunk ports to an unused VLAN ID.

Switch(config-if)# switchport trunk native vlan 999

3. Explicit tagging of the native VLAN on all trunk ports.

Switch(config-if)# switchport trunk native vlan tag

Example

As an example of a double tagging attack, consider a secure web server on a VLAN called VLAN1. Hosts on VLAN1 are allowed access to the web server; hosts from outside the VLAN are blocked by layer 3 filters. An attacking host on a separate VLAN, called VLAN2, creates a specially formed packet to attack the web server. It places a header tagging the packet as belonging to VLAN2 on top of another header tagging the packet as belonging to VLAN1. When the packet is sent, the switch on VLAN2 sees the VLAN2 header and removes it, and forwards the packet. The VLAN2 switch expects that the packet will be treated as a standard TCP packet by the switch on VLAN1. However, when the packet reaches VLAN1, the switch sees a tag indicating that the packet is part of VLAN1, and so bypasses the layer 3 handling, treating it as a layer 2 packet on the same logical VLAN. The packet thus arrives at the target server as though it was sent from another host on VLAN1, ignoring any layer 3 filtering that might be in place.

See also

• Private VLAN

Notes

1. Boyles, 2010, p. 163.
2. Boyles, 2010, p. 162.

References

• Rik Farrow. "VLAN Insecurity". http://rikfarrow.com/Network/net0103.html. Retrieved 2011-03-19. 
• "Configuration Examples Related to VLAN Features". Cisco Systems. http://www.cisco.com/en/US/docs/switches/lan/catalyst2900xl_3500xl/catalyst1900_2820/version8.00.03/scg/AleakyV.html. Retrieved 2011-03-19. 
• "Response to BugTraq - 802.1q Trunking/VLAN Security". Cisco Systems. http://www.cisco.com/en/US/products/hw/switches/ps663/products_security_notice09186a0080264647.html. Retrieved 2011-03-19. 
• "VLAN Security White Paper". Cisco Systems. http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml. Retrieved 2011-03-19. 
• Boyles, Tim (2010). CCNA Security Study Guide. Sybex.