VLAN Hopping - how real is the threat?

Hi,

I've been reading up on the subject of VLAN hopping and am trying to understand exactly what the impact of such a threat is and how it can be mitigated.

Assuming double-tagging from a host using 802.1q (and not switch spoofing via auto trunking) and outer tag is same as native VLAN of switch trunks:

  • host sends double-tagged frames to switch with outer tag same as native VLAN
  • switch strips native VLAN tag when sends across trunk link to other switch.
  • other switch then sends frame to the target VLAN host - VLAN has been 'hopped'

Now if the above happened surely the only thing that can be done is a unidirectional attack i.e. DoS as theres no way for any communication to happen back from the target host (as that is not double tagging) - is this correct? I guess you'd need at least 2 switches to make this happen in any case so that the stripped frame crosses the trunk link?

Also using standard best practices of setting an unused VLAN as the native VLAN on trunk links, or tagging all dot1q vlans (vlan dot1q tag native) would prevent this from happening in the first place.

Finally, if the switch ports were configured as 'access' ports only (switchport mode access) and trunking was off (switchport nonegotiate) if that port received a tagged frame would it drop it i.e. switchport access vlan 10 is configured. User sends double tagged frame with outer frame as VLAN 1 - is this dropped immediately?

Appreciate any comments/thoughts

Comments

  • As you correctly stated, VLAN hopping attacks (injecting traffic into different L2 broadcast domain) are classified in two types

    1) converting an access link into trunk and breaking into another VLAN by using tagged headers

    2) using double-tagging and native-vlan to strip the outer header in order to get into another VLAN (inner header) 

    The first attack my succeed against a catalyst switch either if the switchport is configured as dynamic or static trunk, and the second one may succeed when native VLANs match between trunk ports. Like you mentioned, disabling DTP, setting port modes to static access and tagging native VLANs would effectively prevent the above mentioned VLAN hopping attacks. 

    I think it's makes more sense to focus on the other more dangerous L2 attacks (e.g. STP attack, ARP spoofing, MAC flooding), since VLAN hopping attack is pretty basic and does not involve too much configuration step to mitigate.

Sign In or Register to comment.