02-22-2016 05:46 AM - edited 03-08-2019 04:40 AM
Hello guys,
Two questions:
1) Double-tagging works in one direction.
What would be the reason for performing this type of attack? DoS?
2) It works when the attacker's PC is connected to a switch port that resides in the same VLAN as the native VLAN of the trunk.
From what I understood, it's true that even access ports can accept tagged frames (so it would even work in the case of an access port, correct)?
3) Stopping this type of attack is not as easy as stopping basic VLAN hopping attacks.
How can I prevent this type of attack? Is changing the default native VLAN to any different unused VLAN the only way to handle it?
Looking forward to hearing from you guys!
Best regards
Adam
02-22-2016 01:15 PM
Adam,
To start off, keep in mind that double-tagging starts when an attacker sends a frame to a connected switchport with two VLAN tags in the header.
1. Double-tagging allows you to reach the victim a switch away from the attacker.
2. Correct, access ports will accept tagged frames.
If the attacker is connected to an access port as mentioned, it will accept the first tag of the frame.
If the attacker is connected to a Dot1Q trunk, the first tag matches the native VLAN. The second tag matches the destination VLAN that is desired for the attack.
Now the switch receives the attacker's frames, and the first tag is stripped. Now the second tag is forwarded out all of the switch's trunks for the destination VLAN. The second tag was never stripped, so the receiving switch sees it and forwards it to the ports that are in that VLAN.
3. Yes, assigning the native to an unused VLAN is one of the mitigation steps.
A few things:
Additional considerations:
Regards,
Anthony
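To make the two-switch walk-through above and the native-VLAN mitigation concrete, here is a small Python model of the forwarding path. It is an added example written for this thread, not code from the original posts or from Cisco: it parses stacked 802.1Q headers, applies the ingress/egress rules described in the answer (an access port accepts a frame whose outer tag is its own VLAN and strips it; a trunk sends the native VLAN untagged unless native tagging is on; the far switch classifies untagged frames into its native VLAN), and reports which VLAN the frame is delivered in on the second switch. The `tag_native` flag stands for the Cisco global command `vlan dot1q tag native`; the frame bytes and VLAN numbers are constructed for the demonstration, and the simplified behaviours (no allowed-VLAN list, no MAC learning) are assumptions of the model.

```python
import struct

DOT1Q = 0x8100  # 802.1Q Tag Protocol Identifier (TPID)


def parse_frame(frame):
    """Split an Ethernet II frame into (dst, src, [vlan ids], ethertype, payload).
    Every 0x8100 TPID after the MAC addresses counts as one more stacked
    802.1Q tag; only the 12-bit VID of each tag is kept."""
    dst, src = frame[:6], frame[6:12]
    off, vids = 12, []
    while len(frame) >= off + 4 and struct.unpack("!H", frame[off:off + 2])[0] == DOT1Q:
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        vids.append(tci & 0x0FFF)
        off += 4
    ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    return dst, src, vids, ethertype, frame[off + 2:]


def build_frame(dst, src, vids, ethertype, payload):
    """Inverse of parse_frame: stack one 802.1Q tag per VID (PCP/DEI = 0)."""
    tags = b"".join(struct.pack("!HH", DOT1Q, v & 0x0FFF) for v in vids)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def access_ingress(frame, access_vlan):
    """Switch A, the attacker-facing access port (assumed behaviour, as the
    thread states): a tagged frame is accepted only if its outer tag equals the
    port's access VLAN; that outer tag is stripped. Untagged frames are simply
    classified into access_vlan. Returns (vlan, frame) or (None, None) if dropped."""
    dst, src, vids, et, payload = parse_frame(frame)
    if vids:
        if vids[0] != access_vlan:
            return None, None
        vids = vids[1:]
    return access_vlan, build_frame(dst, src, vids, et, payload)


def trunk_egress(vlan, frame, native_vlan, tag_native):
    """Switch A, trunk toward switch B: the native VLAN leaves untagged unless
    'vlan dot1q tag native' is in effect; every other VLAN gets a tag pushed."""
    if vlan == native_vlan and not tag_native:
        return frame  # whatever inner tag is left now becomes the outer tag
    dst, src, vids, et, payload = parse_frame(frame)
    return build_frame(dst, src, [vlan] + vids, et, payload)


def trunk_ingress(frame, native_vlan):
    """Switch B, trunk port: untagged -> native VLAN; tagged -> outer tag,
    which is stripped before forwarding inside that VLAN."""
    dst, src, vids, et, payload = parse_frame(frame)
    if not vids:
        return native_vlan, frame
    return vids[0], build_frame(dst, src, vids[1:], et, payload)


def delivered_vlan(frame, access_vlan, native_vlan, tag_native=False):
    """VLAN in which switch B forwards the frame, or None if switch A drops it."""
    vlan, f = access_ingress(frame, access_vlan)
    if vlan is None:
        return None
    f = trunk_egress(vlan, f, native_vlan, tag_native)
    vlan, _ = trunk_ingress(f, native_vlan)
    return vlan


# Constructed sample frames: attacker sits in VLAN 1, target VLAN is 20.
BCAST = b"\xff" * 6
ATTACKER_MAC = b"\x02\x00\x00\x00\x00\x01"
DOUBLE_TAGGED = build_frame(BCAST, ATTACKER_MAC, [1, 20], 0x0800, b"ip-payload")
UNTAGGED = build_frame(BCAST, ATTACKER_MAC, [], 0x0800, b"ip-payload")

if __name__ == "__main__":
    # Weak setup: access VLAN 1 == untagged native VLAN 1 -> frame lands in VLAN 20.
    print("native 1, untagged :", delivered_vlan(DOUBLE_TAGGED, 1, 1))
    # Mitigation 1: native VLAN moved to an unused VLAN -> frame stays in VLAN 1.
    print("native 999          :", delivered_vlan(DOUBLE_TAGGED, 1, 999))
    # Mitigation 2: 'vlan dot1q tag native' -> frame stays in VLAN 1.
    print("native 1, tagged    :", delivered_vlan(DOUBLE_TAGGED, 1, 1, tag_native=True))
    # Ordinary untagged traffic is unaffected by either mitigation.
    print("untagged, native 999:", delivered_vlan(UNTAGGED, 1, 999))
```

The model shows the condition the answer describes: the inner tag only surfaces on the trunk when the attacker's VLAN is the trunk's native VLAN and that native VLAN is sent untagged. Moving the native VLAN to an unused one, or forcing the native VLAN to be tagged, both keep the outer tag in place so switch B classifies the frame into the attacker's own VLAN. It also shows why the trick is one-way: nothing on the path gives a host in VLAN 20 a route back, so its reply is just ordinary VLAN 20 traffic that never reaches the VLAN 1 access port.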
02-25-2016 04:32 AM
Thank you Anthony for looking into this!
BR
Adam