Spanning Tree Protocol and Its Security Issues

Making protocols at layer 2 or otherwise Spanning Tree Protocol represents a great percent of attacks originating within the organisation. Using Ethernet PAUSE frames alongside STP makes networks more vulnerable to attacks. Most STP security threat issues include; becoming root, changing STP timers, modifying STP active topology, generating persistent and Change Notification (TCN) messages¹. Trejo is his statement argues that ‘these resurging threats cause switched networks to be brought down completely, achieving a Distributed Denial of Service Attack, by sending malicious Ethernet Pause frames’⁹. It’s often difficult to evaluate these malicious codes but some critical attacks have left traces and some techniques that can be used for prevent further damage. In such cases, Cisco Network Equipment should build a comprehensive and efficient security infrastructure that will better level security through best STP and network management practices. Trejo further adds that these recommendations should be translated into security policies and included in the existing Intrusion Detection/Prevention System’⁹.

Since many information security attacks performed over communication infrastructures are known to have their source within the organisation, protocols that operate at layer 2 (Spanning Tree Protocol- the foundation of upper layers) should be verified to ensure the security of the networks. Cisco Network Equipments needs to understand STP protocol used in switched networks full operation and obtain logical topology free of loops from a physical topology containing loops full operation and discover possible security flaws as I have recommended below². Another security threat to be looked into is the frequent triggering active topology reconfiguration that forces some ports to block, listening and learning and forwarding states. Given that ports in a state are different than the forwarding state do not forward user frames, a degradation of the network service becomes evident if this is attempted^{3 ,4}.

A network must consider robustness-which is an option to offer services in case of failures on equipment or communication links. And in this case, Redundancy guarantees the robustness of a system. The advent of STP has allowed physical loops to achieve redundancy without creating table corruption by allowing ports of switch transition through a series of states before forwarding to user frames. Although the benefits are evident, STP has clear disadvantages. For example, creation of loops that can result to corruption of MAC address tables results to hacktivism. These include; disabled; blocking; listening; learning and forwarding. In disabled stage; a port does not forward user frames to participants and to STP. The Learning process however does not add new dynamic entries in the station location into MAC address table while the blocking stage, the port does not forward user frames and does not add new dynamics entries to the station location of MAC address table. In Listening stage; port does not forward user frames. BPDUs received are processed according to STP and the port remains in this stage for as long as 15 seconds by default allowing transition back to the blocking state. The same sequence happens to learning, and forwarding states.

STP Attack Scenarios

1. Becoming Root; Here, a BPDU can be easily send into the switched network by an intruder using the highest priority value equal to 1. The BPDU system can easily consider these configurations as valid and processed by other switches since STP processes requires no authentication. Repeating this every 2 seconds (Hello Timer) allows an intruder to win root elections which places him as the new root for the STP active topology.
2. Changing active topology; In this scenario, when a STP topology has been previously designed making communication links high speed while lower speed links as redundant links, an attacker can send appropriate BPDUs into the network changing active topology by making high speed links redundant links. Here, an Intruder easily becomes root of the new active topology.
3. Persistent TCN Messages; The only messages seen transversing are those sent by the root node. An intruder might trigger the TCN mechanism by turning them on and off is special configuration is not applied. When an intruder becomes root and change STP timer values, he can also trigger the Forward Delay timer which is set very low value, send a TCM message every Max Age plus Forward Delay seconds making the MAC addresses table in every switch of tholl[\   e network to age out continuously. These malicious codes affects network performance and Cisco Network equipment should timely detect these errors and correct them.
4. Lost partial network connectivity is making IT services unavailable causing STP protocol failure and broadcast storm.

Recommendations

1. Creating network parameter baseline such as STP values with threshold for topology change frequency, timers and Root Identifiers as well as Ethernet PAUSE frames frequency could help minimise these attacks
2. Continuously monitoring STP timers and Root Identifiers by triggering an security alarm system in-case of unauthorised changes are detected
3. Monitoring switch ports where flow control is on and triggering security alarm in case numbers of PAUSE frames reaches a threshold. For instance if an intruder reduces the pause-time parameter and increase the frequency of PAUSE frames, the alarm will be configured.
4. STP route switch should be configured with a priority of 1 and a backup root configured with a priority of 2 instead of using default values.
5. Selecting reliable STP switched networks such that whenever configurations BPDU Messages coming from root are only BPDU messages seen in the network. Also, the Root Identifier and frequency values must match the parameters recorded in the network baseline as Legitimate Ethernet Pause/STP frames will not affect this values.
6. Once you identify suspicious or rather unstable (too many reconfigurations of the active topology) on a STP switched network, trigger a security alarm. Malicious Ethernet PAUSE frames will automatically induce instability.
7. Configure the port fast feature (4) ⁵if its indeed transported by NOS, on ports with attached end user stations only
8. Turning off flow control in switch ports is important
9. Disabling the change detection parameters if supported by NOS in ports where it is known to a single user and station attached, avoiding unnecessary topology change notification procedure.

STP can properly and continuously be monitored to avoid network degradation by detecting authorised intrusion and misuse of Ethernet PAUSE frames.

Bibliography

Biswanath, Mukherjee., & Todd Heberlein. 1994. “Network Intrusion Detection.” IEEE Network.

Cisco Systems. 2010. “Configuring Spanning Tree PortFast, UplinkFast, BackboneFast, and Loop Guard.” Web.

Innella, Paul., & McMillan, Oba. 2001. “An Introduction to Intrusion Detection Systems. Tetrad Digital Integrity,LLC.” Web.

Trejo, Luis. 2005. Spanning Tree Protocol Management: Best Practices. In ACNS 2005, 3rd International Conference on Applied Cryptography and Network Security. Industrial and Short-Papers Track., New York, NY: Columbia University.

Wayne, Lewis. 2003. Multilayer Switching Companion Guide. Cisco Press.

Footnotes

1. Trejo, Luis. 2005. Spanning Tree Protocol Management: Best Practices. In ACNS 2005, 3rd International Conference on Applied Cryptography and Network Security. Industrial and Short-Papers Track., New York, NY: Columbia University.
2. Wayne, Lewis. 2003. Multilayer Switching Companion Guide. Cisco Press.
3. Innella, Paul., & McMillan, Oba. 2001. “An Introduction to Intrusion Detection Systems. Tetrad Digital Integrity,LLC”. Web.
4. Biswanath, Mukherjee., & Todd Heberlein. 1994. “Network Intrusion Detection”. IEEE Network.
5. Cisco Systems. 2010. “Configuring Spanning Tree PortFast, UplinkFast, BackboneFast, and Loop Guard”. Web.