Network Security – VLAN Hopping Attacks.

By | December 1, 2023

What Are VLAN Hopping Attacks?

VLAN hopping is a type of network attack that exploits certain properties of the VLAN (Virtual Local Area Network) setup, particularly on switches, to gain unauthorized access to traffic of other VLANs that would normally be restricted.

VLANs are used to segment network traffic, with the purpose of increasing security and performance by separating different types of traffic or users. However, in a VLAN hopping attack, an attacker manipulates VLAN tagging mechanisms to bypass these controls.

Each VLAN consists of a single broadcast domain. VLANs work by labelling packets with an identification header. Configured ports on the network switch can only receive packets that are part of the VLAN. The VLAN information may be carried between switches in a LAN using trunk ports.

Trunk ports have access to all VLANs by default. They route traffic for multiple VLANs across the same physical link. Two types of trunks are used: 802.1q and ISL.

The trunking mode on a switch port may be detected using Dynamic Trunking Protocol (DTP), which automatically recognizes whether the adjacent device to the port is capable of trunking. If so, it synchronizes the trunking mode on the two ends.

The DTP state on a trunk port may be set to auto, on, off, desirable, or non-negotiable. The DTP default on most switches is auto.

One of the areas of concern with Layer 2 security is the variety of methods by which traffic that is sent from one VLAN may be captured or redirected to another VLAN; this is formally known as VLAN hopping.

Attackers or unauthorized persons use VLAN hopping attacks to bypass a Layer 3 device when communicating from one VLAN to another. The attack works by taking advantage of or exploiting an incorrectly configured trunk port.

This type of attack works mostly in a multi-switch environment, where a trunk link could be exploited to transmit the packets.

There are two different types of VLAN hopping attacks:

1. Switch spoofing—The network attacker configures a system to disguise itself as a switch by emulating either ISL or 802.1q and DTP signalling. This makes the attacker appear to be a switch with a trunk port and therefore a member of all VLANs.

2. Double tagging—Another way the VLAN hopping attack occurs is by labelling the transmitted frames with two 802.1q headers. Most switches today perform only one level of decapsulation. So when the first switch sees the double-tagged frame, it strips the first tag off the frame and then forwards it with the inner 802.1q tag to all switch ports in the attacker’s VLAN and to all trunk ports.

Both methods are effective because they exploit default configurations and behaviors of many switches.

How To Stop or Prevent VLAN Hopping Attacks.

To prevent VLAN hopping attacks:

* Always use dedicated VLAN IDs for all trunk ports.

* Disable all unused ports and place them in an unused VLAN.

* Set all user ports to the non-trunking mode by disabling DTP. Use the switchport mode access command in the interface configuration mode.

* For backbone switch-to-switch connections, explicitly configure trunking.

* Do not use the user native VLAN as the trunk port native VLAN.

* Do not use VLAN 1 as the switch management VLAN.

Regularly update and patch network devices to address any known vulnerabilities.
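
The port-level items in the checklist above can be checked mechanically against a saved switch configuration. The following Python script is an added example, not code from the original article; it assumes Cisco IOS-style configuration syntax, and the sample configuration, port names and VLAN IDs are constructed for illustration.

```python
import re

# Constructed sample in Cisco IOS syntax; port names and VLAN IDs are made up.
SAMPLE = """\
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/3
 switchport mode dynamic desirable
 shutdown
!
interface GigabitEthernet0/23
 switchport mode trunk
 switchport trunk native vlan 998
!
interface GigabitEthernet0/24
 switchport mode trunk
 switchport trunk native vlan 10
!
"""

def parse_interfaces(text):
    """Group indented config lines under their 'interface <name>' header."""
    blocks = re.findall(r"^interface (\S+)\n((?: .*\n)*)", text, re.M)
    return {name: [l.strip() for l in body.splitlines()] for name, body in blocks}

def audit(text):
    """Return {interface: [findings]} for ports that break the checklist."""
    ports = parse_interfaces(text)
    user_vlans = {int(m.group(1)) for cfg in ports.values() for line in cfg
                  if (m := re.fullmatch(r"switchport access vlan (\d+)", line))}
    report = {}
    for name, cfg in ports.items():
        if "shutdown" in cfg or name.startswith("Vlan"):
            continue  # disabled ports and VLAN interfaces are out of scope here
        issues = []
        if "switchport mode trunk" in cfg:
            native = next((int(l.split()[-1]) for l in cfg  # IOS default is 1
                           if l.startswith("switchport trunk native vlan ")), 1)
            if native == 1 or native in user_vlans:
                issues.append(f"trunk native VLAN {native} is the default or a user VLAN")
        elif "switchport mode access" not in cfg:
            issues.append("no static access mode: DTP may negotiate a trunk")
        if issues:
            report[name] = issues
    return report
```

Calling `audit(SAMPLE)` flags the port left at defaults and the trunk whose native VLAN is also a user access VLAN; the shut-down port, the static access port and the trunk with a dedicated native VLAN pass.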
