Blog

Which type of VLAN-hopping attack may be prevented by designating an unused VLAN as the native VLAN?

Which type of VLAN-hopping attack may be prevented by designating an unused VLAN as the native VLAN?

  • DTP spoofing
  • DHCP spoofing
  • VLAN double-tagging
  • DHCP starvation

The correct answer is VLAN double-tagging.

Detailed Explanation

VLAN hopping is a type of network attack that exploits the configurations and weaknesses of VLANs (Virtual Local Area Networks) in a network, allowing an attacker to access traffic on other VLANs to which they should not have access. Among the various VLAN hopping attacks, VLAN double-tagging is one of the most common forms. This attack relies on manipulating VLAN tags in Ethernet frames to gain access to unauthorized VLANs.

Designating an unused VLAN as the native VLAN is a recommended countermeasure against this type of attack. Let’s break down how VLAN double-tagging works, why it’s dangerous, and how using an unused VLAN as the native VLAN helps in preventing this attack.

What is VLAN Double-Tagging?

VLAN double-tagging is an attack that takes advantage of the way VLAN tagging is processed in network devices, particularly on trunk links between switches. In this attack, the attacker manipulates the VLAN tags in a crafted Ethernet frame to bypass the normal security controls of VLANs.

Typically, an Ethernet frame may contain a single VLAN tag, which identifies the VLAN the frame belongs to. This tag is stripped off at the trunk port and processed accordingly. However, in VLAN double-tagging attacks, an attacker crafts a frame with two VLAN tags—one outer tag and one inner tag:

  1. Outer Tag: This is the VLAN tag of the attacker’s VLAN (let’s say VLAN 10).
  2. Inner Tag: This is the tag of the target VLAN that the attacker wants to send traffic to (let’s say VLAN 20).

When this double-tagged frame reaches a switch, the switch first removes the outer VLAN tag (in this case, VLAN 10) because it is the VLAN of the attacker’s access port. After stripping the outer tag, the switch forwards the frame to all VLANs on the trunk link. However, the inner tag (VLAN 20) remains intact. As a result, the frame appears to belong to VLAN 20 as it reaches the next switch, which then forwards it as part of VLAN 20’s traffic.

This allows the attacker to bypass VLAN boundaries and send traffic to a VLAN they are not authorized to access.

Steps of a VLAN Double-Tagging Attack

  1. Crafting the Double-Tagged Frame: The attacker creates a frame with two VLAN tags. The outer tag corresponds to the VLAN of the access port the attacker is connected to (attacker’s VLAN), and the inner tag corresponds to the VLAN the attacker wants to access (target VLAN).
  2. Transmission to the Switch: The attacker sends the double-tagged frame through a trunk or access port. The first switch strips the outer VLAN tag because it corresponds to the native VLAN (or the VLAN of the attacker’s port).
  3. Forwarding the Frame: After stripping the outer tag, the switch forwards the frame to all ports on the trunk link, treating it as part of the native VLAN traffic. The inner tag is still present, making the frame appear as if it belongs to the target VLAN.
  4. Arrival at the Target VLAN: The next switch in the path processes the frame and forwards it to the devices in the target VLAN based on the inner tag, completing the attack.

How Does Designating an Unused VLAN as the Native VLAN Help?

The native VLAN is a special concept in VLAN configurations, especially on trunk links. The native VLAN is the VLAN that does not require tagging when it traverses a trunk link. By default, many switches configure VLAN 1 as the native VLAN, which is a significant security risk because VLAN 1 is often used for management traffic.

By designating an unused VLAN as the native VLAN, you reduce the risk of a successful VLAN double-tagging attack. Here’s why:

  1. Mitigating the Attack Vector: VLAN double-tagging relies on the attacker sending a frame with an outer tag that matches the native VLAN. If the native VLAN is actively used in the network, an attacker can craft frames that will blend in with legitimate traffic. However, if the native VLAN is an unused VLAN (let’s say VLAN 999), the attacker cannot easily craft frames that use this VLAN without being immediately noticeable. Any traffic tagged with the unused VLAN would be suspicious because that VLAN should not be carrying any legitimate traffic.
  2. Preventing Untagged Traffic from Being Forwarded: When the native VLAN is set to an unused VLAN, any traffic that arrives untagged (or tagged with the native VLAN) is either dropped or forwarded to a VLAN that is not in use. This reduces the chance that the attacker’s traffic will be forwarded to the target VLAN.
  3. Breaking the Chain of Double-Tagging: Since the attack depends on the outer tag being stripped and the inner tag being used for forwarding, an unused native VLAN means that the first tag-stripping event would result in the frame being placed on a VLAN that has no active devices. This effectively breaks the chain of the double-tagging attack and isolates the attacker’s frame.

Other Mitigation Techniques for VLAN Hopping

While designating an unused VLAN as the native VLAN is an effective countermeasure against VLAN double-tagging, it is just one of several best practices for securing VLANs. Some additional techniques include:

  1. Disable DTP (Dynamic Trunking Protocol): VLAN hopping can also occur through DTP spoofing, where an attacker tricks a switch into forming a trunk link and thereby gains access to multiple VLANs. Disabling DTP on all access ports prevents this form of attack.
  2. Manually Assign Trunks: Instead of allowing switches to dynamically negotiate trunks, network administrators should manually configure trunk links and explicitly define which VLANs are allowed on those trunks.
  3. Disable Unnecessary VLANs on Trunks: Limit the VLANs allowed on trunk ports to only those necessary for the operation of the network. By reducing the number of VLANs on a trunk, you minimize the surface area for potential VLAN hopping attacks.
  4. Enable VLAN Access Control Lists (VACLs): VACLs can be used to filter traffic between VLANs and prevent unauthorized access to certain VLANs. This adds another layer of protection against VLAN hopping.
  5. Use Private VLANs (PVLANs): In some cases, private VLANs can isolate hosts within the same VLAN, preventing direct communication between devices unless explicitly allowed. This helps in further segregating traffic and protecting against VLAN hopping.
  6. Implement Port Security: Port security can restrict the number of MAC addresses that can be learned on an access port, which helps prevent rogue devices from being added to the network.

Conclusion

VLAN double-tagging is a sophisticated attack that takes advantage of the way VLAN tags are processed on switches, particularly on trunk links. However, this attack can be mitigated by configuring an unused VLAN as the native VLAN. By doing this, you reduce the risk of the attacker’s crafted frames being forwarded to unauthorized VLANs.

In addition to setting an unused native VLAN, network administrators should follow other VLAN security best practices, such as disabling DTP, using VACLs, and limiting the VLANs allowed on trunks. Implementing these measures ensures a more secure network infrastructure, making it harder for attackers to exploit VLAN vulnerabilities.