VLAN Hopping Attack

VLAN
A VLAN is simply a group of devices on one or more LANs that are configured to communicate as if they were attached to the same wire, when in fact they are located on a number of different LAN segments. Because VLANs are based on logical rather than physical connections, they are extremely flexible.
figure 1: VLAN
We can define a VLAN simply as one or more virtual bridges within a switch. Each virtual bridge you create in the switch defines a new broadcast domain (VLAN). Traffic cannot pass directly from one VLAN to another (between broadcast domains), either within a switch or between two switches. To interconnect two different VLANs, you must use a router or a Layer 3 switch.

VLAN Hopping
VLAN hopping is simply a method of attacking network resources on a VLAN (virtual LAN). The basic concept behind all VLAN hopping attacks is for an attacking host on one VLAN to gain access to traffic on other VLANs that would normally not be accessible to it. There are two main methods of performing a VLAN hopping attack:
1. Switch spoofing
2. Double tagging
1. Switch Spoofing
A switch spoofing attack is possible when a switch port is in trunk mode or is left in a dynamic DTP mode (access/desirable) instead of being hard-coded as an access port.
figure 2: DTP access/desirable


In the figure above, the Dynamic Trunking Protocol (DTP) mode is access/desirable, which means a VLAN hopping attack is possible. This would happen if a trunk port was set to auto and the attacker sent spoofed DTP (Dynamic Trunking Protocol) frames or connected a rogue switch to the switch port: the port negotiates a trunk with the attacker, who then receives traffic for every VLAN allowed on that trunk.
How to prevent switch spoofing attacks:
We can prevent switch spoofing (VLAN hopping) attacks by the following means:
  • Disable DTP and hard-code all access ports as access ports.
  • Never leave an access port in "dynamic desirable" or "trunk" mode.
2. Double tagging
Double tagging is another type of VLAN hopping attack, in which the attacker is connected to an interface that belongs to the native VLAN of a trunk port. A double tagging attack is unidirectional: the attacker can send frames into the victim's VLAN but gets no reply traffic back.
figure 3: Double tagging attack scenario

The double tagging VLAN hopping attack takes advantage of 802.1Q tagging and of the tag removal process of many types of switches. Many switches remove only one 802.1Q tag. In a double tagging attack, the attacker modifies the original frame to carry two VLAN tags: an outer tag for his own VLAN and an inner, hidden tag for the victim's VLAN. Here the attacker's PC must belong to the native VLAN of the trunk link, because the first switch strips the outer (native VLAN) tag as it forwards the frame onto the trunk, and the next switch then reads the inner tag and delivers the frame into the victim's VLAN.
How to prevent double tagging attacks:
  • Make the native VLAN of the trunk port different from all user VLANs.
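To make the frame structure above concrete, here is an added example (not code from the original post) that parses the 802.1Q tag stack of a raw Ethernet frame and flags the double-tagged pattern: more than one tag, with the outer tag equal to the trunk's native VLAN. The frames it checks are constructed in the block itself; the native VLAN ID and the helper names are assumptions made for the example.

```python
import struct

DOT1Q_TPID = 0x8100  # EtherType value that announces an 802.1Q tag follows


def parse_vlan_tags(frame: bytes):
    """Walk every consecutive 802.1Q header after the two MAC addresses.

    Returns (vlan_ids_outer_to_inner, ethertype_of_the_payload).
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    offset, vids = 12, []
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype != DOT1Q_TPID:
            return vids, ethertype
        if len(frame) < offset + 6:  # TPID + TCI + the EtherType after them
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vids.append(tci & 0x0FFF)  # low 12 bits of the TCI carry the VLAN ID
        offset += 4


def check_frame(frame: bytes, native_vlan: int) -> dict:
    """Flag frames carrying more than one 802.1Q tag.  The attack pattern is an
    outer tag equal to the trunk's native VLAN (stripped by the first switch)
    hiding an inner tag for the victim VLAN (honoured by the next switch)."""
    vids, ethertype = parse_vlan_tags(frame)
    double_tagged = len(vids) >= 2
    return {
        "vlan_ids": vids,
        "ethertype": ethertype,
        "double_tagged": double_tagged,
        "outer_is_native": double_tagged and vids[0] == native_vlan,
    }


def build_frame(dst: bytes, src: bytes, vids, ethertype: int, payload: bytes) -> bytes:
    """Assemble a constructed test frame with the given tags, outer tag first."""
    hdr = dst + src
    for vid in vids:
        hdr += struct.pack("!HH", DOT1Q_TPID, vid & 0x0FFF)  # PCP=0, DEI=0
    return hdr + struct.pack("!H", ethertype) + payload


# Constructed samples: an ordinary VLAN 10 frame and a double-tagged one (1 outer, 20 inner).
SRC, DST = bytes.fromhex("020000000001"), bytes.fromhex("ffffffffffff")
NORMAL_FRAME = build_frame(DST, SRC, [10], 0x0800, b"\x00" * 46)
DOUBLE_FRAME = build_frame(DST, SRC, [1, 20], 0x0800, b"\x00" * 46)
```

Running `check_frame` over frames captured on the trunk side (for example from a SPAN session) with the trunk's real native VLAN ID shows why the mitigation works: once the native VLAN is moved to an ID no user port belongs to, an attacker on an access port can no longer produce an outer tag that the first switch will strip.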
