Attacks on layer two of the OSI model (II): Spanning Tree Protocol
The purpose of Spanning Tree Protocol (STP) is avoiding network loops when interconnecting network segments. Only one unique path can exist from one device to another. Each STP packet is called BPDU (Bridge Protocol Data Unit), and we can identify it by looking at its format: an IEEE 802.3 packet with a 802.2 header and with destination MAC 01:80:C2:00:00:00.
Two types of BPDU exist: Configuration and Topology Change Notification (TCN). The first one is sent periodically and shows the network configuration, whilst the second one is sent each time a network change is detected (a port is enabled/disabled). More information about STP can be found in IEEE Standard 802.1D.
The main weakness of STP is lack of authentication and control. Every device, every person or attacker can send a BPDU and participate in the protocol. In order to understand the attacks it is necessary to know the format of Configuration BPDU:
- PID (2 bytes): Protocol, always zero
- Version (1 byte): STP version, can be zero (STP), one (RSTP) or three (MSTP)
- Message type (1 byte): BPDU type: configuration (0x00) or TCN (0x80)
- Flags (1 byte): several port settings (useful for RSTP) and a bit for notifying a topology change
- Root ID (8 bytes): root device ID
- Root path cost (4 bytes): cost of the path to the root device
- Bridge ID (8 bytes): BPDU sender ID
- Port ID (2 bytes): port number (IEEE or Cisco STP BPDU) from which the BPDU is sent
- Message age (2 bytes): amount of time which has elapsed since root sent the configuration message on which the current one is based
- Maximum age (2 bytes): when the current configuration message should be deleted
- Hello time (2 bytes): time between sending two configuration BPDUs
- Forward delay (2 bytes): time that bridges should wait before transitioning to a new state after a topology change.