and PAUSE Frames DDoS Attacks: Their Efficient Mitigation

Luis A. Trejo 1, Raúl Monroy 1, and Rafael López Monsalvo 2

1 Department of Computer Science, Tecnológico de Monterrey, Campus Estado de México, Carr. Lago de Guadalupe, Km. 3.5, Estado de México, 52926, Mexico
2 Forêt Network Consulting, Carlos Bustamante 9B, Estado de México, 53100, Mexico; 159 E. 33rd Street Suite 3, New York, NY 10016, U.S.A.

Abstract. Making the protocols at layer 2 of the OSI model less vulnerable to computational attacks has become essential, since a large share of attacks originate within the organization. Recently, several attacks using Ethernet PAUSE frames in combination with well known Spanning Tree Protocol (STP) attacks have been reported. We believe that STP can be properly configured and continuously monitored so as to avoid any network degradation due to an undetected intrusion and misuse of Ethernet PAUSE frames (802.3x). In this paper, the main STP security threats that an intruder can exploit are presented: becoming root, modifying the STP active topology, changing STP timers, and generating persistent Topology Change Notification (TCN) messages. Also, a switched network can be brought down completely, hence achieving a Distributed Denial of Service attack, by sending malicious Ethernet PAUSE frames. These threats were fully implemented in the laboratory, and general recommendations to attain a better level of security through best STP and network management practices were derived. Furthermore, some recommendations can be translated into security policies and incorporated as part of an existing Intrusion Detection/Prevention System.

Keywords: Spanning Tree Protocol, Distributed DoS, 802.1D, 802.1w, 802.3x, Network Management, Ethernet Flow Control, Layer 2 Attacks, Intrusion Detection Systems

1 Introduction

Many information security attacks performed over the communications infrastructure of an organization are known to have their source within the organization. Attention to information security attacks arising at layer 2 of the OSI model has increased considerably [6]. This is the case of layer 2 attacks that take advantage of publicly known vulnerabilities at this layer. A computer system's security is considered to be as strong as its weakest link. Considering that OSI layer 2 is the foundation of the upper layers, verifying security at this point becomes essential. One of the main goals of this research is the study of protocols that operate at layer 2 (such as the Spanning Tree Protocol (STP) and the 802.3x standard) in order to understand their full operation and to discover possible security flaws. In this manner, general recommendations and best administrative practices can be derived, hence increasing the level of security of the network.

STP is a protocol used in switched networks to obtain a logical topology free of loops from a physical topology containing loops [1, 14]. It offers the administrator the benefits of a redundant topology without the risk caused by physical loops. The main known STP threats that an intruder can take advantage of are: becoming root, modifying the STP active topology, changing STP timers, and generating persistent Topology Change Notification (TCN) messages [13]. Another important threat that can be exploited by an intruder consists of the frequent triggering of the active topology reconfiguration, forcing some ports to go through the blocking, listening, learning, and forwarding states. Given that ports in a state other than forwarding do not forward user frames, a degradation of the network service becomes evident.

On the other hand, 802.3x is a pause-based flow control mechanism used primarily to reduce the rate of packets received from a peer device in order to avoid packet loss. Recently, several attacks using 802.3x frames in combination with well known Spanning Tree Protocol (STP) attacks have been reported [8].

We fully implemented the above STP threats and 802.3x attacks in our networking laboratory. Our results are detailed in the following sections. We found that replicating the attack scenarios in a production environment is a very simple task, which is a result of great concern, since in some cases the network service was brought down completely. Therefore, recommendations for attaining a better level of security through best management practices become essential. Furthermore, some recommendations can be translated into security policies and incorporated as part of an existing Intrusion Detection System [7, 10].

Many of the aspects discussed in this paper also apply to 802.1w [2, 5, 11] networks, 802.1w being the standard that describes the Rapid Spanning Tree Protocol (RSTP). Marro [9] presents a very detailed study of R/STP (RSTP and STP) vulnerabilities and proposes efficient countermeasures to be included as part of any new R/STP implementation. He built SToP, a tool that allows modifying any field in the BPDU message and is capable of generating BPDU packets at a high rate, thus very quickly flooding a network. The tool was mainly used to validate, in a controlled environment, the assumptions made about R/STP security flaws and their mitigation. Howard [6] gives an overview of layer 2 protocols, including R/STP, that are susceptible to attacks and thus compromise the upper layers of an organization's IT infrastructure.

Paper overview This paper is organized as follows. In the previous section, a justification for studying layer 2 attacks was presented, choosing the STP protocol and 802.3x as the starting point for our research. Then the main threats were introduced, pointing out the need for general recommendations aimed at improving security at layer 2. In Section 2, the pause-based flow control mechanism for Ethernet implementations, as specified by 802.3x, is explained. In Section 3, a quick review of the STP protocol is given. In Section 4, the STP attack scenarios we implemented in the laboratory are described, and in Section 5, DDoS attacks using 802.3x frames on an STP active topology are presented. In Section 6 general recommendations for improving security at layer 2 are given. Finally, Sections 7 and 8 present our conclusions and ongoing research along with a brief description of the laboratory equipment used to implement the different attack scenarios.

2 Ethernet Flow Control

The standard 802.3x [3] is a supplement to the ANSI/IEEE 802.3 standard that adds a mechanism for pause-based flow control. The main purpose of flow control is to reduce the rate of packets received at some point in the network in order to avoid packet loss. Flow control is achieved by means of special MAC Control frames, known as PAUSE frames. MAC Control frames are distinguished from other MAC frames, i.e. data frames, only by their Length/Type field; in this case, the Length/Type field value is set to 0x88-08. A PAUSE frame is therefore defined as a MAC Control frame with an Opcode value of 0x00-01 (see Fig. 1). A device is capable of supporting multiple flow control modes. These modes are symmetric flow control (SFC), asymmetric flow control (AFC), and no flow control at all. In SFC mode, PAUSE frames may flow in either direction. In AFC mode, they may flow in only one direction, either towards the local device or away from the local device.

[Fig. 1: MAC Control frame field layout]
Destination Address (6) | Source Address (6) | Length/Type (2) | MAC Control Opcode (2) | MAC Control Parameters (variable) | Reserved [zero padding] (variable)

Fig. 1. MAC Control frame format. The number in parentheses is the number of octets used. The last two fields together add up to 44 octets.

2.1 Transmission of a PAUSE frame

A device wishing to reduce the rate of packets it receives sends a PAUSE frame to its peer device indicating the period of time the transmitting device should stop sending data frames. This time is specified in the MAC Control Parameters field. The generated PAUSE frame contains the following values:

1. The globally-assigned 48-bit multicast address 01-80-C2-00-00-01 (see footnote 3) as the destination address, or the unicast address of the peer device.
2. The MAC Control Opcode = 0x00-01, indicating a PAUSE frame.
3. A two-octet MAC Control Parameter, known as pause time, indicating the length of time for which the peer device is requested to inhibit data frame transmission. The pause time is measured in units of pause quanta; one pause quantum equals 512 bit times of the particular Ethernet implementation. The range of possible pause time values is 0 to 65,535 pause quanta. For example, if pause time is set to 0x00-0A, then the time requested to inhibit transmission equals 5,120 bit times. For a 10 Gbps implementation, this corresponds to 0.512 µs. Table 1 shows the inhibition times for a pause time of 0xFF-FF on different Ethernet implementations.

3 The multicast address is reserved for use by MAC Control PAUSE frames. IEEE 802.1D-conformant bridges will not forward frames sent to this multicast destination address, regardless of the state of the bridge's ports.

Table 1. Total time a device stops sending for the maximum pause time value on different Ethernet implementations.

Ethernet    pause time   pause quantum   Total inhibition time
10 Gbps     0xFF-FF      0.0512 µs       3.35 ms
1 Gbps      0xFF-FF      0.512 µs        33.55 ms
100 Mbps    0xFF-FF      5.12 µs         333.53 ms

2.2 Reception of a PAUSE frame

Upon reception of a valid PAUSE frame, the device starts a timer called the pause timer and sets it to the received pause time parameter multiplied by the pause quantum of the particular Ethernet implementation. The timer is reset to the new value regardless of its current setting, i.e., a new PAUSE frame operation overrides earlier PAUSE frame operations. While the timer is non-zero, the device inhibits the transmission of data frames. The timer counts down to zero, at which point the transmission of data frames is resumed. As a final remark, a PAUSE frame cannot be used to inhibit transmission of MAC Control frames and shall only be sent between ports configured in full-duplex mode.
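The parser and per-port inhibition model below are added here as an example and are not code from the paper. They decode a MAC Control PAUSE frame as laid out in Fig. 1, convert pause time to seconds using the 512-bit-time quantum of Section 2.1, apply the Section 2.2 rule that a new PAUSE frame resets the pause timer, and implement the recommendation 3 alarm of Section 6 as a fraction-of-window-inhibited check rather than a raw frame count. The sample frame, the source MAC 00-11-22-33-44-55 and the alarm limit are constructed; the FCS is assumed stripped.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

PAUSE_MULTICAST = bytes.fromhex("0180c2000001")   # reserved PAUSE destination
MAC_CONTROL_TYPE = 0x8808                         # Length/Type of MAC Control
PAUSE_OPCODE = 0x0001
PAUSE_QUANTUM_BITS = 512                          # one pause quantum
GIGABIT = 1_000_000_000


@dataclass
class PauseFrame:
    dst: bytes
    src: bytes
    pause_time: int            # 0..65535 pause quanta


def parse_pause_frame(frame: bytes) -> Optional[PauseFrame]:
    """Return a PauseFrame for a well-formed 802.3x PAUSE frame, else None.
    The FCS is assumed stripped, so the minimum frame is 60 octets (Fig. 1)."""
    if len(frame) < 60:
        return None
    dst, src, ltype, opcode, pause_time = struct.unpack("!6s6sHHH", frame[:18])
    if ltype != MAC_CONTROL_TYPE or opcode != PAUSE_OPCODE:
        return None
    # Destination is the reserved multicast or a unicast (I/G bit clear) address
    if dst != PAUSE_MULTICAST and dst[0] & 0x01:
        return None
    if any(frame[18:60]):      # Reserved field must be zero padding
        return None
    return PauseFrame(dst, src, pause_time)


def inhibition_time_s(pause_time: int, link_bps: int) -> float:
    """Seconds the peer stops sending: pause_time quanta x 512 bit times / rate."""
    return pause_time * PAUSE_QUANTUM_BITS / link_bps


def inhibited_fraction(events: List[Tuple[float, int]], link_bps: int,
                       window_start: float, window_end: float) -> float:
    """Fraction of the window during which one port was inhibited.
    events: time-sorted (timestamp_s, pause_time) pairs seen on that port.
    Section 2.2 rule: a new PAUSE frame resets the pause timer regardless of
    its current value, so each frame's inhibition ends at its own expiry or
    at the next frame, whichever comes first."""
    inhibited = 0.0
    for i, (t, pause_time) in enumerate(events):
        end = t + inhibition_time_s(pause_time, link_bps)
        if i + 1 < len(events):
            end = min(end, events[i + 1][0])
        start, end = max(t, window_start), min(end, window_end)
        if end > start:
            inhibited += end - start
    return inhibited / (window_end - window_start)


def is_pause_flood(events: List[Tuple[float, int]], link_bps: int,
                   window_start: float, window_end: float, limit: float = 0.5) -> bool:
    """Recommendation 3 alarm. Measuring inhibited time instead of counting
    frames stays valid when an attacker shortens pause_time and sends faster."""
    return inhibited_fraction(events, link_bps, window_start, window_end) > limit


# Constructed sample frame (not a capture): reserved multicast destination,
# constructed source MAC, MAC Control Length/Type, PAUSE opcode, pause_time
# 0xFFFF and 42 octets of zero padding.
SAMPLE_FRAME = bytes.fromhex("0180c2000001" "001122334455" "8808" "0001" "ffff") + bytes(42)


def demo() -> Tuple[float, bool, bool]:
    frame = parse_pause_frame(SAMPLE_FRAME)
    # Table 1: pause_time 0xFFFF on 1 Gbps inhibits for 33.55 ms
    t_max = inhibition_time_s(frame.pause_time, GIGABIT)
    # One maximum PAUSE every 30 ms, i.e. before the 33.55 ms expiry, for 1 s
    flood = [(0.03 * i, frame.pause_time) for i in range(34)]
    # Ten small (0x000A) PAUSE frames in the same second: negligible inhibition
    benign = [(0.1 * i, 0x000A) for i in range(10)]
    return (t_max, is_pause_flood(flood, GIGABIT, 0.0, 1.0),
            is_pause_flood(benign, GIGABIT, 0.0, 1.0))
```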

3 The STP Protocol: a Quick Review

A network design must consider robustness, that is, the ability to offer a service in the presence of failures either of equipment or of a communications link. Redundancy is a way to guarantee the robustness of the system. Even if the benefit is evident, a redundant topology has a clear disadvantage: the creation of cycles or loops, which can result in broadcast storms or corrupt the MAC address tables. In a switched LAN environment, the existence of physical loops might be required to achieve redundancy. The Spanning Tree Protocol (STP) allows for this without creating broadcast storms or table corruption. STP, as specified in [1], has the main goal of calculating the minimum spanning tree of a given graph; the resulting tree is free of cycles and of minimal cost. In this section a quick overview of the STP protocol is given.

3.1 STP BPDU message format

A BPDU (Bridge Protocol Data Unit) is the Protocol Data Unit used by STP and consists of the fields shown in Fig. 2. The description of each field follows.

Protocol Identifier. Identifies the Spanning Tree Protocol; its value is 0x00-00.
Protocol Version Identifier. Represents the version of the Spanning Tree Protocol; its value is currently 0x00.
BPDU Type. It takes a value of 0x00 when denoting a Configuration BPDU, and a value of 0x80 when denoting a Topology Change Notification.
Flags. The least significant bit in Flags is used to advertise to the network that a topology change is currently in process (Flags = 0x01). The most significant bit in Flags is used to acknowledge a topology change notification (Flags = 0x80).

[Fig. 2: BPDU field layout]
Protocol Identifier (2) | Protocol Version Identifier (1) | BPDU Type (1) | Flags (1) | Root Identifier (8) | Root Path Cost (4) | Bridge Identifier (8) | Port Identifier (2) | Message Age (2) | Max Age (2) | Hello Time (2) | Forward Delay (2)

Fig. 2. BPDU format. The number in parentheses is the number of octets used.

Root Identifier. Represents the identification of the switch that acts as the root node in the spanning tree. It is formed by the concatenation of a priority value (2 octets) and the MAC address of the switch (6 octets). The priority of a switch is a configurable value from 0 to 65,535.
Root Path Cost. The cost from the switch to reach the root node of the spanning tree.
Bridge Identifier. Represents the identification of the switch sending the BPDU message. It is formed by the concatenation of a priority value (2 octets) and the MAC address of the switch (6 octets). Priority is a configurable value from 0 to 65,535.
Port Identifier. Represents the identification of the switch port sending the BPDU message. It is formed by the concatenation of a priority value (1 octet) and the number of the port (1 octet). The priority of a switch port is a configurable value from 0 to 255.
Message Age. The age of the BPDU since its generation by the root node.
Max Age. The maximum amount of time a switch keeps the information from a received BPDU in case BPDUs cease to arrive due to packet loss or network failure.
Hello Time. The time interval between BPDU transmissions.
Forward Delay. The time spent by a port in the listening and learning STP states. Also, the time used by a switch to age out dynamic entries in the MAC address table while a topology reconfiguration is taking place.

3.2 STP decision sequence

The following decision sequence is used by the Spanning Tree Protocol to determine that a received BPDU message on a port supersedes a previously stored BPDU, presumed to be the best known so far:

Case 1. It contains a Root Identifier of higher priority, or
Case 2. It contains a Root Identifier of the same priority, and a lower Root Path Cost, or
Case 3. It contains a Root Identifier and a Root Path Cost of the same value, and a Bridge Identifier of higher priority, or
Case 4. It contains a Root Identifier, a Root Path Cost, and a Bridge Identifier of the same value, and a Port Identifier of higher priority.

If one of the four cases holds, then the received BPDU supersedes and thus replaces the latest stored BPDU. This decision sequence is used during the STP operation described below.

3.3 STP operation

At start up, the ports of a switch transition through a sequence of states before forwarding user frames. These states are disabled, blocking, listening, learning and forwarding (see Fig. 3). Next, a brief explanation of each state is given.

[Fig. 3: port state sequence] Disabled -> Blocking -> Listening -> Learning -> Forwarding

Fig. 3. STP transition states.

Disabled. A port in this state neither forwards user frames nor participates in the Spanning Tree Protocol. The Learning process does not add new dynamic entries about station location into the MAC address table.

Blocking. A port in this state does not forward user frames. Received BPDUs are processed according to the Spanning Tree Protocol. The Learning process does not add new dynamic entries about station location into the MAC address table. Ports remain in this state for a time interval equal to the Max Age parameter, 20 seconds by default, and then transition to the Listening state.

Listening. A port in this state does not forward user frames. Received BPDUs are processed according to the Spanning Tree Protocol. Also BPDUs can be submitted for transmission. The Learning process does not add new dynamic entries about station location into the MAC address table. The port is included by the switch in the computation of the active topology. During this state, the active topology is built (see below). Ports remain in this state for a time interval equal to the Forward Delay parameter, 15 seconds by default. Ports that are part of the active topology transition to the next state, that is, the Learning state. Other ports transition back to the blocking state.

Learning. A port in this state does not forward user frames. Received BPDUs are processed according to the Spanning Tree Protocol. Also BPDUs can be submitted for transmission. The Learning process starts adding new dynamic entries about station location into the MAC address table. The port is included by the switch in the computation of the active topology. Ports remain in this state for a time interval equal to the Forward Delay parameter, 15 seconds by default, and then transition to the Forwarding state.

Forwarding. User frames are forwarded. Received BPDUs are processed according to the Spanning Tree Protocol. Also BPDUs can be submitted for transmission. The Learning process continues to add dynamic entries about new station locations into the MAC address table. The port is included by the switch in the computation of the active topology.

During the Listening state, a three-step process takes place to build the active topology; these are:

1. Root Election. When the switch is turned on, BPDU messages are sent through every connected port at a regular interval, by default every 2 seconds (the Hello Timer). At start up, every switch believes itself to be the root of the tree, hence setting the Root Identifier of the BPDUs it transmits to the value of its own Bridge Identifier. This initial BPDU is stored as the best BPDU known so far for a port. If a better BPDU is received on a switch port, then the switch stops sending BPDU information on that port. At the end, after the root election phase has concluded, only one switch will continue speaking: the one that has won the election and become root, normally the switch whose Bridge Identifier has the highest priority (the lowest numerical value).
2. Root Port Election. Every switch selects a root port, based on the lowest cost to reach the root.
3. Designated Port Election. A designated port acts as the only means for forwarding traffic between a network segment to which the node is attached and the root node. The election of the designated port is based on the lowest cost to reach the root from that port. In case of a tie, the STP decision sequence described in Section 3.2 is applied.

4 STP Attack Scenarios

The following four STP attack scenarios were fully implemented in a controlled laboratory environment. They implement the main STP threats mentioned in Section 1.

4.1 Becoming root

A BPDU can easily be sent into the switched network by an intruder using the highest priority, i.e. a priority value equal to 1. The BPDU will be considered valid and processed by the other switches, since no authentication mechanism exists among the STP processes. Doing this every 2 seconds (Hello Timer) allows the intruder to win the root election and to install itself as the new root of the STP active topology. See [12] for implementation details.

4.2 Changing the active topology

Let us assume that an STP topology has been previously designed. Further assume that high speed communications links are to be used as part of the active topology and lower speed links as redundant links. An attack will succeed by sending appropriate BPDUs into the network, hence changing the active topology by turning high speed links into redundant links. As mentioned in the previous section, the intruder can easily become root of the new active topology. As a result, the core traffic will follow a path that is not the one initially planned for, very likely using lower speed links to forward core traffic. In Figure 4, the sequence of events is shown, where thick lines represent high speed links and normal lines links of lower bandwidth, normally used for redundancy.

[Fig. 4: four panels a) to d) showing Switch 1, Switch 2 and Switch 3, the blocked redundant link, and the attacker injecting BPDUs; image not reproduced]

Fig. 4. Change of the STP active topology. a) Complete graph with a redundant link between Switches 2 and 3. b) Expected active topology after STP convergence. c) An attacker sends a BPDU with priority = 1 and wins the election. d) The active topology is reconfigured, changing the normal flow of traffic.

4.3 Changing timers

The STP timers, Hello, Max Age, and Forward Delay, are controlled by the root and can be changed through normal management action. An intruder, after becoming root, can easily send appropriate BPDUs and set the timers to any value in the range 0x00-00 to 0xFF-FF, the decimal value representing 1/256 of a second (see footnote 4). All STP switches on the network will accept the values proposed by the intruder. A direct consequence of this is the modification of the time spent by a port in the blocking, listening and learning states during reconfiguration. The negative effects become evident when setting the Max Age and Forward Delay timers to their maximum value, i.e. 255 seconds, and the Hello timer to its minimum, i.e. 1/256 of a second (user frames are not forwarded for a longer period than the default by ports in a state other than forwarding).

4 Two octets are used for each timer: BPDU octets 30 and 31 for Max Age, 32 and 33 for Hello Time, and 34 and 35 for Forward Delay.

There is already a general network service degradation when changing root through normal management action. In the tested scenarios, there is a service disruption on some network segments of approximately 30 seconds in duration. This natural behavior degrades considerably when an intruder becomes root and changes STP timers at will. For example, using a combination of Max Age = 60, Forward Delay = 90 and Hello Time = 2, the network service can go down for a period of 5 minutes. A special case is reported in [12]: under the above conditions, the network went down due to a broadcast storm and a physical loop that had been created. These results depend on the implementation and the NOS version.

4.4 Persistent TCN Messages

During stable network operation, the only BPDUs seen traversing the network are those sent by the root node. Whenever a switch detects a physical failure in any of the LANs it is attached to, the switch sends a Topology Change Notification (TCN) (BPDU type = 0x80) through its root port. The first switch receiving the TCN sends back a Topology Change Acknowledgment (BPDU with Flags = 0x80) to the switch that sent the notification. This procedure is repeated until the TCN message reaches the root. The root switch then sends a Topology Change (TC) message (BPDU with Flags = 0x01) through all of its designated ports for a period of Max Age plus Forward Delay seconds. Intermediate switches receive the TC message on their root port and propagate it out of their designated ports. This procedure ensures that all switches in the network become aware of the current topology change. Switches receiving a TC message use the value of Forward Delay to age out dynamic entries more quickly, avoiding inconsistencies in their MAC address tables. Attached end stations might trigger the TCN mechanism by being turned on and off if basic configuration is not applied. In previous sections we discussed how an intruder can become root and change STP timer values at will. Now, assume the Forward Delay timer is set to a very low value. The intruder can then send a TCN message every Max Age plus Forward Delay seconds, causing the MAC address table in every switch of the network to age out continuously. Network performance can be seriously affected if the intrusion is not detected and corrected in time.

5 DDoS Attacks Using Malicious Ethernet PAUSE Frames

Recently, several distributed denial of service attacks using Ethernet PAUSE frames in combination with well known Spanning Tree Protocol (STP) vulnerabilities have been reported. Forêt Network Consulting was recently called in by a company with 4,000 users that had lost partial network connectivity, making IT services unavailable, including mission critical applications. The crisis lasted about 4 hours, due to an STP protocol failure and a broadcast storm simultaneously affecting more than 10 switches, including switches at the core. In order to better understand such attack scenarios we undertook the task of recreating in the laboratory situations where a combination of both protocols (STP and Ethernet flow control) could result in serious network degradation. Our experimental results showed two straightforward denial of service attacks, described below. We assume that Ethernet flow control is on in every port of a LAN switch, either in SFC or AFC mode. We also assume that STP has already converged and there is an active STP topology with at least one port in the blocking state; in other words, a physical loop is being managed correctly by STP and at least one redundant link has been deployed.

Isolating the root of the STP active topology

The procedure is as follows. A sequence of PAUSE frames is injected towards the designated ports of the root switch of the STP tree. This inhibits the transmission of Configuration BPDU messages by the root. The PAUSE frames use the maximum pause time value of 0xFF-FF. A PAUSE frame is sent every 3 ms on a 10 Gbps port, every 30 ms on a 1 Gbps port, and every 300 ms on a 100 Mbps port; indeed, any interval shorter than the total inhibition time shown in Table 1 achieves the same result. At this point, user frames are not forwarded by the root, resulting immediately in a DDoS attack. After 20 seconds, the root ports on the other switches transition from the forwarding state to the listening state and enter a new root election process. As long as the original root switch continues to receive malicious PAUSE frames, that switch and its links remain, in a way, isolated from the rest of the network. A new STP active topology is configured and user data communication is reestablished after STP convergence. However, network service degradation is observed, and the reason for it is hard to identify if the network is not properly monitored.

Inducing an STP failure

In this attack scenario, the first step consists in locating a segment containing a blocking port, as a result of STP convergence. Normally, this segment is a redundant link in the LAN topology. Next, a sequence of PAUSE frames is injected into that segment. This inhibits the transmission of Configuration BPDU messages coming from the root and being forwarded by the designated switch (see footnote 5). The PAUSE frames use the maximum pause time value of 0xFF-FF and are sent at the same frequency as described in the first scenario. At this point, user frames are not forwarded by the designated switch, resulting immediately in a DDoS attack for the users attached to that segment. After 20 seconds, the port in the blocking state transitions to the listening state, enters a new root election process, and finally transitions to the forwarding state, resulting in an STP failure since a physical loop has been created. During the STP failure, the network is immediately susceptible to a broadcast storm and finally to complete network degradation. Furthermore, a more complex and structured distributed denial of service attack can be accomplished by performing both scenarios simultaneously: the first one executing on segments directly attached to the root, and the second one replicated in every segment of the network containing at least one port in the blocking state (i.e. in every redundant link).

6 Best Management Practices and Recommendations

After our previous discussion and experimental results it is evident that using the default STP configuration on a switched LAN might lead to poor network performance. Furthermore, without continuous monitoring of the network, an intruder can very easily bring the network down by taking advantage of publicly known STP vulnerabilities and misuse of Ethernet PAUSE frames. Our recommendation is to follow some, if not all, of the following network management practices:

5 Recall that a switch containing a designated port is also known as the designated switch.

1. Create a network parameter baseline including STP values such as timers, Root Identifier and a threshold for topology change frequency. Consider also a threshold for Ethernet PAUSE frame frequency.
2. Monitor STP timers and Root Identifier. Trigger a security alarm in case non authorized changes are detected.
3. Monitor switch ports where flow control is on. Trigger a security alarm in case the number of PAUSE frames seen reaches a threshold. The attacker might reduce the pause time parameter and increase the frequency of PAUSE frames; therefore, the alarm shall be configured accordingly.
4. Configure the STP root switch with a priority of 1 and a backup root switch with a priority of 2, instead of using default values (in some systems they are set to 0x20-00 and 0x40-00 respectively).
5. Identify a stable STP switched network. An STP switched network is considered stable whenever Configuration BPDU messages coming from the root are the only BPDU messages seen in the network, and these BPDU messages are seen every Hello Time seconds. The frequency and Root Identifier values must match the parameters recorded in the network parameter baseline. Legitimate Ethernet PAUSE frames will not affect these values.
6. Identify an unstable STP switched network and trigger a security alarm. An STP switched network is considered unstable whenever too many reconfigurations of the active topology take place. This translates into BPDUs with a Root Identifier other than the one previously recorded, and TCN and TC BPDUs seen in the network with a frequency above the threshold registered in the network parameter baseline. Malicious Ethernet PAUSE frames will induce instability.
7. Configure the port fast feature [4] (if supported by the NOS) on ports with attached end user stations only.
8. Turn off flow control on switch ports where it is not needed.
9. Disable the change detection parameter (if supported by the NOS) on ports where it is known that a single end user station is attached, therefore avoiding unnecessary topology change notification procedures.

Recommendations 2 and 4 preclude the possibility of some STP attack scenarios, namely becoming root, changing the active topology and changing timers. The persistent TCN message attack is handled by recommendation 9. Recommendations 3 and 8 protect against PAUSE frame attacks. Clearly, implementing recommendation 6 reduces the possibility of successfully achieving any of the attack scenarios discussed in this paper.
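The following Python is added here as an example and is not code from the paper. It parses the Fig. 2 BPDU body, implements the Section 3.2 decision sequence as a single comparison, and applies recommendations 1, 2, 5 and 6 as a baseline monitor that flags a BPDU that would supersede the recorded root (Section 4.1), timers that differ from the baseline (Section 4.3) and a topology-change rate above the baseline threshold (Section 4.4). The BPDU bodies, MAC addresses and thresholds are constructed; the 802.3/LLC encapsulation is assumed stripped, and the rogue BPDU keeps priority 1 but carries a numerically lower MAC, which still supersedes the baseline root under the decision sequence since the Root Identifier is compared as a whole.

```python
import struct
from collections import deque
from dataclasses import dataclass
from typing import List, Optional

CONFIG_BPDU, TCN_BPDU, FLAG_TC = 0x00, 0x80, 0x01

@dataclass
class Bpdu:
    bpdu_type: int
    flags: int = 0
    root_id: int = 0          # 2-octet priority || 6-octet MAC (Fig. 2)
    root_path_cost: int = 0
    bridge_id: int = 0
    port_id: int = 0
    max_age: float = 0.0      # timers travel in 1/256 s units; stored in s
    hello_time: float = 0.0
    forward_delay: float = 0.0

def parse_bpdu(body: bytes) -> Optional[Bpdu]:
    """Decode the Fig. 2 BPDU body; 802.3/LLC headers are assumed stripped."""
    if len(body) < 4:
        return None
    proto, version, bpdu_type = struct.unpack("!HBB", body[:4])
    if proto != 0 or version != 0:
        return None
    if bpdu_type == TCN_BPDU:          # a TCN BPDU carries only these four octets
        return Bpdu(TCN_BPDU)
    if bpdu_type != CONFIG_BPDU or len(body) < 35:
        return None
    (flags, root_id, cost, bridge_id, port_id, _msg_age,
     max_age, hello, fwd) = struct.unpack("!BQIQHHHHH", body[4:35])
    return Bpdu(CONFIG_BPDU, flags, root_id, cost, bridge_id, port_id,
                max_age / 256, hello / 256, fwd / 256)

def supersedes(new: Bpdu, best: Bpdu) -> bool:
    """Section 3.2 decision sequence: lower identifier values mean higher
    priority, so the four cases reduce to one lexicographic comparison."""
    return (new.root_id, new.root_path_cost, new.bridge_id, new.port_id) < \
           (best.root_id, best.root_path_cost, best.bridge_id, best.port_id)

@dataclass
class Baseline:
    """Recommendation 1: the recorded root, timers and TC-rate threshold."""
    root_id: int
    hello_time: float
    max_age: float
    forward_delay: float
    max_tc_per_window: int
    window_s: float = 60.0

class StpMonitor:
    """Recommendations 2, 5 and 6: check every BPDU seen on a segment
    against the baseline; returns alarm strings (empty while stable)."""

    def __init__(self, baseline: Baseline):
        self.b = baseline
        # What the legitimate root itself advertises: root == bridge, cost 0
        self.root_adv = Bpdu(CONFIG_BPDU, root_id=baseline.root_id,
                             bridge_id=baseline.root_id)
        self.tc_times: deque = deque()

    def observe(self, ts: float, bpdu: Bpdu) -> List[str]:
        alarms, b = [], self.b
        if bpdu.bpdu_type == TCN_BPDU or bpdu.flags & FLAG_TC:
            self.tc_times.append(ts)
            while ts - self.tc_times[0] > b.window_s:   # slide the window
                self.tc_times.popleft()
            if len(self.tc_times) > b.max_tc_per_window:
                alarms.append("topology change rate above baseline threshold")
        if bpdu.bpdu_type != CONFIG_BPDU:
            return alarms
        if supersedes(bpdu, self.root_adv):   # would win root election (4.1)
            alarms.append(f"BPDU supersedes baseline root: {bpdu.root_id:#018x}")
        elif bpdu.root_id != b.root_id:       # a worse root, e.g. a switch booting
            alarms.append(f"unexpected root identifier {bpdu.root_id:#018x}")
        if (bpdu.hello_time, bpdu.max_age, bpdu.forward_delay) != \
                (b.hello_time, b.max_age, b.forward_delay):
            alarms.append("STP timers differ from baseline (Section 4.3)")
        return alarms

# Constructed sample BPDU bodies (not captures): the legitimate root's own
# advertisement (priority 1, default timers), a rogue advertisement with
# priority 1 but a lower MAC and the extreme timers of Section 4.3, and a TCN.
ROOT_BPDU = bytes.fromhex("0000000000" "000100000caabbcc" "00000000"
                          "000100000caabbcc" "8001" "0000" "1400" "0200" "0f00")
ROGUE_BPDU = bytes.fromhex("0000000000" "000100000c000001" "00000000"
                           "000100000c000001" "8001" "0000" "ff00" "0001" "ff00")
TCN_BPDU_BODY = bytes.fromhex("00000080")

def demo() -> dict:
    baseline = Baseline(root_id=0x000100000CAABBCC, hello_time=2.0,
                        max_age=20.0, forward_delay=15.0, max_tc_per_window=3)
    mon = StpMonitor(baseline)
    stable = mon.observe(0.0, parse_bpdu(ROOT_BPDU))
    rogue = mon.observe(2.0, parse_bpdu(ROGUE_BPDU))
    # Persistent TCNs (Section 4.4): the fourth inside the window trips the alarm
    tcn = [mon.observe(3.0 + i, parse_bpdu(TCN_BPDU_BODY)) for i in range(4)]
    return {"stable": stable, "rogue": rogue, "tcn": tcn}
```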

7 Further Work and Conclusions

In a switched LAN, a proper configuration becomes very important in order to guarantee the expected network performance. A good network configuration can be achieved by following general recommendations such as the ones discussed so far. On the other hand, continuous monitoring of the network becomes essential. Intrusion Detection Systems (IDS) as well as Intrusion Prevention Systems (IPS) [7, 10] must exist as part of the security tools used by any organization. The recommendations stated in the previous section can be translated into security policies and made part of the IDS/IPS rules. Further work is highly recommended concerning this issue. Some switch vendors have SFC/AFC mode on by default; others have flow control mechanisms off by default. Make sure to configure flow control according to specific network requirements. There are administrative reasons to turn flow control mechanisms on in some ports, thus making these ports susceptible to the PAUSE frame/STP attacks described above. New STP implementations should include basic authentication mechanisms for the exchange of reliable BPDU configuration messages. Message-Digest Algorithm version 5 (MD5), one of the most widely used secure hash algorithms, can easily be integrated as a configuration parameter to allow sending BPDU messages in a more secure way, without creating a significant overhead for the protocol process. Once a security mechanism like MD5 is embedded into the STP implementation, becoming root of a switched network will not be as straightforward as it is nowadays. RSTP, as specified in IEEE 802.1w, is considered a new fast-convergence version of STP. Nevertheless, authentication mechanisms for the exchange of BPDU messages were not included. Even though the topology change mechanism, including detection and propagation, has been completely redefined in RSTP, many of the concepts discussed so far also apply to RSTP management. Furthermore, an RSTP switch can fall back to 802.1D when talking to an STP-only legacy switch.

8 Laboratory Equipment

The scenarios were implemented using the following equipment:

– 2 Catalyst 3560 Series switches. IOS (tm) C3560 Software (C3560-I9-M), Version 12.2(20)EX
– 3 Catalyst 2950 Series switches. IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(11)EA1
– 4 IBM A-21m laptops running Fluke's Protocol Inspector, EDV, and 1 LINUX-based IBM A-21m laptop

Acknowledgments

This research has been possible thanks to the financial support and resources provided by the networking and security group of the ITESM CEM (register number: ITESM CCEM-0302-05).

References

1. ANSI/IEEE Std 802.1D, 1998 Edition: ISO/IEC 15802-3: 1998. Part 3: Media Access Control (MAC) Bridges
2. ANSI/IEEE Std 802.1w-2001. Amendment to IEEE Std 802.1D, 1998 Edition (ISO/IEC 15802-3:1998) and IEEE Std 802.1t-2001. Part 3: Media Access Control (MAC) Bridges. Amendment 2: Rapid Reconfiguration
3. ANSI/IEEE Std 802.3x-1997 and IEEE Std 802.3y-1997. Supplements to ISO/IEC 8802-3: 1996 [ANSI/IEEE Std 802.3, 1996 Edition]
4. Configuring Spanning Tree PortFast, UplinkFast, BackboneFast, and Loop Guard. http://www.cisco.com/en/US/products/hw/switches/ps708/ products configuration guide chapter09186a00800c65dc.html#1020704
5. Cisco Systems: Understanding Rapid Spanning Tree Protocol (802.1w). July 2004. http://www.cisco.com/en/US/tech/tk389/tk621/technologies white paper 09186a0080094cfa.shtml
6. Howard, Connie: Layer 2: The Weakest Link. Security Considerations at the . Packet Vol 15, No. 1. First Quarter 2003. http://www.cisco.com/en/US/about/ac123/ac114/ac173/ac222/ about cisco packet feature09186a0080142deb.html
7. Innella, Paul, and McMillan, Oba: An Introduction to Intrusion Detection Systems. Tetrad Digital Integrity, LLC, December 6, 2001. http://www.securityfocus.com/infocus/1520
8. López, Rafael, and Trejo, Luis A.: Malicious Ethernet PAUSE Frames and Countermeasures in a Production Environment. Technical Report No. 86 (Networking and Security Group). ITESM-CEM, DCC. June 2006
9. Marro, Guillermo Mario: Attacks at the Data Link Layer. Master Thesis in Computer Science. University of California-Davis, 2003
10. Mukherjee, Biswanath, Heberlein, L. Todd, and Levitt, Karl N.: Network Intrusion Detection. IEEE Network, May/June 1994
11. Regale, Chiara: Switching: Planting New Spanning Trees. Implementing IEEE 802.1w and 802.1s. Packet Vol 15, No. 3. Third Quarter 2003. http://www.cisco.com/en/US/about/ac123/ac114/ac173/ac224/ about cisco packet technology0900aecd800b19a4.html
12. Trejo, Luis A.: Layer 2 Attacks and Countermeasures: Case of the Spanning Tree Protocol. Technical Report No. 58 (Networking and Security Group). ITESM-CEM, DCC. August 2004
13. Trejo, Luis A.: Spanning Tree Protocol Management: Best Practices. ACNS 2005, 3rd International Conference on Applied Cryptography and Network Security. Industrial and Short-Papers Track. Columbia University, New York, NY. June 7-10, 2005
14. Lewis, Wayne: Multilayer Switching Companion Guide. Cisco Press, 2003
15. EFM Consortium: The Ethernet in the First Mile Consortium. InterOperability Laboratory, Research Computing Center, University of New Hampshire. Annex 31B Pause Test Suite. Version 1.0. Technical Document, January 23, 2004. http://www.iol.unh.edu/consortiums/efm