VLAN, short for Virtual Local Area Network, is a logical segmentation of a single physical switched network into separate broadcast domains. Devices attached to different switches can be grouped into one VLAN, and devices on the same switch can be kept apart, without any rewiring. Organizations benefit from this because it is cost-effective, offers flexible network configuration and reduces administrative effort. VLANs are, however, also a target for attackers: attacks that let traffic cross from one VLAN into another without passing through a router or firewall are termed VLAN hopping attacks.
VLAN hopping is an attack in which an attacker connected to one VLAN sends specially crafted frames so that they are delivered into a VLAN that the attacker's port is not a member of. The attacker's goal is to reach hosts on other VLANs that the segmentation was meant to keep separate. Once a foothold has been gained on one VLAN, VLAN hopping lets the attacker reach the other VLANs carried across the same switches and trunks, bypassing the access controls that sit between them.
What is trunking in networking?
Simply defined, a network trunk is a single link that carries traffic for several networks at once between two points. Trunking is an essential element of VLANs. A VLAN trunk is a link between two switches (or between a switch and a router or server) that carries frames belonging to more than one VLAN. Under the IEEE 802.1Q standard, each frame on the trunk carries a 4-byte tag holding the ID of the VLAN it belongs to, except frames of the trunk's native VLAN, which are sent untagged. This is what allows a VLAN configured on one switch to extend across the whole network.
There are two methods of VLAN hopping attacks:
- a) Switch Spoofing
- b) Double Tagging
- A) Switch Spoofing: In this VLAN hopping attack the attacker tricks the switch into forming a trunk link between the attacker's port and the switch. The attack is only possible when the switch port is left in the Dynamic Trunking Protocol (DTP) "dynamic auto" or "dynamic desirable" mode. With either mode active on the port the attacker is plugged into, the attacker sends DTP frames that negotiate the port into a trunk; the attacker's host then behaves like a switch and can send and receive 802.1Q-tagged frames for every VLAN allowed on that trunk.
- B) Double Tagging: In a double tagging attack the attacker sends frames carrying two 802.1Q tags instead of one. The outer tag matches the native VLAN of the trunk between the attacker's switch and the victim's switch (VLAN 1 by default), and the inner tag names the victim's VLAN. The first switch treats the outer tag as the native VLAN, strips it, and forwards the frame untagged across the trunk, so the inner tag is now the only tag on the frame. The second switch reads that tag as a legitimate VLAN tag and delivers the frame to the victim's VLAN. The attack only works when the attacker's access port is in the native VLAN of the trunk, and it is one-way: replies are never routed back to the attacker.
What are the three techniques for mitigating VLAN hopping?
VLAN security is crucial to ensure the organization's data is protected and not tampered with by an attacker. A few techniques maintain healthy security hygiene: unused interfaces should be shut down and assigned to an unused "parking lot" VLAN; access ports should be configured manually rather than left to negotiate their mode; and trunk ports should carry only the VLANs that actually need to cross them. Since switches are what switch spoofing and double tagging attacks target, correct switch configuration is what mitigates them.
To mitigate a switch spoofing attack, disable the Dynamic Trunking Protocol on every port that does not need to be a trunk and configure those ports explicitly as access ports; ports that must be trunks should be set to trunk mode statically, with negotiation disabled. To prevent double tagging attacks, do not put any hosts on VLAN 1, enable explicit tagging of the native VLAN on all trunk ports, and set the native VLAN of every trunk to an otherwise unused VLAN ID.
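Added example, not code from the original article: a small Python model of how two switches handle the double-tagged frame described under Double Tagging above, run against the native-VLAN settings recommended in the mitigation paragraph. The Switch class, the port names and the VLAN numbers are assumptions made for the illustration; the frame bytes use the real 802.1Q tag layout, but nothing is sent on the wire.

```python
"""Model of an 802.1Q double-tagging attack and the native-VLAN mitigations.
Added example, not code from the original article: Switch is a simplified,
assumed model of Catalyst-style tag handling; nothing is sent on the wire."""
import struct
from typing import Dict, List, Optional, Tuple

ETH_P_8021Q = 0x8100  # TPID that announces an 802.1Q tag
ETH_P_IP = 0x0800     # EtherType of the constructed payload
# Constructed sample addresses and payload, not captured traffic.
ATTACKER_MAC = bytes.fromhex("020000000001")
VICTIM_MAC = bytes.fromhex("020000000002")
PAYLOAD = b"constructed payload"


def build_frame(dst: bytes, src: bytes, vlan_ids: List[int], payload: bytes) -> bytes:
    """Build an Ethernet frame with zero or more stacked 802.1Q tags, outer tag first."""
    frame = dst + src
    for vid in vlan_ids:
        frame += struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)  # PCP/DEI left at 0
    return frame + struct.pack("!H", ETH_P_IP) + payload


def parse_tags(frame: bytes) -> List[int]:
    """Return the stacked VLAN IDs carried by a frame, outer tag first."""
    tags, off = [], 12
    while struct.unpack("!H", frame[off:off + 2])[0] == ETH_P_8021Q:
        tags.append(struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF)
        off += 4
    return tags


def strip_outer_tag(frame: bytes) -> bytes:
    """Remove the outermost tag (4 bytes following the two MAC addresses)."""
    return frame[:12] + frame[16:]


def add_outer_tag(frame: bytes, vid: int) -> bytes:
    """Push a new outermost 802.1Q tag carrying `vid`."""
    return frame[:12] + struct.pack("!HH", ETH_P_8021Q, vid) + frame[12:]


class Switch:
    def __init__(self, native_vlan: int, tag_native: bool, access_ports: Dict[str, int]):
        self.native_vlan = native_vlan    # 'switchport trunk native vlan N'
        self.tag_native = tag_native      # 'vlan dot1q tag native'
        self.access_ports = access_ports  # port name -> access VLAN

    def ingress_access(self, port: str, frame: bytes) -> Optional[Tuple[int, bytes]]:
        """Classify a frame arriving on an access port; None means dropped.
        Untagged frames join the port's access VLAN; a frame tagged with that same
        VLAN is accepted and the tag removed (what double tagging relies on)."""
        access_vlan = self.access_ports[port]
        tags = parse_tags(frame)
        if not tags:
            return access_vlan, frame
        if tags[0] == access_vlan:
            return access_vlan, strip_outer_tag(frame)
        return None  # tagged for some other VLAN: dropped

    def egress_trunk(self, vlan: int, frame: bytes) -> bytes:
        """Send a frame of `vlan` out of the trunk: the native VLAN travels untagged
        unless native tagging is enabled, every other VLAN gets its tag pushed on."""
        if vlan == self.native_vlan and not self.tag_native:
            return frame
        return add_outer_tag(frame, vlan)

    def ingress_trunk(self, frame: bytes) -> Optional[Tuple[int, bytes]]:
        """Classify a frame arriving on the trunk: the outer tag selects the VLAN.
        Untagged frames belong to the native VLAN, except that a switch tagging its
        native VLAN refuses untagged trunk traffic (model assumption)."""
        tags = parse_tags(frame)
        if not tags:
            return None if self.tag_native else (self.native_vlan, frame)
        return tags[0], strip_outer_tag(frame)


def double_tag_attempt(native_vlan: int, tag_native: bool,
                       attacker_vlan: int = 1, target_vlan: int = 20) -> Optional[int]:
    """One double-tagging attempt across two identically configured switches.
    The attacker, on an access port in `attacker_vlan`, sends a frame whose outer
    tag is its own VLAN and whose inner tag is `target_vlan`. Returns the VLAN the
    second switch delivers into (None if dropped); success means == target_vlan."""
    sw1 = Switch(native_vlan, tag_native, {"Gi1/0/1": attacker_vlan})  # attacker's switch
    sw2 = Switch(native_vlan, tag_native, {"Gi1/0/5": target_vlan})    # victim's switch
    crafted = build_frame(VICTIM_MAC, ATTACKER_MAC, [attacker_vlan, target_vlan], PAYLOAD)
    classified = sw1.ingress_access("Gi1/0/1", crafted)
    if classified is None:
        return None
    vlan, frame = classified
    delivered = sw2.ingress_trunk(sw1.egress_trunk(vlan, frame))
    return None if delivered is None else delivered[0]


if __name__ == "__main__":
    for native, tagged in [(1, False), (999, False), (1, True)]:
        print(f"native VLAN {native:>3}, tag native={tagged!s:5} -> "
              f"frame lands in VLAN {double_tag_attempt(native, tagged)}")
```

Run as a script, the first row shows the default configuration (native VLAN 1, untagged) delivering the attacker's frame into VLAN 20; the other two rows show the frame staying in the attacker's own VLAN once the native VLAN is moved to an unused ID or native-VLAN tagging is turned on, because the outer tag then survives the trunk and the second switch never sees the inner tag as the outer one. Passing a different attacker VLAN shows the other precondition: an attacker whose access port is not in the native VLAN cannot get the outer tag stripped. On Cisco IOS the corresponding settings are `switchport trunk native vlan 999` on each trunk interface and `vlan dot1q tag native` globally; against switch spoofing, `switchport mode access` on host ports and `switchport mode trunk` with `switchport nonegotiate` on intended trunks, and `switchport trunk allowed vlan` to prune VLANs that do not need to cross a trunk.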
CCoE Hyderabad, a joint venture between the Government of Telangana and DSCI, aims to encourage innovation, entrepreneurship and capabilities in cybersecurity and privacy. We as an organization aim to kick-start India's IT industry by incubating startups, conducting workshops and product showcases in experience zones, and collaborating with local, national and international initiatives to create a safe and secure cyberspace in India.