HSRP / VRRP Attack
What is HSRP / VRRP Attack?
An attack that injects forged HSRP or VRRP messages with a higher priority to become the active gateway for a subnet and intercept traffic.
HSRP (Cisco Hot Standby Router Protocol) and the IETF-standard VRRP (Virtual Router Redundancy Protocol) provide first-hop redundancy by electing an Active (HSRP) or Master (VRRP) router that owns a shared virtual IP. Both protocols rely on multicast hello messages, and the election is decided by a priority value. An attacker on the LAN who sends crafted HSRP or VRRP frames (for example with Yersinia or scapy) carrying priority 255 can win the election and have all default-route traffic from the subnet sent to their host, enabling MITM, traffic mirroring and selective blackholing. HSRPv1 uses clear-text authentication with the default key 'cisco'; VRRPv2 supports plaintext or MD5 authentication. Defences: configure strong HSRP/VRRP authentication (key-chain MD5, or VRRPv3 with IPsec), use ACLs to filter HSRP/VRRP multicast on user ports, monitor priority and Active/Master changes, and segment user VLANs from infrastructure protocols.
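The "monitor priority changes" defence above, as an added example that is not part of the original page: a small Python monitor that decodes HSRPv1 messages and flags frames from sources outside an assumed baseline that would win the election (priority at or above the legitimate Active router's, or a coup message), as well as use of the default 'cisco' key. The baseline, router addresses and sample frames are constructed for the example.

```python
import struct

# HSRPv1 payload layout (RFC 2281, UDP/1985 to 224.0.0.2): version, opcode, state,
# hellotime, holdtime, priority, group, reserved, 8-byte auth string, 4-byte virtual IP.
OPCODES = {0: "hello", 1: "coup", 2: "resign"}
DEFAULT_KEY = "cisco"  # HSRPv1 default clear-text authentication string


def parse_hsrp(payload: bytes) -> dict:
    """Decode one HSRPv1 message; raises on truncated input."""
    if len(payload) < 20:
        raise ValueError("truncated HSRP payload")
    ver, op, state, _hello, _hold, prio, group, _rsv = struct.unpack("!8B", payload[:8])
    auth = payload[8:16].rstrip(b"\x00").decode("ascii", "replace")
    vip = ".".join(str(b) for b in payload[16:20])
    return {"version": ver, "opcode": OPCODES.get(op, op), "state": state,
            "priority": prio, "group": group, "auth": auth, "vip": vip}


def build_sample(op: int, prio: int, group: int, vip: str, auth: str = DEFAULT_KEY) -> bytes:
    """Constructed sample encoder used only to fabricate offline test traffic."""
    header = struct.pack("!8B", 0, op, 16, 3, 10, prio, group, 0)
    key = auth.encode()[:8].ljust(8, b"\x00")
    return header + key + bytes(int(o) for o in vip.split("."))


def audit_hsrp(frames, baseline):
    """Return (src, group, reason) alerts for frames captured on a monitored segment.

    frames: iterable of (src_ip, payload). baseline maps (group, vip) to
    (set of authorised router IPs, priority of the legitimate Active router).
    """
    alerts = []
    for src, payload in frames:
        h = parse_hsrp(payload)
        routers, active_prio = baseline.get((h["group"], h["vip"]), (set(), 0))
        if h["auth"] == DEFAULT_KEY:
            alerts.append((src, h["group"], "default 'cisco' authentication in use"))
        if src not in routers and (h["priority"] >= active_prio or h["opcode"] == "coup"):
            alerts.append((src, h["group"], f"unauthorised {h['opcode']} with priority {h['priority']}"))
    return alerts


# Constructed sample: two legitimate routers plus an unknown host claiming priority 255.
BASELINE = {(10, "10.0.10.1"): ({"10.0.10.2", "10.0.10.3"}, 110)}
FRAMES = [
    ("10.0.10.2", build_sample(0, 110, 10, "10.0.10.1", "k3y-2024")),
    ("10.0.10.3", build_sample(0, 100, 10, "10.0.10.1", "k3y-2024")),
    ("10.0.10.50", build_sample(1, 255, 10, "10.0.10.1")),  # coup, default key
]

if __name__ == "__main__":
    for alert in audit_hsrp(FRAMES, BASELINE):
        print(alert)
```

Live use would feed `audit_hsrp` with frames captured from the HSRP multicast group on a SPAN port; VRRP advertisements use a different layout and would need their own decoder.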
● Examples
- 01: Yersinia HSRP attack sending priority-255 hellos to become Active for VLAN 10's HSRP group.
- 02: VRRP advertisement with priority 255 that takes the Master role and redirects gateway traffic to the attacker.
● Frequently asked questions
What is HSRP / VRRP Attack?
An attack that injects forged HSRP or VRRP messages with a higher priority to become the active gateway for a subnet and intercept traffic. It belongs to the Attacks & Threats category of cybersecurity.
What does HSRP / VRRP Attack mean?
An attack that injects forged HSRP or VRRP messages with a higher priority to become the active gateway for a subnet and intercept traffic.
How do you defend against HSRP / VRRP Attack?
Defences for HSRP / VRRP Attack combine technical controls and operational practices: strong HSRP/VRRP authentication (key-chain MD5, or VRRPv3 with IPsec), ACLs that filter HSRP/VRRP multicast on user ports, monitoring of priority and Active/Master changes, and segmentation of user VLANs from infrastructure protocols, as detailed in the full definition above.
What are other names for HSRP / VRRP Attack?
Common alternative names include: HSRP hijack, VRRP hijack, First-hop redundancy attack.