HSRP / VRRP Attack
What is HSRP / VRRP Attack?
HSRP / VRRP Attack: An attack that injects forged HSRP or VRRP messages with a higher priority to become the active gateway for a subnet and intercept traffic.
HSRP (Cisco Hot Standby Router Protocol) and the IETF-standard VRRP (Virtual Router Redundancy Protocol) provide first-hop redundancy by electing an Active/Master router that owns a virtual IP. Both protocols rely on multicast hello messages, and the election is decided by the priority value those messages carry. An attacker on the LAN who sends crafted HSRP or VRRP frames (Yersinia, Scapy) with priority 255 can take over the role and have all default-route traffic from the subnet sent to their host, enabling MITM, traffic mirroring and selective blackholing. HSRPv1 uses clear-text MD5 'cisco' by default; VRRPv2 supports plaintext or MD5. Defenses: configure strong HSRP/VRRP authentication (key-chain MD5 or VRRPv3 with IPsec), use ACLs to filter HSRP/VRRP multicast on user ports, monitor priority changes, and segment user VLANs from infrastructure protocols.
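A passive check for the monitoring defense described above, as an added example that is not part of the original entry: it decodes HSRPv1 and VRRP messages taken from a capture and reports speakers outside an allow-list, along with weak authentication settings. The router addresses, group number and sample payloads are constructed assumptions.

```python
import struct

# Assumed allow-list (constructed): routers permitted to speak for each group.
AUTHORIZED = {("hsrp", 10): {"10.0.10.2", "10.0.10.3"},
              ("vrrp", 10): {"10.0.10.2", "10.0.10.3"}}
HSRP_OPCODES = {0: "hello", 1: "coup", 2: "resign"}

def parse_hsrp_v1(payload):
    """Decode an HSRPv1 message (RFC 2281 layout), i.e. the UDP/1985 payload."""
    if len(payload) < 20:
        raise ValueError("truncated HSRP message")
    _ver, op, _state, _hello, _hold, prio, group, _rsvd, auth, _vip = \
        struct.unpack("!8B8s4s", payload[:20])
    return {"proto": "hsrp", "group": group, "priority": prio,
            "opcode": HSRP_OPCODES.get(op, op),
            "auth": auth.rstrip(b"\x00").decode("ascii", "replace")}

def parse_vrrp(payload):
    """Decode the start of a VRRP advertisement (IP protocol 112 payload)."""
    if len(payload) < 8:
        raise ValueError("truncated VRRP advertisement")
    vt, vrid, prio, _count = struct.unpack("!4B", payload[:4])
    rec = {"proto": "vrrp", "version": vt >> 4, "group": vrid, "priority": prio}
    if rec["version"] == 2:
        rec["auth_type"] = payload[4]  # VRRPv2 only: 0 = none, 1 = plaintext
    return rec

def findings(src_ip, rec):
    """Return alert reasons for one decoded message (empty list = nothing to report)."""
    out = []
    if src_ip not in AUTHORIZED.get((rec["proto"], rec["group"]), set()):
        out.append(f"unauthorized speaker {src_ip} priority={rec['priority']}")
    if rec.get("auth") == "cisco":
        out.append("HSRP default authentication string")
    if rec.get("auth_type") == 0:
        out.append("VRRPv2 without authentication")
    return out

# Constructed sample payloads (not captured traffic): (source IP, parser, bytes).
# The VRRP sample is cut to its 8-byte fixed header; its checksum is not verified.
SAMPLES = [
    ("10.0.10.2", parse_hsrp_v1,
     bytes([0, 0, 16, 3, 10, 110, 10, 0]) + b"Kc7!xQ2p" + bytes([10, 0, 10, 1])),
    ("10.0.10.77", parse_hsrp_v1,
     bytes([0, 1, 16, 3, 10, 255, 10, 0]) + b"cisco\0\0\0" + bytes([10, 0, 10, 1])),
    ("10.0.10.77", parse_vrrp, bytes([0x21, 10, 255, 1, 0, 1, 0, 0])),
]

def scan(samples=SAMPLES):
    return [(src, findings(src, parse(raw))) for src, parse, raw in samples]
```

Calling `scan()` returns one `(source, reasons)` pair per message. Priority 255 alone is not treated as an alert, because a legitimate VRRP address owner advertises it too; the allow-list is what separates the two cases.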
● Examples
- 01: Yersinia HSRP attack sending priority-255 hellos to become Active for VLAN 10's HSRP group.
- 02: VRRP advertisement with priority 255 that takes the Master role and redirects gateway traffic to the attacker.
● Frequently asked questions
What is HSRP / VRRP Attack?
An attack that injects forged HSRP or VRRP messages with a higher priority to become the active gateway for a subnet and intercept traffic. It belongs to the Attacks & Threats category of cybersecurity.
How do you defend against HSRP / VRRP Attack?
Defences for HSRP / VRRP Attack typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for HSRP / VRRP Attack?
Common alternative names include: HSRP hijack, VRRP hijack, First-hop redundancy attack.
● Related terms
- Spanning-Tree Protocol Attack (attacks, № 1072): A Layer-2 attack that injects forged BPDU frames to manipulate the Spanning-Tree topology, often electing the attacker's host as the root bridge to enable MITM or DoS.
- ARP Spoofing (attacks, № 062): A local-network attack that sends forged ARP messages to bind the attacker's MAC address to another host's IP, redirecting traffic through the attacker.
- DHCP Spoofing (attacks, № 312): An attack in which an adversary replies to DHCP requests with crafted offers to push a malicious gateway, DNS server, or other options to victim clients.
- Rogue DHCP Server (attacks, № 944): An unauthorized DHCP server connected to a network that hands out IP configurations to clients, intentionally or accidentally redirecting traffic to attacker-controlled infrastructure.
- VLAN Hopping (attacks, № 1207): A switch attack that lets a host send or receive frames in a VLAN it should not belong to by abusing trunking negotiation or 802.1Q double tagging.