Spanning-Tree Protocol Attack
What is Spanning-Tree Protocol Attack?
A Layer-2 attack that injects forged BPDU frames to manipulate the Spanning-Tree topology, often electing the attacker's host as the root bridge to enable MITM or DoS.
STP attacks abuse the trust 802.1D/802.1w Spanning-Tree gives to BPDU (Bridge Protocol Data Unit) frames. By emitting BPDUs with a very low bridge priority, an attacker can be elected as the new root bridge, causing the switch network to reconverge and route a large share of traffic through the attacker's port - ideal for MITM. Continuous BPDU flooding can also force constant reconvergence and effectively DoS the segment. Tools like Yersinia, ettercap and scapy implement these techniques. Defenses: enable BPDU Guard on access ports (shuts the port on BPDU receipt), Root Guard on designated ports, BPDU Filter where appropriate, and use storm control plus 802.1X to restrict who can reach the switch fabric.
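As an added illustration from the defender's side (this script is not part of the original glossary entry and is not the code of any tool it names), the following Python parses 802.1D Configuration BPDUs out of raw Ethernet frames and applies the two conditions that BPDU Guard and Root Guard enforce in a switch: a BPDU arriving on a port that is supposed to connect an end host, and a root claim whose Bridge ID is superior to the known legitimate root. The port names, the legitimate root ID and the three frames are constructed sample values, not captured traffic; a real deployment would feed it frames from a mirror port or a packet capture.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# 802.1D BPDUs go to this reserved multicast address, over LLC with DSAP/SSAP 0x42.
STP_MULTICAST = bytes.fromhex("0180c2000000")
STP_LLC = b"\x42\x42\x03"
CONFIG_BPDU_LEN = 35          # fixed body of an 802.1D Configuration BPDU


@dataclass
class Bpdu:
    version: int
    bpdu_type: int            # 0x00 = Configuration, 0x02 = RST (802.1w)
    root_priority: int
    root_mac: str
    root_path_cost: int
    bridge_priority: int
    bridge_mac: str
    port_id: int


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_bpdu(frame: bytes) -> Optional[Bpdu]:
    """Return the BPDU carried by an Ethernet frame, or None when the frame is
    not a Configuration/RST BPDU (TCN BPDUs and all non-STP frames give None)."""
    if len(frame) < 14 + len(STP_LLC) + CONFIG_BPDU_LEN:
        return None
    if frame[0:6] != STP_MULTICAST:
        return None
    length = struct.unpack("!H", frame[12:14])[0]
    if length > 1500:                      # an EtherType, not an 802.3 length field
        return None
    if frame[14:17] != STP_LLC:
        return None
    body = frame[17:17 + CONFIG_BPDU_LEN]
    proto, version, bpdu_type, _flags = struct.unpack("!HBBB", body[0:5])
    if proto != 0 or bpdu_type not in (0x00, 0x02):
        return None
    # Root ID (2-byte priority + MAC), root path cost, Bridge ID, Port ID.
    # Since 802.1t the low 12 bits of the priority field hold the system-ID
    # extension (normally the VLAN); that does not change the comparison order.
    (root_prio, root_mac, cost,
     bridge_prio, bridge_mac, port_id) = struct.unpack("!H6sIH6sH", body[5:27])
    return Bpdu(version, bpdu_type, root_prio, _mac(root_mac), cost,
                bridge_prio, _mac(bridge_mac), port_id)


def evaluate(port: str, frame: bytes, access_ports: set, legit_root: tuple) -> list:
    """Apply BPDU-Guard and Root-Guard style checks to one observed frame.

    access_ports: ports where end hosts connect; no BPDU should ever appear there.
    legit_root:   (priority, mac) of the bridge that is supposed to be root.
    Returns a list of alert strings, empty when nothing is wrong."""
    alerts = []
    bpdu = parse_bpdu(frame)
    if bpdu is None:
        return alerts
    if port in access_ports:
        alerts.append(f"BPDU from {bpdu.bridge_mac} on access port {port}; "
                      "BPDU Guard would err-disable this port")
    # Bridge IDs compare priority first, then MAC; the lowest wins the root election.
    if (bpdu.root_priority, bpdu.root_mac) < legit_root:
        alerts.append(f"superior root claim {bpdu.root_priority}/{bpdu.root_mac} on "
                      f"{port} would displace root {legit_root[1]}; "
                      "Root Guard would block this port")
    return alerts


# --- constructed sample input (hypothetical port names and MACs) -----------
LEGIT_ROOT = (0x8000, "00:1a:2b:00:00:01")
ACCESS_PORTS = {"Gi1/0/1", "Gi1/0/5"}

LEGIT_BPDU = bytes.fromhex(
    "0180c2000000 001a2b000001 0026"    # dst, src, 802.3 length 38 = LLC 3 + BPDU 35
    "424203"                            # LLC: DSAP 0x42, SSAP 0x42, UI
    "0000 00 00 00"                     # protocol 0, version 0, Config BPDU, flags
    "8000 001a2b000001"                 # Root ID: priority 32768, MAC of the real root
    "00000000"                          # root path cost
    "8000 001a2b000001"                 # Bridge ID of the sender (the root itself)
    "8001 0000 1400 0200 0f00"          # port ID, msg age, max age 20 s, hello 2 s, fwd delay 15 s
)
FORGED_BPDU = bytes.fromhex(            # a host port claiming priority 0 (wins any election)
    "0180c2000000 0cffee000099 0026"
    "424203"
    "0000 00 00 00"
    "0000 0cffee000099"
    "00000000"
    "0000 0cffee000099"
    "8001 0000 1400 0200 0f00"
)
NOT_BPDU = bytes.fromhex("ffffffffffff 001a2b000002 0806") + bytes(46)   # ARP broadcast


def run_demo() -> list:
    """Run the checks over a constructed observation log of (port, frame) pairs."""
    observed = [
        ("Gi1/0/24", LEGIT_BPDU),   # uplink toward the real root: expected, no alert
        ("Gi1/0/5", FORGED_BPDU),   # host port announcing priority 0: both checks fire
        ("Gi1/0/1", NOT_BPDU),      # ordinary traffic: ignored
    ]
    alerts = []
    for port, frame in observed:
        alerts.extend(evaluate(port, frame, ACCESS_PORTS, LEGIT_ROOT))
    return alerts


if __name__ == "__main__":
    for alert in run_demo():
        print("ALERT:", alert)
```

The two checks map directly onto the controls listed above: the access-port check is what BPDU Guard enforces at the port, and the root-claim comparison is what Root Guard enforces on designated ports. Running the same comparison centrally over mirrored traffic is useful where those features are not enabled everywhere, and it also catches the flooding case, since a flood produces the same alert at a rate that is easy to threshold.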
● Examples
- 01: Yersinia 'sending RAW Conf BPDU' attack that turns the attacker into the root bridge of a Cisco network.
- 02: BPDU flood to force constant topology recomputation and degrade the LAN.
● Frequently asked questions
What is Spanning-Tree Protocol Attack?
A Layer-2 attack that injects forged BPDU frames to manipulate the Spanning-Tree topology, often electing the attacker's host as the root bridge to enable MITM or DoS. It belongs to the Attacks & Threats category of cybersecurity.
How do you defend against Spanning-Tree Protocol Attack?
Defences for Spanning-Tree Protocol Attack combine technical controls (BPDU Guard on access ports, Root Guard on designated ports, BPDU Filter where appropriate, storm control, and 802.1X to restrict who can reach the switch fabric) with operational practices, as detailed in the full definition above.
What are other names for Spanning-Tree Protocol Attack?
Common alternative names include: BPDU attack, Root bridge spoofing, STP root takeover.
● Related terms
- VLAN Hopping (attacks № 1207)
A switch attack that lets a host send or receive frames in a VLAN it should not belong to by abusing trunking negotiation or 802.1Q double tagging.
- DTP Attack (attacks № 363)
An attack that abuses Cisco Dynamic Trunking Protocol on an access port to negotiate a trunk with the switch and gain access to multiple VLANs.
- ARP Spoofing (attacks № 062)
A local-network attack that sends forged ARP messages to bind the attacker's MAC address to another host's IP, redirecting traffic through the attacker.
- DHCP Spoofing (attacks № 312)
An attack in which an adversary replies to DHCP requests with crafted offers to push a malicious gateway, DNS server, or other options to victim clients.
- HSRP / VRRP Attack (attacks № 492)
An attack that injects forged HSRP or VRRP messages with a higher priority to become the active gateway for a subnet and intercept traffic.
● See also
- DHCP Starvation (№ 313)