

Destroying a Cisco Switch with CDP Flooding

This is an easy Denial of Service (DoS) attack to launch.  We’re going to use the Cisco Discovery Protocol (CDP) to bring a switch to its knees.  It literally only took me 5 minutes to completely destroy this enterprise class switch.

Watch, learn and be afraid.

Normally CDP is used by network engineers to view the network topology.  For example, if you log into a switch and type:

show cdp neighbors

you’ll see directly connected devices that are also using CDP.  It’s a basic verification tool.


I just cleared the CPU table on my switch so my table is empty but normally you’ll see useful data about other devices on your network.

If I do a show cdp traffic I can see there’s hardly anything going on.  Activity is minimal.

show cdp traffic

But what happens if you start flooding my switch with thousands of CDP messages?


We can freeze the operating system running on the switch which effectively blocks anyone from remotely managing the switch. We can also lock up the CPU which causes the switch to start dropping network traffic.  But that’s not the only thing a CDP flood does.

When a switch is overwhelmed and can no longer forward frames it will start to forward frames out all ports just like a hub.

This means an attacker could fire up a protocol analyzer such as Wireshark and start sniffing and collecting sensitive data on your network.   Why?  Because normally a switch only forwards frames directly to the destination MAC so a user capturing frames on switchport 2 will only see frames on switchport 2.  But when the MAC address table fills up the switch starts forwarding frames out all ports which makes it really easy for an intruder to see things he shouldn’t see.

When the MAC address table overflows the switch will start dropping frames.

Let’s look at the CPU  before the attack:

show process cpu sorted | include CPU|PID Runtime|CDP Protocol

Show switch CPU usage

The output is showing us that for the past five seconds our CPU usage was a mere 0.08%.

Now let’s kick open Yersinia in Kali Linux and destroy the switch.

yersinia -G

Click Launch attack in the upper left corner of the Yersinia GUI.

Yersinia Launch Attack

In the CDP tab, pick flooding CDP table from the list.

Yersinia CDP Flood

Yersinia immediately starts pelting the switch with over 2000 CDP frames per second!

Flooded CDP

Now let’s return to the switch to see the damage we did.

show cdp neighbors now shows tens of thousands of bogus devices all originating from Yersinia.

This is very very very bad.

If you don’t believe me just look at the CPU on our switch.

Yersinia destroying a switch with CDP frames

Do you see that little part where it says CPU utilization for five seconds is 99%/100%?

Yup; the CPU is done.
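A defender-side check for the two symptoms shown above, written as an added example (this is not code from the original post): it reads two snapshots of show cdp traffic taken a known number of seconds apart plus one show cdp neighbors table, and alerts when the CDP input rate or the number of neighbors on a single port is implausible. The CLI output below is constructed, and the thresholds and the B0G... device IDs are assumptions.

```python
import re
from collections import Counter

# Thresholds are assumptions for illustration; tune them to your network.
MAX_CDP_INPUT_PPS = 50       # a healthy switch receives a few CDP frames per minute
MAX_NEIGHBORS_PER_PORT = 5   # one physical neighbor per port is the norm

def cdp_input_count(show_cdp_traffic: str) -> int:
    """Pull the cumulative 'Total packets output: X, Input: Y' counter (Y)."""
    m = re.search(r"Total packets output:\s*\d+,\s*Input:\s*(\d+)", show_cdp_traffic)
    if m is None:
        raise ValueError("no 'Total packets' line found in show cdp traffic output")
    return int(m.group(1))

def cdp_input_rate(before: str, after: str, seconds: float) -> float:
    """CDP frames received per second between two 'show cdp traffic' snapshots."""
    return (cdp_input_count(after) - cdp_input_count(before)) / seconds

def neighbors_per_port(show_cdp_neighbors: str) -> Counter:
    """Count neighbor rows per local interface in a 'show cdp neighbors' table.
    A row is: <Device ID> <Local Intrfce, e.g. 'Gig 1/0/2'> <Holdtme> ...
    (rows that IOS wraps onto two lines for long device IDs are not handled)."""
    row = re.compile(r"^\S+\s+(\S+ \S+)\s+\d+\s", re.M)
    return Counter(row.findall(show_cdp_neighbors))

def cdp_flood_alerts(before: str, after: str, seconds: float, neighbors: str) -> list:
    """Return human-readable alerts for the two symptoms of a CDP flood."""
    alerts = []
    rate = cdp_input_rate(before, after, seconds)
    if rate > MAX_CDP_INPUT_PPS:
        alerts.append(f"CDP input rate {rate:.0f} pps exceeds {MAX_CDP_INPUT_PPS} pps")
    for port, n in neighbors_per_port(neighbors).items():
        if n > MAX_NEIGHBORS_PER_PORT:
            alerts.append(f"{n} CDP neighbors on {port} (expected <= {MAX_NEIGHBORS_PER_PORT})")
    return alerts

# Constructed sample output (not captured from a real switch): 12,000 CDP frames
# arrive in 5 seconds and 12 bogus neighbors appear on Gig 1/0/2.
TRAFFIC_BEFORE = "CDP counters :\n\tTotal packets output: 1200, Input: 410\n"
TRAFFIC_AFTER = "CDP counters :\n\tTotal packets output: 1201, Input: 12410\n"
NEIGHBORS = (
    "Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID\n"
    "SW2              Gig 1/0/1         157             S I   WS-C3750  Gig 1/0/2\n"
    + "".join(f"{'B0G%04X' % i:<16} Gig 1/0/2         180             R     Yersinia  Eth 0\n"
              for i in range(12))
    + "\nTotal cdp entries displayed : 13\n"
)

if __name__ == "__main__":
    for alert in cdp_flood_alerts(TRAFFIC_BEFORE, TRAFFIC_AFTER, 5.0, NEIGHBORS):
        print("ALERT:", alert)
```

In practice the two snapshots come from polling the switch (for example over SSH or SNMP) on a fixed interval; a rate anywhere near the 2000 frames per second seen above is far outside what CDP normally produces.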

The Bottom Line

So how do you stop something like this? One way to prevent a CDP flood attack is to disable CDP on the entire switch:

config t
no cdp run

or you can disable it only on specific interfaces that don’t need it:

config t
int gi3/0/1
no cdp enable

The other more viable option is to enable port security on the switch.  I explained how to do this in my article on DHCP starvation attacks.  The idea is that you can confine access to a switchport to a specific layer 2 MAC address.  Since the Kali box running Yersinia isn’t an approved MAC address it wouldn’t be permitted to launch the attack.

What do you think about this?  Have you ever seen someone fry a switch with a CDP flood?

