Attacks on Spanning Tree Protocol with Yersinia

October 31, 2010

Attack 1: Taking over the root bridge

  • Never set the TC-ACK bit when receiving TCN BPDUs -> unnecessary flooding
  • Keep switching between root bridge and other roles – excessive load on the processor

Countermeasures:

  • Root guard
  • BPDU-guard

Root ownership attack countermeasure – Root guard

  • Ensures that the port on which root guard is enabled is the designated port. Normally, root bridge ports are all designated ports, unless two or more ports of the root bridge are connected together.
  • If the bridge receives superior BPDUs on a root guard-enabled port, root guard moves this port to a root-inconsistent STP state. It is effectively equal to a listening state. No traffic is forwarded across this port.
  • Configured on a per-port basis
  • May be enabled on all ports where root bridges should not appear

Root ownership attack countermeasure – BPDU-Guard

  • Devices behind ports with BPDU-guard enabled are unable to influence the STP topology. Such devices include hosts running Yersinia, for example. At the reception of a BPDU, BPDU-guard disables the port. BPDU-guard transitions the port into the errdisable state, and a message is generated.
  • Unlike root guard, BPDU-guard disables the port when any BPDU at all is received, superior or not.

Attack 2 – DoS using a Flood of Config BPDUs

Yersinia can generate approximately 25,000 BPDUs per second on a test machine (an Intel Pentium 4 running Linux 2.4-20.8), enough to bring a Catalyst 6500 Supervisor Engine 720 running 12.2(18)SXF to 99 percent CPU utilization on the switch processor.

Countermeasures:

  • BPDU-guard
  • BPDU filtering – disallows BPDUs in both directions. Should only be enabled on workstation-facing ports.
  • Layer 2 PDU rate limiter
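As an added example (not from the notes and not Yersinia's code), the three per-port countermeasures described above, root guard, BPDU-guard and a Layer 2 PDU rate limiter, modelled in Python against constructed Config BPDUs. The port state names, the one-second window and the 100-BPDU budget are assumptions made for the illustration.

```python
from collections import deque, namedtuple

# The Config BPDU fields that decide superiority. A bridge ID is (priority, mac), so
# plain tuple ordering is the 802.1D ordering: lower root ID, lower RPC, lower sender, lower port.
ConfigBpdu = namedtuple("ConfigBpdu", "root_id root_path_cost sender_id port_id")

def is_superior(new, current):
    return tuple(new) < tuple(current)

class AccessPort:
    """Per-port countermeasures from the notes; 'errdisable' and 'root-inconsistent' are sticky."""
    def __init__(self, root_guard=False, bpdu_guard=False, rate_limit=None):
        self.root_guard, self.bpdu_guard, self.rate_limit = root_guard, bpdu_guard, rate_limit
        self.state = "forwarding"
        self.recent = deque()             # BPDU arrival times within the last one-second window

    def receive(self, bpdu, our_best, now):
        """Handle one received Config BPDU; return 'accepted', 'dropped' or the new port state."""
        if self.state != "forwarding":
            return self.state
        if self.bpdu_guard:               # BPDU-guard: any BPDU at all disables the port
            self.state = "errdisable"
            return self.state
        if self.rate_limit is not None:   # Layer 2 PDU rate limiter: drop BPDUs over the budget
            self.recent.append(now)
            while now - self.recent[0] >= 1.0:
                self.recent.popleft()
            if len(self.recent) > self.rate_limit:
                return "dropped"
        if self.root_guard and is_superior(bpdu, our_best):
            self.state = "root-inconsistent"  # listening-equivalent: no traffic forwarded
            return self.state
        return "accepted"

# Constructed sample BPDUs: our own best BPDU, and a rogue one claiming priority 0 to become root.
OURS = ConfigBpdu((32768, "00:00:00:00:02:00"), 0, (32768, "00:00:00:00:02:00"), 1)
ROGUE = ConfigBpdu((0, "00:00:00:00:ff:ff"), 0, (0, "00:00:00:00:ff:ff"), 1)

def demo():
    """Apply each countermeasure to the rogue BPDU; the rate-limited port sees 150 of them in 0.15 s."""
    rg, bg, rl = AccessPort(root_guard=True), AccessPort(bpdu_guard=True), AccessPort(rate_limit=100)
    flood = [rl.receive(ROGUE, OURS, i * 0.001) for i in range(150)]
    return {"root_guard": rg.receive(ROGUE, OURS, 0.0),
            "bpdu_guard": bg.receive(ROGUE, OURS, 0.0),
            "rate_limit_dropped": flood.count("dropped")}

if __name__ == "__main__":
    print(demo())
```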

Attack 3 – DoS using a Flood of TCN BPDUs – unnecessary flooding

Countermeasures:

  • BPDU-guard
  • BPDU filtering

Attack 4 – Simulating a Dual-Homed Switch

Countermeasures:

  • BPDU-guard
  • BPDU filtering

Info on Spanning Tree Protocol

Every port is associated with a cost, which can be auto-assigned based on link speed (inversely proportional to the bandwidth).
At the base of the tree is a root bridge – The switch with the lowest bridge ID (a concatenation of a 16-bit user-assigned priority and the switch’s MAC address) is elected as the root-bridge.


Every switch in the domain claims itself as the root throughout the network by means of Bridge Protocol Data Units (BPDUs).
When receiving a BPDU from a neighbor, a bridge compares the sender’s bridge ID with its own to determine which switch has the lowest ID. Only the one with the lowest ID keeps on generating BPDUs; this continues until a single switch wins the designated root-bridge election.
The root bridge advertises a path cost of 0. When a port receives a BPDU, it adds its cost to the path cost in the BPDU before forwarding it.

Roles of ports

Root Port – One per non-root bridge. It is the port that leads to the root bridge with the shortest path cost.
When two BPDUs are received on a switch because of redundant links in the network, the one with the higher cost is logically disabled—it is put in blocked mode.
The bridge that is responsible for forwarding packets on a given segment is called the designated bridge. It is the one that has the lowest root path cost on that segment. Its port connected to that segment is a designated port.

RPC = Root Path Cost (cost to root switch)

Root Port = Port used to get to root

How do we calculate cost to root?

A port's cost is only added when a BPDU is sent out on that port; the sum then becomes the new RPC.

Tiebreaker – if multiple ports have the same root path cost, pick the one that has the lowest root number.

A root should only have designated ports (DP). Ports that are neither a designated port nor a root port should be blocked.

There is a tiebreaker for the DP on segment 5 (between BR5 and BR4); because BR4 has the lowest port number, it wins. The other ports on the segment are dropped from the tree.

Example of calculating a spanning tree:

Calculate the new spanning tree after BR1 is down

The first thing you have to do is designate the new root.

We define p=200 as root because “At the base of the tree is a root bridge – The switch with the lowest bridge ID (a concatenation of a 16-bit user-assigned priority and the switch’s MAC address) is elected as the root-bridge.” It has a root path cost of 0 and no root port (a root port leads to the root).

Which port does p=300 use to get to root? It uses the 4 on the bottom to get to 500 and then 2 to get to 200, total 6, so RPC=6.
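An added example (not from the notes): the root election, RPC and port-role computation described above, run in Python over a constructed topology in which bridge 100 plays BR1 and, once it is down, 200 becomes root and 300 reaches it via 500 at RPC 6, as in the worked example. Ties on RPC are broken by the lower upstream bridge ID, a simplification of the full 802.1D tiebreak, and the link costs are assumptions.

```python
import heapq

# Constructed topology (not the figure from the notes). Bridge IDs are the bare numbers
# the notes use; each link is (bridge, bridge, port cost), the same cost seen from both ends.
LINKS = [(100, 200, 1), (100, 300, 1), (200, 500, 2), (500, 300, 4), (200, 300, 10)]

def spanning_tree(links, down=()):
    """Elect the root (lowest bridge ID) and return {bridge: (RPC, upstream bridge)}.
    Equal RPCs are broken by the lower upstream bridge ID."""
    adj = {}
    for a, b, cost in links:
        if a in down or b in down:
            continue                      # a failed bridge sends no BPDUs
        adj.setdefault(a, []).append((b, cost))
        adj.setdefault(b, []).append((a, cost))
    root = min(adj)                       # the root advertises a path cost of 0
    best = {b: (float("inf"), None) for b in adj}
    best[root] = (0, root)
    heap = [(0, root, root)]              # (RPC, upstream, bridge)
    while heap:
        cost, via, b = heapq.heappop(heap)
        if (cost, via) != best[b]:
            continue                      # stale heap entry
        for nb, c in adj[b]:              # the port cost is added to the BPDU's RPC
            if (cost + c, b) < best[nb]:
                best[nb] = (cost + c, b)
                heapq.heappush(heap, (cost + c, b, nb))
    return best

def port_roles(links, down=()):
    """Return {(bridge, neighbour): role} with role 'root', 'designated' or 'blocked'."""
    best = spanning_tree(links, down)
    roles = {}
    for a, b, _ in links:
        if a in down or b in down:
            continue
        # designated bridge on the segment: lowest RPC, then lowest bridge ID
        designated = min((a, b), key=lambda x: (best[x][0], x))
        for me, other in ((a, b), (b, a)):
            if best[me][1] == other:
                roles[(me, other)] = "root"
            elif me == designated:
                roles[(me, other)] = "designated"
            else:
                roles[(me, other)] = "blocked"
    return roles

if __name__ == "__main__":
    print(spanning_tree(LINKS, down={100}))   # BR1 (100) down: 200 becomes root, 300 has RPC 6
    print(port_roles(LINKS, down={100}))
```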

Port States

Disabled: The port is electrically inactive and does not send or receive any traffic. Once enabled, the port transitions to the next state (blocking).
Blocking: Discards all data frames except BPDUs.
Listening: Switches listen to BPDUs to build the loop-free tree. Data packets are not forwarded (15 sec by default with 802.1D timers).
Learning: Forwarding tables are built using the source MAC addresses of data frames; data frames are not forwarded.
Forwarding: Data traffic. At this point, the port is fully operational.

Network-wide timers

Hello. Time between each BPDU that is sent on a port. Default – 2 sec, but can be tuned to be between 1 and 10 sec.
Forward delay. Time spent in the listening and learning state. Default – 15 sec, can be tuned to be between 4 and 30 sec.
Max age. Controls the maximum length of time that passes before a bridge port saves its configuration BPDU information. Default – 20 sec, can be tuned to be between 6 and 40 sec.
TCN (Topology Change Notification), TCA (TC Ack) and TC BPDU

The spanning tree algorithm will time out within a minute if a route is blocked, but the switch can take up to 300 seconds to remove the route from its table.

Topology change:

  • When a port that was forwarding is going down (blocking, for instance).
  • When a port transitions to forwarding and the bridge has a designated port.

The bridge notifies the root bridge of the spanning tree, and the root bridge “broadcasts” the information into the whole network.