Thursday, April 23, 2009

Spanning Tree Protocol

I was promiscuously sniffing data on a network the other day when I kept coming across a series of packets with a protocol I knew nothing about, with data for setting what seemed to be a root variable. I realized that the protocol was known as Spanning Tree Protocol and it was used to create an acyclic minimum spanning tree out of the network's switches so that packets are never caught in loops. Switches use this protocol in order to determine what ports to open and close in order to establish a cycle-free path for packet transmission.


The thing is, the packet was in plain text and not validated, so I decided to do some research to see whether STP in conjunction with MAC spoofing could be used to DoS a network.


Spanning Tree Protocol works by creating a minimum spanning tree of the network switches so no loops are established. The packet flow created is not the minimum spanning tree of the entire network, but a minimum spanning tree from a given node elected to be the root node.


STP is designed to help elect a root node.


This is exploitable because an attacker can disrupt a minimum spanning tree and force a new election. By creating packets from a fake switch and getting elected root node by setting the ID to 1, an attacker can send the network's switches into a constant state of re-election. A more detailed explanation, along with proof-of-concept code, can be found at http://lucastomicki.net/attacking.stp.php.
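Because the root fields travel unauthenticated, a defender can watch for them changing. The following is an added example, not code from this post or the linked page: it parses the root bridge ID out of raw 802.3 frames carrying STP BPDUs and flags any root other than the one the administrator expects. The function names, MAC addresses and sample frames are constructed for illustration.

```python
import struct

STP_MULTICAST = bytes.fromhex("0180c2000000")  # 802.1D bridge group address
LLC_STP = b"\x42\x42\x03"                      # DSAP, SSAP, control for STP

def parse_bpdu_root(frame: bytes):
    """Return (sender_mac, root_priority, root_mac) from a configuration or
    RST BPDU frame, or None for anything else (including truncated frames)."""
    if len(frame) < 14 + 3 + 35 or frame[:6] != STP_MULTICAST:
        return None
    if frame[14:17] != LLC_STP:
        return None
    proto, _version, bpdu_type = struct.unpack_from("!HBB", frame, 17)
    if proto != 0 or bpdu_type not in (0x00, 0x02):  # TCN BPDUs carry no root ID
        return None
    root_prio, root_mac = struct.unpack_from("!H6s", frame, 22)
    return frame[6:12].hex(":"), root_prio, root_mac.hex(":")

def audit_roots(frames, expected_root):
    """Return (alerts, changes): one alert per BPDU advertising a root other
    than expected_root, and how often the advertised root changed."""
    alerts, current, changes = [], None, 0
    for frame in frames:
        parsed = parse_bpdu_root(frame)
        if parsed is None:
            continue
        sender, prio, mac = parsed
        if current is not None and (prio, mac) != current:
            changes += 1
        current = (prio, mac)
        if current != expected_root:
            alerts.append(f"unexpected root {prio}/{mac} advertised by {sender}")
    return alerts, changes

def build_bpdu(src_mac, root_prio, root_mac):
    """Build a constructed sample frame for the demo (not captured traffic)."""
    bridge_prio = root_prio if src_mac == root_mac else 32768
    bpdu = struct.pack("!HBBB", 0, 0, 0, 0)  # protocol, version, type, flags
    bpdu += struct.pack("!H6sI", root_prio, bytes.fromhex(root_mac), 0)
    bpdu += struct.pack("!H6sH", bridge_prio, bytes.fromhex(src_mac), 0x8001)
    bpdu += struct.pack("!HHHH", 0, 20 * 256, 2 * 256, 15 * 256)  # timers, 1/256 s
    llc = LLC_STP + bpdu
    return STP_MULTICAST + bytes.fromhex(src_mac) + struct.pack("!H", len(llc)) + llc

EXPECTED_ROOT = (4096, "00:11:22:33:44:55")   # assumed known-good root bridge
SAMPLE = [build_bpdu("00aabbccddee", 4096, "001122334455"),
          build_bpdu("0a0000000099", 1, "0a0000000099"),   # claims to be root
          build_bpdu("00aabbccddee", 4096, "001122334455"),
          b"\x00" * 20]                                    # truncated, ignored

if __name__ == "__main__":
    print(audit_roots(SAMPLE, EXPECTED_ROOT))
```

A high count of root changes over a short window is the re-election churn described above. On the switches themselves, the enforcement counterpart is an edge-port control such as BPDU Guard or Root Guard.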
