VLAN hopping

4.2 Summarize various types of attacks and their impact

Network Attacks

📘CompTIA Network+ (N10-009)


Definition:
VLAN Hopping is a type of network attack where an attacker on one VLAN (Virtual Local Area Network) manages to gain access to traffic on another VLAN, bypassing network segmentation. Essentially, the attacker “jumps” from one VLAN to another without authorization.

VLANs are used in networks to separate devices logically, even if they are physically connected to the same switch. Each VLAN has its own broadcast domain, meaning traffic is usually isolated. VLAN Hopping tries to break that isolation.


How VLAN Hopping Works

There are two main techniques used in VLAN hopping attacks:

  1. Switch Spoofing
    • The attacker tricks the switch into thinking their device is another switch.
    • They send trunk negotiation messages so that the switch forms a trunk link with them (using 802.1Q or ISL encapsulation).
    • A trunk link carries traffic for multiple VLANs, so the attacker can access VLANs they shouldn’t.
    • This happens when a switch port is configured incorrectly (e.g., a port is set to auto-negotiate trunks).
    Example in IT Environment:
    • A user connects a device to a switch port configured as “dynamic auto” (default on many switches).
    • The attacker’s device pretends to be a switch.
    • The switch allows the attacker’s device to send and receive traffic from multiple VLANs.
  2. Double Tagging
    • The attacker adds two VLAN tags to the frames they send:
      • Outer tag: Matches the attacker’s VLAN (the one they are on).
      • Inner tag: Matches the target VLAN (the one they want to access).
    • The first switch removes the outer tag but leaves the inner tag intact.
    • The frame continues to the target VLAN, effectively allowing the attacker to “hop” to it.
    • Works only if the attacker’s VLAN is the native VLAN on the trunk link.
    Example in IT Environment:
    • Native VLAN is VLAN 1 (common default).
    • Attacker crafts a frame tagged for VLAN 1 (outer) and VLAN 10 (inner, target VLAN).
    • The switch strips the VLAN 1 tag and forwards the frame on to VLAN 10.
    • Attacker can now see or send traffic in VLAN 10.
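    As an added example that is not part of the original study notes, the following Python walks the 802.1Q tag stack of a raw Ethernet frame and labels frames that carry the double-tagged shape described above, which is what a monitoring tool would look for on an access port. The sample frames, the MAC addresses and the native VLAN number are constructed assumptions, not captured traffic.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag
NATIVE_VLAN = 1       # assumed native VLAN of the trunk, as in the example above


def parse_vlan_tags(frame: bytes):
    """Walk the 802.1Q tag stack of a raw Ethernet frame.

    Each tag is 4 bytes: TPID 0x8100 followed by a TCI whose low 12 bits
    are the VLAN ID. Returns (vlan_ids_outer_to_inner, ethertype, payload).
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset, vlan_ids = 12, []           # skip destination and source MAC
    while True:
        if offset + 2 > len(frame):
            raise ValueError("frame truncated inside tag stack")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype != TPID_8021Q:
            return vlan_ids, ethertype, frame[offset + 2:]
        if offset + 4 > len(frame):
            raise ValueError("frame truncated inside 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vlan_ids.append(tci & 0x0FFF)   # VLAN ID is the low 12 bits of the TCI
        offset += 4


def classify_frame(frame: bytes, native_vlan: int = NATIVE_VLAN):
    """Label a frame seen on an access port.

    Access ports should never carry stacked tags, and an outer tag equal to
    the trunk's native VLAN is exactly the double-tagging pattern.
    """
    vlan_ids, _, _ = parse_vlan_tags(frame)
    if not vlan_ids:
        return "untagged", vlan_ids
    if len(vlan_ids) == 1:
        return "single_tagged", vlan_ids
    if vlan_ids[0] == native_vlan:
        return "double_tagged_native", vlan_ids
    return "double_tagged", vlan_ids


# Constructed sample frames (not captured traffic): broadcast destination,
# locally administered source MAC, ARP EtherType, dummy 4-byte payload.
_HDR = bytes.fromhex("ffffffffffff" "020000000001")
_TAIL = bytes.fromhex("0806" "00000000")
UNTAGGED = _HDR + _TAIL
SINGLE_TAGGED = _HDR + bytes.fromhex("8100000a") + _TAIL                          # VLAN 10
DOUBLE_TAGGED = _HDR + bytes.fromhex("81000001") + bytes.fromhex("8100000a") + _TAIL  # outer 1, inner 10

if __name__ == "__main__":
    for name, f in [("untagged", UNTAGGED), ("single", SINGLE_TAGGED), ("double", DOUBLE_TAGGED)]:
        print(name, classify_frame(f))
```

Passing a different native VLAN (as the prevention section recommends) turns the same frame into a plain double-tagged frame, which the first switch would not strip down to the inner tag.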

Impact of VLAN Hopping

  • Data Breach: Sensitive information on another VLAN can be intercepted.
  • Unauthorized Access: Attackers can reach servers, printers, or other devices on restricted VLANs.
  • Network Compromise: If attackers reach the management VLAN, they could take control of switches or routers.
  • Security Policy Bypass: VLANs are meant to segment traffic, but hopping defeats this control.

How to Prevent VLAN Hopping

  1. Disable Dynamic Trunking
    • Don’t use default “dynamic auto” or “dynamic desirable” for user ports.
    • Configure access ports explicitly for a single VLAN.
  2. Use a Separate Native VLAN
    • Change the native VLAN on trunk links to a VLAN not used for user access.
    • Avoid using VLAN 1 as the native VLAN.
  3. Prune Unused VLANs on Trunks
    • Only allow VLANs that are needed on trunk links.
  4. Port Security
    • Limit the MAC addresses allowed per port to prevent rogue devices.
  5. Regular Monitoring
    • Use network monitoring to detect unusual traffic patterns or unexpected VLAN traffic.

Exam Tip:

For CompTIA Network+, remember the two main techniques of VLAN Hopping: Switch Spoofing and Double Tagging. Also, know why it’s dangerous (unauthorized access, data breaches) and how to prevent it (disable dynamic trunks, use separate native VLANs, port security).
