Another attack against switches involves intercepting traffic by
attacking the Spanning-Tree Protocol. This protocol is used in switched
networks to prevent the creation of bridging loops in an Ethernet network
topology. On bootup, the switches begin a process of determining a loop-free
topology: they elect one switch as the root bridge and block the
redundant data paths.
By attacking the Spanning-Tree Protocol, the
network attacker hopes to spoof his or her system as the root bridge in the
topology. To do this, the network attacker broadcasts Spanning-Tree Protocol
Configuration/Topology Change Bridge Protocol Data Units (BPDUs) in an attempt
to force spanning-tree recalculations. The BPDUs sent out by the attacking
system announce that the attacking system has a lower (that is, more preferred)
bridge priority value. If successful, the network attacker can see a variety of
frames that would not otherwise reach its port. The figure illustrates how
a network attacker can use Spanning-Tree Protocol to change the topology of a
network so that it appears that the attacking host is the root bridge because it
advertises a more preferred (numerically lower) priority. By transmitting spoofed
BPDUs, the network attacker causes the switches to initiate spanning-tree
recalculations. The two switches then forward frames through the attacking
system once it has become the root bridge.
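The election the text describes hinges on one fact: the bridge ID is a 16-bit priority followed by the bridge MAC, and the numerically lowest value wins. A switch protects itself by refusing BPDUs where it should never see any (BPDU guard on access ports) and by refusing BPDUs that advertise a root better than the operator's designated root on ports that should never face the root (root guard). The following is an added example, not code from the original text: it decodes an 802.1D/802.1w BPDU as it appears after the LLC header and applies those two checks. The port names, port roles, MAC addresses, the "designated root" bridge and the three sample frames are all constructed for the demonstration.

```python
"""Decode IEEE 802.1D/802.1w BPDUs and flag the ones a switch should not accept.

Added example; not from the original text. Port names, roles, MAC addresses,
the designated root and the sample frames below are constructed for the demo.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

CONFIG_BPDU = 0x00   # 802.1D Configuration BPDU
RST_BPDU = 0x02      # 802.1w Rapid Spanning Tree BPDU (same leading 35 bytes)
TCN_BPDU = 0x80      # Topology Change Notification BPDU (4 bytes, carries no IDs)


@dataclass(frozen=True, order=True)
class BridgeId:
    """2-byte priority + 6-byte MAC. The numerically LOWEST bridge ID wins the
    root election, so ordering on (priority, mac) makes "better root" == "smaller"."""
    priority: int
    mac: bytes

    @classmethod
    def from_bytes(cls, raw: bytes) -> "BridgeId":
        (priority,) = struct.unpack("!H", raw[:2])
        return cls(priority, raw[2:8])

    def __str__(self) -> str:
        return f"{self.priority}/{self.mac.hex(':')}"


@dataclass
class Bpdu:
    version: int
    bpdu_type: int
    flags: int
    root: Optional[BridgeId]
    root_path_cost: Optional[int]
    bridge: Optional[BridgeId]
    port_id: Optional[int]


def parse_bpdu(payload: bytes) -> Bpdu:
    """Decode the BPDU that follows the LLC header (DSAP/SSAP 0x42, control 0x03)."""
    if len(payload) < 4:
        raise ValueError("BPDU too short")
    protocol_id, version, bpdu_type = struct.unpack("!HBB", payload[:4])
    if protocol_id != 0:
        raise ValueError(f"unknown protocol id {protocol_id:#06x}")
    if bpdu_type == TCN_BPDU:
        return Bpdu(version, bpdu_type, 0, None, None, None, None)
    if bpdu_type not in (CONFIG_BPDU, RST_BPDU):
        raise ValueError(f"unknown BPDU type {bpdu_type:#04x}")
    if len(payload) < 35:
        raise ValueError("configuration BPDU truncated")
    flags = payload[4]
    root = BridgeId.from_bytes(payload[5:13])
    (root_path_cost,) = struct.unpack("!I", payload[13:17])
    bridge = BridgeId.from_bytes(payload[17:25])
    (port_id,) = struct.unpack("!H", payload[25:27])
    # Bytes 27..34 carry message age, max age, hello time and forward delay.
    return Bpdu(version, bpdu_type, flags, root, root_path_cost, bridge, port_id)


def check_bpdu(port: str, role: str, payload: bytes, expected_root: BridgeId) -> List[str]:
    """Apply the checks that BPDU guard and root guard enforce on a switch port.

    role is "edge" (end hosts only, so no BPDU is ever legitimate) or "trunk"
    (BPDUs are expected, but none may advertise a root better than the one the
    operator designated). Returns a list of alert strings; empty means accept.
    """
    alerts: List[str] = []
    bpdu = parse_bpdu(payload)
    if role == "edge":
        alerts.append(f"{port}: BPDU on edge port; BPDU guard would err-disable the port")
    if bpdu.bpdu_type == TCN_BPDU:
        alerts.append(f"{port}: topology change notification; triggers fast MAC-table aging")
        return alerts
    assert bpdu.root is not None
    if bpdu.root < expected_root:
        alerts.append(f"{port}: advertises root {bpdu.root} superior to designated root "
                      f"{expected_root}; root guard would block the port")
    return alerts


# --- constructed sample frames (LLC header already stripped) -----------------
EXPECTED_ROOT = BridgeId(32768, bytes.fromhex("020000000001"))

# Normal hello from the designated root: priority 32768, path cost 0 (it is the root).
LEGIT_BPDU = bytes.fromhex(
    "0000" "00" "00" "00"            # protocol id, version 0, type config, flags
    "8000" "020000000001"            # root ID: priority 32768 + MAC
    "00000000"                       # root path cost
    "8000" "020000000001"            # bridge ID (sender is the root)
    "8001"                           # port ID
    "0000" "1400" "0200" "0f00"      # msg age 0 s, max age 20 s, hello 2 s, fwd delay 15 s
)

# What the attack in the text looks like on the wire: a host claiming priority 0.
ROGUE_BPDU = bytes.fromhex(
    "0000" "00" "00" "00"
    "0000" "020000000099"            # root ID: priority 0, "better" than 32768
    "00000000"
    "0000" "020000000099"
    "8001"
    "0000" "1400" "0200" "0f00"
)

TCN = bytes.fromhex("0000" "00" "80")

if __name__ == "__main__":
    for port, role, frame in [("Gi1/0/24", "trunk", LEGIT_BPDU),
                              ("Gi1/0/5", "edge", ROGUE_BPDU),
                              ("Gi1/0/24", "trunk", TCN)]:
        for line in check_bpdu(port, role, frame, EXPECTED_ROOT) or [f"{port}: ok"]:
            print(line)
```

Run as-is, the legitimate hello on the trunk produces no alert, the rogue frame on the access port trips both checks (it arrived where no BPDU belongs and it claims a better root), and the TCN is reported because a flood of topology changes is the other symptom of the attack the text describes. The comparison `bpdu.root < expected_root` is the whole root-guard decision: a smaller (priority, MAC) tuple is a "better" root, which is exactly what the spoofed BPDUs advertise.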