STP – Spanning Tree Protocol

This test checks that the Spanning Tree Protocol (STP) is not active on customer ports. A customer port that participates in spanning tree lets an attacker inject BPDUs, for example claiming the root bridge role, which can pull traffic through the attacker's device or trigger repeated topology recalculations that overload the switches in the network.

No spanning-tree BPDUs should be sent out on customer ports, and any BPDUs received on a customer port should be silently discarded.

Impact: DoS, MITM

Test process

  • Malicious listens on its customer port for BPDU packets.
  • Malicious sends BPDU packets of each variant (STP, RSTP, PVST, and MSTP) and keeps listening on the same interface to detect whether the switch responds.

Fail criteria

  • A spanning-tree BPDU of any variant arrives at Malicious, either during the initial listening phase or in response to the injected BPDUs.
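The following is an added example implementing the test process and fail criteria above in Python; it is not part of the original test suite. It builds the four BPDU variants the procedure injects, classifies received frames so that only genuine BPDUs (untagged or with a single 802.1Q tag) count as a failure, and, on Linux with CAP_NET_RAW, runs the listen/inject/listen sequence on a given interface. The source MAC, bridge priority, VLAN ID and timers are constructed values chosen for illustration.

```python
"""Build STP/RSTP/MSTP/PVST+ BPDUs and detect them on a customer port.

Added example for the test procedure; MAC addresses, priorities, VLAN ID
and timers are constructed illustration values, not from the test suite.
"""
import socket
import struct
import sys
import time

STP_DST = bytes.fromhex("0180c2000000")    # IEEE 802.1D bridge group address
PVST_DST = bytes.fromhex("01000ccccccd")   # Cisco PVST+ multicast address
LLC_STP = bytes.fromhex("424203")          # DSAP/SSAP 0x42, UI control field
LLC_SNAP = bytes.fromhex("aaaa03")         # SNAP LLC header
SNAP_PVST = bytes.fromhex("00000c010b")    # Cisco OUI + PVST+ protocol id


def _bpdu_body(version, bridge_mac, priority=0x0000):
    """Raw BPDU payload; version 0 = STP, 2 = RSTP, 3 = MSTP.

    The sender claims to be root with the lowest possible priority, so a
    switch that runs spanning tree on the port would have to react.
    """
    bridge_id = struct.pack("!H6s", priority, bridge_mac)
    bpdu_type = 0x00 if version == 0 else 0x02      # Config vs RST/MST BPDU
    flags = 0x00 if version == 0 else 0x3e          # proposal, designated, learning, forwarding
    body = struct.pack("!HBBB8sI8sHHHHH", 0x0000, version, bpdu_type, flags,
                       bridge_id, 0, bridge_id, 0x8001,
                       0, 20 * 256, 2 * 256, 15 * 256)   # age/max/hello/fwd in 1/256 s
    if version >= 2:
        body += b"\x00"                             # Version 1 Length, always 0
    if version == 3:
        mst_cfg = struct.pack("!B32sH16s", 1, b"", 0, b"\x00" * 16)   # format, name, revision, digest
        v3 = mst_cfg + struct.pack("!I8sB", 0, bridge_id, 20)         # CIST cost, CIST bridge id, hops
        body += struct.pack("!H", len(v3)) + v3
    return body


def build_frame(flavour, src_mac, vlan=1):
    """Complete 802.3 frame for one BPDU flavour: 'stp', 'rstp', 'mstp' or 'pvst'."""
    if flavour == "pvst":
        # PVST+ is SNAP-encapsulated and carries an Originating-VLAN TLV at the end
        payload = LLC_SNAP + SNAP_PVST + _bpdu_body(0, src_mac) + struct.pack("!HHH", 0, 2, vlan)
        dst = PVST_DST
    else:
        payload = LLC_STP + _bpdu_body({"stp": 0, "rstp": 2, "mstp": 3}[flavour], src_mac)
        dst = STP_DST
    return dst + src_mac + struct.pack("!H", len(payload)) + payload


def classify_bpdu(frame):
    """Return a dict describing the BPDU in `frame`, or None if it is not a BPDU.

    Accepts untagged frames and a single 802.1Q tag; ARP, IP and other
    multicast traffic yields None so it never produces a false failure.
    """
    if len(frame) < 14:
        return None
    dst, off = frame[:6], 12
    if frame[off:off + 2] == b"\x81\x00":          # skip a VLAN tag if present
        off += 4
    off += 2                                       # 802.3 length field
    llc = frame[off:off + 3]
    if dst == STP_DST and llc == LLC_STP:
        flavour, bpdu = "ieee", frame[off + 3:]
    elif dst == PVST_DST and llc == LLC_SNAP and frame[off + 3:off + 8] == SNAP_PVST:
        flavour, bpdu = "pvst", frame[off + 8:]
    else:
        return None
    if len(bpdu) < 4 or bpdu[:2] != b"\x00\x00":   # protocol identifier must be 0
        return None
    version, bpdu_type = bpdu[2], bpdu[3]
    if flavour == "ieee":
        flavour = {0: "stp", 2: "rstp", 3: "mstp"}.get(version, "ieee-unknown")
    info = {"flavour": flavour, "version": version, "type": bpdu_type}
    if bpdu_type in (0x00, 0x02) and len(bpdu) >= 35:   # TCN BPDUs (0x80) carry no root id
        prio, mac = struct.unpack("!H6s", bpdu[5:13])
        info["root"] = "%04x.%s" % (prio, mac.hex(":"))
    return info


def _listen(sock, seconds, own_mac):
    """Collect BPDUs seen on the socket for `seconds`, ignoring our own frames."""
    seen, deadline = [], time.monotonic() + seconds
    while time.monotonic() < deadline:
        try:
            frame = sock.recv(2048)
        except socket.timeout:
            continue
        if frame[6:12] != own_mac:
            info = classify_bpdu(frame)
            if info:
                seen.append(info)
    return seen


def run_test(iface, listen_seconds=10.0, src_mac=bytes.fromhex("020000000001")):
    """Listen, inject all four BPDU variants, listen again; FAIL if any BPDU arrives.

    Requires Linux and CAP_NET_RAW on the Malicious Customer host.
    """
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(0x0003))  # ETH_P_ALL
    sock.bind((iface, 0))
    sock.settimeout(0.5)
    seen = _listen(sock, listen_seconds, src_mac)          # step 1: passive listening
    for flavour in ("stp", "rstp", "pvst", "mstp"):         # step 2: inject each variant
        sock.send(build_frame(flavour, src_mac))
    seen += _listen(sock, listen_seconds, src_mac)          # ...and keep listening
    return ("FAIL" if seen else "PASS"), seen


if __name__ == "__main__":
    verdict, bpdus = run_test(sys.argv[1] if len(sys.argv) > 1 else "eth0")
    print(verdict, bpdus)
```

Run it as root on the Malicious Customer host with the customer-facing interface as the argument; a PASS means the switch neither emitted BPDUs unprompted nor answered the injected ones, which is the behaviour the requirement above demands.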

References

This test conforms to SEC Access Certification ID "SEC-CM-SPT-1" and to SAVI RFC 6959 section 3.2.3.

Parameters

General

  • Malicious Customer: A customer interface performing malicious actions.
  • ISP: A central node on a trusted port.