This test checks that the Spanning Tree Protocol (STP) is not available on customer ports. If available, this protocol could be used to perform various attacks in the network, such as redirecting traffic or overloading devices.
No spanning-tree packets should be sent out on customer ports, and any spanning-tree packets received should be silently discarded.
Impact: DoS, MITM
- The Malicious Customer listens for BPDU packets.
- The Malicious Customer sends BPDU packets for each variant (STP, RSTP, PVST, and MSTP) and keeps listening on the interface if the switch responds.
- An STP BPDU packet arrives at the Malicious Customer, showing that spanning tree is exposed on the customer port.
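As an added example (not part of the test specification), the following Python classifier shows what the listener in the steps above has to do: recognise IEEE (STP/RSTP/MSTP) and Cisco PVST+ BPDUs arriving on the customer interface and turn any hit into a finding. The sample frames are constructed, and untagged 802.3 frames are assumed.

```python
import struct

IEEE_STP_MAC = bytes.fromhex("0180c2000000")        # 802.1D bridge-group multicast
CISCO_PVST_MAC = bytes.fromhex("01000ccccccd")      # PVST+/Rapid-PVST+ multicast
PVST_SNAP = bytes.fromhex("aaaa03" "00000c" "010b")  # SNAP header, Cisco OUI, PID 0x010b
VARIANT = {0: "STP", 2: "RSTP", 3: "MSTP"}           # BPDU protocol version byte

def fmt_bridge_id(bid: int) -> str:
    return "%04x.%012x" % (bid >> 48, bid & 0xFFFFFFFFFFFF)   # priority.mac

def parse_bpdu(frame: bytes):
    """Describe the BPDU in an untagged 802.3 frame (IEEE LLC 42/42/03 or Cisco
    PVST+ SNAP encapsulation); return None if the frame carries no BPDU."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] > 1500:
        return None                                  # too short, or Ethernet II/802.1Q
    if frame[:6] == IEEE_STP_MAC and frame[14:17] == b"\x42\x42\x03":
        encap, body = "IEEE", frame[17:]
    elif frame[:6] == CISCO_PVST_MAC and frame[14:22] == PVST_SNAP:
        encap, body = "PVST+", frame[22:]
    else:
        return None
    if len(body) < 4 or body[:2] != b"\x00\x00":     # protocol identifier is always 0
        return None
    version, bpdu_type = body[2], body[3]
    info = {"encap": encap, "variant": VARIANT.get(version, "unknown"), "bpdu_type": bpdu_type}
    if bpdu_type == 0x80:                            # Topology Change Notification
        return {**info, "kind": "TCN"}
    if len(body) < 35:                               # Config/RST/MST BPDU needs 35 bytes
        return None
    flags, root_id, cost, bridge_id, port_id = struct.unpack("!BQIQH", body[4:27])
    _, max_age, hello, fwd_delay = (t / 256 for t in struct.unpack("!4H", body[27:35]))
    info.update(kind="Configuration" if bpdu_type == 0 else "RST/MST", flags=flags,
                root_bridge=fmt_bridge_id(root_id), sender_bridge=fmt_bridge_id(bridge_id),
                root_path_cost=cost, port_id=port_id, max_age_s=max_age, hello_s=hello,
                forward_delay_s=fwd_delay)
    return info

def leaked_bpdus(frames):
    """Listener verdict: any BPDU seen on a customer port is a finding; pass only if empty."""
    return [p for p in map(parse_bpdu, frames) if p is not None]

# Constructed sample frames, not real captures (PVST+ VLAN TLV trailer omitted).
_BID = bytes.fromhex("8000" "001122334455")                          # priority 32768, MAC
_CONF = b"\x00" + _BID + bytes(4) + _BID + b"\x80\x01" + bytes.fromhex("0000140002000f00")
SRC = bytes.fromhex("0a0b0c0d0e0f")
STP_FRAME = IEEE_STP_MAC + SRC + b"\x00\x26\x42\x42\x03" + b"\x00\x00\x00\x00" + _CONF
RSTP_FRAME = IEEE_STP_MAC + SRC + b"\x00\x27\x42\x42\x03" + b"\x00\x00\x02\x02" + _CONF + b"\x00"
PVST_FRAME = CISCO_PVST_MAC + SRC + b"\x00\x2b" + PVST_SNAP + b"\x00\x00\x00\x00" + _CONF
TCN_FRAME = IEEE_STP_MAC + SRC + b"\x00\x07\x42\x42\x03" + b"\x00\x00\x00\x80"
ARP_FRAME = b"\xff" * 6 + SRC + b"\x08\x06" + bytes(8)               # Ethernet II, ignored
```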
This test conforms to SEC Access Certification ID "SEC-CM-SPT-1" and to SAVI RFC 6959 section 3.2.3.
- Malicious Customer: A customer interface performing malicious actions.
- ISP: A central node on a trusted port.