What is Double Tagging Attack, How it Works And Limitations

Double Tagging Attack

A double tagging attack is an advanced form of VLAN hopping that works at Layer 2 (the Data Link Layer). By taking advantage of the way certain switches handle frames belonging to a trunk link’s native VLAN, an attacker can bypass network segmentation and inject traffic into a target VLAN that is supposed to be restricted or isolated.

The aim of the attack is to deliver frames into a VLAN that the attacker should not be able to reach.

How does the Double Tagging Attack work?

The attack builds a malicious Ethernet frame that carries two nested IEEE 802.1Q VLAN tags (also known as double encapsulation). It requires the attacker to be connected to an access port whose VLAN is the same as the native VLAN of an adjacent trunk link.

Two separate steps are involved in the mechanism, spanning two switches:

Frame Creation and the First Switch (Vulnerability Exploitation)

  • Frame Crafting: The attacker builds a frame that carries two VLAN tags:
    • Outer Tag: Set to the VLAN ID of the attacker’s access port, which is also the native VLAN ID of the neighboring trunk.
    • Inner Tag: Set to the VLAN ID of the restricted target VLAN (such as a server VLAN) that the attacker wishes to reach.
  • First Switch Processing (Stripping the Outer Tag): The attacker transmits this frame to the ingress switch, the first switch on the path.
    • Because the outer tag matches the native VLAN ID configured on the trunk link, the switch treats the frame as ordinary native VLAN traffic.
    • The switch strips only one level of tagging: the outer VLAN tag is removed.
    • Since native VLAN traffic is sent untagged on the trunk, the switch forwards the frame onto the trunk link without adding a new tag, so the inner tag is now the only tag in the frame.

Frame on the Trunk and the Second Switch (Exploitation)

  • Frame Transmission: The inner VLAN tag pointing to the target VLAN is still present in the frame even after it crosses the trunk link.
  • Second Switch Processing (The Hop): The frame is received by the second switch, also known as the remote switch.
    • A frame with an embedded VLAN tag (the inner tag) is received by the second switch from the trunk.
    • This inner tag is interpreted by the second switch as a valid tag that indicates the frame is part of the designated target VLAN.
    • The “VLAN Hop” is completed when the second switch eliminates this inner tag and sends the frame to the victim host that is on the target VLAN.


Key Vulnerability: The Native VLAN

The success of the double tagging attack hinges entirely on the special handling of the native VLAN by the switch.

  • When a switch receives a tagged frame whose tag matches the native VLAN ID, it performs only one tag strip: it removes the outer tag and forwards the frame. This exposes the malicious inner tag on the trunk, where the next switch interprets the frame as a valid single-tagged frame.
  • Common misconfigurations include leaving the default VLAN (VLAN 1) as the native VLAN and allowing untagged traffic on trunk ports.

Attack Limitations and Goals

The Double Tagging attack has notable limitations, primarily concerning bidirectional communication:

  • Unidirectional Communication: In most cases the attack is one-way. The attacker, who sits on the native VLAN (e.g., VLAN 1), cannot receive the victim’s return traffic, because that traffic is tagged only with the victim’s VLAN ID (e.g., VLAN 20).
  • TCP Roadblock: A complete TCP 3-way handshake typically cannot be completed, since the attacker never receives the required SYN-ACK response. Theoretical techniques for guessing the SYN-ACK exist, but they are hindered by the randomization of TCP sequence and acknowledgment numbers.
  • Effective Targets: Connectionless protocols such as UDP are the most exposed to the attack. Attackers can use this method for:
    • Sending spoofed frames or conducting targeted attacks with constrained payloads.
    • Denial-of-Service attacks or abuse of UDP-based services.

How to detect it

  • Keep an eye out for unexpected frames from access ports that are VLAN-tagged.
  • Keep an eye out for odd MAC/VLAN mappings or frequent MAC transfers in switch logs.
  • Make use of IDS/IPS signatures that identify unusual tagging patterns and double-tagged frames.
  • Use network telemetry to spot traffic from a single access port unexpectedly showing up on several VLANs.
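A small detector for the tagging patterns listed above, added here as an example and not part of the original tutorial: it walks the 802.1Q tag stack of a raw Ethernet frame and flags tagged frames arriving on an access port, double-tagged frames, and the specific case where the outer tag equals the native VLAN. The sample frames, port mode and native VLAN value are constructed for the example.

```python
import struct

# 0x8100 is the 802.1Q TPID; 0x88A8 is the 802.1ad (Q-in-Q) service-tag TPID.
# Both mark a 4-byte VLAN tag and are treated the same way here.
VLAN_TPIDS = (0x8100, 0x88A8)

def parse_vlan_tags(frame: bytes):
    """Return (vlan_ids, ethertype, payload_offset) for a raw Ethernet frame.
    vlan_ids is ordered outermost first, so a double-tagged frame gives [outer, inner]."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset = 12                      # skip destination and source MAC addresses
    vlan_ids = []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated frame")
        ethertype = struct.unpack_from("!H", frame, offset)[0]
        if ethertype not in VLAN_TPIDS:
            return vlan_ids, ethertype, offset + 2
        if offset + 4 > len(frame):
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        vlan_ids.append(tci & 0x0FFF)   # low 12 bits of the TCI hold the VLAN ID
        offset += 4

def classify_frame(frame: bytes, port_mode: str, native_vlan: int):
    """Alerts a monitor should raise for this frame on a port of the given mode."""
    vlan_ids, _, _ = parse_vlan_tags(frame)
    alerts = []
    if port_mode == "access" and vlan_ids:
        alerts.append("tagged frame received on an access port")
    if len(vlan_ids) >= 2:
        alerts.append("double-tagged frame")
        if vlan_ids[0] == native_vlan:
            alerts.append(f"outer tag matches native VLAN {native_vlan}; "
                          f"inner tag would hop into VLAN {vlan_ids[1]}")
    return alerts

# Constructed sample frames (not captured traffic): broadcast destination MAC,
# locally administered source MAC, IPv4 ethertype, 4-byte dummy payload.
DOUBLE_TAGGED = bytes.fromhex("ffffffffffff" "020000000001"
                              "81000001"     # outer tag: VLAN 1, the native VLAN
                              "81000014"     # inner tag: VLAN 20, the target VLAN
                              "0800" "deadbeef")
SINGLE_TAGGED = bytes.fromhex("ffffffffffff" "020000000002" "81000014" "0800" "deadbeef")
UNTAGGED = bytes.fromhex("ffffffffffff" "020000000003" "0800" "deadbeef")

if __name__ == "__main__":
    for name, frame in (("double", DOUBLE_TAGGED), ("single", SINGLE_TAGGED), ("untagged", UNTAGGED)):
        print(name, parse_vlan_tags(frame)[0], classify_frame(frame, "access", 1))
```

On a real sensor the frames would come from a packet capture on a SPAN or mirror port, and the port mode and native VLAN from the switch configuration.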

Mitigation Strategies

Preventing double tagging attacks requires following VLAN security best practices:

  • Isolate Native VLAN
    • Purpose and best practice: Do not use the native VLAN (often VLAN 1 by default) for any user or host traffic. Assign the native VLAN to an arbitrary, unused ID.
    • Command example (Cisco): switchport trunk native vlan 999 (where 999 is unused)
  • Enforce Explicit Tagging
    • Purpose and best practice: Force the switch to tag all traffic on the native VLAN. This eliminates the core vulnerability by preventing the outer tag from being stripped.
    • Command example (Cisco): vlan dot1q tag native (Global Configuration Mode)
  • Restrict Trunking
    • Purpose and best practice: Disable trunk auto-negotiation (DTP is not required for this attack, but disabling it is a best practice). Explicitly define which VLANs are allowed on the trunk port.
    • Command example (Cisco): switchport mode trunk and switchport nonegotiate
  • Configure Access Ports
    • Purpose and best practice: Configure user-facing ports explicitly as access ports and disable any dynamic trunking.
    • Command example (Cisco): switchport mode access
  • Layer 2 Security/ACLs
    • Purpose and best practice: Implement port security and apply restrictive VLAN ACLs (Access Control Lists) between VLANs to limit service reachability even if traffic successfully hops.
    • Command example (Cisco): N/A
  • Physical Security
    • Purpose and best practice: Administratively disable all unused switch ports.
    • Command example (Cisco): shutdown
