What is the easiest way for an attacker to perform VLAN hopping?
What is VLAN hopping? In a VLAN hopping attack, an attacker connected to one VLAN gets traffic into (or out of) other VLANs they have no permission to reach. In a correctly segmented network, each host is connected to a switch access port that belongs to exactly one VLAN, so the host can only exchange frames with other members of that VLAN; anything destined for another VLAN has to pass through a router or firewall, where it can be filtered. VLAN hopping bypasses that boundary: the switch itself delivers the attacker's frames into a VLAN it should never have let them reach. VLAN hopping can be accomplished in one of two ways:
- Switch Spoofing
In a switch spoofing attack, the attacker's host pretends to be a switch by speaking the tagging and trunk negotiation protocols a real switch would use (Dynamic Trunking Protocol to negotiate the trunk, IEEE 802.1Q tagging for the frames themselves, and Multiple VLAN Registration Protocol where it is deployed). If the port the attacker is plugged into has been left in a dynamic trunking mode, it accepts the negotiation and comes up as a trunk. The attacker can then send and receive traffic tagged for every VLAN allowed on that trunk, which by default is all of them.
- Double Tagging
VLAN double tagging exploits the way 802.1Q handles the native VLAN: frames belonging to a trunk's native VLAN are sent over the trunk untagged, and a switch strips only one tag when it forwards a frame. The attacker, whose access port is in the trunk's native VLAN, sends a frame carrying two 802.1Q tags instead of the usual one: an outer tag for their own (native) VLAN and an inner tag for the victim's VLAN. The first switch strips the outer tag and, because the frame belongs to the native VLAN, forwards it over the trunk without adding a new tag. The next switch sees only the inner tag and delivers the frame into the victim's VLAN. Two caveats follow from this: the attack only works when the attacker's access VLAN is also the native VLAN of the trunk, and it is one-way, because the victim's replies are tagged normally and never come back to the attacker. Double tagging is therefore a way to inject crafted packets into another VLAN (for denial of service, for instance), not a way to read that VLAN's traffic.
How does VLAN hopping cause a vulnerability in the network?
VLAN hopping is a significant security threat because it gives an attacker a foothold in network segments they were never meant to reach, sidestepping whatever router or firewall rules were supposed to separate those VLANs. From there they can capture passwords or other protected information, deliver malware and spyware, spread Trojan horses, worms, and viruses, or corrupt, modify, or delete critical data. To keep VLANs secure, MSPs need to know how to neutralize this threat.
How can VLAN hopping be prevented?
Fortunately, there are a few effective methods to prevent VLAN hopping, and each type of attack has its own countermeasures. To prevent switch spoofing, disable Dynamic Trunking Protocol so that ports never negotiate a trunk automatically, and explicitly configure every port that is not intended to be a trunk as an access port. Ports that are meant to be trunks should be statically configured as trunks rather than left in a dynamic mode, and unused ports should be shut down so that nothing plugged into them can negotiate anything at all.
Double tagging can be prevented using a three-step process. First, avoid putting any hosts on the default VLAN (VLAN 1), which is also the default native VLAN on most switches. Second, set the native VLAN on every trunk port to an unused VLAN ID, so that no access port anywhere shares a VLAN with a trunk's native VLAN; this alone removes the condition the attack depends on. Finally, enable explicit tagging of the native VLAN on all trunk ports, so that native VLAN frames are never sent untagged and a downstream switch can never mistake the attacker's inner tag for the only tag. The last step must be applied on every switch, including the one the attacker is connected to, because it is the sending switch that decides whether the native VLAN frame leaves the trunk tagged.
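The mechanism described in the double tagging section above and the three mitigations just listed, as an added example that is not code from the original post: a small Python model of two 802.1Q switches joined by a trunk. The switch model, the MAC addresses, the VLAN numbers, and the tag_native flag (standing in for a switch's "tag the native VLAN" setting) are all assumptions constructed for the example. It builds the attacker's double-tagged frame byte for byte, runs it through the access port of the first switch and the trunk into the second, and reports which VLAN the second switch forwards it in, first with default settings and then with each mitigation applied.

```python
"""Added example (not code from the original post): a minimal model of two
802.1Q switches joined by a trunk, used to show why the double-tagging attack
depends on the attacker sitting in the trunk's native VLAN, and how the
mitigations in the post (unused native VLAN, explicit native tagging) stop it.
MAC addresses and VLAN numbers below are constructed for the example."""
import struct

TPID_8021Q = 0x8100  # 802.1Q Tag Protocol Identifier
ETHERTYPE_IPV4 = 0x0800

# Constructed addresses for the example.
ATTACKER_MAC = bytes.fromhex("020000000001")
VICTIM_MAC = bytes.fromhex("020000000002")


def build_frame(dst, src, vids, payload=b"probe"):
    """Ethernet frame carrying the given 802.1Q VLAN IDs, outermost first."""
    frame = dst + src
    for vid in vids:
        # TPID followed by the TCI (PCP=0, DEI=0, 12-bit VID).
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ETHERTYPE_IPV4) + payload


def outer_tag(frame):
    """VLAN ID of the outermost 802.1Q tag, or None if the frame is untagged."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF


def pop_tag(frame):
    """Strip exactly one (the outermost) 802.1Q tag; a second tag stays in place."""
    return frame[:12] + frame[16:]


def push_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) + frame[12:]


class Switch:
    """Simplified 802.1Q switch with one access port and one trunk port (assumed model)."""

    def __init__(self, native_vlan=1, tag_native=False):
        self.native_vlan = native_vlan  # native VLAN of the trunk
        self.tag_native = tag_native    # stands in for a "tag the native VLAN" setting

    def access_in(self, frame, access_vlan):
        """Frame from a host on an access port. Untagged frames join the
        port's VLAN; a tag equal to the port's VLAN is accepted and stripped;
        any other tag is dropped. Returns (vlan, frame) or (None, None)."""
        vid = outer_tag(frame)
        if vid is None:
            return access_vlan, frame
        if vid == access_vlan:
            return access_vlan, pop_tag(frame)
        return None, None

    def trunk_out(self, vlan, frame):
        """Frame leaving on the trunk: the native VLAN is sent untagged unless
        native tagging is enforced; every other VLAN gets a tag pushed."""
        if vlan == self.native_vlan and not self.tag_native:
            return frame
        return push_tag(frame, vlan)

    def trunk_in(self, frame):
        """Frame arriving on the trunk: the outer tag selects the VLAN; an
        untagged frame belongs to the native VLAN, or is dropped when native
        tagging is enforced. Returns (vlan, frame) or (None, None)."""
        vid = outer_tag(frame)
        if vid is None:
            return (None, None) if self.tag_native else (self.native_vlan, frame)
        return vid, pop_tag(frame)


def double_tag_attack(attacker_vlan, victim_vlan, sw1, sw2):
    """Attacker on sw1's access port (attacker_vlan) sends a frame tagged
    [attacker_vlan][victim_vlan] across the trunk to sw2. Returns the VLAN in
    which sw2 forwards the frame, or None if a switch drops it."""
    frame = build_frame(VICTIM_MAC, ATTACKER_MAC, [attacker_vlan, victim_vlan])
    vlan, frame = sw1.access_in(frame, attacker_vlan)
    if vlan is None:
        return None
    vlan, frame = sw2.trunk_in(sw1.trunk_out(vlan, frame))
    return vlan


def attack_succeeds(attacker_vlan, victim_vlan, sw1, sw2):
    """True if the frame ends up in the victim's VLAN on the far switch."""
    return double_tag_attack(attacker_vlan, victim_vlan, sw1, sw2) == victim_vlan


if __name__ == "__main__":
    scenarios = {
        "default: native VLAN 1, attacker in VLAN 1": (1, Switch(), Switch()),
        "attacker moved off the native VLAN": (10, Switch(), Switch()),
        "native VLAN set to unused 999": (1, Switch(999), Switch(999)),
        "native VLAN tagged on both switches": (1, Switch(1, True), Switch(1, True)),
        "native VLAN tagged on far switch only": (1, Switch(), Switch(1, True)),
    }
    for name, (avlan, sw1, sw2) in scenarios.items():
        print(f"{name}: reaches VLAN 20 = {attack_succeeds(avlan, 20, sw1, sw2)}")
```

With default settings the frame is forwarded in VLAN 20, the victim's VLAN; moving the attacker's port off the native VLAN, moving the native VLAN to an unused ID, or tagging the native VLAN on both switches all leave it in the attacker's own VLAN. The last scenario is the caveat worth remembering: tagging the native VLAN only on the far switch changes nothing, because the attacker's frame arrives there already carrying the inner tag, so the setting has to be applied on the switch the attacker is connected to, and in practice on every switch. On Cisco IOS the corresponding commands are `switchport trunk native vlan 999` on each trunk interface and the global `vlan dot1q tag native`; for the switch spoofing side, `switchport mode access` plus `switchport nonegotiate` on host-facing ports and a static `switchport mode trunk` with `switchport nonegotiate` on real trunks. The model follows the behaviour described in the text; real platforms differ in how they treat tagged frames arriving on access ports, so verify on your own hardware.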
Check out the rest of our blog to learn about other considerations for a Virtual Local Area Network.