[SCADASEC] Shedding light on the Layer 2 OSI protocol
David Barroso
dbarroso at s21sec.com
Mon Feb 18 12:46:47 CST 2008
Cisco has some special features like BPDU guard and BPDU root, as well as port security, that can help you secure your spanning tree. I guess that other vendors have something similar.

In general, layer two attacks do exist (STP, trunking, VLAN hopping, ...) but some of them can be highly mitigated by just a few configuration lines in our switches.
David
On 18/02/2008, at 19:18, Jake Brodsky wrote:
> And we're using multiple switches and spanning tree to make the best use of diverse paths across our plants. An attack on spanning tree would make a mess for us.
>
> As far as I know, there is no way to secure spanning tree protocol. So we're relying on physical security and well-defined ports on our switches to keep everything going. Yes, it's primitive; but we need some way to handle redundant routes between buildings.
>
> For example, the flow information from the intake of a wastewater plant is often used in a feed-forward loop to control the mixed-liquor recirculation (MLR) pumps and the aeration blowers. These three things are often geographically separated by many hundreds or even thousands of feet. To ensure connections work we use multiple fiber runs through as many different duct banks as we can find. We then assign one link as primary and with the others as alternate paths.
>
> Just thought you'd like to know...
>
> Jake Brodsky
>
> David Barroso wrote:
>> Just to add more information, with a simple Spanning Tree attack in a non-secured spanning tree implementation (a normal scenario nowadays), an attacker can smash down the entire network in less than a minute: you will start seeing looped packets until the network is totally unusable. It is not tightly related to SCADA but more and more SCADA gear run over Layer 2 protocols like Spanning Tree and similar.
--
David Barroso Berrueta
S21sec Labs
http://blog.s21sec.com
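Added example of the "few configuration lines" David refers to, written in Cisco IOS syntax; it is not part of the original thread or of any vendor document, and the interface names, VLAN numbers and port descriptions are constructed for illustration.

```cisco
! Added example: hardening access and uplink ports on a Cisco IOS switch
! against the STP, trunking and VLAN-hopping attacks named in the thread.
! Interface names, VLAN numbers and descriptions are constructed.
!
! Global: every PortFast (edge) port goes err-disabled if it ever
! receives a BPDU, so a host or rogue switch plugged into an access
! port cannot take part in the spanning tree at all.
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
! Pin this switch as the intended root by giving it the lowest priority;
! root guard on its trunks (below) then refuses any "superior" BPDU.
spanning-tree vlan 1-4094 priority 4096
! Optional: bring bpduguard err-disabled ports back automatically after 5 min
errdisable recovery cause bpduguard
errdisable recovery interval 300
!
! Access port for a PLC/HMI: no trunk negotiation (DTP off), edge port,
! BPDU guard, and port security limiting the port to one learned MAC.
interface GigabitEthernet1/0/10
 description PLC-INTAKE-FLOW (constructed)
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
! Fiber uplink to the other building: explicit 802.1Q trunk, DTP off,
! an unused native VLAN, only the VLANs that must cross, and root guard
! so a superior BPDU from the far side cannot turn this into a root port.
interface GigabitEthernet1/0/25
 description FIBER-DUCTBANK-A (constructed)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 20,30
 spanning-tree guard root
```

Root guard is placed here on the assumption that this switch is the intended root bridge; on a non-root switch apply it only to ports facing away from the root, otherwise the real root's BPDUs will trip it.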