
SNMP-Based Detection of VLAN Hopping Attack Risk


Abstract

A virtual local area network (VLAN) is commonly used to divide a big network into several small network segments. Many also adopt VLANs to partition LANs in order to prevent communication between different VLANs for security and management purposes. It is known that inserting an additional VLAN tag into Ethernet frames, referred to as a VLAN hopping attack, can bypass the VLAN-based network separation. There are two preconditions for the attack. The first condition is that a hacker needs to know the destination's VLAN identification number, and the second condition is that the attacking system needs to be connected to a switch's trunk port that is used for connecting a switch. In this study, we propose an SNMP (Simple Network Management Protocol)-based detection method to effectively find a port and a MAC address that meet the second condition before a VLAN hopping attack begins. Since SNMP is implemented by most network components, our method can be easily deployed to current VLAN networks.