CDP spoofing

In computer networking, CDP spoofing is a technique employed to compromise the operation of network devices that use Cisco Discovery Protocol (CDP) for discovering neighboring devices. CDP spoofing is a network security threat that can be mitigated by taking precautionary measures.^[1]

History

CDP was created by Cisco in 1994.^[2] Its original intent was to make it easier to find other devices on a network.^[1] CDP may be used between Cisco routers, switches and other network equipment to advertise their software version, capabilities and IP address.^[3]

The two versions of CDP are CDPv1 and CDPv2:

• CDPv1 could discover basic information between networking devices. These devices were only able to receive information about a networking device that was directly connected to it.

• CDPv2 includes more utilities such as checking if errors were made while configuring two devices (e.g.; configuring mismatched native VLANs).^[4]

Usage

CDP is enabled by default on all Cisco routers, switches and servers. The protocol can be disabled across a network; however, if it is disabled on an interface and the encapsulation is changed, it will be re-enabled on that interface.^[5][6] The protocol is most often used to aid network administrators by finding and discovering devices easier. When devices are discovered easier, it can help with certain network problems, device arrangement, network management and other networking tasks.^[1]

Although these can be beneficial features, attackers can accumulate this information about the devices, which leaves the device's type, IP address and IOS version exposed and vulnerable. Attackers can use this information to mimic other devices, steal information and create other various network problems.^[1]

Popeskic recommends disabling CDP on the entire device, rather than just the interfaces, to fully mitigate the threat of CDP Spoofing or attacks through CDP. Some suggest disabling CDP if it is not in use on the device or if it is not a necessity for the device.^[7]

Requirements

• CDP will only function when a packet contains the Subnetwork Access Protocol (SNAP) header. The interface must also support SNAP, for CDP to work on a router, as well. ^[6]

• CDP must have the device's interfaces directly connected, otherwise, CDP cannot detect nor send out advertisements to the other device. ^[4]
• CDP can only be used between Cisco devices. If a connection between a pair consists of only one Cisco device, it can only use the vendor neutral protocol: Link Layer Discovery Protocol (LLDP).^[1]

Commands

Although CDP is enabled by default, if disabled, it can be re-enabled globally (or on all interfaces) with the command: ^[1][4]

(config)# cdp run

To disable it globally:

(config)# no cdp run

To enable it on certain interface(s):

(config-if)# cdp enable

To disable it on certain interface(s):

(config-if)# no cdp enable

In a table, to display whether or not a device has established a connection between another device or devices:

(device name)# show cdp neighbors

Note: This command will show the names of other devices, which ports are connecting the devices, model name/number, and features of the device.^[1]

To show the traffic that is passed between the CDP devices:

(device name)# show cdp traffic

These commands can help mitigate or detect CDP attacks, such as CDP spoofing. It can also help discover flaws within the system, e.g.; mismatched native VLANs, that could be inhibiting the connection between other devices. ^[4]

How CDP works

When a router running CDP receives a CDP packet, it begins to build a table that lists the neighboring devices. Once the devices are discovered, they intermittently send a packet of updated information to each other. This packet contains various information about the interfaces and devices types and names.^[1]

These packets sent through CDP are not encrypted, creating the messages between devices to be easily read through plain-text.^[7]

Spoofing

CDP spoofing is the creation of forged packets to impersonate other devices, either real or arbitrary. This attack is a type of Denial-of-Service (DoS) attack that is used to flood connected devices using CDP. ^[8]

An attacker can exploit this functionality by sending thousands of spoofed CDP packets to the multicast MAC address 01:00:0C:CC:CC:CC to fill neighbor tables in any devices on the network that run CDP.^[9] When this happens, other traffic on the network may be dropped as the device does not have the resources necessary to route it. The device's command line interface may also become unresponsive making it difficult to disable CDP during an ongoing attack.

Some administrators may disable CDP at the cost of not being able to benefit from CDP.

References

1. Routing and switching essentials. Companion guide. Indianapolis, IN: Cisco Press. 2014. ISBN 9781587133183. OCLC 878899739.
2. "LLDP-MED and Cisco Discovery Protocol  [IP Telephony/Voice over IP (VoIP)]". Cisco. Retrieved 2019-06-28.
3. Kehlet, Steve. “Handy Tcpdump Expression to Gather CDP Information -- Steve Kehlet’s Pages,” August 8, 2008. http://www.kehlet.cx/articles/186.html.
4. "Cisco Discovery Protocol (CDP) - 26872 - The Cisco Learning Network". learningnetwork.cisco.com. Archived from the original on 2015-09-28. Retrieved 2019-06-29.
5. EC-Council. Penetration Testing: Network Threat Testing. 1st ed. Clifton Park, New York: Course Technology Cengage Learning, 2011.
6. "Cisco Discovery Protocol Configuration Guide, Cisco IOS Release 15M&T - Cisco Discovery Protocol Version 2 [Support]". Cisco. Retrieved 2020-01-09.
7. Popeskic, Valter (2011-12-16). "CDP Attacks – Cisco Discovery Protocol Attack". How Does Internet Work. Retrieved 2019-06-30.
8. CCNA security. Version 2, Course booklet. Cisco Systems, Inc., Cisco Networking Academy Program. Indianapolis, IN, USA. 2015-11-13. ISBN 9781587133510. OCLC 949366471.
9. Barroso, David (2020-01-03), GitHub - tomac/yersinia: A framework for layer 2 attacks, retrieved 2020-01-09