1
00:00:00,500 --> 00:00:05,600
Another type of VLAN hopping attack is known as double tagging attack.

2
00:00:06,950 --> 00:00:13,460
This type of attack takes advantage of the way that hardware on most switches operates. Most switches

3
00:00:13,460 --> 00:00:21,410
perform only one level of 802.1Q de-encapsulation, which allows an attacker to embed a hidden

4
00:00:21,410 --> 00:00:24,230
802.1Q tag inside the frame.

5
00:00:25,190 --> 00:00:32,510
This tag allows the frame to be forwarded to a VLAN that the original 802.1Q tag did not specify.

6
00:00:33,500 --> 00:00:40,490
An important characteristic of the double tagging VLAN hopping attack is that it works even if trunk

7
00:00:40,490 --> 00:00:48,380
ports are disabled because a host typically sends a frame on a segment that is not a trunk link.

8
00:00:51,590 --> 00:00:56,780
So let's see how the double tagging VLAN hopping attack is performed step by step.

9
00:00:58,430 --> 00:01:03,020
The attacker sends a double-tagged 802.1Q frame to the switch.

10
00:01:04,120 --> 00:01:10,060
The outer header has the VLAN tag of the attacker, which is the same as the native VLAN of the

11
00:01:10,060 --> 00:01:10,720
trunk port.

12
00:01:12,550 --> 00:01:19,120
Normally, a switch port configured as a trunk port sends and receives VLAN tagged Ethernet frames.

13
00:01:20,140 --> 00:01:24,080
Native VLAN is the only VLAN which is not tagged in a trunk.

14
00:01:24,100 --> 00:01:28,720
In other words, native VLAN frames are transmitted untagged.

15
00:01:30,060 --> 00:01:35,880
The assumption here is that the switch processes the frame received from the attacker as if it were

16
00:01:35,880 --> 00:01:36,900
on a trunk port.

17
00:01:37,740 --> 00:01:41,090
In this example, native VLAN is VLAN 1.

18
00:01:41,650 --> 00:01:43,890
The inner tag is the victim VLAN.

19
00:01:44,010 --> 00:01:46,140
In this case, it's VLAN 20.

20
00:01:47,750 --> 00:01:53,570
The frame arrives on the switch, which looks at the first 4-byte 802.1Q tag.

21
00:01:54,660 --> 00:01:59,280
The switch sees that the frame is destined for VLAN 1, which is the native VLAN.

22
00:02:01,000 --> 00:02:07,540
The switch forwards the packet out on all VLAN 1 ports after stripping the VLAN 1 tag.

23
00:02:08,460 --> 00:02:15,270
On the trunk port, the VLAN 1 tag is stripped and the packet is not retagged because it's part

24
00:02:15,270 --> 00:02:22,680
of the native VLAN. At this point, the VLAN 20 tag is still intact and it has not been inspected by

25
00:02:22,680 --> 00:02:23,700
the first switch.

26
00:02:25,370 --> 00:02:31,730
The second switch looks only at the inner 802.1Q tag that the attacker sent, and sees that

27
00:02:31,730 --> 00:02:34,730
the frame is destined for VLAN 20, the target VLAN.

28
00:02:35,620 --> 00:02:41,740
The second switch sends the frame onto the victim port or floods it, depending on whether there is

29
00:02:41,740 --> 00:02:44,710
an existing MAC address table entry for the victim's host.

30
00:02:46,240 --> 00:02:53,140
So the best approach to mitigating double tagging attacks is to ensure that the native VLAN of the trunk

31
00:02:53,140 --> 00:02:57,310
ports is different from the VLAN of any user ports.

32
00:02:57,640 --> 00:02:57,970
Right.

33
00:02:58,480 --> 00:03:02,210
In other words, do not let the users use the native VLAN.

34
00:03:02,920 --> 00:03:10,270
In fact, it's considered a security best practice to use a fixed VLAN that is distinct from all user

35
00:03:10,280 --> 00:03:15,790
VLANs in the switch network as a native VLAN for all 802.1Q trunks.