1
00:00:00,530 --> 00:00:05,570
Another type of VLAN hopping attack is known as the double tagging attack.

2
00:00:06,980 --> 00:00:13,430
This type of attack takes advantage of the way that hardware on most switches operates. Most switches

3
00:00:13,430 --> 00:00:21,650
perform only one level of 802.1Q de-encapsulation, which allows an attacker to embed a hidden

4
00:00:21,770 --> 00:00:24,200
802.1Q tag inside the frame.

5
00:00:25,220 --> 00:00:32,480
This tag allows the frame to be forwarded to a VLAN that the original 802.1Q tag did not specify.

6
00:00:33,500 --> 00:00:40,460
An important characteristic of the double tagging VLAN hopping attack is that it works even if trunk

7
00:00:40,460 --> 00:00:48,350
ports are disabled, because a host typically sends a frame on a segment that is not a trunk link.

8
00:00:51,590 --> 00:00:55,610
So let's see how the double tagging VLAN hopping attack is performed,

9
00:00:55,850 --> 00:00:56,740
step by step.

10
00:00:58,520 --> 00:01:02,960
The attacker sends a double-tagged 802.1Q frame to the switch.

11
00:01:04,120 --> 00:01:10,330
The outer header has the VLAN tag of the attacker, which is the same as the native VLAN of the trunk

12
00:01:10,330 --> 00:01:10,690
port.

13
00:01:12,550 --> 00:01:19,090
Normally, a switch port configured as a trunk port sends and receives VLAN-tagged Ethernet frames.

14
00:01:20,140 --> 00:01:24,050
The native VLAN is the only VLAN which is not tagged on a trunk.

15
00:01:24,070 --> 00:01:28,690
In other words, native VLAN frames are transmitted untagged.

16
00:01:30,060 --> 00:01:35,850
The assumption here is that the switch processes the frame received from the attacker as if it were

17
00:01:35,880 --> 00:01:36,870
on a trunk port.

18
00:01:37,740 --> 00:01:44,760
In this example, the native VLAN is VLAN 1; the inner tag is the victim VLAN, in this case

19
00:01:44,970 --> 00:01:45,750
it's VLAN

20
00:01:45,750 --> 00:01:46,110
20.

21
00:01:47,750 --> 00:01:53,540
The frame arrives on the switch, which looks at the first four-byte 802.1Q tag.

22
00:01:54,660 --> 00:01:59,250
The switch sees that the frame is destined for VLAN 1, which is the native VLAN.

23
00:02:01,030 --> 00:02:07,540
The switch forwards the packet out on all the VLAN 1 ports after stripping the VLAN 1 tag.

24
00:02:08,460 --> 00:02:15,240
On the trunk port, the VLAN 1 tag is stripped and the packet is not retagged because it's part

25
00:02:15,240 --> 00:02:16,430
of the native VLAN.

26
00:02:17,100 --> 00:02:23,670
At this point, the VLAN 20 tag is still intact and it has not been inspected by the first switch.

27
00:02:25,400 --> 00:02:32,150
The second switch looks only at the inner 802.1Q tag that the attacker sent and sees that the frame

28
00:02:32,150 --> 00:02:34,700
is destined for VLAN 20, the target VLAN.

29
00:02:35,650 --> 00:02:41,800
The second switch sends the frame onto the victim port or floods it, depending on whether there is an

30
00:02:41,800 --> 00:02:44,680
existing MAC address table entry for the victim's host.

31
00:02:46,270 --> 00:02:52,780
So the best approach to mitigating double tagging attacks is to ensure that the native VLAN of the

32
00:02:52,780 --> 00:02:57,280
trunk ports is different from the VLAN of any user ports.

33
00:02:57,680 --> 00:02:57,930
Right?

34
00:02:58,510 --> 00:03:02,200
In other words, do not let the users use the native VLAN.

35
00:03:02,950 --> 00:03:09,910
In fact, it's considered a security best practice to use a fixed VLAN that is distinct from all

36
00:03:09,910 --> 00:03:11,710
user VLANs in the switched network

37
00:03:12,010 --> 00:03:15,760
as the native VLAN for all 802.1Q trunks.
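As an added example (not part of the lecture), a small Python parser that walks the 802.1Q tag stack of a captured Ethernet frame and flags the pattern the lecture describes: an outer tag equal to the trunk's native VLAN hiding an inner tag for another VLAN, plus the mitigation check that the native VLAN is none of the user VLANs. The sample frames, the native VLAN values and the user VLAN set are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100  # EtherType/TPID value that marks an 802.1Q tag


def parse_tag_stack(frame: bytes):
    """Return (VLAN IDs from outer to inner, the EtherType that follows the tags).

    Walks every 802.1Q tag after the 12 bytes of destination and source MAC,
    as a monitoring tool should. A switch that performs only one level of
    de-encapsulation (the lecture's point) stops after the first tag.
    """
    offset, vids = 12, []
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype != TPID_8021Q:
            return vids, ethertype
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vids.append(tci & 0x0FFF)  # TCI = PCP(3) | DEI(1) | VID(12); keep the VID
        offset += 4


def classify_frame(frame: bytes, trunk_native_vlan: int) -> str:
    """Classify a frame seen on a user (access) port against the trunk's native VLAN."""
    vids, _ = parse_tag_stack(frame)
    if len(vids) < 2:
        return "single-or-untagged"
    if vids[0] == trunk_native_vlan:
        # The outer tag would be stripped as native on the trunk and the inner
        # tag (vids[1]) would reach the next switch intact: the hop described above.
        return "double-tag-hop"
    return "double-tagged"


def native_vlan_is_distinct(trunk_native_vlan: int, user_vlans) -> bool:
    """The mitigation from the lecture: the native VLAN must be none of the user VLANs."""
    return trunk_native_vlan not in set(user_vlans)


# Constructed sample frames (not captures): broadcast destination, a locally
# administered source MAC, the tag stack, then an IPv4 EtherType and padding.
_ETH_HDR = bytes.fromhex("ffffffffffff" "020000000001")
_PAYLOAD = bytes.fromhex("0800") + bytes(20)
DOUBLE_TAGGED = _ETH_HDR + bytes.fromhex("8100" "0001") + bytes.fromhex("8100" "6014") + _PAYLOAD
SINGLE_TAGGED = _ETH_HDR + bytes.fromhex("8100" "6014") + _PAYLOAD  # PCP 3, VID 20
UNTAGGED = _ETH_HDR + _PAYLOAD

if __name__ == "__main__":
    print(parse_tag_stack(DOUBLE_TAGGED))             # ([1, 20], 2048)
    print(classify_frame(DOUBLE_TAGGED, 1))           # double-tag-hop
    print(classify_frame(DOUBLE_TAGGED, 999))         # double-tagged
    print(native_vlan_is_distinct(1, {1, 10, 20}))    # False
    print(native_vlan_is_distinct(999, {1, 10, 20}))  # True
```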