How does an STP manipulation attack work, and what is the countermeasure?
The attacker broadcasts BPDUs (Bridge Protocol Data Units) with a very low bridge priority, causing the STP (Spanning Tree Protocol) to elect them as the root bridge. All traffic in the switched domain then flows through the attacker. The countermeasure is BPDU Guard, which shuts down any access port that receives a BPDU.
* A forged low-priority BPDU hijacks the root role. *
The attack:
- Attacker connects to an access port and runs software that generates STP BPDUs
- The BPDUs announce a very low bridge priority (e.g., 0) — lower than any legitimate switch
- STP performs a topology recalculation based on the new "root bridge"
- The attacker's device is elected as the root bridge
- All traffic in the STP domain now flows through the attacker — complete network visibility
Why it works: STP was designed for switches to cooperate — it trusts any BPDU it receives. Access ports should never receive BPDUs (only inter-switch links should), but STP has no built-in way to distinguish legitimate switches from attackers.
BPDU Guard (the countermeasure):
! Per-interface:
Switch(config-if)# spanning-tree bpduguard enable
! Globally (applies to all PortFast-enabled ports):
Switch(config)# spanning-tree portfast bpduguard default
What happens: If a BPDU is received on a BPDU Guard-enabled port → the port immediately goes to err-disabled state (shut down). This completely prevents STP manipulation from access ports.
Important: BPDU Guard should only be configured on ports connected to end devices (PCs, phones, printers) — never on inter-switch links, where BPDUs are expected and necessary.
Go deeper:
Spanning Tree Protocol — root election (Wikipedia) — root-bridge election by lowest bridge ID, which clarifies how a forged low-priority BPDU hijacks the root role (countermeasure: BPDU/root guard).