Double tagging definition
Double tagging is a network attack technique that allows a hacker to gain unauthorized access to VLANs (Virtual Local Area Networks). It’s a type of VLAN hopping — attacking a network by sending packets to a VLAN that would not normally be accessible to the hacker. In a double tagging attack, an attacker manipulates the VLAN ID tagging process to insert extra information into a data packet. This typically involves creating a packet with two VLAN tags: one recognized by the attacker’s own VLAN and one by the target VLAN.
See also: VLAN tagging
How double tagging works
- The attacker creates a packet with two VLAN tags. The first (inner) tag is for a target VLAN the attacker wants to access. The second (outer) one is for the attacker’s own VLAN.
- The packet reaches the attacker’s VLAN switch. The switch sees the outer tag, strips it off, and forwards the packet to the designated VLAN. This leaves the inner tag intact.
- The packet, now with only the inner tag, reaches the target VLAN switch. This switch reads the inner tag and assumes the packet belongs to its VLAN. It then allows the packet to reach the target VLAN network, bypassing any restrictions that would usually prevent this.
Here’s a real-world scenario: Let’s say an attacker is on a guest VLAN in a company’s network but wants to access the company’s confidential VLAN, which is separated for security reasons. The attacker could use a double tagging technique to bypass the segregation, enabling them to access or disrupt the company’s confidential VLAN.
Dangers of double tagging
- Unauthorized access. An attacker can gain access to VLANs that they should not be able to reach, bypassing network segregation. This could lead to access to sensitive information.
- Data breaches. Once an attacker has access to a VLAN, they can view, steal, alter, or delete information, leading to data breaches.
- Network disruption. Attackers can cause disruptions, such as Denial of Service (DoS) attacks, on the target VLAN once they’ve gained access to it.
Mitigation of double tagging
- Disable unused ports. Disabling all unused ports on your switches can prevent unauthorized devices from connecting to your network and launching double tagging attacks.
- Disable auto-trunking. Auto-trunking allows a switch to automatically create a trunk link to another switch. Disabling this feature can prevent an attacker from creating a trunk link to access other VLANs.
- Native VLAN segregation. It is recommended to change the native VLAN, typically VLAN 1, to a different VLAN and avoid using the native VLAN for any user data. In a double tagging attack, the attacker exploits the fact that the first switch does not tag frames on the native VLAN.
- Implement private VLANs. Private VLANs (PVLANs) can further isolate network ports within the same VLAN, which can help prevent double tagging attacks.
- Use VLAN access control lists. VLAN Access Control Lists (VACLs) allow you to set policies that filter network traffic within a VLAN, between VLANs, or over a trunk link. VACLs can be used to block certain traffic, limiting the potential for double tagging attacks.