DocumentCode :
3183025
Title :
Exploit detection techniques for STP using distributed IDS
Author :
Rai, Ankush ; Barbhuiya, Ferdous A. ; Sur, Arijit ; Biswas, Santosh ; Chakraborty, Suchetana ; Nandi, Sukumar
Author_Institution :
Dept. of Comput. Sci. & Eng., Indian Inst. of Technol. Guwahati, Guwahati, India
fYear :
2011
fDate :
11-14 Dec. 2011
Firstpage :
939
Lastpage :
944
Abstract :
Spanning tree protocol (STP) is a link layer protocol used for link management, prevention of loop formation, etc. in the network. Although STP is widely used, it is still prone to many kinds of attacks that exploit the lack of security features both in the basic working process and in the STP packet format. By exploiting the STP control packet, an attacker can pretend to be the new root in the STP domain and perform unauthorized activities that lead to root take-over attack, STP control packet flooding, traffic redirection and so on. In this paper, a coverage based distributed intrusion detection system (DIDS) is introduced for the detection of attacks on STP. The proposed scheme computes a set of switches in the network that can cover the STP network completely; every switch that belongs to that set is installed with a small IDS module. This set of IDSs logically divides the STP network into a set of local zones. All the switches in a zone are directly connected to one switch installed with an IDS and are thus covered by at least one IDS in the STP domain. Each IDS can detect and verify any exploit inside its local zone. Additionally, the IDSs communicate with each other so that any exploit outside the local zone of a particular IDS can also be detected and verified. The results show that the proposed DIDS approach can detect all the STP based attacks.
Keywords :
computer network management; computer network security; protocols; DIDS; STP control packet flooding; STP packet format; computer network; coverage based distributed intrusion detection system; distributed IDS; exploit detection techniques; link layer protocol; link management; loop formation prevention; root take-over attack; security features; spanning tree protocol; traffic redirection; Bridges; Delay; Local area networks; Network topology; Probes; Protocols; Topology;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Information and Communication Technologies (WICT), 2011 World Congress on
Conference_Location :
Mumbai
Print_ISBN :
978-1-4673-0127-5
Type :
conf
DOI :
10.1109/WICT.2011.6141374
Filename :
6141374