Teri Radichel

Summary

The author, Teri Radichel, is troubleshooting network issues on a Ubiquiti UDM Pro, suspecting LLDP (Link Layer Discovery Protocol) as a potential cause, and is considering disabling it due to security concerns and lack of clear documentation.

Abstract

Teri Radichel has been experiencing intermittent network connectivity issues and slow WiFi performance on a Ubiquiti UDM Pro. Observing that LLDP traffic coincides with these disruptions, Radichel is prompted to investigate the necessity and security implications of LLDP, which is known to advertise network device information and can be exploited by attackers to map out network infrastructure. Despite the protocol's potential benefits for network management, such as device discovery and display on the UDM administrative dashboard, Radichel is inclined to disable LLDP due to the possibility of it being misused for network reconnaissance and the apparent lack of comprehensive documentation or clear instructions on how to disable it on Ubiquiti devices. The author has attempted to find solutions through community forums, Ubiquiti's official documentation, and Google searches, but with limited success. Radichel also notes that LLDP might not be the sole issue, considering other factors like DNS settings and Google's safe search functionality that could affect network connectivity.

Opinions

  • Radichel believes LLDP might be contributing to network glitches and slow WiFi performance.
  • The author is concerned about the security risks associated with LLDP, as it can be used by attackers to discover and potentially exploit network devices.
  • Radichel is critical of the lack of clear and accessible documentation from Ubiquiti regarding LLDP configuration and management.
  • There is a suspicion that LLDP-MED, an extension of LLDP, might be causing some of the network issues experienced.
  • The author suggests that LLDP might not be essential for network functionality, as manual configuration of devices is possible.
  • Radichel is considering disabling LLDP as a potential solution to the network problems, despite the absence of straightforward instructions for Ubiquiti UDM Pro.
  • The article implies that Ubiquiti's community forum and documentation could be improved to better support users in troubleshooting and configuring their devices.
  • Radichel is open to further investigation and acknowledges that the network issues might be multifaceted, not solely attributable to LLDP.

LLDP on Ubiquiti UDM Pro Causing Network Glitches?

Random issues with network cutting out and attacks on LLDP

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

⚙️ Check out my series on Automating Cybersecurity Metrics. The Code.

🔒 Related Stories: Unifi | Dream Machine Pro | Ubiquiti | pfSense | Network Security | Penetration Testing | Data Breaches

💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Do you know what LLDP is doing on your network and what sort of issues might arise as a result?

I’ve been testing out the Ubiquiti UDM Pro for a while now. I don’t use WiFi that much. It is mostly for all the insecure things in the house. But one thing I noticed is that sometimes when I connect to WiFi it is slow to connect. Google Chrome will initially tell me I have no network connection.

The strange thing is that as soon as I fire up tcpdump with this command, it starts to work magically:

sudo tcpdump -nvt

Sometimes it also helps to dig google.com (use nslookup on Windows):

dig google.com

What I also notice is that sometimes when I get on WiFi, the TV cuts out, even though I’m on a different WiFi adapter than the TV.

I’ve figured out that sometimes the firewall gets overloaded when connections are waiting for a response that never comes because something is blocked. Something, somewhere keeps sending packets when it shouldn’t. In one case it was due to the pfSense implementation of Suricata which seems faulty:

Although there are a few glitches here and there, the WiFi has been decent and I haven’t had time to deal with these issues too much because I’m busy. It definitely works better than the Google WiFi devices I was testing out.

But one thing is making me curious.

Whenever I see the WiFi cut out I usually see a burst of LLDP traffic around the same time. Now to be honest, I may have learned this in some class but if I did, I forgot. I may be exposing too much information here, so I redacted some of it. But this is what I see:

One interesting thing I noticed in the above information is a wifi SSID name which is not the one to which I’m connected. Hmm. Seems like I need some additional segregation on the network potentially? I have to dig into this protocol to understand what is really going on here.

So what is LLDP anyway? It’s a network protocol: Link Layer Discovery Protocol. Wikipedia describes it as follows:

The Link Layer Discovery Protocol (LLDP) is a vendor-neutral link layer protocol used by network devices for advertising their identity, capabilities, and neighbors on a local area network based on IEEE 802 technology, principally wired Ethernet.

Wikipedia also notes that the information on an LLDP-enabled network can be used to crawl the network, meaning you can map it out. If an attacker gains access to your network they may use LLDP to discover other devices they can attack, along with details about those devices, such as their names, management addresses and capabilities.

Black Hills Infosec wrote about that here:

I also notice that LLDP-MED is in use:

These protocols serve a purpose. In the case of a Ubiquiti UDM Pro perhaps it’s a way to keep track of all the devices on the network and display them on the UDM administrative dashboard or to get them to connect. But I presume you can also connect things manually.

LLDP can also be spoofed like CDP. I’d have to think more about how to do that and the implications but here’s the gist of it:

Here’s an analysis of a link discovery attack in a software defined network controller.
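To make concrete what the LLDP traffic above is giving away, and what a spoofed LLDPDU looks like from the receiving side, here is an added example (my own code, not Ubiquiti’s and not from the author’s capture). It builds an IEEE 802.1AB frame with the common TLVs plus one LLDP-MED capabilities TLV (organization-specific TLV, TIA OUI 00-12-BB), then decodes it the way tcpdump or an attacker’s neighbor-mapping script would. The MAC addresses, device names and the 10.0.0.2 management address are constructed placeholders. The equivalent tcpdump filter for capturing only these frames is `ether proto 0x88cc`.

```python
"""Build and decode LLDP (IEEE 802.1AB) frames, including an LLDP-MED TLV.

Added example; the frame contents below are constructed, not captured.
"""
import struct
from dataclasses import dataclass, field

LLDP_ETHERTYPE = 0x88CC                       # tcpdump: ether proto 0x88cc
LLDP_MCAST = bytes.fromhex("0180c200000e")    # nearest-bridge multicast destination
LLDP_MED_OUI = bytes.fromhex("0012bb")        # TIA OUI used by LLDP-MED TLVs
CAP_BITS = {0x01: "other", 0x02: "repeater", 0x04: "bridge", 0x08: "wlan-ap",
            0x10: "router", 0x20: "telephone", 0x40: "docsis", 0x80: "station"}


def tlv(tlv_type, value):
    """Encode one TLV: 7-bit type and 9-bit length packed into a 16-bit header."""
    if not (0 <= tlv_type < 128 and len(value) < 512):
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_lldp_frame(src_mac, chassis_mac, port_name, sys_name, sys_desc, caps, mgmt_ip):
    """Build an LLDPDU as a switch or AP would send it; a spoofer on the LAN
    can send exactly the same thing with whatever values it likes."""
    ip = bytes(int(o) for o in mgmt_ip.split("."))
    body = b"".join([
        tlv(1, b"\x04" + chassis_mac),                    # chassis ID, subtype 4 = MAC
        tlv(2, b"\x05" + port_name.encode()),             # port ID, subtype 5 = ifname
        tlv(3, struct.pack("!H", 120)),                   # TTL in seconds
        tlv(5, sys_name.encode()),                        # system name
        tlv(6, sys_desc.encode()),                        # system description (firmware string)
        tlv(7, struct.pack("!HH", caps, caps)),           # capabilities supported / enabled
        # management address: addr-string len, subtype 1 = IPv4, addr,
        # interface numbering subtype 2 = ifIndex, ifIndex, OID length 0
        tlv(8, bytes([5, 1]) + ip + b"\x02" + struct.pack("!I", 1) + b"\x00"),
        # LLDP-MED capabilities TLV: OUI, subtype 1, caps bitmap, device type 4
        tlv(127, LLDP_MED_OUI + b"\x01" + struct.pack("!H", 0x000F) + b"\x04"),
        tlv(0, b""),                                      # end of LLDPDU
    ])
    return LLDP_MCAST + src_mac + struct.pack("!H", LLDP_ETHERTYPE) + body


@dataclass
class Neighbor:
    src_mac: str
    chassis_id: str = ""
    port_id: str = ""
    ttl: int = 0
    sys_name: str = ""
    sys_desc: str = ""
    caps: list = field(default_factory=list)
    mgmt_addrs: list = field(default_factory=list)
    med_subtypes: list = field(default_factory=list)


def _decode_id(val):
    """Chassis/port ID: subtype 4 is a MAC address, everything else is shown as text."""
    if not val:
        return ""
    return val[1:].hex(":") if val[0] == 4 else val[1:].decode(errors="replace")


def parse_lldp_frame(frame):
    """Walk the TLV chain and return everything the sender advertised about itself."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != LLDP_ETHERTYPE:
        raise ValueError("not an LLDP frame")
    n = Neighbor(src_mac=frame[6:12].hex(":"))
    off = 14
    while off + 2 <= len(frame):
        hdr = struct.unpack("!H", frame[off:off + 2])[0]
        t, length = hdr >> 9, hdr & 0x1FF
        val = frame[off + 2:off + 2 + length]
        if len(val) != length:
            raise ValueError("truncated TLV")     # malformed sender or cut capture
        off += 2 + length
        if t == 0:
            break
        if t == 1:
            n.chassis_id = _decode_id(val)
        elif t == 2:
            n.port_id = _decode_id(val)
        elif t == 3 and len(val) >= 2:
            n.ttl = struct.unpack("!H", val[:2])[0]
        elif t == 5:
            n.sys_name = val.decode(errors="replace")
        elif t == 6:
            n.sys_desc = val.decode(errors="replace")
        elif t == 7 and len(val) >= 4:
            enabled = struct.unpack("!H", val[2:4])[0]
            n.caps = [name for bit, name in CAP_BITS.items() if enabled & bit]
        elif t == 8 and len(val) >= 2:
            alen, subtype = val[0], val[1]
            addr = val[2:1 + alen]
            n.mgmt_addrs.append(".".join(map(str, addr)) if subtype == 1 else addr.hex())
        elif t == 127 and len(val) >= 4 and val[:3] == LLDP_MED_OUI:
            n.med_subtypes.append(val[3])
    return n


def neighbor_changes(baseline, observed):
    """Compare a known-good neighbor table with what is on the wire now. A new sender
    claiming to be infrastructure, or a known sender whose chassis ID or management
    address changed, is how a spoofed LLDPDU shows up at the receiver. Keyed on source
    MAC, so a spoofer that also forges the source MAC has to be caught at the switch port."""
    base = {n.src_mac: n for n in baseline}
    findings = []
    for n in observed:
        old = base.get(n.src_mac)
        if old is None:
            findings.append(f"new neighbor {n.src_mac} advertising {n.sys_name!r} {n.caps}")
        elif (old.chassis_id, old.mgmt_addrs) != (n.chassis_id, n.mgmt_addrs):
            findings.append(f"{n.src_mac} changed identity: {old.chassis_id} -> {n.chassis_id}")
    return findings


if __name__ == "__main__":
    # constructed values: locally administered MACs, made-up names and address
    mac = bytes.fromhex("020000000001")
    frame = build_lldp_frame(mac, mac, "eth1", "lab-switch", "Example switch 1.0",
                             0x04 | 0x10, "10.0.0.2")
    print(parse_lldp_frame(frame))
```

Everything the parser prints is available to any host on the same segment without authentication, which is the reconnaissance point above; the system description TLV in particular usually carries a firmware version string. Run the parser over real frames by capturing with `tcpdump -i <iface> -w lldp.pcap ether proto 0x88cc` and feeding each packet’s bytes to `parse_lldp_frame`.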

I’d like to just turn this off. Is this protocol actually required? Let’s see if we can find some documentation on the Ubiquiti site.

Well, the documentation could be better. Google searches don’t yield much on LLDP when restricting to Ubiquiti sites. Mostly I get the community forum comments. The documentation has no search box. If I click on the networking link I get this:

I don’t know. Let’s try features and configuration.

I clicked through a bunch of links and can’t find anything on LLDP.

I found this from two years ago. That’s not promising:

This is also not a good look:

Followed by these interesting comments:

I noted in an earlier post that Ubiquiti was sending too much information to the ISP but my pfSense device blocks it. Another note for the people who wonder why I put a pfSense in front of a Ubiquiti device.

Also interesting:

Here’s another clue:

This is for an edge router but perhaps relevant for configuration purposes.

This post never got an answer from the UI team:

https://community.ui.com/questions/config-properties-lldp-med-setting-switches/e99fbd01-f6fb-4626-b309-302c936fa5a0

Hmmm. Well, I can’t find simple instructions to disable LLDP for a UDM Pro after searching a bunch of different ways but maybe the above will help. Maybe it’s just a switch in the console, but some are indicating that doesn’t work.

I also ran across this recommendation on LLDP in some Tenable audit output. That’s for a Juniper device but the concept is the same.

I also found a number of vulnerabilities related to LLDP in Cisco products. It’s funny how I’m finding more instructions to turn off LLDP for other products while searching for how to do that in the UDM Pro where the instructions seem non-existent. The Ubiquiti documentation could use some love.

I’m not sure LLDP is actually the issue because I just restarted my system, ran tcpdump, then enabled WiFi. I couldn’t connect until I ran the dig command. And I can’t see that dig command in my tcpdump network traffic. Hmm. More investigation is needed. I’m wondering if it has something to do with Google’s safe search functionality or DNS over HTTPS (DoH), or maybe something trying to use Google DNS servers when I don’t allow them.

In any case, I’d like to turn off LLDP.

I’m not at my admin console at the moment. I’ll have to dig around in there later to see if and how I can turn this off or see if there’s some command line option I can use.

Wish me luck. 😊

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2023

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab
Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation
Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
❤️ Sign up for my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab
Tags: LLDP, UDM Pro, Ubiquiti, Network, Security