From memory, sorry if I get anything wrong.

You can define which MAC addresses are allowed to connect to a port on the
switch.  I believe you can define up to about 120 MAC addresses per port.  If
a port sees a MAC outside the group, it can shut down the port or send an SNMP
alert.  If you have a fully switched network, you can define the MAC addresses
for every port before it can come live, and no other MAC can send
traffic in that port.  I believe this was designed to prevent unauthorized
computers from getting on the network.

I don't think this attack will be very effective.  The real machine can
reply before the enemy machine.  The switch will also not switch the packet
to the fake MAC.  The switch will see packets from the real MAC and have that
in the MAC address table.  This could cause the switch to think there is a
loop (I don't know that much about Spanning Tree yet; I have the CCIE
switching book on order) and shut down one of the ports.  You will know when
this happens real fast.

My 0.02
Rodgers will know more about this.


Albert


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Jeff Kell
Sent: Thursday, June 08, 2000 3:51 PM
To: [EMAIL PROTECTED]
Subject: Sniffing on switched networks


Recently I came across some advisories on a new (to me) hack tool called
dsniff (IIRC).  The basic operation is as follows:

* enemy spoofs an ARP reply to a target host/client for the victim's
  IP, but supplies its own MAC address.
* target stashes this in its ARP table; subsequent IP packets are
  sent to the enemy's MAC.
* enemy copies the packet and forwards it on to the victim.

It is a bit scary, and gets down to the bit-level of various TCP
stacks.  On paper it sounds rather simple, and I'm trying to devise some
means of protection against this.  Among my concerns about the
attack:

* do all stacks accept and cache 'unsolicited' ARP replies?  Routers?
  Windows?  NT?  Various unix flavors?
* will this overwrite any existing ARP entry in the cache?
* will this overwrite a static ARP entry?

To ensure a "sniff-proof" connection between yourself and a host, can
you define static ARPs on the client, host, and endpoint router(s) if on
different subnets and protect yourself from such an attack?

Sorry if somewhat off-topic, but it does get to the way ARP works (is it
stateful - request and wait on reply - or are the two events handled
asynchronously?)

Jeff Kell <[EMAIL PROTECTED]>

___________________________________
UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
FAQ, list archives, and subscription info: http://www.groupstudy.com
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
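A passive ARP-spoof detector for the attack described in the post above, as an added example that is not part of the original thread and is not dsniff's, arpwatch's or any vendor's code. It parses raw Ethernet/ARP frames with only the standard library, pairs each ARP reply with the request that should have caused it, and flags replies with no matching request (the "unsolicited" replies the post asks about) as well as a sender IP whose MAC changes from what was first seen. The hosts, MAC addresses and IPs are made up, the three sample frames are constructed inline, and all names (ArpWatch, run_demo, build_arp, etc.) are hypothetical.

```python
import struct

# Wire formats: 14-byte Ethernet header followed by the 28-byte ARP packet (RFC 826).
ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, ethertype
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def ip(s):
    return bytes(int(o) for o in s.split("."))


def fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def fmt_ip(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sha, spa, tha, tpa, eth_dst=BROADCAST):
    """Build a raw Ethernet+ARP frame (used here only to construct sample traffic)."""
    eth = ETH_HDR.pack(eth_dst, sha, ETHERTYPE_ARP)
    return eth + ARP_PKT.pack(1, 0x0800, 6, 4, op, sha, spa, tha, tpa)


def parse_arp(frame):
    """Return the ARP fields of an Ethernet/IPv4 ARP frame, or None if it is not one."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _dst, src, etype = ETH_HDR.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sha": sha, "spa": spa, "tha": tha, "tpa": tpa, "eth_src": src}


class ArpWatch:
    """Tracks requests seen on the wire so each reply can be matched to its request."""

    def __init__(self):
        self.pending = set()  # (asker IP, asked-for IP) for every request observed
        self.cache = {}       # sender IP -> first MAC seen claiming that IP

    def observe(self, frame):
        """Feed one frame; returns a list of alert strings (empty when nothing is wrong)."""
        p = parse_arp(frame)
        if p is None:
            return []
        alerts = []
        if p["op"] == ARP_REQUEST:
            self.pending.add((p["spa"], p["tpa"]))
        elif p["op"] == ARP_REPLY:
            key = (p["tpa"], p["spa"])   # the request this reply claims to answer
            if key in self.pending:
                self.pending.discard(key)
            else:
                alerts.append("unsolicited reply: %s is-at %s, sent to %s"
                              % (fmt_ip(p["spa"]), fmt_mac(p["sha"]), fmt_ip(p["tpa"])))
        if p["eth_src"] != p["sha"]:
            alerts.append("frame src %s differs from ARP sender %s"
                          % (fmt_mac(p["eth_src"]), fmt_mac(p["sha"])))
        known = self.cache.get(p["spa"])
        if known is None:
            self.cache[p["spa"]] = p["sha"]
        elif known != p["sha"]:
            alerts.append("changed MAC for %s: %s -> %s"
                          % (fmt_ip(p["spa"]), fmt_mac(known), fmt_mac(p["sha"])))
        return alerts


def run_demo():
    """Replay the attack from the post with constructed (made-up) addresses."""
    target_ip, target_mac = ip("10.0.0.10"), mac("00:00:0a:00:00:10")  # host being misled
    victim_ip, victim_mac = ip("10.0.0.20"), mac("00:00:0a:00:00:20")  # host being impersonated
    enemy_mac = mac("00:00:0a:00:00:ee")                               # the attacker
    zero = b"\x00" * 6
    frames = [
        # 1. Normal resolution: target asks for the victim, the victim answers.
        build_arp(ARP_REQUEST, target_mac, target_ip, zero, victim_ip),
        build_arp(ARP_REPLY, victim_mac, victim_ip, target_mac, target_ip, eth_dst=target_mac),
        # 2. The attack: an unasked-for reply claiming the victim's IP with the enemy's MAC.
        build_arp(ARP_REPLY, enemy_mac, victim_ip, target_mac, target_ip, eth_dst=target_mac),
    ]
    watch = ArpWatch()
    alerts = []
    for f in frames:
        alerts.extend(watch.observe(f))
    return alerts


if __name__ == "__main__":
    for a in run_demo():
        print(a)
```

Two caveats a practitioner would want. First, the detector only observes; it cannot stop the target host from caching the spoofed reply, so it answers the "will I know?" question, not the "am I protected?" one, and it says nothing about how any particular stack handles unsolicited or static entries. Second, a gratuitous ARP (a host announcing its own address, e.g. after a DHCP lease) is legitimately unsolicited and will be flagged, and the first-seen-wins cache has the same weakness as a host's ARP cache: whoever speaks first is believed. In practice you would seed the cache from a known inventory, which is the same idea as the static ARP entries proposed in the post.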
