I know this is a bit late coming in and for that I am sorry.  Something to
consider if your goal is to prevent this attack is using Dynamic VLANs.
Each VLAN is assigned a group of known MAC addresses which are kept on a
TFTP server.  When a machine is plugged into a port the switch queries the
TFTP server to find out into which VLAN it belongs.  The Cisco LAN Switch
book has good information regarding this, but both authors seem to feel it
is really not worth the headache.  

Good Luck
Daryn P. Bartlett

        -----Original Message-----
        From:   Jeff Kell [SMTP:[EMAIL PROTECTED]]
        Sent:   Thursday, June 08, 2000 3:51 PM
        To:     [EMAIL PROTECTED]
        Subject:        Sniffing on switched networks

        Recently I came across some advisories on a new (to me) hack tool
        called dsniff (IIRC).  The basic operation is as follows:

        * enemy spoofs an ARP reply to a target host/client for the victim's
          IP, but supplies its own MAC address.
        * target stashes this in its ARP table, subsequent IP packets are
          sent to the enemy's MAC.
        * enemy copies the packet and forwards on to the victim.

        It is a bit scary, and gets down to the bit-level of various TCP
        stacks.  On paper it sounds rather simple, and I'm trying to devise
        some means of protection against this.  Among my concerns about the
        attack:

        * do all stacks accept and cache 'unsolicited' ARP replies?
          Routers?  Windows?  NT?  Various unix flavors?
        * will this overwrite any existing ARP entry in the cache?
        * will this overwrite a static ARP entry?

        To ensure a "sniff-proof" connection between yourself and a host,
        can you define static ARPs on the client, host, and endpoint
        router(s) if on different subnets and protect yourself from such an
        attack?

        Sorry if somewhat off-topic, but it does get to the way ARP works
        (is it stateful - request and wait on reply, or are the two events
        handled asynchronously?)

        Jeff Kell <[EMAIL PROTECTED]>

        ___________________________________
        UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
        FAQ, list archives, and subscription info: http://www.groupstudy.com
        Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
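
The quoted questions turn on two observable events: an ARP reply that answers no request, and a reply that changes an existing IP-to-MAC binding. The Python sketch below is an added example, not part of either message; it is a passive monitor that flags both from raw Ethernet frames. The frame builder, the `ArpWatch` name and all addresses are constructed for illustration.

```python
ARP_REQUEST, ARP_REPLY = 1, 2
IPV4_ARP = bytes.fromhex("0806000108000604")  # ethertype, htype, ptype, hlen, plen

def build_arp(op, sha, spa, tha, tpa):
    """Build an Ethernet+ARP frame (constructed sample input, not a capture)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(o) for o in s.split("."))
    dst = b"\xff" * 6 if op == ARP_REQUEST else mac(tha)
    body = mac(sha) + ip(spa) + mac(tha) + ip(tpa)
    return dst + mac(sha) + IPV4_ARP + op.to_bytes(2, "big") + body

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_ip), or None if not IPv4 ARP."""
    op = int.from_bytes(frame[20:22], "big")
    if len(frame) < 42 or frame[12:20] != IPV4_ARP or op not in (1, 2):
        return None
    dotted = lambda b: ".".join(map(str, b))
    return op, frame[22:28].hex(":"), dotted(frame[28:32]), dotted(frame[38:42])

class ArpWatch:
    """Flags unsolicited replies and changed IP-to-MAC bindings."""
    def __init__(self):
        self.bindings = {}    # sender IP -> MAC last seen in any ARP packet
        self.pending = set()  # (requester IP, requested IP) awaiting a reply

    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return []
        op, sha, spa, tpa = parsed
        alerts = []
        if op == ARP_REQUEST:
            self.pending.add((spa, tpa))
        elif (tpa, spa) in self.pending:
            self.pending.discard((tpa, spa))      # reply matches a request we saw
        else:
            alerts.append(f"unsolicited reply for {spa} sent to {tpa}")
        if self.bindings.setdefault(spa, sha) != sha:
            alerts.append(f"{spa} moved from {self.bindings[spa]} to {sha}")
        self.bindings[spa] = sha
        return alerts

def demo():
    a, zero = "02:00:00:00:00:01", "00:00:00:00:00:00"  # constructed addresses
    frames = [build_arp(ARP_REQUEST, a, "10.0.0.5", zero, "10.0.0.1"),
              build_arp(ARP_REPLY, "02:00:00:00:00:fe", "10.0.0.1", a, "10.0.0.5"),
              build_arp(ARP_REPLY, "02:00:00:00:00:66", "10.0.0.1", a, "10.0.0.5")]
    watch = ArpWatch()
    return [watch.observe(f) for f in frames]
```

A binding also changes on legitimate failover or NIC replacement, so an alert is a prompt to verify the new MAC rather than proof of spoofing.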
