From owner-freebsd-security Sun Jan 14 0:12: 9 2001
Delivered-To: freebsd-security@freebsd.org
Received: from spammie.svbug.com (unknown [198.79.110.2])
	by hub.freebsd.org (Postfix) with ESMTP id BF12D37B400;
	Sun, 14 Jan 2001 00:11:49 -0800 (PST)
Received: from spammie.svbug.com (localhost.mozie.org [127.0.0.1])
	by spammie.svbug.com (8.9.3/8.9.3) with ESMTP id AAA00707;
	Sun, 14 Jan 2001 00:11:15 -0800 (PST)
	(envelope-from jessem@spammie.svbug.com)
Message-Id: <200101140811.AAA00707@spammie.svbug.com>
Date: Sun, 14 Jan 2001 00:11:14 -0800 (PST)
From: opentrax@email.com
Reply-To: opentrax@email.com
Subject: Re: Building a local network on switches (ANTISNIFFER measures)
To: wes@softweyr.com
Cc: sthaug@nethelp.no, matrix@ipform.ru, questions@FreeBSD.ORG, security@FreeBSD.ORG
In-Reply-To: <3A56AD06.BDD770B0@softweyr.com>
MIME-Version: 1.0
Content-Type: TEXT/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 5 Jan, Wes Peters wrote:
> sthaug@nethelp.no wrote:
>>
>> > Somebody said, that there is way to fool but flooding it with weird
>> > arpa entries and the switch will fall back into hub mode. I wonder if it
>> > is true for all hubs and if I can use non SNMP controllable hub.
>>
>> Think about how a hub works (or for that matter a switch). It has a
>> MAC address table of a certain finite size. If you send packets with
>> a MAC address which is not in the address table, the packet must be
>> transmitted on all ports (except the one it arrived on).
>
> Except some managed switches allow you to specify certain MAC addresses
> that are allowed on a given port. Packets received from other MAC
> addresses are dropped.
>
Yes, 3Com ethernet switched hubs offer this. However, most admins
I've run into kill that feature. One co-lo we were in started dropping
packets for no reason. So ourselves and others would ping the outside
world just to keep our servers from getting dropped. Yes, they were 3Com.

Getting back to the question about ANTI-sniffer measures. Good hackers
usually go for the weakest link. If SNMP routers and hubs have passwords
and don't get set to 'public', they will go after other boxes. I suggest
if you are running a co-lo or something with many servers, set up a
sacrificial lamb. A 486-box with minimal setting is good, maybe even with
jail. If you give them an easy target, they will usually go for it.
In other words, make it a target.

Jessem.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
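
The switch behaviour discussed in the thread above, as an added example that is not part of the original message: a small model of a learning switch with a finite MAC address table, run with and without a per-port list of allowed source addresses. The class, the addresses, the table size and the evict-oldest policy are assumptions made for illustration; real switches differ in how they handle a full table.

```python
# Constructed model of a learning switch; every name and value is hypothetical.
from collections import OrderedDict

class Switch:
    def __init__(self, ports, table_size, allowed=None):
        self.ports = list(ports)
        self.table_size = table_size   # finite MAC address table
        self.table = OrderedDict()     # MAC -> port, oldest entry first
        self.allowed = allowed or {}   # port -> set of permitted source MACs
        self.dropped = 0

    def receive(self, in_port, src, dst):
        """Return the list of ports the frame is transmitted on."""
        # Per-port MAC filtering: frames from other sources are dropped
        # before they can be learned.
        permitted = self.allowed.get(in_port)
        if permitted is not None and src not in permitted:
            self.dropped += 1
            return []
        # Learn the source address. Assumption: a full table evicts its
        # oldest entry.
        self.table.pop(src, None)
        if len(self.table) >= self.table_size:
            self.table.popitem(last=False)
        self.table[src] = in_port
        # Known destination: one port. Unknown destination: all ports
        # except the one the frame arrived on.
        if dst in self.table:
            out = self.table[dst]
            return [] if out == in_port else [out]
        return [p for p in self.ports if p != in_port]

def demo(allowed=None):
    sw = Switch(ports=[1, 2, 3, 4], table_size=4, allowed=allowed)
    a, b = "00:00:00:00:00:0a", "00:00:00:00:00:0b"
    sw.receive(1, a, b)            # A learned; B unknown, so flooded
    sw.receive(2, b, a)            # B learned
    before = sw.receive(1, a, b)   # switched to B's port only
    # Constructed input: port 3 sources frames from 16 different addresses.
    for i in range(16):
        sw.receive(3, "02:00:00:00:00:%02x" % i, a)
    after = sw.receive(1, a, b)    # where does A -> B traffic go now?
    return before, after, sw.dropped

if __name__ == "__main__":
    print("no filtering:    ", demo())
    print("port 3 filtered: ", demo({3: {"00:00:00:00:00:0c"}}))
```

Without filtering, the later A-to-B frame is sent on every other port because B's entry has been pushed out of the table; with the allowed list on port 3 the table is untouched and the frame still goes to B's port alone.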