Date: Wed, 24 May 2000 03:43:32 +0200
To: Mike Silbersack
From: Olaf Hoyer
Subject: Re: BPF vs. promiscuous mode
Cc: freebsd-net@FreeBSD.ORG

>> I mean with fake address that you pretend that your NIC had a different
>> address from that stored in PROM.
>>
>> Say, your NIC had an address of (fictional) 00:00:00:1e:3d:2a and you could
>> make it appear to other boxes on the same network as say,
>> 3e:2e:4b:3d:5c:00, in this case I'd like to know
>> a) how this is done and
>> b) how can it be detected
>
>Well, as one of those pesky students who has reprogrammed his MAC address
>on multiple occasions (so DHCP would give me the same IP when switching
>NICs), I'm curious why that's a problem. Changing IPs doesn't really pose
>any threat that I'm aware of, unless you're impersonating the gateway.
>(Such attacks may be doable even without changing MAC addresses,
>actually. I think impersonating the DHCP server would do - no packet
>sniffing required!)
>
>However, that's really unimportant anyway; it sounds like you're using
>regular hubs from your above statements. You should probably just get
>cheap switches; any other countermeasures to prevent sniffers are just
>going to take a lot of time, and not really be effective.

Hi!

Well, the IP assignment is not the problem.

The fact is that there are some jobs run that check whether, on some
network segment, some card is present that is in promiscuous mode and/or
has its MAC address changed, seen independently from the assigned (via
DHCP) IP address. (Of course, you might assign your IP address manually.)

Are there some programs/techniques that do that? BSD or Linux, some
program/trick/whatsoever that pretends (in return to ARP queries) to have
a different MAC address than the one stored in the ROM of the NIC.

We have (due to costs) one central switch running (3com, IIRC), with about
twelve hubs attached, which hold altogether about 235 connections.

Regards
Olaf Hoyer
--------
Olaf Hoyer     www.nightfire.de     mailto:Olaf.Hoyer@nightfire.de
FreeBSD- Turning PC's into workstations     ICQ:22838075
Love and hate are not blind, but dazzled by the fire that they carry
within themselves. (Nietzsche)
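Added example, not part of the original message or thread: one way to approach question (b) is to audit `arp -an` output for addresses whose locally-administered bit is set (as it is in the fictional 3e:2e:4b:3d:5c:00, but not in 00:00:00:1e:3d:2a) and for IPs whose MAC differs from a recorded baseline. The baseline inventory, the 192.0.2.x addresses, the interface name and the function names are assumptions made for illustration; the bit check is a heuristic that flags only addresses with that bit set.

```python
import re

# Matches BSD/Linux `arp -an` entries such as:
#   ? (192.0.2.10) at 0:0:0:1e:3d:2a on fxp0 [ethernet]
ARP_LINE = re.compile(
    r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-fA-F]{1,2}(?::[0-9a-fA-F]{1,2}){5})\b")

def normalize(mac):
    """Zero-pad and lowercase each octet (BSD arp prints 0:0:0:1e:3d:2a)."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))

def locally_administered(mac):
    """True if the U/L bit (0x02 of the first octet) is set, meaning the
    address was assigned by software rather than taken from a vendor block."""
    return bool(int(mac.split(":")[0], 16) & 0x02)

def audit(arp_lines, baseline):
    """Return a sorted list of (ip, mac, reason) findings.
    baseline maps IP -> MAC recorded earlier (hypothetical inventory)."""
    findings = []
    for line in arp_lines:
        m = ARP_LINE.search(line)
        if not m:
            continue  # skip "(incomplete)" entries and unrelated lines
        ip, mac = m["ip"], normalize(m["mac"])
        if locally_administered(mac):
            findings.append((ip, mac, "locally administered address"))
        known = baseline.get(ip)
        if known and normalize(known) != mac:
            findings.append((ip, mac, f"changed from {normalize(known)}"))
    return sorted(findings)

# Constructed sample data built around the two addresses in the message.
SAMPLE_ARP = [
    "? (192.0.2.10) at 0:0:0:1e:3d:2a on fxp0 [ethernet]",
    "? (192.0.2.11) at 3e:2e:4b:3d:5c:0 on fxp0 [ethernet]",
    "? (192.0.2.12) at (incomplete) on fxp0 [ethernet]",
]
SAMPLE_BASELINE = {"192.0.2.10": "00:00:00:1e:3d:2a",
                   "192.0.2.11": "00:00:00:1e:3d:2b"}

if __name__ == "__main__":
    for finding in audit(SAMPLE_ARP, SAMPLE_BASELINE):
        print(*finding, sep="  ")
```

Run periodically against a baseline captured at registration time, this reports each station whose address changed since it was recorded.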