From owner-freebsd-net Wed May 24 7:24:21 2000
Delivered-To: freebsd-net@freebsd.org
Received: from dune.clickarray.com (adsl-63-197-76-246.dsl.snfc21.pacbell.net [63.197.76.246]) by hub.freebsd.org (Postfix) with ESMTP id 890F937BC1A for ; Wed, 24 May 2000 07:24:11 -0700 (PDT) (envelope-from sshah@dune.clickarray.com)
Received: (from sshah@localhost) by dune.clickarray.com (8.9.3/8.9.3) id HAA14615; Wed, 24 May 2000 07:23:20 -0700
Date: Wed, 24 May 2000 07:23:20 -0700
From: Steve Shah
To: Mike Silbersack
Cc: Olaf Hoyer, freebsd-net@FreeBSD.ORG
Subject: Re: BPF vs. promiscuous mode
Message-ID: <20000524072320.C14568@clickarray.com>
References: <4.1.20000524031209.027cb820@mail.rz.fh-wilhelmshaven.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0pre3i
In-Reply-To:
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, May 23, 2000 at 08:35:17PM -0500, Mike Silbersack wrote:
> On Wed, 24 May 2000, Olaf Hoyer wrote:
> > It's a chaotic peer-to-peer network, with a DHCP server and a gateway to
> > university.
> > We already had some sniffer attack to sniff out Pop3 passwords.

Consider forcing all e-mail services to be accessible only through secure tunnels. If the students are using Outlook, then they can use SSL. If you want to allow generic POP3 clients, then make the stunnel utility available to them with a batch file that runs:

    stunnel -c -d 110 -r pop3server.school.edu:995

I've done this for my "VPN" so that my road warriors could access our mail servers from remote without worrying about what type of net connection they have or what other people they may have to share it with. It works quite well.

> NICs), I'm curious why that's a problem. Changing IPs doesn't really pose
> any threat that I'm aware of, unless you're impersonating the gateway.
> (Such attacks may be doable even without changing MAC addresses,
> actually. I think impersonating the DHCP server would do - no packet
> sniffing required!)
Generally the problem is students changing their MAC addy's to get another IP address from the DHCP server. It's more of an annoyance than anything else, esp. when you run out of IP addresses and legit students start whining about it. (Those pesky students! ;-))

The tool that you are looking for is "arpwatch". This will watch all of the MAC<->IP mappings on a segment and alert you if this changes. A tool that takes DHCP logs and filters out accepted changes could probably be hacked up quickly.

    #include "magic_perl_script_here.pl"

Aside: If you haven't already, I assume you have NAT'd off your dorms and firewalled them up the wazoo, right? I know at my old university, unauthorized servers were a real ugly problem. On more than one occasion, we would see MRTG graphs go all green.... It was not a pretty sight. This was because students were given real IP addy's. What should have been done (and hopefully done by now... it's been a while since I've seen their network) is to have all the students NAT off into the 10.0.0.0 network. This would keep the servers from coming in.

What would have been entertaining is to try and put every student on their own subnet. This would keep the script kiddies from doing broadcast based attacks since all the other hosts would just ignore the packets within the first few checks in their IP stack. There are certainly enough networks to support a few thousand 30 bit netmasks....

-Steve

-- 
___________________________________________________________________________
Steve Shah (sshah@clickarray.com) | Developer/Systems Administrator/Author
http://www.clickarray.com | Voice: 408.772.8202 (e-mail preferred)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Beating code into submission, one OS at a time...

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message
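A minimal version of the DHCP-log filter Steve says could be hacked up quickly, added here as an example (it is not from the thread, from arpwatch, or from any FreeBSD tool). It is in Python rather than the Perl the mail jokes about, and it assumes ISC dhcpd-style "DHCPACK on <ip> to <mac>" syslog lines and a list of (ip, mac) pairs as an arpwatch-like sniffer would observe them; all sample data is constructed.

```python
import re

# Constructed sample: dhcpd syslog lines. DHCPACK means the server accepted the lease.
DHCP_LOG = """\
May 24 07:01:12 gw dhcpd: DHCPACK on 10.0.0.5 to 00:a0:c9:11:22:33 via fxp0
May 24 07:02:40 gw dhcpd: DHCPACK on 10.0.0.6 to 00:a0:c9:44:55:66 via fxp0
May 24 07:10:03 gw dhcpd: DHCPACK on 10.0.0.7 to 00:a0:c9:11:22:33 via fxp0
"""

# Constructed sample: (ip, mac) pairs seen on the segment, as arpwatch would report them.
ARP_SEEN = [
    ("10.0.0.5", "00:a0:c9:11:22:33"),
    ("10.0.0.6", "00:a0:c9:44:55:66"),
    ("10.0.0.7", "00:a0:c9:11:22:33"),  # same NIC got a second lease: dhcpd says OK
    ("10.0.0.6", "00:a0:c9:de:ad:00"),  # a MAC that was never leased this IP
    ("10.0.0.9", "00:a0:c9:44:55:66"),  # an IP dhcpd never handed out at all
]

ACK_RE = re.compile(r"DHCPACK on (\S+) to ([0-9a-fA-F:]{17})")


def accepted_leases(log: str) -> dict:
    """Map ip -> mac for every lease the DHCP server actually acknowledged.
    A later DHCPACK for the same IP overrides an earlier one (lease moved)."""
    leases = {}
    for line in log.splitlines():
        m = ACK_RE.search(line)
        if m:
            leases[m.group(1)] = m.group(2).lower()
    return leases


def check_arp(seen, leases) -> list:
    """Keep only the MAC<->IP observations dhcpd did not sanction.
    Returns (reason, ip, mac) tuples; sanctioned pairs produce nothing."""
    alerts = []
    for ip, mac in seen:
        mac = mac.lower()
        if ip not in leases:
            alerts.append(("unleased-ip", ip, mac))      # static or self-assigned address
        elif leases[ip] != mac:
            alerts.append(("mac-mismatch", ip, mac))     # someone else answering for a leased IP
    return alerts


if __name__ == "__main__":
    for reason, ip, mac in check_arp(ARP_SEEN, accepted_leases(DHCP_LOG)):
        print(f"ALERT {reason}: {ip} is being claimed by {mac}")
```

Feeding it the real dhcpd log and arpwatch's own report file instead of the constructed samples turns arpwatch's "every change" noise into only the changes the DHCP server did not make.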