Date: Fri, 20 Aug 1999 14:06:02 -0600 (MDT)
From: Joel Maslak <jmaslak@updatesystems.com>
To: freebsd-security@freebsd.org
Subject: Switches & Security
Message-ID: <Pine.LNX.4.10.9908201358560.1547-100000@unix.updatesystems.com>

To compromise a network consisting of a switched backbone...

Let's say there are two machines, A and B. Let's say there is a router, R.

So:

    Internet ---- R ----+
                        |
                 A -- SWITCH -- B

Let's say B got compromised.

What B has to do is send ARP broadcasts out, claiming that it is actually R. Now, it knows R's REAL ethernet address. If R is busy and doesn't notice this (can be done a lot of ways), A may change its ARP table. If R notices, it may log this problem, or even stop working.

Thus, to send packets to the Internet, A ends up sending them to B's ethernet address (B thinks that is the ethernet address of R). B resends them (after logging them) to R's real ethernet address.

--- That was method 1. ---

There are MANY ways to invalidate the ARP cache of a switch. Some crash the switch.

VLANs do *NOT* always protect you, either! VLANs, technically, are just broadcast domain separations and nothing more. Some switches prevent any packet from crossing VLAN boundaries. A lot of others, though, just prevent broadcast packets from crossing those boundaries. Thus, two machines can communicate through the VLAN boundary if they know each other's ethernet address.

Sending out forged packets with the source ethernet address of another VLAN is a sure way to confuse most switches, BTW.

Joel Maslak
UPDATE Systems Inc.
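
The first method in the message depends on A accepting a new ethernet address for R's IP address. As an added example (not part of the original message), the Python below watches ARP frames for exactly that change and treats a pinned router binding as critical. The host addresses, the names `ArpMonitor` and `sample_frame`, and the frames themselves are constructed for illustration; feeding it frames from a live capture is left out.

```python
import socket
import struct

def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, frame[22:28].hex(":"), socket.inet_ntoa(frame[28:32])

class ArpMonitor:
    """Tracks IP-to-MAC bindings seen in ARP traffic and reports changes."""
    def __init__(self, pinned=None):
        self.pinned = dict(pinned or {})   # bindings that must never change (the router)
        self.seen = dict(self.pinned)      # ip -> last accepted sender MAC

    def observe(self, frame: bytes):
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        op, mac, ip = parsed
        known = self.seen.setdefault(ip, mac)   # first sighting is learned silently
        if known == mac:
            return None
        if ip not in self.pinned:
            self.seen[ip] = mac                 # learned binding: record the move, still alert
        severity = "CRITICAL" if ip in self.pinned else "WARNING"
        return f"{severity}: {ip} claimed by {mac}, previously {known} (ARP op {op})"

def sample_frame(op, sender_mac, sender_ip, target_ip):
    """Constructed test input: a broadcast Ethernet/IPv4 ARP frame as bytes."""
    sha = bytes.fromhex(sender_mac.replace(":", ""))
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + sha + socket.inet_aton(sender_ip)
    arp += b"\x00" * 6 + socket.inet_aton(target_ip)
    return b"\xff" * 6 + sha + b"\x08\x06" + arp

# Constructed addresses for the message's hosts: R is the router, B the second machine.
R_IP, R_MAC = "192.0.2.1", "02:00:00:00:00:01"
B_IP, B_MAC = "192.0.2.20", "02:00:00:00:00:0b"

def demo():
    mon = ArpMonitor(pinned={R_IP: R_MAC})
    frames = [sample_frame(2, R_MAC, R_IP, "192.0.2.10"),   # R answering normally
              sample_frame(1, B_MAC, B_IP, R_IP),           # B asking for R
              sample_frame(2, B_MAC, R_IP, "192.0.2.10")]   # R's IP paired with B's MAC
    return [mon.observe(f) for f in frames]

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Only the third constructed frame produces an alert. A monitor like this sees only the ARP traffic that reaches its own port, so on a switch it needs a mirror port or has to run on the hosts whose tables matter.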