Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 18 Jan 2007 22:35:59 -0800
From:      "Ted Mittelstaedt" <tedm@toybox.placo.com>
To:        "Andrew Pantyukhin" <infofarmer@freebsd.org>
Cc:        "Dan Mahoney, System Admin" <danm@prime.gushi.org>, questions@freebsd.org
Subject:   Re: Transport Mode IPSEC
Message-ID:  <00f901c73b94$15ef9590$3c01a8c0@coolf89ea26645>
References:  <20070118022306.Q26349@prime.gushi.org><005701c73ad3$1e433560$3c01a8c0@coolf89ea26645><cb5206420701180025t33de5399q11a8b96f6322a964@mail.gmail.com><00c601c73ae4$85eec240$3c01a8c0@coolf89ea26645> <cb5206420701180207x27ebea97s1259a8b321ec17eb@mail.gmail.com>

next in thread | previous in thread | raw e-mail | index | archive | help

----- Original Message ----- 
From: "Andrew Pantyukhin" <infofarmer@freebsd.org>
To: "Ted Mittelstaedt" <tedm@toybox.placo.com>
Cc: "Dan Mahoney, System Admin" <danm@prime.gushi.org>;
<questions@freebsd.org>
Sent: Thursday, January 18, 2007 2:07 AM
Subject: Re: Transport Mode IPSEC


> On 1/18/07, Ted Mittelstaedt <tedm@toybox.placo.com> wrote:
> >
> > ----- Original Message -----
> > From: "Andrew Pantyukhin" <infofarmer@freebsd.org>
> > To: "Ted Mittelstaedt" <tedm@toybox.placo.com>
> > Cc: "Dan Mahoney, System Admin" <danm@prime.gushi.org>;
> > <questions@freebsd.org>
> > Sent: Thursday, January 18, 2007 12:25 AM
> > Subject: Re: Transport Mode IPSEC
> >
> >
> > > On 1/18/07, Ted Mittelstaedt <tedm@toybox.placo.com> wrote:
> > > > Dan,
> > > >
> > > >   You do realize, don't you, that since both of these hosts are on a
> > switch,
> > > > and are using unicast traffic to communicate with each other, that
they
> > > > cannot be sniffed, don't you?
> > > >
> > > >   You might read up on ethernet switching technology a bit before
> > > > answering that.
> > >
> > > I'm sorry to be the one to make this remark but it's
> > > you who needs to read a bit to learn (a) how to sniff
> > > traffic off most Ethernet switches from D-Link to
> > > Cisco; (b) what other security risks unprotected NFSv3
> > > shares pose.
> >
> > Yeah, sure I've heard that one before.
> >
> > Why don't you go ahead and elaborate one of your favorite
> > theoretical attacks out of one of those books that "proves"
> > that an attacker can "sniff most switches" so I can have the
> > fun of knocking it down by real-world hardware implementations
> > that you can actually buy and use right now.
> >
> > Don't be a fool.  Ethernet switch manufacturers aren't stupid and
> > have read the same stuff your citing.  They combat them 2 ways.
> > The first is used on the expensive switches and it's called filtering
> > and allows switch manufacturer salespeople to have something to
> > dog and pony.  The second is used on the cheapo switches and
> > it's called using a wussy CPU on the switch so that the second
> > you try attacking the switch with one of your fancy attacks to
> > sniff it, the switch just rolls over and dies, passing so few packets
> > that every connection through it looses tremendous numbers of
> > packets, and hell breaks loose as all users start screaming.
> >
> > been there, done that.  Those work just dandy in the lab and
> > in your CCIE class with 3 hosts setup for the purpose of
> > demonstrating the attacks.  But try it on a production network some
> > day and the side-effects will kill you.
>
> Okay, I'm sorry to have sounded a bit rough before
> I even parsed your name :-) You don't need to throw
> bits of your knowledge at unsuspecting bystanders,
> too. ;)
>

OK, truce then. :-)

> Most attacks I can imagine, I read/heard about or
> seen in the worst of my nightmares - I wouldn't be
> able to reproduce or describe in detail.

Actually they sound a lot more interesting than they are
in practice.

There are two general ethernet attacks out there.  The first is
a MAC-based, you impersonate someone's MAC and IP
address (preferably a machine that happens to be switched off
at the moment) to get some sort of elevated privilege on a
server somewhere, or you do it while the other machine is
online, in order to take it offline, or do it to the gateway in
order to disrupt internet access, (usually)  Quite a lot of fun
things can be done with MAC and IP spoofing, and there
was a lot of this in early university campus dorm networks
when they were first setup.  Schools screamed about it and
switch vendors responded with intelligent switches that blurred
the distinction between layer 1, 2 and 3 and the rule of
thumb nowadays is to deploy those in networks where you
have potential attackers.  The best switches can notify the
admin when someone is pulling one of these stunts and
the admin can program in advance port lockdowns and
such, so that the wanna-be college freshman that thinks
he's smart gets a visit from campus security when he pulls
this kind of thing.

The second are in the high-speed rate family.  You send out
a lot of itty-bitty packets at a high rate of speed.  One trick is
to vary the MAC address on each packet so you overflow the
switch internal mac tables and cause the switch to basically
become a big hub - when that happens you run your sniffer
and try to steal passwords, etc.  Once more, the aforementiond
intelligent switches are the way to deal with this.

Both of these attacks depend on the attacker being on the
local LAN, or a machine he has compromised being on the
local LAN.

It is, of course, true that there's a lot of cheap switches on
the market and there are corporations that deploy them.
However your dealing with an environment here where
if an attacker gains control of a machine on the inside, he
can get far more useful data from inserting a keystroke
logger into the compromised operating system than bothering
with running LAN attacks.  Or, the attacker can try
a high speed password cracker.  You would not believe
how insecure most corporate networks are.

As an example a few months ago a customer of ours had me
run crack on an internal mailserver.  Out of the approximately
250 users, 100 of them had their passwords guessed by crack
within about 5 minutes, and 200 of them within 3 days.  The
customer raised hell internally as you might expect.  2 weeks
later I ran crack again and only half of the users had changed
to more secure passwords.

> My friend
> has a motto, which I happen to agree with: there's
> a good enough attacker for any kind of security
> measures, our job is to make his job as tough as
> possible.
>

Most attackers out there are relatively benign, all they
are looking for is resources.  They want disk space for
their pirated movies and music, or network and cpu resources
to allow them to spam or attack other systems.  The last
thing they want is to damage their victim or cause trouble with
it that would attract an administrators attention.  I can count
the ones I've ran acrosss that have damaged systems on the
fingers of one hand, and most of those damaged systems
by accident, not by intent.  And the real truth is that there is
such a plethora of unpatched or otherwise easy-to-compromise
systems out there, that those good enough attackers don't
bother wasting time when they run across a tight system, they
just move on to the next one.

Ted




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?00f901c73b94$15ef9590$3c01a8c0>