Date: Mon, 6 Sep 1999 13:04:05 -0700 (PDT)
From: Tom
To: Alfred Perlstein
Cc: Brad Knowles, Dag-Erling Smorgrav, Pascal Hofstee, freebsd-questions@FreeBSD.ORG, freebsd-stable@FreeBSD.ORG
Subject: Re: softupdates in latest build?

On Mon, 6 Sep 1999, Alfred Perlstein wrote:

> > Besides, most ethernets are switched these days, making password
> > sniffing for anything but connections to or from the machine the sniffer
> > is running on completely useless.
>
> Isn't it possible to spoof arp and compromise a switch?
>
> Just wondering.

Well, it depends. ARP is used to resolve IPs to MAC addresses. L2 switches don't even look at ARP. They just memorize where different MAC addresses are.

Now, if an ARP broadcast goes out from a certain client for a login box, and the login box and a spoofing box both answer the request, the client will report a duplicate IP error. So you don't really gain anything. You certainly can't "compromise" the switch.

You can try spoofing MAC addresses, but a switch will direct traffic to the port with a particular registered MAC address. So either the spoofing box or the login box gets the traffic, not both. Either way, things will not be working right on the network, and people are going to notice.

Also, all switches allow particular MAC addresses to be hard-coded to particular ports. If other ports attempt to use them, they are shut down or ignored.

You are however screwed if the login box goes down, and your spoofing box tries to impersonate it. This however would be detected very quickly because whatever services the login box had wouldn't be working, unlike a classic sniffer.

> -Alfred
>
>

Tom
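
Added illustration, not part of the original message: a small Python model of the checks the message relies on, namely the switch's learned MAC-to-port table, MAC addresses hard-coded to ports, and the duplicate-IP report a host raises when two MACs answer ARP for one address. Every name here is hypothetical and the sample frames are constructed, using documentation-range addresses.

```python
# Added example: hypothetical names, constructed frames (documentation-range addresses).

def analyze(frames, static_bindings=None):
    """frames: iterable of (port, src_mac, arp_reply_ip or None).
    Returns a list of (kind, port, detail) alerts in arrival order."""
    static_bindings = static_bindings or {}  # MAC -> the only port allowed to use it
    mac_table = {}    # switch side: learned MAC -> port
    arp_owner = {}    # host side: IP -> MAC that first answered ARP for it
    disabled = set()  # ports shut down after a binding violation
    alerts = []
    for port, mac, arp_ip in frames:
        if port in disabled:
            alerts.append(("dropped", port, mac))
            continue
        bound = static_bindings.get(mac)
        if bound is not None and bound != port:
            # Hard-coded MAC used from another port: shut that port down.
            disabled.add(port)
            alerts.append(("port-security", port, f"{mac} is bound to port {bound}"))
            continue
        prev = mac_table.get(mac)
        if prev is not None and prev != port:
            # Same MAC now behind a different port: traffic follows the last port seen.
            alerts.append(("mac-move", port, f"{mac} moved from port {prev}"))
        mac_table[mac] = port
        if arp_ip is not None:
            owner = arp_owner.setdefault(arp_ip, mac)
            if owner != mac:
                # Two MACs answered for one IP: the duplicate-IP condition.
                alerts.append(("duplicate-ip", port, f"{arp_ip} claimed by {owner} and {mac}"))
    return alerts

LOGIN_MAC = "00:00:5e:00:53:01"   # constructed: the login box, on port 1
OTHER_MAC = "00:00:5e:00:53:99"   # constructed: a second box, on port 3
FRAMES = [
    (1, LOGIN_MAC, "192.0.2.10"),  # login box answers ARP for its own IP
    (3, OTHER_MAC, "192.0.2.10"),  # second box answers for the same IP
    (3, LOGIN_MAC, None),          # login box's MAC appears on port 3
    (3, OTHER_MAC, None),          # ordinary frame from port 3 afterwards
]

if __name__ == "__main__":
    for alert in analyze(FRAMES):                   # learning only
        print("learned:", alert)
    for alert in analyze(FRAMES, {LOGIN_MAC: 1}):   # MAC hard-coded to port 1
        print("bound:  ", alert)
```

With learning only, the MAC move is reported but the table still follows it; with the binding in place, port 3 is shut down at the first violating frame.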