Date:      Wed, 24 May 2000 07:23:20 -0700
From:      Steve Shah <sshah@clickarray.com>
To:        Mike Silbersack <silby@silby.com>
Cc:        Olaf Hoyer <ohoyer@fbwi.fh-wilhelmshaven.de>, freebsd-net@FreeBSD.ORG
Subject:   Re: BPF vs. promiscuous mode
Message-ID:  <20000524072320.C14568@clickarray.com>
In-Reply-To: <Pine.BSF.4.21.0005232030020.19221-100000@achilles.silby.com>
References:  <4.1.20000524031209.027cb820@mail.rz.fh-wilhelmshaven.de> <Pine.BSF.4.21.0005232030020.19221-100000@achilles.silby.com>

On Tue, May 23, 2000 at 08:35:17PM -0500, Mike Silbersack wrote:
> On Wed, 24 May 2000, Olaf Hoyer wrote:
> > Its a chaotic peer-to-peer network, with a DHCP server and a gateway to
> > university.
> > We already had some sniffer attack to sniff out Pop3 passwords.

Consider forcing all e-mail services to be accessible only through
secure tunnels. If the students are using <sigh> Outlook, then
they can use SSL. If you want to allow generic POP3 clients, then
make the stunnel utility available to them with a batch file 
that runs:

stunnel -c -d 110 -r pop3server.school.edu:995

I've done this for my "VPN" so that my road warriors could access 
our mail servers from remote without worrying about what type of
net connection they have or what other people they may have to share
it with. It works quite well.

> NICs), I'm curious why that's a problem.  Changing IPs doesn't really pose
> any threat that I'm aware of, unless you're impersonating the gateway.
> (Such attacks may be doable even without changing MAC addresses,
> actually.  I think impersonating the DHCP server would do - no packet
> sniffing required!)

Generally the problem is students changing their MAC addys to get
another IP address from the DHCP server. It's more of an annoyance
than anything else, esp. when you run out of IP addresses and legit
students start whining about it. (Those pesky students! ;-))

The tool that you are looking for is "arpwatch". This will watch all
of the MAC<->IP mappings on a segment and alert you if this changes.
A tool that takes DHCP logs and filters out accepted changes could
probably be hacked up quickly. #include "magic_perl_script_here.pl"

Aside: If you haven't already, I assume you have NAT'd off your dorms
and firewalled them up the wazoo, right? I know at my old university,
unauthorized servers were a real ugly problem. On more than one
occasion, we would see MRTG graphs go all green.... It was not a pretty
sight. This was because students were given real IP addys. What 
should have been done (and hopefully done by now... it's been a while
since I've seen their network) is to have all the students NAT off
into the 10.0.0.0 network. This would keep the servers from coming
in. 

<BOFH>
What would have been entertaining is to try and put every student
on their own subnet. This would keep the script kiddies from 
doing broadcast based attacks since all the other hosts would just
ignore the packets within the first few checks in their IP stack.
There are certainly enough networks to support a few thousand 
30 bit netmasks.... <grin>
</BOFH>

-Steve


-- 
___________________________________________________________________________
Steve Shah (sshah@clickarray.com) | Developer/Systems Administrator/Author
   http://www.clickarray.com      | Voice: 408.772.8202 (e-mail preferred)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
             Beating code into submission, one OS at a time...

