Security Basics mailing list archives

Re: AW: security-basics Digest 18 Jun 2003 22:09:15 -0000 Issue 618


From: "Craig Janssen" <cjanssen () mail millikin edu>
Date: Thu, 26 Jun 2003 16:41:58 -0500

I understand that it is possible to overwhelm a switch such that it
reduces to a hub, and everyone can listen to everyone else.  I *think*
this is done by spewing out (spoofed) packets with so many different hw
addresses that the address table is totally bogus.  Then no valid input
packets do anything but get "broadcasted" to all ports.  Someone correct
me if I'm wrong.

That is definitely possible.  Cisco Catalyst switches and a few other
brands used to be susceptible to "christmas tree attacks", where you
basically would send the switch TCP packets with incorrect TCP flags set
(i.e., SYN, FIN, ACK, etc), and it would often overload the switch and
set it to a fail-open state, where it basically turns into a big
repeating hub.  The other way to do this is to overload the MAC table in
the switch's memory by sending mass ARP replies where it would
error out and again fail open.  Every packet entering the switch would
then be forwarded on every interface, making packet sniffing much easier
on remote segments.  Hopefully you'd see a degradation in network
performance when this happens and be able to reboot the switch before
things got any worse.

Craig



______________________________
Craig Janssen, MCP, A+
Network and Internet Services Manager
Millikin University Information Technology Dept
(217) 362-6488
cjanssen () mail millikin edu
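
The MAC-table overload discussed in this thread shows up on the wire as one port suddenly sourcing far more hardware addresses than any real host or small hub would. The following is an added detection example, not part of the original message: it counts distinct source MACs per port inside a sliding time window and flags ports that exceed a limit. The port names, MAC addresses, window and threshold are all constructed assumptions.

```python
from collections import defaultdict, deque

def build_sample_frames():
    """Constructed observations: (seconds, switch port, source MAC)."""
    frames = []
    # Gi0/1: one workstation sending steadily for 100 seconds.
    frames += [(float(t), "Gi0/1", "02:00:00:aa:00:01") for t in range(100)]
    # Gi0/2: a small unmanaged hub with three hosts behind it.
    frames += [(float(t), "Gi0/2", f"02:00:00:bb:00:{t % 3:02x}") for t in range(100)]
    # Gi0/3: 200 never-repeating source addresses inside two seconds.
    frames += [(100 + i * 0.01, "Gi0/3", f"02:00:00:cc:{i >> 8:02x}:{i & 0xFF:02x}")
               for i in range(200)]
    # Gi0/4: 60 different addresses, but only one new one every 10 seconds.
    frames += [(i * 10.0, "Gi0/4", f"02:00:00:dd:00:{i:02x}") for i in range(60)]
    return frames

def flag_flooding_ports(frames, window=10.0, max_macs=50):
    """Return {port: peak distinct source MACs seen within any `window` seconds}
    for ports whose peak exceeds `max_macs` (both values are assumptions)."""
    recent = defaultdict(deque)   # port -> (ts, mac) pairs still inside the window
    live = defaultdict(dict)      # port -> {mac: frames inside the window}
    flagged = {}
    for ts, port, mac in sorted(frames):
        q, counts = recent[port], live[port]
        q.append((ts, mac))
        counts[mac] = counts.get(mac, 0) + 1
        # Age out observations that have fallen out of the window.
        while ts - q[0][0] > window:
            _, old = q.popleft()
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
        if len(counts) > max_macs:
            flagged[port] = max(flagged.get(port, 0), len(counts))
    return flagged

if __name__ == "__main__":
    for port, peak in flag_flooding_ports(build_sample_frames()).items():
        print(f"{port}: {peak} distinct source MACs within 10 s")
```

Gi0/4 carries 60 addresses in total but is not flagged, because they arrive slowly enough that only two are ever inside the window at once.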
