Security Basics mailing list archives

RE: about CAM table overflow attack?


From: "David Gillett" <gillettdavid () fhda edu>
Date: Mon, 24 Apr 2006 10:19:36 -0700

  The switch has a separate CAM table for every VLAN.  Whether the filling of the CAM table for one VLAN affects just that VLAN, or the entire switch, will depend on how those tables are allocated, and will vary from manufacturer to manufacturer, and perhaps from model to model and code release to code release.

  However:  The attacker's port is usually a member of a specific VLAN, and a working switch will only deliver traffic to that port if it's within that VLAN.

  Also, there will be traffic on that VLAN that the attacker does not see *unless* he overflows the CAM tables for that VLAN on every switch in the network.

David Gillett


-----Original Message-----
From: Monty Ree [mailto:chulmin2 () hotmail com] 
Sent: Tuesday, April 18, 2006 4:23 AM
To: security-basics () securityfocus com
Subject: about CAM table overflow attack?

Hello, all.

I have read some documents about the CAM table overflow (or MAC flooding, switch jam) attack.
I have some questions about this.

If some attacker executes macof for some time, the CAM tables would be overflowed.

1. Then can the attacker see only other traffic which is in the same VLAN?

2. Or can the attacker see all traffic (over VLANs) which the switch services, like a dummy hub?


Thanks in advance.
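
The behaviour described in the reply above can be checked with a small model. This is an added example, not part of either message and not any vendor's implementation: the `Switch` class, the `shared_pool` switch between per-VLAN and switch-wide CAM allocation, the port layout and all MAC addresses are assumptions made up for illustration, and it models a single switch only.

```python
from collections import defaultdict

class Switch:
    """Toy learning switch with access ports and a bounded CAM."""
    def __init__(self, port_vlan, capacity, shared_pool):
        self.port_vlan = port_vlan      # port -> VLAN
        self.capacity = capacity        # per VLAN, or switch-wide if shared_pool
        self.shared_pool = shared_pool  # assumption: two possible allocation schemes
        self.cam = defaultdict(dict)    # VLAN -> {MAC: port}

    def _has_room(self, vlan):
        if self.shared_pool:
            return sum(len(t) for t in self.cam.values()) < self.capacity
        return len(self.cam[vlan]) < self.capacity

    def receive(self, in_port, src, dst):
        """Learn src if there is room, then return the ports the frame goes to."""
        vlan = self.port_vlan[in_port]
        table = self.cam[vlan]
        if src in table or self._has_room(vlan):
            table[src] = in_port
        if dst in table:
            return {table[dst]}
        # Unknown destination: flood, but only to other ports in the same VLAN.
        return {p for p, v in self.port_vlan.items() if v == vlan and p != in_port}

BROADCAST = "ff:ff:ff:ff:ff:ff"

def run(shared_pool):
    # Constructed topology: ports 1-3 in VLAN 10 (port 3 is the flooding host),
    # ports 4-6 in VLAN 20. All MAC addresses are made up.
    sw = Switch({1: 10, 2: 10, 3: 10, 4: 20, 5: 20, 6: 20}, 8, shared_pool)
    for i in range(100):                # bogus sources arriving on port 3
        sw.receive(3, f"02:00:00:00:00:{i:02x}", BROADCAST)
    # Legitimate hosts announce themselves only after the table has filled.
    sw.receive(2, "aa:10:00:00:00:02", BROADCAST)
    sw.receive(5, "aa:20:00:00:00:05", BROADCAST)
    return {
        "vlan10": sw.receive(1, "aa:10:00:00:00:01", "aa:10:00:00:00:02"),
        "vlan20": sw.receive(4, "aa:20:00:00:00:04", "aa:20:00:00:00:05"),
    }

if __name__ == "__main__":
    for shared in (False, True):
        seen = run(shared)
        print("shared pool" if shared else "per-VLAN tables", seen)
        assert 3 not in seen["vlan20"]  # port 3 never receives VLAN 20 frames
```

With per-VLAN tables only VLAN 10 degrades to hub-like flooding; with a shared pool VLAN 20 floods as well, but in both cases the flooded frames stay on ports in their own VLAN.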


