Bugtraq mailing list archives

Re: Infosec.19990305.macof.a


From: cel95eig () mds mdh se (Emil Isberg)
Date: Thu, 6 May 1999 22:30:07 +0200


On 5 May 1999, ian.vitek () INFOSEC SE wrote:
> Vulnerability Summary
> ---------------------
>
> Problem:  Due to limitations with ARP/MAC tables,
>               switches could start sending packets to all ports, and
>               other network devices could hang, crash or reboot
>               if they receive lots of MAC addresses.
>
> Threat:   Someone could eavesdrop on/sniff network connections
>               over a switched network.
>               Denial-of-service attacks on a local network.
> Solution: There is no known solution to the problem today.

This problem is known.
The problem is known as "learning mode" and is the state the switch is in
when it "learns" how the network is configured.

What it does is simply record which port each MAC address is responding on.

What does the solution look like?
Well, don't use "learning mode" on the switch. In a secure environment you
know most of the needed MAC addresses, and the rest you should know anyway,
so you do not need "learning mode".

But is it a limitation? Yes. The switch should notice that a port is
behaving very strangely and disable it (before its MAC table is flushed).

--
/Emil
"You could say that I have my own file system in my apartment. /Bornäs"
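The three behaviours the thread argues about (a full MAC table turning the switch into a hub, a per-port limit that disables a flooding port before that happens, and a statically populated table with learning turned off) can be shown with a small simulation. The following is an added example written for this page; it is not code from the thread, from macof, or from any switch vendor. The 64-entry table, the oldest-entry eviction when the table is full, the limit of 8 source MACs per port, and the host MACs are all assumptions made for the simulation.

```python
"""Toy learning switch with a bounded MAC table (constructed example)."""
import random
from collections import OrderedDict
from dataclasses import dataclass, field
from typing import Optional

FLOOD = "FLOOD"             # frame sent out every port except the ingress port
ALICE = "aa:aa:aa:aa:aa:01"  # constructed legitimate host on port 1
BOB = "bb:bb:bb:bb:bb:02"    # constructed legitimate host on port 2


@dataclass
class Frame:
    src: str
    dst: str


@dataclass
class Switch:
    table_size: int = 64                      # assumed tiny CAM table
    max_macs_per_port: Optional[int] = None   # None: no port-security limit
    learning: bool = True                     # False: static table only
    mac_table: OrderedDict = field(default_factory=OrderedDict)  # mac -> port
    macs_seen_on_port: dict = field(default_factory=dict)        # port -> set
    disabled_ports: set = field(default_factory=set)

    def add_static(self, mac: str, port: int) -> None:
        """Pin a MAC to a port; this is how the table is filled when learning is off."""
        self.mac_table[mac] = port

    def forward(self, frame: Frame, in_port: int):
        """Return the egress port, FLOOD, or None if the frame is dropped."""
        if in_port in self.disabled_ports:
            return None
        if self.learning:
            self._learn(frame.src, in_port)
            if in_port in self.disabled_ports:   # port security just fired
                return None
        out = self.mac_table.get(frame.dst)
        if out is None:
            return FLOOD          # unknown destination: flood to all ports
        if out == in_port:
            return None           # destination lives on the ingress port
        return out

    def _learn(self, mac: str, in_port: int) -> None:
        seen = self.macs_seen_on_port.setdefault(in_port, set())
        seen.add(mac)
        if self.max_macs_per_port is not None and len(seen) > self.max_macs_per_port:
            self.disabled_ports.add(in_port)  # too many MACs on one port: shut it
            return
        if mac in self.mac_table:
            self.mac_table.move_to_end(mac)
        elif len(self.mac_table) >= self.table_size:
            # Table full: evict the oldest entry (assumed policy). Whatever a
            # real switch does here, a legitimate host's entry can be pushed out.
            self.mac_table.popitem(last=False)
        self.mac_table[mac] = in_port


def random_mac(rng: random.Random) -> str:
    return ":".join(f"{rng.randrange(256):02x}" for _ in range(6))


def run_scenario(switch: Switch, flood_frames: int = 1000, seed: int = 1):
    """ALICE (port 1) and BOB (port 2) exchange a frame so the switch learns
    them; an attacker on port 3 then injects flood_frames frames with random
    source and destination MACs, as macof does.  Returns where a final
    ALICE->BOB frame ends up, and whether port 3 was disabled."""
    rng = random.Random(seed)
    switch.forward(Frame(ALICE, BOB), in_port=1)
    switch.forward(Frame(BOB, ALICE), in_port=2)
    for _ in range(flood_frames):
        switch.forward(Frame(random_mac(rng), random_mac(rng)), in_port=3)
    return switch.forward(Frame(ALICE, BOB), in_port=1), 3 in switch.disabled_ports


if __name__ == "__main__":
    print("learning, no limit:   ", run_scenario(Switch()))
    print("learning, 8 MACs/port:", run_scenario(Switch(max_macs_per_port=8)))
    static = Switch(learning=False)
    static.add_static(ALICE, 1)
    static.add_static(BOB, 2)
    print("static table:         ", run_scenario(static))
```

With plain learning the attacker's 1000 source addresses push ALICE and BOB out of the 64-entry table, so the final ALICE-to-BOB frame comes back as FLOOD: it leaves on every port, including the attacker's. With a per-port limit the switch disables port 3 after the ninth distinct source MAC, the table never fills, and the frame is switched to port 2 only. With learning off and static entries the attacker's frames are still flooded (their destinations are unknown), but they cannot displace the real entries, so the legitimate traffic stays switched.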


