Bugtraq mailing list archives
Re: Infosec.19990305.macof.a
From: alan () LXORGUK UKUU ORG UK (Alan Cox)
Date: Sat, 8 May 1999 03:17:47 +0100
IEEE 802.1d isn't much use in deciding which option is best.
IEEE 802.1d is of questionable value anyway. Grep the standard for the word security. Spanning tree used maliciously is spectacularly effective when you decide to elect yourself the root of the tree.
Fixes are to activate "port security", which deactivates a port if its MAC address changes. This limits the DoS to one machine, which may still be worthwhile if the machine runs an attractive service. It is costly to administer in a large network.
Your security is still totally illusionary. Treat a switch as a network accelerator thats all. Any security consultant who talks about switches as a security feature you should offer to sell a bridge too (london bridge that is). The only time the switch helps is if it has IP level filters
Networks with trees of switches will see multiple traps as MAC addresses changes, so this option is usually only enabled on switches at the edge.
Be careful the bridge handles this right. You can trash some with trap bombs too - its often loading the on board CPU down to handle an SNMP trap and that in many bridges clobbers some of the hardware assisted performance badly.
access areas (computing labs, etc) on their own IP subnets. These areas usually require significant IP filtering in any case. The effect is to limit link-level DoS attacks initiated from a public keyboard to a single physical area.
Sort of. Given nodes A and B talking IP away from the public lab. Ping A, ping B. Note their mac addresses. Send A a regular stream of ARPs claiming B has moved to your address. Send B a stream of frames claiming A has moved to your address. Sit in the middle rewriting destination headers. Enjoy. You are using strong crypto on your network aren't you 8) Alan
Current thread:
- Infosec.19990305.macof.a ian.vitek () INFOSEC SE (May 05)
- Re: Infosec.19990305.macof.a Emil Isberg (May 06)
- Re: Infosec.19990305.macof.a David Maxwell (May 06)
- <Possible follow-ups>
- Re: Infosec.19990305.macof.a Glen Turner (May 06)
- Re: Infosec.19990305.macof.a Alan Cox (May 07)
- Re: Infosec.19990305.macof.a Greg A. Woods (May 08)
- Re: Infosec.19990305.macof.a Alan Cox (May 09)
- OpenLinux 2.2: LISA install leaves root access without password Andrew McRory (May 08)
- Re: [linux-security] OpenLinux 2.2: LISA install leaves root Ralf Flaxa (May 09)
- SunOS 5.7 rmmount, no nosuid. Jonas Stahre (May 10)
- Re: SunOS 5.7 rmmount, no nosuid. C.J. Oster (May 10)
- nidsbench announcement Dug Song (May 13)
- Re: Infosec.19990305.macof.a Alan Cox (May 07)
- Adminisrivia Aleph One (May 10)
- [BIND-BUGS #18] Non-delegated master domains Ian Carr-de Avelon (May 10)
- Re: [BIND-BUGS #18] Non-delegated master domains Andrew Brown (May 11)