Re: unswitched behavior of a switched network...

From: Krugger (merc4krugger@gmail.com)
Date: Sat Oct 14 2006 - 10:27:22 EDT

• Next message: Jon Hart: "Re: unswitched behavior of a switched network..."
• Previous message: Steve Armstrong: "Vulnerability Assessment and Operational Security Testing Methodology (VAOST) - version 0.2 released"
• In reply to: Jon Hart: "unswitched behavior of a switched network..."
• Next in thread: Ron: "Re: unswitched behavior of a switched network..."
• Reply: Ron: "Re: unswitched behavior of a switched network..."
• Reply: Buz Dale: "Re: unswitched behavior of a switched network..."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

On 10/13/06, Jon Hart <jhart@spoofed.org> wrote:
> Greetings,
>
> I've got a situation here that I can't quite figure out. It is well
> known that it is possible to cause a switched network to act like an
> unswitched network by flooding the CAM table. There are countless tools
> and documents out there that cover the offensive and defensive measures
> related to this issue.
>
> While this isn't Cisco's official documentation on this issue,
> http://xrl.us/r8k7 says:
>
> "Content-addressable memory (CAM) overflow: A CAM table is used to
> determine where to direct incoming frames depending on which port the
> incoming MAC address came from. When the CAM receives a frame with an
> unknown destination, the proper procedure is to flood frames within
> the acceptable Layer 2 domain (the proper VLAN). Hardware and
> software tools are available (some for free), that can flood a switch
> with MAC addresses. Once the CAM table limit is exceeded, switches
> behave differently depending on the brand of the switch."
>
> My question is, has anyone seen a situation where the same broadcast
> behavior occurs, but the CAM table itself is not overloaded and there is
> no good reason for entries to be expiring? Furthermore, even if the
> entries were expired, has anyone encountered situations (malicious or
> otherwise), where a given port will receive traffic outside of its own
> L2?
>
> Thanks,
>
> -jon

Some router have an option of dumping all traffic to a give port, so
if you are connected to the right router port you will see everything
as if it was a hub. At least I already saw a router configured that
way, that port that was connected to a computer that was dedicated to
run snort.

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------

• Next message: Jon Hart: "Re: unswitched behavior of a switched network..."
• Previous message: Steve Armstrong: "Vulnerability Assessment and Operational Security Testing Methodology (VAOST) - version 0.2 released"
• In reply to: Jon Hart: "unswitched behavior of a switched network..."
• Next in thread: Ron: "Re: unswitched behavior of a switched network..."
• Reply: Ron: "Re: unswitched behavior of a switched network..."
• Reply: Buz Dale: "Re: unswitched behavior of a switched network..."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:12 EDT