Re: unswitched behavior of a switched network...

From: Ben Nell (enemy.cow@gmail.com)
Date: Sun Oct 15 2006 - 21:03:41 EDT


Is all traffic being "broadcasted"? Can you narrow it down to a
specific host that's common to all of the traffic, perhaps a gateway
device? If you're doing multicasting on a gateway device
(multicasting using unicast addressing), you would get the type of
behavior that you're describing. I've seen this exact situation
before, actually.

BN

On 10/13/06, Jon Hart <jhart@spoofed.org> wrote:
> Greetings,
>
> I've got a situation here that I can't quite figure out. It is well
> known that it is possible to cause a switched network to act like an
> unswitched network by flooding the CAM table. There are countless tools
> and documents out there that cover the offensive and defensive measures
> related to this issue.
>
> While this isn't Cisco's official documentation on this issue,
> http://xrl.us/r8k7 says:
>
> "Content-addressable memory (CAM) overflow: A CAM table is used to
> determine where to direct incoming frames depending on which port the
> incoming MAC address came from. When the CAM receives a frame with an
> unknown destination, the proper procedure is to flood frames within
> the acceptable Layer 2 domain (the proper VLAN). Hardware and
> software tools are available (some for free), that can flood a switch
> with MAC addresses. Once the CAM table limit is exceeded, switches
> behave differently depending on the brand of the switch."
>
> My question is, has anyone seen a situation where the same broadcast
> behavior occurs, but the CAM table itself is not overloaded and there is
> no good reason for entries to be expiring? Furthermore, even if the
> entries were expired, has anyone encountered situations (malicious or
> otherwise), where a given port will receive traffic outside of its own
> L2?
>
> Thanks,
>
> -jon
>
>
> ------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Need to secure your web apps?
> Cenzic Hailstorm finds vulnerabilities fast.
> Click the link to buy it, try it or download Hailstorm for FREE.
> http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
> ------------------------------------------------------------------------
>
>
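The CAM overflow condition quoted above is easy to reason about with a small model. The following is an added example, not code from the thread or from any switch vendor: a learning switch with a bounded, aging CAM table, driven by constructed frames (the MAC addresses, the table capacity of 8, the 300-second aging time and the 4-MAC alert threshold are all assumed values). It shows that a full table keeps forwarding to hosts it already knows, cannot learn new hosts (so their traffic is flooded), floods again once entries age out, and that counting distinct source MACs per port, the principle behind port-security limits, flags the port that filled the table.

```python
"""Learning-switch (CAM table) simulation with a per-port source-MAC-count check.

Constructed illustration only; capacity, aging time, threshold and all MAC
addresses are assumed values, not taken from any real device.
"""
from collections import OrderedDict, defaultdict

FLOOD = "FLOOD"  # frame copied to every port in the VLAN except the ingress port
BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    def __init__(self, ports, cam_capacity=8, age_seconds=300):
        self.ports = list(ports)
        self.capacity = cam_capacity
        self.age = age_seconds
        self.cam = OrderedDict()  # mac -> (port, last_seen)

    def _expire(self, now):
        # Drop entries that have not been refreshed within the aging time.
        stale = [m for m, (_, seen) in self.cam.items() if now - seen > self.age]
        for mac in stale:
            del self.cam[mac]

    def forward(self, ingress, src, dst, now):
        """Return the egress port for a frame, or FLOOD for unknown/broadcast dst."""
        self._expire(now)
        # Learn (or refresh) the source only while there is room: a full table
        # learns nothing new, so hosts that first speak afterwards stay unknown.
        if src in self.cam or len(self.cam) < self.capacity:
            self.cam[src] = (ingress, now)
        if dst == BROADCAST or dst not in self.cam:
            return FLOOD  # unknown destination: flood within the L2 domain
        out_port, _ = self.cam[dst]
        return out_port


def detect_mac_bursts(frames, max_macs_per_port):
    """Flag ports whose number of distinct source MACs exceeds the threshold.

    This is the same idea as a port-security maximum-MAC limit, applied
    offline to a capture instead of enforced on the switch.
    """
    seen = defaultdict(set)
    for _, port, src, _ in frames:
        seen[port].add(src)
    return sorted((port, len(macs)) for port, macs in seen.items()
                  if len(macs) > max_macs_per_port)


def run_scenario():
    sw = LearningSwitch(ports=[1, 2, 3], cam_capacity=8, age_seconds=300)
    a, b, c = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0c"
    # Constructed frames: (time_seconds, ingress_port, src_mac, dst_mac)
    frames = [(0, 1, a, b), (1, 2, b, a)]          # A and B learn each other
    frames += [(2, 3, f"00:00:00:00:01:{i:02x}", a)  # 20 distinct sources on port 3
               for i in range(20)]                  # fill the 8-entry table
    frames += [(3, 2, c, a),   # new host C speaks while the table is full
               (4, 1, a, c),   # A -> C: C was never learned
               (5, 1, a, b)]   # A -> B: B learned before the burst
    decisions = [sw.forward(p, s, d, t) for (t, p, s, d) in frames]
    cam_after_burst = len(sw.cam)
    aged = sw.forward(1, a, b, 400)  # 395 s later every entry has aged out
    return {
        "cam_after_burst": cam_after_burst,     # 8: table full
        "a_to_c": decisions[-2],                # FLOOD: C arrived when full
        "a_to_b": decisions[-1],                # 2: still unicast to B's port
        "a_to_b_after_aging": aged,             # FLOOD: B expired, not relearned
        "alerts": detect_mac_bursts(frames, max_macs_per_port=4),  # [(3, 20)]
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The two flooding cases in the result map onto the two halves of the question: `a_to_c` floods because the table was full when C first appeared, and `a_to_b_after_aging` floods because B's entry aged out and B has not spoken since, which is ordinary behaviour with no overflow at all. The detector only sees port 3, since the ports carrying one or two legitimate hosts stay under the threshold.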




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:12 EDT