Re: unswitched behavior of a switched network...

From: Buz Dale (buz.dale@usg.edu)
Date: Mon Oct 16 2006 - 15:55:43 EDT


I can think of a couple of possibilities. 1) This is
broadcast/multicast traffic. 2) The MAC addresses are unknown to the
switch (so it will flood to find them). 3) The port could be a trunk or
a mirror of a trunk.

Buz

Krugger wrote:
> On 10/13/06, Jon Hart <jhart@spoofed.org> wrote:
>> Greetings,
>>
>> I've got a situation here that I can't quite figure out. It is well
>> known that it is possible to cause a switched network to act like an
>> unswitched network by flooding the CAM table. There are countless tools
>> and documents out there that cover the offensive and defensive measures
>> related to this issue.
>>
>> While this isn't Cisco's official documentation on this issue,
>> http://xrl.us/r8k7 says:
>>
>> "Content-addressable memory (CAM) overflow: A CAM table is used to
>> determine where to direct incoming frames depending on which port the
>> incoming MAC address came from. When the CAM receives a frame with an
>> unknown destination, the proper procedure is to flood frames within
>> the acceptable Layer 2 domain (the proper VLAN). Hardware and
>> software tools are available (some for free), that can flood a switch
>> with MAC addresses. Once the CAM table limit is exceeded, switches
>> behave differently depending on the brand of the switch."
>>
>> My question is, has anyone seen a situation where the same broadcast
>> behavior occurs, but the CAM table itself is not overloaded and there is
>> no good reason for entries to be expiring? Furthermore, even if the
>> entries were expired, has anyone encountered situations (malicious or
>> otherwise), where a given port will receive traffic outside of its own
>> L2?
>>
>> Thanks,
>>
>> -jon
>
> Some routers have an option of dumping all traffic to a given port, so
> if you are connected to the right router port you will see everything
> as if it was a hub. At least I already saw a router configured that
> way; that port was connected to a computer that was dedicated to
> running snort.
>

-- 
----
Buz Dale                                buz.dale@usg.edu
IT Security Specialist              1-888-875-3697
Office of Information and Instructional Technology
University System of Georgia
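A quick way to tell the three cases above apart from a capture taken on the port in question: classify each frame by destination MAC and 802.1Q tagging. This is an added example, not code from anyone on the list; the host MAC, the sample frames and the function names are constructed for illustration.

```python
import struct
from collections import Counter
from typing import Optional

MY_MAC = bytes.fromhex("001122334455")   # constructed: the monitoring host's own MAC
BROADCAST = b"\xff" * 6
TPID_8021Q = 0x8100                      # 802.1Q tag on an access port hints at trunk/mirror


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan: Optional[int] = None) -> bytes:
    """Construct a raw Ethernet II frame (optionally 802.1Q tagged) for the sample set."""
    header = dst + src
    if vlan is not None:
        header += struct.pack("!HH", TPID_8021Q, vlan & 0x0FFF)
    return header + struct.pack("!H", ethertype) + payload


def classify_frame(frame: bytes, my_mac: bytes = MY_MAC) -> str:
    """Explain why a frame reached this port, by destination MAC and tagging."""
    if len(frame) < 14:
        return "runt"
    dst = frame[:6]
    tagged = struct.unpack("!H", frame[12:14])[0] == TPID_8021Q
    if dst == BROADCAST:
        kind = "broadcast"
    elif dst[0] & 0x01:          # I/G bit set: group (multicast) address
        kind = "multicast"
    elif dst == my_mac:
        kind = "unicast-to-me"
    else:                        # unicast meant for another station:
        kind = "unicast-other"   # CAM miss, CAM overflow, or a mirror/SPAN port
    return kind + ("+tagged" if tagged else "")


def summarize(frames) -> dict:
    """Count frame classes and flag the ones a normal access port should not see."""
    counts = Counter(classify_frame(f) for f in frames)
    foreign = sum(n for k, n in counts.items() if k.startswith("unicast-other"))
    tagged = sum(n for k, n in counts.items() if k.endswith("+tagged"))
    return {"counts": dict(counts), "foreign_unicast": foreign, "tagged": tagged,
            "unswitched_symptoms": foreign > 0 or tagged > 0}


# Constructed sample capture: what a host might see on its own access port.
SAMPLE_FRAMES = [
    build_frame(BROADCAST, bytes.fromhex("0a0000000001"), 0x0806, b"arp-who-has"),
    build_frame(bytes.fromhex("01005e000001"), bytes.fromhex("0a0000000002"), 0x0800, b"igmp"),
    build_frame(MY_MAC, bytes.fromhex("0a0000000003"), 0x0800, b"for-me"),
    build_frame(bytes.fromhex("0a0000000099"), bytes.fromhex("0a0000000003"), 0x0800, b"someone-else"),
    build_frame(bytes.fromhex("0a0000000098"), bytes.fromhex("0a0000000004"), 0x0800, b"vlan20", vlan=20),
]
```

Broadcast and multicast frames are expected on any access port; a steady stream of untagged unicast for other stations points at a CAM miss or overflow, while tagged frames point at a trunk or a mirror of one.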
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:13 EDT