Re: Sniffing on a switch

From: Cedric Blancher (blancher@cartel-securite.fr)
Date: Wed Nov 02 2005 - 03:15:18 EST


Good morning Volker.

On Tuesday, 01 November 2005 at 10:50 +0100, Volker Tanger wrote:
> If manual MAC/port mapping takes precedence over cache (which is
> implementation dependent) - why not?
> If port security disables the port (the attacker/flooder's one) as soon
> as more than one MAC address is being announced there - why not?

ARP cache poisoning will still work because when you ARP cache poison
someone, you actually don't change your MAC address at all... And as you
don't change the port you're plugged into, you also don't change your
_MAC/port_ mapping. The thing you're changing when ARP cache poisoning
is some station's _MAC/IP_ mapping in the target's cache.
Let's say Joker wants to ARP cache poison Batman, pretending to be Robin.
He will send Batman ARP requests/answers associating _his_ MAC address
with Robin's _IP_, and thus does not alter his MAC address, so he's
transparent to any MAC/port mapping.

You can see http://sid.rstack.org/arp-sk/ for further details on ARP
cache poisoning. There's an abstract of a longer article, written in
French, that can be found at:

http://sid.rstack.org/arp-sk/article/arp.html

This is a link to a rough FR-EN automatic translation :

http://trans.voila.fr/voila?systran_lp=fr_en&systran_id=Voila-fr&systran_url=http://sid.rstack.org/arp-sk/article/arp.html&systran_f=1130919124

Moreover, port/MAC mappings are only checked against the Ethernet
header, but ARP cache poisoning occurs at an upper layer, in the ARP
packets. As an example, you can try to poison a host's ARP cache with MAC
addresses that do not belong to you or do not even exist. It just works,
because the Ethernet header remains consistent with the switch's
port/MAC mapping. You can check the Ethernet header of the ARP packets
in the article. The source MAC is always the attacking host's.

To quickly reach my point: port security, as a layer 2 mechanism, is
_useless_ against ARP cache poisoning. The contrary can be found in some
articles/guides, but it is just wrong.

To fight ARP cache poisoning, you need to check MAC/IP mappings:

        . using ARP traffic monitoring software such as arpwatch (or
          dedicated IDS modules)
        . using static ARP cache on hosts
        . using switches that can provide MAC/IP mappings (usually layer
          3 switches)

-- 
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
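The Joker/Batman/Robin scenario above, worked through on constructed frames as an added example (this is not code from the original post or from arp-sk). It builds raw Ethernet+ARP frames, runs them past a simplified "one MAC per port" model of port security, which only ever sees the Ethernet source MAC, and then past an arpwatch-style monitor that tracks IP-to-MAC mappings from the ARP sender fields. The MAC and IP addresses, the port numbers and the one-MAC-per-port model are assumptions made for the illustration; they do not describe any particular switch.

```python
"""ARP cache poisoning vs. port security, demonstrated on constructed frames."""
import struct

ETH_P_ARP = 0x0806
ARP_REPLY = 2


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(eth_src, eth_dst, op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II header followed by an Ethernet/IPv4 ARP payload (RFC 826 layout)."""
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return the fields a switch (Ethernet header) and a host (ARP body) each look at."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    op = struct.unpack("!HHBBH", frame[14:22])[4]
    return {
        "eth_src": mac_str(frame[6:12]),      # what port security sees
        "op": op,
        "sender_mac": mac_str(frame[22:28]),  # what the victim's ARP cache learns
        "sender_ip": ip_str(frame[28:32]),
        "target_ip": ip_str(frame[38:42]),
    }


def port_security(traffic):
    """Simplified port security (assumption: one MAC per port): learn the first Ethernet
    source MAC seen on each port and flag any frame whose Ethernet source MAC differs."""
    learned, violations = {}, []
    for port, frame in traffic:
        src = mac_str(frame[6:12])
        if learned.setdefault(port, src) != src:
            violations.append((port, src))
    return violations


def arp_monitor(traffic):
    """arpwatch-style check: track IP -> MAC from the ARP sender fields, report changes."""
    table, alerts = {}, []
    for _, frame in traffic:
        a = parse_arp(frame)
        if a is None:
            continue
        old = table.get(a["sender_ip"])
        if old is not None and old != a["sender_mac"]:
            alerts.append((a["sender_ip"], old, a["sender_mac"]))
        table[a["sender_ip"]] = a["sender_mac"]
    return alerts


# Constructed scenario with hypothetical addresses: Joker on port 1, Robin on port 2,
# Batman on port 3. The Ethernet source is always the real sender's own MAC.
JOKER, ROBIN, BATMAN = "00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"
ROBIN_IP, BATMAN_IP = "10.0.0.2", "10.0.0.3"
GHOST_MAC = "de:ad:be:ef:00:01"  # a MAC that exists nowhere on the segment


def scenario():
    return [
        # Legitimate reply: Robin answers Batman.
        (2, build_arp(ROBIN, BATMAN, ARP_REPLY, ROBIN, ROBIN_IP, BATMAN, BATMAN_IP)),
        # Poisoning: Joker tells Batman that Robin's IP lives at Joker's MAC.
        (1, build_arp(JOKER, BATMAN, ARP_REPLY, JOKER, ROBIN_IP, BATMAN, BATMAN_IP)),
        # Poisoning with a non-existent MAC; the Ethernet source is still Joker's.
        (1, build_arp(JOKER, BATMAN, ARP_REPLY, GHOST_MAC, ROBIN_IP, BATMAN, BATMAN_IP)),
    ]


if __name__ == "__main__":
    t = scenario()
    print("port security violations:", port_security(t))  # [] : nothing to see at layer 2
    print("ARP monitor alerts:", arp_monitor(t))           # two IP->MAC changes for 10.0.0.2
```

The port-security model never fires because every frame leaving port 1 carries Joker's own MAC in the Ethernet header; only the monitor that inspects the ARP sender fields notices that 10.0.0.2 has changed owner, twice, the second time to a MAC that belongs to nobody.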


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:07 EDT