[10474] in bugtraq
Re: Infosec.19990305.macof.a
daemon@ATHENA.MIT.EDU (Emil Isberg)
Fri May 7 13:46:37 1999
Message-Id: <Pine.GSO.4.05.9905062222430.29816-100000@legolas.mdh.se>
Date: Thu, 6 May 1999 22:30:07 +0200
Reply-To: Emil Isberg <emil.isberg@mds.mdh.se>
From: Emil Isberg <cel95eig@MDS.MDH.SE>
X-To: ian.vitek@INFOSEC.SE
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <41256768.002D5C09.00@mailgw.backupcentralen.se>
On 5 May 1999, ian.vitek@INFOSEC.SE wrote:
>Vulnerability Summary
>---------------------
>
>Problem: Due to limitations of ARP/MAC tables,
> switches could start sending packets to all ports,
> and other network devices could hang, crash or reboot
> if they receive lots of MAC addresses.
>
>Threat: Someone could eavesdrop/sniff network connections
> over a switched network.
> Denial of service attacks on a local network.
>Solution: There is no known solution to the problem today.

This problem is known.

The problem is known as "learning mode" and is the state the switch is in
when it "learns" how the network is configured.
What it does is simply record which port each MAC address is responding on.

What does the solution look like?
Well. Don't use "learning mode" on the switch. In a secure environment you
know most of the needed MAC addresses and the rest you should know anyway,
so you do not need "learning mode".

But is it a limitation? Yes. The switch should notice that a port is
behaving very strangely and disable it (before its MAC table is flushed).
--
/Emil
"You could say I have my own filesystem in my apartment. /Bornäs"
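To make the two mitigations from the reply concrete (static MAC entries with learning off, and shutting a port that learns too many addresses), here is an added toy model of a switch's learning table; it is constructed for this thread, not code from the original post or from any switch vendor, and the port numbers, MAC addresses and table size are assumed values.

```python
from collections import OrderedDict

class Switch:
    """Toy layer-2 switch (constructed model, not any vendor's code): a bounded
    MAC->port table filled by "learning mode", plus the two fixes the reply
    suggests: static entries with learning off, and a per-port MAC limit."""
    def __init__(self, ports, cam_capacity, max_macs_per_port=None):
        self.ports, self.capacity = set(ports), cam_capacity
        self.max_per_port = max_macs_per_port
        self.cam = OrderedDict()   # learned MAC -> port, oldest entry first
        self.static = {}           # configured MAC -> port, never evicted
        self.disabled, self.learning = set(), True

    def _learn(self, src, port):
        if not self.learning or src in self.static:
            return
        if src not in self.cam:
            seen_on_port = sum(1 for p in self.cam.values() if p == port)
            if self.max_per_port is not None and seen_on_port >= self.max_per_port:
                self.disabled.add(port)       # port "behaving very strange": shut it
                return
            if len(self.cam) >= self.capacity:
                self.cam.popitem(last=False)  # table full: oldest entry evicted
        self.cam[src] = port

    def receive(self, in_port, src, dst):
        """Forward one frame; return the set of egress ports."""
        if in_port in self.disabled:
            return set()
        self._learn(src, in_port)
        if in_port in self.disabled:          # this very frame tripped the limit
            return set()
        out = self.static.get(dst, self.cam.get(dst))
        return {out} if out is not None else self.ports - {in_port}  # unknown: flood

A, B = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"   # assumed hosts on ports 1 and 2

def scenario(limit=None, static=False):
    """A talks to B while port 3 injects 200 frames with distinct source MACs
    (constructed traffic). Returns (A->B frames copied to port 3, port 3 disabled)."""
    sw = Switch(ports=[1, 2, 3], cam_capacity=64, max_macs_per_port=limit)
    if static:
        sw.learning = False
        sw.static.update({A: 1, B: 2})
    sw.receive(1, A, B); sw.receive(2, B, A)  # normal traffic fills the table
    for i in range(200):
        sw.receive(3, "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xff), "ff:ff:ff:ff:ff:ff")
    leaked = sum(3 in sw.receive(1, A, B) for _ in range(10))
    return leaked, 3 in sw.disabled
```

With plain learning, `scenario()` shows every A->B frame being flooded to port 3 once the table has been flushed; `scenario(limit=8)` shuts port 3 after eight addresses and nothing leaks, and `scenario(static=True)` leaks nothing because the table is never learned at all.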