[10488] in bugtraq
Re: Infosec.19990305.macof.a
daemon@ATHENA.MIT.EDU (Glen Turner)
Fri May 7 13:47:18 1999
Message-Id: <37326525.BF43935D@adelaide.edu.au>
Date: Fri, 7 May 1999 13:29:33 +0930
Reply-To: Glen Turner <glen.turner@ADELAIDE.EDU.AU>
From: Glen Turner <glen.turner@ADELAIDE.EDU.AU>
To: BUGTRAQ@NETSPACE.ORG
ian.vitek@INFOSEC.SE wrote:
> Problem: Due to limitation with ARP/MAC-tables;
> switches could start sending packages to all ports,
> other network devices could hang, crash or reboot
> if they receive lots of MAC-addresses.
>
This problem is well-known. We see it occasionally.
The bridge designer faces two choices:
1. To flood packets when the filtering database
fills. Thus the bridge can cope with larger
bridged networks than it was originally
designed for.
2. To refuse service to addresses not already
in the filtering database when the database
fills.
IEEE 802.1d isn't much use in deciding which option
is best.
Fixes are to activate "port security", which deactivates
a port if its MAC address changes. This limits the
DoS to one machine, which may still be worthwhile
if the machine runs an attractive service. It is
costly to administer in a large network.
Some switches have a "trap on port MAC address change"
option. The port running the exploit will generate a huge
number of traps, and suitable administrative action taken.
Networks with trees of switches will see multiple traps
as MAC addresses change, so this option is usually
only enabled on switches at the edge.
However, we run this option on all our switches and
just deal with the extra traps.
Switch vendors do need to improve security. Most vendors'
plans involve obtaining user authentication before granting
significant link-level access. At present, these plans
are somewhat proprietary.
Network design is also important. We place all public
access areas (computing labs, etc) on their own IP subnets.
These areas usually require significant IP filtering
in any case. The effect is to limit link-level DoS attacks
initiated from a public keyboard to a single physical area.
--
Glen Turner, Network Specialist
Information Technology Services, The University of Adelaide 5005, South Australia
Tel: (08) 8303 3936
Fax: (08) 8303 4400
Email: glen.turner@adelaide.edu.au
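The "trap on port MAC address change" approach described above produces a stream of events that still has to be turned into an alert, and the post notes that in a tree of switches the same MAC changes are reported again on uplink ports. The following is an added example, not code from Glen Turner's post or from any switch vendor: a small detector that parses MAC-change events, counts distinct MACs per (switch, port) inside a sliding time window, flags ports that exceed a threshold, and then drops alerts from known inter-switch links so only edge ports are reported. The log line format, the switch and port names, the window and threshold values, and the uplink list are all constructed for this example.

```python
"""Flag switch ports that see a flood of new MAC addresses.

Added example (not from the original post or any vendor). The line
format below is constructed for this example:

    1999-05-07 13:29:00 sw-edge-1 mac-change port=Fa0/7 mac=02:00:00:00:00:01
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<switch>\S+) mac-change port=(?P<port>\S+) "
    r"mac=(?P<mac>[0-9a-fA-F:]{17})$"
)


def parse_event(line):
    """Parse one constructed-format log line; return None for lines that
    do not match, so unrelated log traffic is ignored rather than fatal."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "switch": m["switch"],
        "port": m["port"],
        "mac": m["mac"].lower(),
    }


def flooded_ports(lines, window=timedelta(seconds=10), threshold=20):
    """Return {(switch, port): peak_distinct_macs} for every port on which
    at least `threshold` distinct MACs appeared inside any `window`-long
    span. Window and threshold are assumed values; tune them per site."""
    per_port = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev:
            per_port[(ev["switch"], ev["port"])].append((ev["ts"], ev["mac"]))

    result = {}
    for key, events in per_port.items():
        events.sort()
        start = 0
        in_window = {}  # mac -> number of occurrences inside the window
        for ts, mac in events:
            in_window[mac] = in_window.get(mac, 0) + 1
            # Slide the window start forward past events older than `window`.
            while events[start][0] < ts - window:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= threshold:
                result[key] = max(result.get(key, 0), len(in_window))
    return result


# Constructed: ports known to be inter-switch links. A flood on an edge port
# is re-reported here by the upstream switch, so these are filtered out.
UPLINK_PORTS = {("sw-core", "Gi0/1")}


def edge_alerts(alerts, uplinks=UPLINK_PORTS):
    """Keep only alerts from ports that are not known uplinks."""
    return {k: v for k, v in alerts.items() if k not in uplinks}


def sample_log():
    """Constructed log: one well-behaved port with two MACs, and one port
    emitting 50 distinct MACs in five seconds, which the core switch also
    sees on its uplink port."""
    base = datetime(1999, 5, 7, 13, 29, 0)
    lines = [
        f"{base + timedelta(seconds=1):%Y-%m-%d %H:%M:%S} sw-edge-1 "
        f"mac-change port=Fa0/3 mac=00:10:4b:aa:bb:01",
        f"{base + timedelta(seconds=30):%Y-%m-%d %H:%M:%S} sw-edge-1 "
        f"mac-change port=Fa0/3 mac=00:10:4b:aa:bb:02",
        "unrelated syslog line that the parser should skip",
    ]
    for i in range(50):
        ts = base + timedelta(milliseconds=100 * i)
        mac = f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}"
        for switch, port in (("sw-edge-1", "Fa0/7"), ("sw-core", "Gi0/1")):
            lines.append(
                f"{ts:%Y-%m-%d %H:%M:%S} {switch} mac-change port={port} mac={mac}"
            )
    return lines


if __name__ == "__main__":
    for (switch, port), count in sorted(edge_alerts(flooded_ports(sample_log())).items()):
        print(f"{switch} {port}: {count} distinct MACs in window")
```

Running the block on its constructed log reports only sw-edge-1 Fa0/7; the same burst is visible on sw-core Gi0/1 but is suppressed as an uplink, which is the edge-only policy the post describes, done at the collector instead of by disabling the option on core switches.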