Re: PPPoE + Switch sniffing

On 7/27/06, Carlos de Oliveira <carlos.oliv@xxxxxxxxx> wrote:
Hello friends,

As a manager of my network, I am woried of security. Recently we
changed the HUB's for switch's in hope that we get more securitty.

In a few days ago, we have seeing another Access concentrator in our
network sending PADO's to the clients that wanted to connect.

This access concentrator have the same MAC address of one of my clients.

I would like to know what do you think that could be?
I've searched google for this, but I didn't found any attack baseed on
PPPoE + switch.
Could this other access concentrator be trying to give connection to
some of my clients just to sniff their connection?


It doesn't matter whether you use a switch or not. The PPPoE client
will broadcast PADI packets, so they will arive at all hosts on the
subnet. Whether you use a switch or not.

If this is not simply some mistake of having a wrong setup, this looks
like an attack. First of all, do you use some kind of MAC-address
based filtering? That would explain why someone would forge the MAC
address. Much more likely though it is not forged, I think the client
you are talking about /IS/ the attacker!

I think the attacker wants to steal other people's login stuff... I'm
not familiar with Radius, but the PADO packets can include information
on where the client should authenticate with. So I suppose this could
be used to steal the logins of other clients in some way.

That's my guess,

Good luck.

--
Regards,
Rob klein Gunnewiek

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------

Relevant Pages

  • [NT] AOLs Instant Messaging Command Execution, HTML and JavaScript Injection Vulnerabilities
    ... Get your security news from a reliable source. ... AIM Pro is AOL's business-oriented version of AIM targeted for ... the vulnerable IM clients use an embedded Internet Explorer ... In particular this attack vector exposes workstations to: ...
    (Securiteam)
  • RE: Dhcp security
    ... Setting up a 802.1x wired network requires: ... vendors, including Cisco, provide solutions to ensure that only properly ... trust agent collects security state information from multiple security ... software clients, such as anti-virus clients, and then communicates this ...
    (Focus-Microsoft)
  • << Small Biz Server news this week - June 18, 2004 >>>
    ... The monthly Executive Circle Security Webcast with Mike Nash, ... IP phones can create network security risk ... The biggest of the headaches was Tuesday's attack ... Akamai now says it was targeted by DDoS attack ...
    (microsoft.public.backoffice.smallbiz)
  • << Small Biz Server news this week - June 18, 2004 >>>
    ... The monthly Executive Circle Security Webcast with Mike Nash, ... IP phones can create network security risk ... The biggest of the headaches was Tuesday's attack ... Akamai now says it was targeted by DDoS attack ...
    (microsoft.public.backoffice.smallbiz2000)
  • << Small Biz Server news this week - June 18, 2004 >>>
    ... The monthly Executive Circle Security Webcast with Mike Nash, ... IP phones can create network security risk ... The biggest of the headaches was Tuesday's attack ... Akamai now says it was targeted by DDoS attack ...
    (microsoft.public.windows.server.sbs)