RE: switch jamming

From: Anthony Gruppuso (AGruppus@jcals.army.mil)
Date: 01/31/02 

From: Anthony Gruppuso <AGruppus@jcals.army.mil>
To: vuln-dev@securityfocus.com
Date: Thu, 31 Jan 2002 09:36:44 -0500

Does anybody know of any switches that can protect against this type of
attack, or is virtually every switch affected? I imagine this is "old
news," so what have vendors done to counteract this type of activity?

-----Original Message-----
From: Sebastian Jaenicke [mailto:tsa@jaenicke.org]
Sent: Wednesday, January 30, 2002 5:13 PM
To: vuln-dev@securityfocus.com
Subject: Re: switch jamming

Hi,

On Wed, Jan 30, 2002 at 10:05:08PM +0000, Jan wrote:
[..]
> how can i sniff upon a switched network segment ? a read some articles
about "switch jamming" and "port mirroring" but up to know i didn't
learn anything special at all.
> ca some of your guys out there help me ? (i'm sure some of you can but
are you willing, too ?)
>

This can be achieved by flooding the switch with spoofed ARP packets
until
its internal MAC table is filled up - most switches will then revert to
"hub mode" and therefore broadcast all traffic to the network where it
can easily be sniffed.

http://www.sans.org/newlook/resources/IDFAQ/switched_network.htm should
give you some (more accurate?) information.

Sebastian 

-- 
Sebastian Jaenicke
whois pgpkey-18AC0BE4@whois.ripe.net|perl -ne's-^certif: +--&&print'
  "Object-oriented programming is an exceptionally bad idea which
   could only have originated in California." --Edsger Dijkstra

Relevant Pages

  • Re: switch jamming
    ... Subject: switch jamming ... > at the moment my boss is planning a firm which will take care of firm ... > how can i sniff upon a switched network segment? ... about "switch jamming" and "port mirroring" but up to know i didn't learn ...
    (Vuln-Dev)
  • RE: switch jamming
    ... It depends on whether you have ownership of the switch or not. ... Or, if the device you are sniffing on can understand, or at least strip, 802.1q tags, you can plug your sniffer into a trunk port. ... If you don't control the switch there are various ways to make other ports visible. ... how can i sniff upon a switched network segment? ...
    (Vuln-Dev)
  • Re: Ubuntu
    ... I wouldn't mind having a switch to flip every time s/he ... Send responses to the relevant news group rather than email to me. ... I often ignore posts from Google ... Use a real news client if you want me to see your posts. ...
    (comp.sys.mac.system)
  • Re: ITV1 Regions on Sky Digital, have they added more?
    ... What happened was that their viewing in Sky homes dropped, because 'allegedly' viewers could not be bothered to switch back to analogue to view them. ... rural Dorset, and Brighton, and Milton Keynes on the BBC South news) At least ITV serve me better there, but I doubt come analogue switch off whether there will be any regional news at all on ITV. ... Please replace invalid and invalid with gmx and net to reply. ...
    (uk.tech.digital-tv)
  • Re: PICTURES -- Lathe transport, cleanup etc (it runs)
    ... The bad news is that it has considerable wear, ... switch anything so the lathe is on when the speed selector is on. ... I can give lots of advice in how to turn it into a 2-year project, if you are looking for such self-abuse, as I did that on my 15" Sheldon lathe. ...
    (rec.crafts.metalworking)