RE: mac duplication

From: David Gillett (gillettdavid_at_fhda.edu)
Date: 12/15/03

    To: <vuln-dev@securityfocus.com>
    Date: Mon, 15 Dec 2003 08:50:03 -0800

    > No two ethernet cards on the planet should have the same MAC address
    > (emphasis on SHOULD because I've run into cards with duplicated MACs
    > and you won't believe the havoc this wreaks). This is used as a
    > physical layer address by things like ARP.

      Two things need to be clarified here:

    1. Physical layer addresses are not "used by" ARP. ARP (NOT "router
    tables") is the mechanism by which network-layer addresses get translated
    to physical-layer addresses.

    2. Although burned-in MAC addresses should be unique on the planet, for
    correct operation (with conformant network equipment...) it is only
    necessary that they be unique within each segment/subnet/broadcast domain.
    Some OSes/protocols routinely override the burned-in MAC addresses so that
    a given host uses the same MAC address on all of its interfaces, and in
    general this causes no havoc at all.

      Switches/bridges, as layer 2 devices, build tables associating destination
    MAC addresses with specific ports. If there is only one such device in the
    network, it will likely deliver traffic for MAC address X only to the port
    where a packet with that source was last seen. In a network with multiple
    layer 2 devices, it's possible that some traffic may get delivered to one
    port and some to another, or perhaps that a device will trigger a spanning
    tree reconvergence to try to stabilize the network topology. (It won't
    fix it, though, so if this happens it is likely to keep happening, perhaps
    rendering the entire network unusable....)

      I have, in fact, used a deliberate MAC duplication (in a switch config, not
    on an actual end node) to DoS a prankster who was unplugging legitimate
    machines and plugging in his own laptop in various student lab areas. We
    might not have minded him so much if his laptop wasn't trying to spread both
    Blaster and Nachi to the rest of the network.

    David Gillett

    > -----Original Message-----
    > From: Jimi Thompson [mailto:jimit@myrealbox.com]
    > Sent: December 13, 2003 16:34
    > To: vuln-dev@securityfocus.com
    > Subject: Re: mac duplication
    >
    >
    > Dev,
    >
    > You seem to need some clarification about how Ethernet actually works.
    > I'm going to try to toss out a 50,000 foot view. Anyone can feel free
    > to add to this or correct me. Host names map to IP addresses via DNS.
    > IP addresses map to MAC addresses via router tables. Just as your IP
    > address has to be unique in order to be routable, so does your MAC
    > address. MAC addresses are purchased in blocks by the people who make
    > network devices and blown on to what amount to EPROMs and attached to
    > network cards, switch ports, etc.
    >
    > No two ethernet cards on the planet should have the same MAC address
    > (emphasis on SHOULD because I've run into cards with duplicated MACs
    > and you won't believe the havoc this wreaks). This is used as a
    > physical layer address by things like ARP.
    >
    > If you want to sniff traffic to a particular machine, get yourself a hub
    > (NOT a switch) and plug the switch into the uplink on the hub and your
    > sniffer and sniff-ee into the hub ports.
    >
    > This will A) let you see everything and B) not cause any serious
    > problems for your switch. I hope that no one was using the machine you
    > were trying to sniff because chances are you are causing a DOS situation
    > by duplicating the MAC address.
    >
    > Jimi
    >
    > Dev wrote:
    >
    > > hi ppl, please redirect me to a different mailing list if
    > > this is not the appropriate list to post to.
    > >
    > > I did the following experiment:
    > >
    > > I have a switched ethernet network in my university.
    > > I wanted to capture packets meant for a certain machine on a
    > > different port of a Dlink switch. I thought that arp
    > > poisoning would be too noisy - arpwatch can catch it, & it's
    > > too bulky for the MITM machine (in case we are poisoning a
    > > heavily loaded server machine.)
    > > & So I duplicated the mac of the victim machine on my own machine.
    > >
    > > What I saw was this:
    > >
    > > ping packet drop rate for any of the two machines from a
    > > third machine varied from 40 to almost 80 %. Also say telnet
    > > sessions to any of the two machines (which had now the same
    > > mac addresses) worked with notable 4-5 second lockups.
    > >
    > > Further I could not ping the other machine from one of the
    > > duplicated machines. (the last one is okay - it makes a lot of sense)
    > >
    > > My premise is that the problem in connectivity is coming
    > > because the OS does not fall back to half duplex mode when two
    > > machines take up the same mac address??
    > >
    > > can anyone please tell me about the behaviour. How do I set up
    > > mac duplication in that case so that I can sniff data.
    > >
    > > I don't want to hurt network performance. & so don't want to
    > > do mac flooding. Anyways I'm not even sure the switches we
    > > have here would resort to broadcast mode in case of mac flooding.
    > >
    > > Last but not the least it's my second message to the list, &
    > > people were really helpful in discussing about my queries in
    > > my first message.
    > >
    > > Mailing lists rock..
    > >
    > > Devrat
    >
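The single-switch behaviour David describes (a layer-2 device forwards frames for MAC X only to the port where a frame with that source address was last seen) is what produces the intermittent loss Devrat measured. The following toy simulation is an added example, not code from the thread or from any switch vendor: the MAC addresses, the `LearningSwitch` class, `simulate_pings` and `loss_rate_seen_by` are all constructed here. It models two hosts sharing one MAC on ports 1 and 2 and a third host on port 3 sending echo requests to that MAC, and shows that the fraction of probes each duplicate receives depends purely on which of them transmitted most recently. It also counts how often the table entry moves between ports, which is the "MAC flap" event that switch logs and monitoring commonly surface and that a network operator can alert on to catch a duplicate early.

```python
from typing import Dict, List, Set

# Constructed sample values: hosts A (port 1) and B (port 2) share DUP_MAC;
# a third host C on port 3 pings that address.
DUP_MAC = "00:11:22:33:44:55"
C_MAC = "00:aa:bb:cc:dd:ee"


class LearningSwitch:
    """Toy model of a single layer-2 switch: learns source MACs per port and
    forwards a frame only to the port where its destination MAC was last seen."""

    def __init__(self, ports: List[int]) -> None:
        self.ports = list(ports)
        self.table: Dict[str, int] = {}  # MAC -> port of most recent source sighting
        self.flaps = 0                   # times an existing entry moved between ports

    def receive(self, in_port: int, src: str, dst: str) -> Set[int]:
        """Process one frame; return the set of egress ports it is sent out of."""
        prev = self.table.get(src)
        if prev is not None and prev != in_port:
            self.flaps += 1  # the "MAC flap" event that switches commonly log
        self.table[src] = in_port
        out = self.table.get(dst)
        if out is None:
            # Unknown destination: flood to every port except the ingress port.
            return {p for p in self.ports if p != in_port}
        return set() if out == in_port else {out}


def simulate_pings(schedule: List[str], probes_per_turn: int = 1) -> Dict[str, int]:
    """Each entry in `schedule` names which duplicate host ('A' or 'B') transmits
    a frame just before C sends `probes_per_turn` echo requests to DUP_MAC.
    Returns how many of C's probes reached each host, how many were flooded to
    both, and how many times the switch's entry for DUP_MAC moved."""
    sw = LearningSwitch(ports=[1, 2, 3])
    host_port = {"A": 1, "B": 2}
    result = {"to_A": 0, "to_B": 0, "flooded": 0}
    for talker in schedule:
        sw.receive(host_port[talker], DUP_MAC, C_MAC)  # A or B sends anything at all
        for _ in range(probes_per_turn):
            egress = sw.receive(3, C_MAC, DUP_MAC)
            if egress == {1}:
                result["to_A"] += 1
            elif egress == {2}:
                result["to_B"] += 1
            else:
                result["flooded"] += 1
    result["flaps"] = sw.flaps
    return result


def loss_rate_seen_by(host: str, schedule: List[str], probes_per_turn: int = 1) -> float:
    """Fraction of C's probes that never reached `host` ('A' or 'B')."""
    r = simulate_pings(schedule, probes_per_turn)
    total = r["to_A"] + r["to_B"] + r["flooded"]
    reached = r["to_A"] if host == "A" else r["to_B"]
    return 1.0 - reached / total


if __name__ == "__main__":
    # Only A exists: every probe is delivered and the entry never moves.
    print(simulate_pings(["A"] * 5))
    # A and B alternate: the entry flips every turn and C's probes are split.
    print(simulate_pings(["A", "B"] * 10))
    # B is chattier than A: most of C's probes are steered away from A.
    print(round(loss_rate_seen_by("A", ["B", "B", "B", "A"] * 5), 2))
```

With equal talkers the loss seen from the third host settles at about half, and a chattier duplicate pushes it toward the 75-80% end that Devrat reported; the flap counter climbs once per change of talker, which is why a duplicate MAC tends to show up in switch logs long before anyone looks at ping statistics. The model deliberately covers only one switch; with several bridges, as the message notes, traffic can additionally be split between devices or trigger spanning-tree reconvergence, which this simulation does not attempt to reproduce.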

