Great Circle Associates Firewalls
(November 1994)


Subject: Re: Concerns about MAC spoofing
From: renner <renner @ macroint . com>
Date: Wed, 02 Nov 94 10:43:01 EST
To: firewalls @ GreatCircle . COM, Rich=Gautier%SP-23DC%DRC @ S1 . drc . com
Encoding: 5678 Text

In the PC world (along with the rest of it too) MAC spoofing does not require any genius, just a little knowledge. In order to understand why MAC spoofing is so easy, here's a little background on how an Ethernet card works.

First, 99% of all Ethernet cards are stupid, i.e. they have no processing capability in and of themselves. The Ethernet device basically only performs the functions of the first layer of the ISO model, specifically the physical layer stuff. It does the transmitting on the wire, receiving, collision detection and CRC checks. The formatting of the actual packet, and examination of destination addresses, is done by software, i.e. the kernel device driver on UNIX systems, or the ODI driver/packet driver (Clarkson aka Crynwr)/NDIS driver on a PC. So what does this mean? It means that every packet that is sent on the wire is examined by this software driver. Now before everyone out there starts sending flame mail that this is impossible, that a PC or even some UNIX systems are incapable of examining every packet on a busy network, please read on. The first function of the driver is to determine if the packet's destination address matches the address assigned to this device. To do this, only the first 7 bytes of the packet need to be examined by the driver (1 byte Start of Frame and the 6 byte destination address). This comparison can be done on most machines in about 20 CPU instructions. If the destination address doesn't match, the rest of the packet is ignored. This driver is also responsible for formatting the packets to be transmitted on the wire.

The next question is where does the driver get this address. It gets the address when the driver initializes the Ethernet device. Part of the initialization routine queries the device for the address that is burned in on the address ROM. This address is normally stored as the address for the device. The address is so easy to change (i.e. ifconfig on most UNIX systems) because it is nothing more than a stored variable, just like the IP address used at the IP layer.

In order to change the MAC address in UNIX you need root access to use ifconfig; in the PC world you need a driver that allows you to select the MAC address of the card (locally administered addresses) so that this address is used instead of the one burned on the card. No "hacked" copy of anything is required for those drivers that implement locally administered addresses. Another method is to have the source code for the driver (available for all of the Clarkson aka Crynwr packet drivers) and modify the initialization routine to use a specific address (your "hacked driver"). Anybody who is even slightly competent in assembly language could do this without a problem. A more sophisticated (although easier) approach would be to write a program to search the entire memory space of the PC to find the six byte address of the card (find the location of the address in the driver's data area) and change it while the PC is running (kinda like doing an ifconfig on a DOS machine!) The explosion of PC based protocol analyzers is due to the implementation, in most driver specs, of promiscuous mode, where the driver passes up all packets regardless of destination address, which is really a form of address spoofing.

Now regarding your question about two devices with the same MAC address on the same network: the same thing happens as when you have two devices on the same network with the same IP address. Weird things start happening to both devices.

How do you guard against this? Some hub manufacturers have created "secure" hubs, where only specified devices are allowed to be connected to specific ports. If an "unknown" source MAC address appears on the port, the hub disables the port. This way, no "unknown" MAC addresses are allowed into the network. The only way to get in is to attach your device to the network cable plant using a "good" MAC address on the port you are attached to. The only way to prevent this from happening is to make sure your cable plant is physically secure. MAC based authentication is really very worthless in the real world because MAC addresses are easily changed on just about any Ethernet (or Token Ring) device.

______________________________ Reply Separator _________________________________
Subject: Concerns about MAC spoofing
Author:  Rich=Gautier%SP-23DC%DRC @ S1 . drc . com at INTERNET
Date:    11/2/94 7:43 AM

I have a few questions about MAC spoofing.  First off, how difficult would it
be to spoof a MAC address in a non-TCP/IP environment (i.e. IPX/SPX)?
Without an IFCONFIG, wouldn't the user require a hacked copy of the MLID to
do this?

Secondly, what happens if two cards exist with the same MAC address on a network?
Does it lock up both cards, or do the two cards start sending garbage onto
the Ethernet and locking up the entire network?

What we want to do is provide single-user login from a single MAC address, but
we are worried about the possibility of someone punching down a connection
and spoofing an address on the net.

     Rich Gautier    
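The two mechanisms renner's reply describes, the driver comparing a frame's destination field against the address stored for the device and a "secure" hub that disables a port when an unfamiliar source address shows up on it, modelled in Python over constructed frames. This is an added example, not code from the mailing list thread or from any driver or hub vendor; the MAC addresses, the `SecureHub` class, the `ingress` method name and the frame layout (Ethernet II header without preamble, SFD or FCS) are all assumptions made here for illustration.

```python
# Added example (not from the mailing list post): models the driver's
# destination-address check and a "secure hub" port lockout over constructed
# Ethernet II frames. Preamble/SFD and FCS are omitted from the frame model.
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"
ETH_HDR_LEN = 14  # 6 dst + 6 src + 2 ethertype


def parse_mac(text: str) -> bytes:
    """'00:11:22:33:44:55' -> 6 raw bytes."""
    parts = text.lower().split(":")
    if len(parts) != 6:
        raise ValueError(f"bad MAC address: {text!r}")
    return bytes(int(p, 16) for p in parts)


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Construct an Ethernet II frame: 14-byte header followed by the payload."""
    return parse_mac(dst) + parse_mac(src) + ethertype.to_bytes(2, "big") + payload


def parse_header(frame: bytes):
    """Return (dst, src, ethertype) from the first 14 bytes of a frame."""
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("frame too short for an Ethernet header")
    return (fmt_mac(frame[0:6]), fmt_mac(frame[6:12]),
            int.from_bytes(frame[12:14], "big"))


def driver_accepts(frame: bytes, my_mac: str, promiscuous: bool = False) -> bool:
    """The driver's first check: does the destination field match the address
    stored for this device (or the broadcast address)? Only the leading bytes
    are looked at; a non-matching frame is dropped without examining the rest.
    In promiscuous mode every frame is passed up regardless of destination."""
    if promiscuous:
        return True
    dst = frame[:6]
    return dst == parse_mac(my_mac) or dst == parse_mac(BROADCAST)


@dataclass
class SecureHub:
    """Hypothetical hub that binds each port to the source MACs allowed there.
    A frame whose source is not on the port's list disables that port."""
    allowed: dict                           # port number -> set of permitted source MACs
    disabled: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def ingress(self, port: int, frame: bytes) -> bool:
        """Return True if the frame is forwarded, False if it is dropped."""
        if port in self.disabled:
            return False
        _, src, _ = parse_header(frame)
        if src not in self.allowed.get(port, set()):
            self.disabled.add(port)
            self.log.append(f"port {port} disabled: unexpected source {src}")
            return False
        return True


def run_demo() -> dict:
    """Constructed scenario: a workstation on port 1, a server on port 2, and a
    device nobody registered that gets plugged into port 2."""
    station = "00:00:c0:11:22:33"   # constructed address
    server = "00:00:c0:aa:bb:cc"    # constructed address
    stranger = "02:de:ad:be:ef:01"  # constructed, locally administered bit set
    hub = SecureHub(allowed={1: {station}, 2: {server}})

    f_legit = build_frame(server, station, 0x0800, b"constructed payload")
    f_stranger = build_frame(station, stranger, 0x0800, b"constructed payload")
    results = {
        "server_driver_accepts": driver_accepts(f_legit, server),
        "station_driver_ignores": not driver_accepts(f_legit, station),
        "legit_forwarded": hub.ingress(1, f_legit),
        "stranger_forwarded": hub.ingress(2, f_stranger),  # port 2 locks out
        "port2_disabled": 2 in hub.disabled,
        "log": list(hub.log),
    }
    # The limitation the post points out: the hub keys only on the source
    # field, so any device presenting the port's permitted address is forwarded.
    fresh = SecureHub(allowed={2: {server}})
    f_same_addr = build_frame(station, server, 0x0800, b"constructed payload")
    results["permitted_address_forwarded"] = fresh.ingress(2, f_same_addr)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

`run_demo()` returns a dictionary rather than printing so the outcomes can be checked programmatically: the server's driver accepts the frame addressed to it, the workstation's driver ignores it, port 2 is disabled the moment the unregistered address appears, and the final entry shows why the post calls MAC-based authentication worthless without a physically secure cable plant: the lockout cannot distinguish a frame carrying the permitted address from the device that is supposed to own it.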
