On Thu, 15 Aug 1996, Don Lewis wrote:
> On Aug 15, 2:59am, Rabid Wombat wrote:
> } Subject: Re: Re: huh? switch hitter?
> } Be careful with the security benefits angle, though. I read a test report
> } a while back (sorry, don't have the reference handy, and no brands were
> } specified) that indicated that some switches will pass packets out all
> } ports when under very heavy loads - even crossing VLANs established on the
> } switch. An attacker could "load" the switch from one or more ports, then
> } watch for "fallout" on another port.
> If a bridge/switch doesn't know which port a MAC address lives on, it
> will forward a packet sent to that MAC address to all it's ports (unless
> it knows that some of the ports only connect to a certain device(s)), in
> the hope that one of them connects to the desired device. You wouldn't
> want all the machines on your net to stop talking just because the switch
> was power cycled and lost it's MAC table.
Correct, but I doubt you'd get any useful info this way, as you'd only
get the first few packets, at most, and then the MAC table would pick up
the target address from the ACK packets coming back. I'm assumming, of
course, that the device would take long enough to power cycle that
connections would time out and need to be re-started. If not, you'd be
able to pick up a few packets out of any point in the conversation.
> Due to speed requirements, bridges/switches usually keep their MAC tables
> in some type of high speed memory which is of limited size. If someone
> manages to overflow this memory with fake MAC addresses (or real addresses
> if your network is big enough), then packets sent to a host whose MAC
> address has been flushed can be forwarded to ports other than the one
> to which the host is connected.
Flooding the table w/ fake/real addresses is one I hadn't thought of -
this would be more dangerous than the above, because it could be used to
pick up the middle of conversations.
> --- Truck