Security Basics mailing list archives
RE: Network Configuration Question?
From: "Naman Latif" <naman.latif () inamed com>
Date: Tue, 5 Nov 2002 11:46:15 -0800
Whenever the switch receives a packet for which it doesn't find the destination MAC address in its "forwarding database", it sends that packet to all ports in that VLAN. These are known as "unknown unicast" messages. You are probably seeing those packets.

One way to block this is to have the ports configured to block these packets by using "port block unicast"; however, I don't think this would work out well in most scenarios. I would suggest moving all your "Secure Machines" into a different VLAN and then using a router (or RSM) to route between VLANs.

Regards
Naman

-----Original Message-----
From: netsec novice [mailto:netsec9 () hotmail com]
Sent: Tuesday, November 05, 2002 8:14 AM
To: ilyte () alias666 freeserve co uk; security-basics () securityfocus com
Subject: Re: Network Configuration Question?

I recently saw similar behaviour running tcpdump on my workstation that is attached to a Cisco catalyst switch. I would be interested to find any answers myself.

From: "Ian Lyte" <ilyte () alias666 freeserve co uk>
To: <security-basics () securityfocus com>
Subject: Network Configuration Question?
Date: Mon, 4 Nov 2002 16:58:37 -0000

Hi All,

On a corporate machine, I was having trouble removing the TinyBar scrote-ware that had installed itself surreptitiously onto my machine.

As part of the process of tracking down how it was running, I downloaded a small packet sniffer and ran it so I could attempt to trace the outgoing target address of the pop-up window. We are on a 100mbs switched network (I believe switched but ..).

Now imagine my surprise when I could pick up traffic from around 6 other machines, including HTTP, POP, SMTP and all the associated passwords. Some of the machines were geographically close to me in the office but not all.

How could this happen on a switched network - has one of the switches fallen over into broadcast mode or something? If so how do I go about determining (remotely) why/how it has fallen over, who else is on the segment, and what other avenues do I have to explore?

Thanks in advance
Ian
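
Added example (not part of the original posts, and not any vendor's code): a minimal Python model of the forwarding-database lookup described in the reply above, showing when a frame is flooded as "unknown unicast" and how a separate VLAN confines that flooding. It goes slightly beyond the reply by also modelling entry aging; the 300-second timer, port layout and MAC addresses are assumptions constructed for the illustration.

```python
from dataclasses import dataclass, field

AGING_SECONDS = 300  # assumed aging timer; real switches make this configurable


@dataclass
class LearningSwitch:
    port_vlan: dict                            # port number -> VLAN id
    fdb: dict = field(default_factory=dict)    # (vlan, mac) -> (port, last_seen)

    def receive(self, in_port, src, dst, now):
        """Return the sorted list of ports the frame is sent out of."""
        vlan = self.port_vlan[in_port]
        # Learn (or refresh) the source address on the ingress port.
        self.fdb[(vlan, src)] = (in_port, now)
        entry = self.fdb.get((vlan, dst))
        if entry and now - entry[1] <= AGING_SECONDS:
            # Known destination: forward to exactly one port (or filter).
            return [] if entry[0] == in_port else [entry[0]]
        # Miss or aged-out entry: "unknown unicast", flooded within the VLAN only.
        self.fdb.pop((vlan, dst), None)
        return sorted(p for p, v in self.port_vlan.items()
                      if v == vlan and p != in_port)


def demo():
    # Constructed topology: ports 1-4 in VLAN 10, ports 5-6 ("secure") in VLAN 20.
    sw = LearningSwitch({1: 10, 2: 10, 3: 10, 4: 10, 5: 20, 6: 20})
    # Constructed, locally administered MAC addresses.
    a, b = "02:00:00:00:00:0a", "02:00:00:00:00:0b"
    s1, s2 = "02:00:00:00:00:c1", "02:00:00:00:00:c2"
    return {
        # b has never transmitted, so every other VLAN 10 port sees the frame.
        "first_frame": sw.receive(1, a, b, now=0),
        # a was learned on port 1, so the reply goes only there.
        "reply": sw.receive(2, b, a, now=1),
        # b is now known on port 2.
        "known": sw.receive(1, a, b, now=2),
        # b stayed silent past the aging timer: flooding resumes.
        "aged": sw.receive(1, a, b, now=400),
        # Unknown unicast in VLAN 20 never reaches the VLAN 10 ports.
        "secure": sw.receive(5, s1, s2, now=401),
    }


if __name__ == "__main__":
    for name, ports in demo().items():
        print(f"{name:12s} -> egress ports {ports}")
```
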