Security Basics mailing list archives
RE: about CAM table overflow attack?
From: Network Security <network.security () iit edu>
Date: Wed, 19 Apr 2006 15:30:35 -0500
Unfortunately, it is still possible. Because every switch has a hardware limitation, the CAM table can only be *so* big. Even in the big boys, like the 6500, it still has a limit to how many MAC addresses can be held at one time. Once this limit is reached, the traffic comes flooding. However, there are features in the newer versions of IOS that limit how many MACs can be seen from one port. You can set the number higher than usual (maybe 25-50 on a 6500), so that someone can plug in a 4-port switch and traffic will still pass, but it will prevent someone from sending 10000+ MACs into the switch for malicious reasons.

felix lin

-----Original Message-----
From: Rick Zhong [mailto:sagiko () gmail com]
Sent: Wednesday, April 19, 2006 4:04 AM
To: inoutsec () gmail com
Cc: security-basics () securityfocus com
Subject: Re: about CAM table overflow attack?

I am just curious whether this behaviour is still valid in newer switches, like those running IOS 12+ ... It sounds to me like a very old trick, and it seems the success rate for this type of attack is very low nowadays.

On 18 Apr 2006 20:11:45 -0000, inoutsec () gmail com <inoutsec () gmail com> wrote:
Basically what would happen is all traffic would be flooded to all ports (no VLANs yet). This would happen only to unknown traffic though, that is, MAC addresses that are not in the CAM.

If a VLAN is configured, then only ports on the same VLAN would receive the broadcasts. The nature of VLANs prevents broadcasts from being delivered to another VLAN.

Hope this helps.

-------------------------------------------------------------------------
This List Sponsored by: Webroot
Don't leave your confidential company and customer records un-protected. Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no obligation. See why so many companies trust Spy Sweeper Enterprise to eradicate spyware from their networks. FREE 30-Day Trial of Spy Sweeper Enterprise
http://www.webroot.com/forms/enterprise_lead.php
--------------------------------------------------------------------------
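As an added illustration of the two points made in this thread (a full CAM table turns a switch into a hub for every address it can no longer learn, and a per-port MAC limit keeps the attacker from filling it), here is a toy model of a switch's MAC table in Python. It is example code written for this archive, not anything posted by the list members or taken from IOS. The per-port limit models Cisco port security (`switchport port-security maximum N` with violation mode `restrict`, which drops and counts frames beyond the limit); the port names, host MACs, the 1024-entry table capacity and the 10000-frame flood are constructed values, and a real 6500 holds far more entries than this toy.

```python
# Added example, not from the thread: a toy switch CAM (MAC-address) table
# showing (1) why a full table makes the switch flood a host's traffic to
# every port, including the attacker's, and (2) how a per-port MAC limit
# (modelled on Cisco "switchport port-security maximum N", violation mode
# "restrict") stops the attacker from filling the table in the first place.
# Port names, MACs, table capacity and flood size are constructed values.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ToySwitch:
    ports: List[str]
    cam_capacity: int                                        # hardware limit
    port_max: Dict[str, int] = field(default_factory=dict)   # port -> max MACs
    cam: Dict[str, str] = field(default_factory=dict)        # mac -> port
    per_port: Dict[str, int] = field(default_factory=dict)   # port -> MACs learned
    violations: List[tuple] = field(default_factory=list)    # (port, mac) dropped

    def learn(self, src_mac: str, in_port: str) -> bool:
        """Update the table for src_mac. Returns False only when port security
        rejects the frame ("restrict": drop it and count a violation)."""
        if src_mac in self.cam:
            return True                                # already known
        limit = self.port_max.get(in_port)
        if limit is not None and self.per_port.get(in_port, 0) >= limit:
            self.violations.append((in_port, src_mac))
            return False
        if len(self.cam) < self.cam_capacity:
            self.cam[src_mac] = in_port
            self.per_port[in_port] = self.per_port.get(in_port, 0) + 1
        # else: table full; frame is still forwarded but the source stays unlearned
        return True

    def forward(self, src_mac: str, dst_mac: str, in_port: str) -> List[str]:
        """Return the egress ports for a frame; an empty list means dropped."""
        if not self.learn(src_mac, in_port):
            return []
        out = self.cam.get(dst_mac)
        if out is None:                                # unknown unicast: flood
            return [p for p in self.ports if p != in_port]
        return [out]


def fake_mac(i: int) -> str:
    """Deterministic locally-administered MAC, standing in for macof's random ones."""
    return "02:00:00:%02x:%02x:%02x" % ((i >> 16) & 0xFF, (i >> 8) & 0xFF, i & 0xFF)


def run_scenario(attacker_port_max: Optional[int], flood_count: int = 10000) -> dict:
    """Flood the table from the attacker's port, then watch B's reply to A."""
    ports = ["Gi1/1", "Gi1/2", "Gi1/3"]                  # host A, host B, attacker
    host_a, host_b = "00:11:22:33:44:01", "00:11:22:33:44:02"
    sw = ToySwitch(ports, cam_capacity=1024)
    if attacker_port_max is not None:
        # interface Gi1/3 / switchport port-security maximum <N> / violation restrict
        sw.port_max["Gi1/3"] = attacker_port_max
    # Attacker blasts frames with thousands of distinct source MACs.
    for i in range(flood_count):
        sw.forward(fake_mac(i), "ff:ff:ff:ff:ff:ff", "Gi1/3")
    # A talks to B. B is unknown on a fresh switch, so A's first frame floods
    # either way; the telling frame is B's reply to A, which should be unicast.
    sw.forward(host_a, host_b, "Gi1/1")
    reply_ports = sw.forward(host_b, host_a, "Gi1/2")
    return {
        "cam_entries": len(sw.cam),
        "violations": len(sw.violations),
        "reply_ports": reply_ports,
        "attacker_sees_reply": "Gi1/3" in reply_ports,
    }


if __name__ == "__main__":
    print("no port security:", run_scenario(None))
    print("port-security max 50:", run_scenario(50))
```

Without the per-port limit the 1024 slots are all taken by attacker MACs, host A can never be learned, and B's reply to A is flooded out every port, including Gi1/3 where the attacker is sniffing. With a limit of 50 on Gi1/3 the attacker gets 50 entries and 9950 dropped frames, the table still has room for A and B, and the reply goes only to Gi1/1. A limit of 25-50, as suggested above, still leaves room for a small unmanaged switch hanging off the port.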
Current thread:
- about CAM table overflow attack? Monty Ree (Apr 18)
- RE: about CAM table overflow attack? Network Security (Apr 18)
- RE: about CAM table overflow attack? David Gillett (Apr 24)
- <Possible follow-ups>
- Re: about CAM table overflow attack? inoutsec (Apr 18)
- Re: about CAM table overflow attack? Rick Zhong (Apr 19)
- RE: about CAM table overflow attack? Network Security (Apr 19)
- Re: about CAM table overflow attack? Rick Zhong (Apr 19)