Bugtraq mailing list archives

Re: Infosec.19990305.macof.a


From: david () FUNDY CA (David Maxwell)
Date: Thu, 6 May 1999 22:50:53 -0300


On Wed, May 05, 1999 at 09:15:25AM +0100, ian.vitek () INFOSEC SE wrote:
> Infosec Security Vulnerability Report
> No: Infosec.19990305.macof.a
> =====================================
>
> Vulnerability Summary
> ---------------------
>
> Problem:  Due to limitations of ARP/MAC-tables;
>                switches could start sending packets to all ports,
>                other network devices could hang, crash or reboot
>                if they receive lots of MAC-addresses.

This doesn't seem like a major issue, as long as
PER PORT MAC limit < x < y < PER SWITCH MAC limit
and y-x is a reasonable size.

Since you can only generate MAC addresses which will be recorded
on the port of the switch your attacking box is connected to,
you won't be able to overload the box entirely.

You will be able to knock valid local (i.e. on your segment) MACs
out of the table, but this will only give the switch a little
extra work to do (packet replication). All the traffic to or from
hosts on the same port as you should already be sniffable anyway.
Displacing existing MACs will disrupt traffic as mentioned, but
it's worth noting that on some brands of VLAN capable switch,
the same MAC can exist without conflict in more than 1 VLAN. So
you'll only be affecting the VLAN you're connected to.

--
David Maxwell, david () vex net|david () maxwell net --> Mastery of UNIX, like
mastery of language, offers real freedom. The price of freedom is always dear,
but there's no substitute. Personally, I'd rather pay for my freedom than live
in a bitmapped, pop-up-happy dungeon like NT. - Thomas Scoville
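
The per-port versus per-switch limit argument in the reply above, as an added illustration that is not part of the original thread and is not macof's own code: a toy learning switch in Python with a bounded MAC (CAM) table, a flood of random source MACs from one port, and a check of where the victim's next frame ends up. Everything here is a constructed assumption: the eviction policy (oldest entry first when the table is full), the port numbers, the two host MACs and the per-port cap that models the "PER PORT MAC limit" David mentions. Real switches age entries out or simply stop learning when the table is full, and per-port caps are a vendor-specific port-security feature.

```python
import random
from collections import OrderedDict


class Switch:
    """Toy learning switch with a bounded MAC (CAM) table. Constructed model, not a real switch."""

    def __init__(self, table_size, per_port_limit=None, ports=4):
        self.table_size = table_size          # whole-switch CAM capacity
        self.per_port_limit = per_port_limit  # max learned MACs per port; None = no cap
        self.ports = ports
        self.cam = OrderedDict()              # mac -> port; insertion order doubles as age
        self.flooded = 0                      # frames sent out every port (unknown destination)

    def entries_on_port(self, port):
        return sum(1 for p in self.cam.values() if p == port)

    def learn(self, src_mac, port):
        if src_mac in self.cam:
            self.cam.move_to_end(src_mac)     # refresh: treat as most recently seen
            self.cam[src_mac] = port
            return
        if (self.per_port_limit is not None
                and self.entries_on_port(port) >= self.per_port_limit):
            return                            # port cap reached: new address is not learned
        if len(self.cam) >= self.table_size:
            self.cam.popitem(last=False)      # table full: evict oldest entry (assumed policy)
        self.cam[src_mac] = port

    def forward(self, src_mac, dst_mac, in_port):
        """Learn the source, then return the list of egress ports for the frame."""
        self.learn(src_mac, in_port)
        out = self.cam.get(dst_mac)
        if out is None:
            self.flooded += 1                 # unknown destination: replicate to all other ports
            return [p for p in range(self.ports) if p != in_port]
        return [out]


def rand_mac(rng):
    # locally administered unicast prefix, so it never collides with the fixed hosts below
    return "02:" + ":".join(f"{rng.randrange(256):02x}" for _ in range(5))


def simulate(table_size, per_port_limit, flood_count, seed=1):
    rng = random.Random(seed)
    sw = Switch(table_size, per_port_limit)
    victim, server = "00:00:00:00:00:01", "00:00:00:00:00:02"   # constructed hosts
    # Legitimate hosts on ports 1 and 2 exchange a frame each so the switch learns both.
    sw.forward(victim, server, 1)
    sw.forward(server, victim, 2)
    # Attacker on port 3 sends frames from many random source MACs (what macof does).
    for _ in range(flood_count):
        sw.forward(rand_mac(rng), server, 3)
    # Now the victim talks to the server: does the frame reach the attacker's port?
    egress = sw.forward(victim, server, 1)
    return {
        "victim_to_server_ports": egress,
        "attacker_sees_frame": 3 in egress,
        "table_entries": len(sw.cam),
        "attacker_entries": sw.entries_on_port(3),
    }


if __name__ == "__main__":
    print("no per-port cap:", simulate(1024, None, 2000))
    print("per-port cap 8: ", simulate(1024, 8, 2000))
```

Without a per-port cap the attacker on port 3 pushes both legitimate entries out of the table, and the victim's next frame to the server is replicated to every other port, the attacker's included; that is the "switches could start sending packets to all ports" case from the advisory. With a cap of 8 the attacker never holds more than 8 entries, the table never fills, and the frame goes to port 2 alone, which is the situation the reply describes as "not a major issue". The inequality in the reply translates to per-port cap times number of ports staying comfortably below the whole-switch capacity; if it does not, a single port can still be prevented from filling the table but several cooperating ports cannot.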
