Penetration Testing mailing list archives

Re: [PEN-TEST] Bizzare Network Errors Found During Pen Test (IP ARPThrottled)


From: Michael Thumann <michael.thumann () SPARKASSE-SINGEN-RADOLFZELL DE>
Date: Thu, 22 Mar 2001 12:04:35 +0100

I had the same problem some time ago. A Token Ring environment
normally uses source route bridging and perhaps transparent bridging, if
needed.
Source route bridging almost needs a RIF Field in the network packets to
work, otherwise you don't get responses. There are different reasons for
this:

On Windows machines there's a registry key for controlling ARP Request
with source route support:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
-> ArpAlwaysSourceRoute; dword; 0=always without RIF; 1=always with RIF
If the value doesn't exist, the first ARP Packet is sent without a RIF
and if there's no answer another ARP Request is sent with RIF.
This may result in a timeout problem of the application.

Another Problem is when only transparent bridging is used to bridge from
token ring to ethernet segments. The RIF will get lost. To prevent the
whole packet from getting lost you have to reinsert the RIF into the
packet when it is entering a token ring segment with only source route
bridging again. On Cisco routers you can use the multiring command to do
this job.

I don't think that it is a problem of translational bridging because the
main job of translational bridging is to convert the MAC addresses
properly from token ring to ethernet format and do some resizing of the
packets, so you can check easily if the MAC addresses look like they have
to.

Here's a link to Cisco where Mixed Media Bridging and possible Problems
are described:
http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/mmbridge.htm

If you can place a sniffer at some interesting points you can check the
presence of the RIF where it is needed.

Hope that helps ;-)
Michael

--
Michael Thumann
Certified Internet Security Manager
Sparkasse Singen-Radolfzell
Sitz: 78224 Singen
Registergericht:Singen HRA 943
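
The sniffer check suggested in the message above, as an added example that is not part of the original post: a small decoder that tells whether a captured Token Ring frame carries a RIF and which rings and bridges it lists. The function name `parse_rif`, the sample frames and the assumption that the capture starts at the Access Control byte are all constructed for illustration.

```python
# Added example: check a captured Token Ring (802.5) frame for a RIF.
# Assumption: the capture starts at the Access Control byte.

def parse_rif(frame: bytes):
    """Return None if the frame has no RIF, else a dict describing it."""
    if len(frame) < 14:
        raise ValueError("frame shorter than AC+FC+DA+SA")
    src = frame[8:14]                  # AC(1) FC(1) DA(6) SA(6)
    if not src[0] & 0x80:              # RII: high bit of first source byte
        return None
    if len(frame) < 16:
        raise ValueError("RII set but routing control field missing")
    rc0, rc1 = frame[14], frame[15]
    length = rc0 & 0x1F                # RIF length in bytes, RC included
    if length < 2 or length % 2 or len(frame) < 14 + length:
        raise ValueError(f"invalid RIF length {length}")
    top = rc0 >> 5                     # broadcast indicator bits
    kind = ("specifically routed" if top < 4 else
            "all-routes explorer" if top < 6 else
            "spanning-tree explorer")
    hops = []
    for i in range(16, 14 + length, 2):
        rd = int.from_bytes(frame[i:i + 2], "big")
        hops.append((rd >> 4, rd & 0xF))   # (ring number, bridge number)
    return {"type": kind, "length": length,
            "reverse": bool(rc1 & 0x80),   # direction bit
            "hops": hops}

# Constructed sample frames: AC, FC, DA, SA, then RIF and/or LLC bytes.
_HDR = bytes.fromhex("1040") + b"\xff" * 6
_LLC = bytes.fromhex("aaaa03")
NO_RIF = _HDR + bytes.fromhex("0000f6123456") + _LLC
WITH_RIF = (_HDR + bytes.fromhex("8000f6123456")
            + bytes.fromhex("063000110020") + _LLC)
EXPLORER = _HDR + bytes.fromhex("8000f6123456") + bytes.fromhex("8270") + _LLC

if __name__ == "__main__":
    for name, f in (("no RIF", NO_RIF), ("routed", WITH_RIF),
                    ("explorer", EXPLORER)):
        print(name, "->", parse_rif(f))
```

Run against frames captured on each side of a bridge, a frame that shows hops on the source-route side and `None` after a transparent hop marks the point where the RIF was dropped.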

