Snort mailing list archives

RE: DSL


From: "Bob McDowell" <bmcdowell () coxhealthplans com>
Date: Tue, 7 Jan 2003 09:33:29 -0600

My own experience with DSL has shown gobs and gobs of folks rummaging
through my computers.  As a result, my 'test-bed' for Linux firewall has
recently become my house.  I took my Iptables logs and made a pretty
effective presentation by simply showing what hackers were after.

My set-up differs a bit in the fact that my DSL device is some sort of
Ethernet-to-DSL bridge with a router upstream.  I would guess that in my
implementation sniffing would be basically fruitless.

I do, however get a ton of local spoofers and I'd guess they're trying to
pry their way in...

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Rich Adamson
Sent: Tuesday, January 07, 2003 6:31 AM
To: NoLiMiT1961 () aol com; snort-users () lists sourceforge net
Subject: Re: [Snort-users] DSL

Is it a fact that you can only sniff the traffic on
DSL that's directed only to you and you can't sniff
any other traffic at all?

That depends 100% on how your telephone company and ISP configured
their dsl offering. In most US cases, the telephone company provides
the basic dsl pipe, and most of the layer 2 and/or 3 components are
implemented by the ISP. There have been three popular implementations.

1. small telephone companies frequently use a relatively inexpensive
 dslam-like device that acts similarly to a hub. The equipment allows
 one dsl subscriber to see and interact with some of the other dsl
 subscribers' systems. (Most of these devices appear almost like
 ethernet extenders with no layer 2 or 3 functionality to speak of.)

2. some ISPs implement their head-end equipment in bridging mode as
 it's the easiest configuration to use when you don't understand all
 the technical dsl details. Later they generally wish they would have
 used a true layer-3 approach, but it becomes too costly for them to
 revisit their dsl customers to switch to another implementation.
 The bridging approach will allow broadcasts and some other traffic
 to appear at a customer's location that has no business going
 there (wastes bandwidth). Given the chatty nature of Microsoft
 systems, you will see some traffic from other dsl customer machines.

3. some ISPs implement true layer-3 at the head-end, reducing the
 amount of other dsl customer traffic seen at your location. That
 implementation generally requires a fair amount of understanding
 and planning prior to activating a dsl offering.

4. regardless of how the telephone company and ISP configure their
 equipment, the majority use dsl modems at the customer location
 that implement Network Address Translation (NAT). The NAT function
 provides a very basic firewall-like function that further reduces
 (and in many cases eliminates) any traffic from neighboring dsl
 users. Pure guess is that something greater than 90% of all dsl
 modems in use implement NAT in one form or another.

Since most people don't have access to the equipment necessary to
sniff (or snort) the actual physical dsl circuit, whether adjacent
dsl customer traffic appears on the wire is mostly irrelevant (except
for the small amount of bandwidth consumed by this unproductive
neighbor broadcast traffic, etc).

If you sniff/snort the ethernet side of the dsl modem (as opposed to
the physical dsl circuit) and see broadcasts, the implementation is
probably either #1 or #2, above.

The telephone companies generally consider the dsl modem as "customer
owned" equipment. Therefore, a fairly large percentage of dsl providers
leave the dsl modem open to console, telnet, web and/or snmp access
in one direction or the other. In some implementations, the modem is
password protected, but the password is given to the customer since the
box is considered customer owned. If a hacker-type subscribes to dsl
services, he can reconfigure the dsl modem in some cases to allow him
to sniff/snort more of his neighboring dsl customer traffic than what
would normally be seen. If the telephone company uses #1, above, the
hacker would see most/all neighboring dsl traffic.

If security is a concern for a dsl customer (regardless of the above),
then the customer should consider an on-site firewall-like device
to reduce the possibility of neighbors rummaging through their mostly
open PC systems, etc.
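Bob mentions summarizing his Iptables logs to show what the probes were after, and Rich's advice is an on-site firewall plus watching the ethernet side of the modem for traffic that should not be there. The following is an added example, not code from either poster: it parses kernel LOG lines from iptables, counts the destination ports being probed, and flags packets arriving on the external interface whose source claims to be inside the customer's own ISP-assigned subnet (neighbor leakage on a hub/bridged DSLAM, or a spoofer). The log lines and the 192.0.2.0/24 subnet are constructed for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample iptables LOG output (kernel log format); not real data.
SAMPLE_LOG = """\
Jan  7 02:11:43 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.20 LEN=48 TTL=113 PROTO=TCP SPT=3512 DPT=139 SYN
Jan  7 02:12:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.20 LEN=48 TTL=113 PROTO=TCP SPT=3513 DPT=445 SYN
Jan  7 02:14:09 gw kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.20 LEN=48 TTL=52 PROTO=TCP SPT=61000 DPT=139 SYN
Jan  7 02:15:30 gw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=192.0.2.20 LEN=60 TTL=128 PROTO=TCP SPT=1025 DPT=80 SYN
Jan  7 02:16:02 gw kernel: IN=eth0 OUT= SRC=192.0.2.255 DST=192.0.2.20 LEN=229 TTL=128 PROTO=UDP SPT=138 DPT=138
"""

# iptables LOG lines are a run of KEY=value tokens; flags like SYN have no '='.
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return the KEY=value fields of one LOG line as a dict (empty OUT= kept as '')."""
    return dict(FIELD_RE.findall(line))


def summarize(log_text, local_net, external_if="eth0"):
    """Count (proto, dport) pairs seen on the external interface and list the
    source addresses that claim to be inside local_net, which on a NAT'd DSL
    link should never arrive from outside unless the upstream is hub/bridged
    or the address is spoofed."""
    net = ip_network(local_net)
    ports = Counter()
    suspect_local = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("IN") != external_if or "SRC" not in f or "DPT" not in f:
            continue
        ports[(f.get("PROTO", "?"), int(f["DPT"]))] += 1
        if ip_address(f["SRC"]) in net:
            suspect_local.append(f["SRC"])
    return ports, suspect_local


if __name__ == "__main__":
    counts, suspects = summarize(SAMPLE_LOG, "192.0.2.0/24")
    for (proto, port), n in counts.most_common():
        print(f"{proto}/{port}: {n} probe(s)")
    print("sources claiming the local subnet:", suspects)
```

On a real box, feed it `grep 'IN=eth0' /var/log/messages` (or wherever the LOG target writes) and set `local_net` to the subnet your ISP assigned.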


