Vulnerability Development mailing list archives

Re: ethernet cards & promisc mode


From: david_laporte () HARVARD EDU (David LaPorte)
Date: Fri, 5 May 2000 01:13:17 -0400


The Linux Intrusion Detection System patch (LIDS) seems to allow disabling
promiscuous mode at the kernel level.  I haven't personally tried it, but it
is listed as a feature:

http://www.lids.org/lids-howto/lids-hacking-howto-8.html#ss8.2

Hope this helps,

Dave LaPorte

-----Original Message-----
From: VULN-DEV List [mailto:VULN-DEV () SECURITYFOCUS COM]On Behalf Of
Granquist, Lamont
Sent: Thursday, May 04, 2000 4:18 PM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: ethernet cards & promisc mode

Disabling capabilities (e.g. CAP_KILL CAP_LINUX_IMMUTABLE CAP_NET_ADMIN
CAP_NET_RAW CAP_SYS_MODULE CAP_SYS_RAWIO CAP_SYS_PTRACE CAP_SYS_ADMIN
CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_TTY_CONFIG) should go a long way towards
preventing these kinds of attacks.

On Thu, 4 May 2000, C.J. Oster wrote:
I'm fairly sure it's a driver issue, not the card allowing you to do so or
not.  You could always take the kernel module and turn off its ability to
enter promisc mode.  You may have to hack the ethernet layer also.
Promisc mode just means the driver stops checking its hardware address
against the destination address, so I believe that this is a driver issue.
You can only enter promisc mode as root anyway, so if an attacker got that
far, nothing prevents him from building a working driver and using that.
You could force the attacker to build an entire kernel and reboot the
machine by building the card driver into the kernel rather than a module,
but one can still work around that as well.

-CJO-

On Wed, 3 May 2000, Security Team wrote:

are there any ethernet cards on the market that work well with linux,
that don't allow you to go into promisc mode?

kw



             C.J. Oster (Linux Guru/Surge Addict) cjo () pobox com
   ----------------------------------------------------------------------
          Network Security Manager      Unix System Administrator
             For BHNet, Bromley Hall    Workstation Services Group/CCSO
          Hoover and Associates         University of Illinois at
          security () bromleygroup com        Urbana-Champaign
          (217)355.1132                 (217)265.8427
   ----------------------------------------------------------------------

         PGP: 87D5 4216 43A1 42D6 754D  8F5E 24B3 992A B7A1 F556

       "If builders built buildings like programmers write programs,
        the first woodpecker that came along would have destroyed
        civilization."  --Murphy
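The two controls the thread discusses, dropping capabilities such as CAP_NET_ADMIN and CAP_NET_RAW, and keeping interfaces out of promiscuous mode, can both be audited from userland. The script below is an added example, not code from anyone in this thread; it assumes only the standard `/proc/<pid>/status` `CapBnd:` field and the hex flags file in `/sys/class/net/<iface>/flags`, and the sample inputs are constructed.

```python
import os
import re

# Capability bit numbers from linux/capability.h for the set Granquist lists.
CAPS = {
    "CAP_KILL": 5, "CAP_LINUX_IMMUTABLE": 9, "CAP_NET_ADMIN": 12,
    "CAP_NET_RAW": 13, "CAP_SYS_MODULE": 16, "CAP_SYS_RAWIO": 17,
    "CAP_SYS_PTRACE": 19, "CAP_SYS_ADMIN": 21, "CAP_SYS_BOOT": 22,
    "CAP_SYS_TIME": 25, "CAP_SYS_TTY_CONFIG": 26,
}
IFF_PROMISC = 0x100  # interface flag bit from linux/if.h

def caps_in_mask(hexmask):
    """Names from CAPS whose bit is set in a hex capability mask."""
    mask = int(hexmask, 16)
    return sorted(name for name, bit in CAPS.items() if (mask >> bit) & 1)

def bounding_caps(status_text):
    """Listed capabilities still present in the CapBnd line of a /proc status dump."""
    m = re.search(r"^CapBnd:\s*([0-9a-fA-F]+)", status_text, re.M)
    if not m:
        raise ValueError("no CapBnd line in status text")
    return caps_in_mask(m.group(1))

def is_promisc(flags_text):
    """True when the sysfs flags value (e.g. '0x1103') has IFF_PROMISC set."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)

def audit(status_text, iface_flags):
    """Findings: dangerous caps still in the bounding set, interfaces in promisc mode."""
    return {
        "caps": bounding_caps(status_text),
        "promisc": sorted(i for i, f in iface_flags.items() if is_promisc(f)),
    }

def audit_live():
    """Run the audit against the real /proc and /sys of this host."""
    with open("/proc/self/status") as fh:
        status = fh.read()
    flags = {}
    for iface in os.listdir("/sys/class/net"):
        with open(f"/sys/class/net/{iface}/flags") as fh:
            flags[iface] = fh.read()
    return audit(status, flags)

# Constructed sample: 41-bit bounding set with bits 12 and 13 cleared, eth0 promiscuous.
SAMPLE_STATUS = "Name:\tbash\nCapBnd:\t00001fffffffcfff\nCapAmb:\t0000000000000000\n"
SAMPLE_FLAGS = {"lo": "0x9", "eth0": "0x1103"}

if __name__ == "__main__":
    print(audit(SAMPLE_STATUS, SAMPLE_FLAGS))
```

On the sample, CAP_NET_ADMIN and CAP_NET_RAW are reported absent while the rest of the listed set remains, and eth0 is flagged as promiscuous.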
