Vulnerability Development mailing list archives

Re: MiM Simultaneous close attack


From: Jim Nanney <jnanney () datasync com>
Date: Tue, 21 Aug 2001 21:03:07 -0500 (CDT)


A switch (particularly a low end, cheaper model) keeps a table of MAC
addresses connected to each port and its memory size is limited, thus
once you flood the switch with wrong MAC addresses it broadcasts to all
ports to find the next MAC.  Continuous flooding will make the switch
broadcast traffic to every port.

Small Example (very small for illustrative point)

MAC Table with only room for 4 entries
MAC 1 - port 1
MAC 2 - port 2
MAC 3 - port 3
MAC 4 - port 4

If the MAC table is full, the next unknown MAC to come across drops the
list down and the last one falls off.  If this last one (MAC 4) sends
traffic again it will be sent to all ports. (Subsequently, once MAC 4
responds, MAC 3 drops off the list.)

Thus the new table

NEWMAC - port 1
MAC 1  - port 1
MAC 2  - port 2
MAC 3  - port 3

For a better explanation, see the dsniff collection of tools, particularly
the macof utility.

This collection of sniffing tools from Dug Song is a tutorial in packet
sniffing in itself and from his homepage there are links explaining each.

http://www.monkey.org/~dugsong/dsniff/
 
Thanks,
___
_|im Nanney


On Tue, 21 Aug 2001, Mauro Flores wrote:

Robert Freeman wrote:

I don't think you can get exactly what you want Paul. About the switched
networks in general, you could:

1) Spoof an existing MAC (not reliable)
2) Flood your switch with MAC announcements (may become a nice hub!)
3) Sniff the initial ARP broadcast and reply (hassle for all packets)

regards,
Robert

btw, a MiM DoS? ...geez.


Hi!!
Can anyone explain to me (or point me to a URL) why, if I flood the switch
MAC table, it would become a hub??
The only case I can understand where the switch becomes a hub is if I can
fill the switch MAC table with faked MACs... otherwise the switch will
still work as a switch...
Am I wrong on this??
Thanks!

see around, Mauro Flores
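
Added example (not part of the original thread): a small Python simulation of the four-entry MAC table from Jim's message, showing which ports a frame for MAC 4 leaves on before and after an unknown MAC pushes it out of the table. The class and function names, the refresh-on-traffic behaviour and the optional max_per_port cap on learned addresses are assumptions of this sketch, not something stated in the thread.

```python
from collections import OrderedDict

class LearningSwitch:
    """Toy model of the bounded MAC table described in the message above."""

    def __init__(self, ports, table_size, max_per_port=None):
        self.ports = list(ports)
        self.table_size = table_size
        self.max_per_port = max_per_port  # assumption: optional per-port cap
        self.table = OrderedDict()        # MAC -> port, newest entry first
        self.rejected = []                # (port, MAC) pairs refused by the cap

    def _learn(self, mac, port):
        if mac not in self.table and self.max_per_port is not None:
            on_port = sum(1 for p in self.table.values() if p == port)
            if on_port >= self.max_per_port:
                self.rejected.append((port, mac))
                return False
        self.table[mac] = port
        self.table.move_to_end(mac, last=False)  # newest goes to the top
        if len(self.table) > self.table_size:
            self.table.popitem(last=True)        # the last entry falls off
        return True

    def forward(self, src, dst, in_port):
        """Return the ports a frame leaves on ([] if the source was refused)."""
        if not self._learn(src, in_port):
            return []
        if dst in self.table:
            return [self.table[dst]]                    # switched: one port
        return [p for p in self.ports if p != in_port]  # unknown: flooded

def demo(max_per_port=None):
    sw = LearningSwitch([1, 2, 3, 4], table_size=4, max_per_port=max_per_port)
    for n in (4, 3, 2, 1):                 # constructed traffic: MAC n on port n
        sw.forward(f"MAC{n}", "BROADCAST", n)
    before = sw.forward("MAC1", "MAC4", 1)
    sw.forward("NEWMAC", "BROADCAST", 1)   # unknown source arrives on port 1
    table = list(sw.table.items())
    after = sw.forward("MAC1", "MAC4", 1)
    return before, table, after, sw.rejected

if __name__ == "__main__":
    for cap in (None, 1):
        print(cap, demo(cap))
```

Without a cap the table ends up as in the "new table" listing and the frame for MAC 4 goes out every other port; with one address allowed per port the unknown source is refused and the frame still leaves on port 4 only.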




