Vulnerability Development mailing list archives
Re: Vlans
From: Samuel Patton <dsap () MILLENNIUM-COMPUTING COM>
Date: Fri, 19 Jan 2001 01:31:20 -0600
Most commercial switches change algorithms to flood mode at around 80-90% CPU utilization. The most common way to push a switch into a high CPU state is with ARP packets. This technique has been known for a while and is pretty noisy. ARP packets are destined for the broadcast Ethernet address and thus the data must be copied to all ports. If you are interested in reproducing this, all you need is the data structure for the ARP frame, which is documented in RFC 826, and the sendto() function combined with a raw socket, or I suppose you could just use libnet.

John's previous comment about physically separating the switches is a solid design principle as a preventative mechanism for this type of attack.

-Sam

----- Original Message -----
From: "John Kinsella" <jlk () slip net>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Thursday, January 18, 2001 2:35 AM
Subject: Re: Vlans
Tim -

In theory it's possible to "flatten" VLANs on a switch by slamming the switch's CPU with enough traffic that it stops tagging packets for the appropriate VLANs. From what I understand, at this point instead of the switch dropping the packet, it sends the packet out destined for all VLANs. There was some discussion on this topic on bugtraq last year. I've been meaning to test out the theory myself in the lab over the last few weeks but haven't had a chance yet...

I will say that unless money is a serious constraint that a client has, I always try to keep internal and external network traffic on physically separate switches. Some peace of mind may come, though, from considering that the amount of traffic needed to jump a switch's VLANs *should* be more than easily generated by a remote user...I'd guess at least 80% of a switch's backplane capacity would need to be forced through the switch.

John

On Wed, Jan 17, 2001 at 09:02:03AM -0800, Tim Salus wrote:

I am not certain if this is the place to ask this, and if not please let me know where to send it. I have a client who has the following configuration:

Internet -> router -> firewall -> load balancer

The connection from the router to the firewall is on a switch, and the connection from the inside interface of the firewall is on the same switch. The separation is done using VLANs. I was taught this is bad due to 802.1q tagging and VLAN hopping using tagged packets. The problem is I can find very little information on this to prove my point. Also, what if there is no 802.1q trunking being done? Is there still a problem with this? Is there an exploit to get around the firewall and do server flooding by jumping VLANs? No one can get on the firewall segment, so what I need to know is: can anyone on the internet cause a problem with this type of configuration?

Thanks in advance,
Timothy L. Salus
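Sam's reply describes the flood as broadcast ARP frames laid out per RFC 826, and notes the technique is noisy. The detection side of that observation, as an added example not taken from any post in the thread: a parser for the RFC 826 Ethernet/IPv4 ARP frame and a per-sender rate check that flags a host emitting an abnormal volume of broadcast ARP in a short window. The capture, the MAC/IP values and the threshold of 100 frames per second are all constructed here for illustration; a real baseline comes from the segment's normal ARP rate.

```python
import struct
from collections import Counter, defaultdict

ETH_ARP = 0x0806                    # EtherType for ARP
BROADCAST = b"\xff" * 6
# RFC 826 ARP body for Ethernet/IPv4 (28 bytes): htype, ptype, hlen, plen,
# oper, sender MAC, sender IP, target MAC, target IP.
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_LEN = struct.calcsize(ARP_FMT)  # 28

def parse_arp(frame: bytes):
    """Return (src_mac, oper, is_broadcast) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 14 + ARP_LEN:
        return None
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_ARP:
        return None
    htype, ptype, hlen, plen, oper, *_ = struct.unpack(ARP_FMT, frame[14:14 + ARP_LEN])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None                  # only Ethernet/IPv4 ARP is handled here
    return src, oper, dst == BROADCAST

def flood_sources(frames, window_s=1.0, max_per_window=100):
    """Flag sender MACs whose broadcast ARP count exceeds max_per_window in any window.

    `frames` is an iterable of (timestamp_seconds, raw_frame); the threshold is an
    assumed tuning value, not a figure from the thread.
    """
    per_window = defaultdict(Counter)
    for ts, frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or not parsed[2]:
            continue                 # ignore non-ARP and unicast ARP replies
        per_window[int(ts // window_s)][parsed[0]] += 1
    return {mac for c in per_window.values() for mac, n in c.items() if n > max_per_window}

def make_request(src_mac: bytes, spa: bytes, tpa: bytes) -> bytes:
    """Constructed test fixture: one broadcast ARP request (oper=1) as raw bytes."""
    body = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, 1, src_mac, spa, b"\x00" * 6, tpa)
    return BROADCAST + src_mac + struct.pack("!H", ETH_ARP) + body

def sample_capture():
    """Constructed capture: one host sends 150 requests within a second, another sends 2."""
    noisy, quiet = b"\x02\x00\x00\x00\x00\x01", b"\x02\x00\x00\x00\x00\x02"
    gw = b"\x0a\x00\x00\x02"
    frames = [(i / 150, make_request(noisy, b"\x0a\x00\x00\x01", gw)) for i in range(150)]
    frames += [(0.3, make_request(quiet, b"\x0a\x00\x00\x03", gw)),
               (0.7, make_request(quiet, b"\x0a\x00\x00\x03", gw))]
    return frames
```

Running `flood_sources(sample_capture())` on the constructed capture returns only the noisy MAC; feeding it real frames from a pcap reader gives the same per-window view of which host is driving the broadcast load the posts describe.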