Vulnerability Development mailing list archives

Re: Vlans


From: Samuel Patton <dsap () MILLENNIUM-COMPUTING COM>
Date: Fri, 19 Jan 2001 01:31:20 -0600

Most commercial switches change algorithms to flood mode at around the
80-90% CPU util.  The most common way to push a switch into a high CPU
state is with ARP packets.  This technique has been known for a while and
is pretty noisy.  ARP packets are destined for the broadcast Ethernet
address and thus data must be copied to all ports.  If you are interested
in reproducing this, all you need is the data structure for the ARP frame,
which is documented in RFC 826, and the sendto() function combined with a
raw socket, or I suppose you could just use libnet.
John's previous comment about physically separating the switches is a
solid design principle as a preventative mechanism for this type of attack.

-Sam
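As an added example (not code from Sam's message or from anyone else in this thread), the C program below lays out the Ethernet/IPv4 ARP request described in RFC 826 byte by byte, parses it back with the length and type checks a receiver applies, and, on Linux only, hands the raw frame to sendto() on an AF_PACKET socket as Sam suggests. It also makes John's point concrete: the destination is ff:ff:ff:ff:ff:ff, so the switch has to copy it to every port. The MAC and IP addresses in main() are constructed sample values, the interface name is read from argv[1] and is an assumption, and the function names (arp_build_request, arp_parse, arp_send_raw) are mine. It builds and sends one frame; it does not measure how any particular switch behaves under sustained broadcast load.

```c
/* RFC 826 ARP request: build, validate, and (Linux) send over a raw socket.
 * Added example for this thread; not the original poster's code. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HW_LEN 6                  /* ar$hln: Ethernet address length */
#define PROTO_LEN 4               /* ar$pln: IPv4 address length */
#define ARP_FRAME_LEN (14 + 28)   /* Ethernet header + ARP body (Ethernet/IPv4) */

/* Decoded ARP body, using the RFC 826 field names, plus the Ethernet destination. */
struct arp_fields {
    uint8_t  eth_dst[HW_LEN];
    uint16_t ar_hrd, ar_pro, ar_op;
    uint8_t  ar_hln, ar_pln;
    uint8_t  ar_sha[HW_LEN], ar_spa[PROTO_LEN];
    uint8_t  ar_tha[HW_LEN], ar_tpa[PROTO_LEN];
};

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Serialize "who has tpa? tell spa" into out (ARP_FRAME_LEN bytes). The Ethernet
 * destination is the broadcast address, so a switch must copy the frame to every
 * port. Returns the frame length. */
size_t arp_build_request(uint8_t *out, const uint8_t *sha,
                         const uint8_t *spa, const uint8_t *tpa)
{
    memset(out, 0xff, HW_LEN);            /* dst MAC ff:ff:ff:ff:ff:ff */
    memcpy(out + 6, sha, HW_LEN);         /* src MAC */
    put16(out + 12, 0x0806);              /* EtherType: ARP */
    put16(out + 14, 1);                   /* ar$hrd: Ethernet */
    put16(out + 16, 0x0800);              /* ar$pro: IPv4 */
    out[18] = HW_LEN;                     /* ar$hln */
    out[19] = PROTO_LEN;                  /* ar$pln */
    put16(out + 20, 1);                   /* ar$op: REQUEST */
    memcpy(out + 22, sha, HW_LEN);        /* ar$sha */
    memcpy(out + 28, spa, PROTO_LEN);     /* ar$spa */
    memset(out + 32, 0, HW_LEN);          /* ar$tha: unknown, all zero */
    memcpy(out + 38, tpa, PROTO_LEN);     /* ar$tpa */
    return ARP_FRAME_LEN;
}

/* Parse an Ethernet/IPv4 ARP frame. Returns 0 on success, -1 if it is too short,
 * not ARP, or carries hardware/protocol types or lengths other than Ethernet/IPv4. */
int arp_parse(const uint8_t *buf, size_t len, struct arp_fields *f)
{
    if (len < ARP_FRAME_LEN || get16(buf + 12) != 0x0806) return -1;
    memcpy(f->eth_dst, buf, HW_LEN);
    f->ar_hrd = get16(buf + 14);
    f->ar_pro = get16(buf + 16);
    f->ar_hln = buf[18];
    f->ar_pln = buf[19];
    f->ar_op  = get16(buf + 20);
    if (f->ar_hrd != 1 || f->ar_pro != 0x0800 ||
        f->ar_hln != HW_LEN || f->ar_pln != PROTO_LEN) return -1;
    memcpy(f->ar_sha, buf + 22, HW_LEN);
    memcpy(f->ar_spa, buf + 28, PROTO_LEN);
    memcpy(f->ar_tha, buf + 32, HW_LEN);
    memcpy(f->ar_tpa, buf + 38, PROTO_LEN);
    return 0;
}

#ifdef __linux__
#include <sys/socket.h>
#include <netpacket/packet.h>
#include <net/if.h>
#include <arpa/inet.h>
#include <unistd.h>

/* Give the kernel the finished frame unchanged (needs CAP_NET_RAW). */
int arp_send_raw(const char *ifname, const uint8_t *frame, size_t len)
{
    unsigned idx = if_nametoindex(ifname);
    if (idx == 0) return -1;
    int fd = socket(AF_PACKET, SOCK_RAW, htons(0x0806));
    if (fd < 0) return -1;
    struct sockaddr_ll sll;
    memset(&sll, 0, sizeof sll);
    sll.sll_family  = AF_PACKET;
    sll.sll_ifindex = (int)idx;
    sll.sll_halen   = HW_LEN;
    memcpy(sll.sll_addr, frame, HW_LEN);       /* destination MAC from the frame */
    ssize_t n = sendto(fd, frame, len, 0, (struct sockaddr *)&sll, sizeof sll);
    close(fd);
    return n == (ssize_t)len ? 0 : -1;
}
#endif

int main(int argc, char **argv)
{
    /* Constructed sample addresses (assumption, not taken from the thread). */
    const uint8_t sha[HW_LEN] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55};
    const uint8_t spa[PROTO_LEN] = {192, 168, 1, 10};
    const uint8_t tpa[PROTO_LEN] = {192, 168, 1, 1};
    uint8_t frame[ARP_FRAME_LEN];
    struct arp_fields f;
    size_t n = arp_build_request(frame, sha, spa, tpa);
    for (size_t i = 0; i < n; i++)
        printf("%02x%c", frame[i], (i % 16 == 15 || i + 1 == n) ? '\n' : ' ');
    if (arp_parse(frame, n, &f) != 0) { fputs("round-trip parse failed\n", stderr); return 1; }
    printf("op=%u who-has %u.%u.%u.%u tell %u.%u.%u.%u\n", f.ar_op,
           f.ar_tpa[0], f.ar_tpa[1], f.ar_tpa[2], f.ar_tpa[3],
           f.ar_spa[0], f.ar_spa[1], f.ar_spa[2], f.ar_spa[3]);
#ifdef __linux__
    if (argc > 1) return arp_send_raw(argv[1], frame, n) == 0 ? 0 : 1;   /* argv[1]: interface */
#else
    (void)argc; (void)argv;
#endif
    return 0;
}
```

Run without arguments to see the 42-byte frame in hex and the decoded request; passing an interface name (Linux, with CAP_NET_RAW) sends that one frame. Serializing by hand rather than through a packed struct keeps the byte offsets explicit and independent of compiler layout, which is also what makes the parser's checks on ar$hrd, ar$pro, ar$hln and ar$pln meaningful when reading frames off the wire.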
----- Original Message -----
From: "John Kinsella" <jlk () slip net>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Thursday, January 18, 2001 2:35 AM
Subject: Re: Vlans


Tim - In theory it's possible to "flatten" VLANs on a switch by slamming
the switch's CPU with enough traffic that it stops tagging packets for
the appropriate VLANs.  From what I understand, at this point instead of
the switch dropping the packet, it sends the packet out destined for all
VLANs.  There was some discussion on this topic on bugtraq last year.

I've been meaning to test out the theory myself in the lab over the last
few weeks but haven't had a chance yet...I will say that unless money is
a serious constraint that a client has, I always try to keep internal
and external network traffic on physically separate switches.  Some
peace of mind may come, though, from considering that the amount of
traffic needed to jump a switch's VLANs *should* be more than easily
generated by a remote user...I'd guess at least 80% of a switch's
backplane capacity would need to be forced through the switch.

John

On Wed, Jan 17, 2001 at 09:02:03AM -0800, Tim Salus wrote:
I am not certain if this is the place to ask this and if not please let
me know where to send it.

I have a client who has the following configuration

Internet -> router -> firewall -> load balancer

The connection from the router to the firewall is on a switch and the
connection from the inside interface of the firewall is on the same
switch. The separation is done using VLANs.

I was taught this is bad due to 802.1q tagging and VLAN hopping using
tagged packets. The problem is I can find very little information on
this to prove my point.

Also, what if there is no 802.1q trunking being done? Is there still a
problem with this?

Is there an exploit to get around the firewall and do server flooding by
jumping VLANs?

No one can get on the firewall segment, so what I need to know is: can
anyone on the internet cause a problem with this type of configuration?

Thanks in advance

Timothy L. Salus
