Vulnerability Development mailing list archives
Re: switch jamming
From: blast <blast () baymoo org>
Date: Thu, 31 Jan 2002 09:42:18 -0800 (PST)
Blue Boar wrote:

> The Cisco switches at least can be secured against this, if you can live with the inconvenience. If you have one machine per port, you can configure the switch to learn the first MAC address it sees, and then not accept frames from any other address. This means that you can't move machines around or change NICs without the switch admin resetting the MAC address for the affected ports. It also means that you can't chain multiple machines off of any ports configured that way, say via a hub.

This comes at an administrative cost that is so high that mistakes are made and it does not scale. The better feature-set to look at which has promise in this approach is PRIVATE VLANs. Here you have a policy which is held at L2. It is described to the switch as policy and not as execution. Both Cisco and Foundry have something similar and the best way to research would be to Google for it. The property is held at the VLAN declaration. Ports placed in this VLAN have one of three policies.

Community pvlans

* A port assigned to a community pvlan has full connectivity to all other ports in the same community pvlan.
* Ports that are promiscuous to a community pvlan have full connectivity to all the ports belonging to this community pvlan.
* There can be several community pvlans within a primary pvlan but there is no direct layer-2 connectivity between ports belonging to different community pvlans.

Isolated pvlan

* A port assigned to the isolated pvlan can only reach the promiscuous ports of the isolated pvlan: there is no direct connectivity possible between two hosts in the isolated pvlan.
* Ports promiscuous to the isolated pvlan have full connectivity to all the ports belonging to the isolated pvlan.
* There is only one isolated pvlan in the primary pvlan (there is no need for several of them).

Promiscuous ports

* Promiscuous ports can talk to each other, even if they are not promiscuous to the same community or isolated pvlans.
* Promiscuous ports have full connectivity to each individual port belonging to the community or isolated pvlan they are promiscuous to.
* Promiscuous ports belong to the primary pvlan and can be promiscuous to several different community or isolated pvlans in this primary pvlan.

Good luck,

--blast
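The three private-VLAN port policies described in the post, as an added example (not part of the original message or any vendor's code): a small model of direct layer-2 reachability between ports of one primary pvlan, useful for sanity-checking a port layout before it goes on a switch. Port names and pvlan ids are constructed for illustration.

```python
# Added example: model of private-VLAN (pvlan) connectivity rules.
# Kinds: "community", "isolated" or "promiscuous". A community/isolated port
# carries the id of its secondary pvlan; a promiscuous port carries the set of
# secondary pvlans it is promiscuous to. Sample values below are constructed.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Port:
    name: str
    kind: str
    pvlan: Optional[str] = None                 # secondary pvlan of a host port
    promisc_to: FrozenSet[str] = field(default_factory=frozenset)


def can_talk(a: Port, b: Port) -> bool:
    """True if frames may pass directly at L2 between ports a and b."""
    if a is b:
        return True
    kinds = {a.kind, b.kind}
    if kinds == {"promiscuous"}:
        return True                              # promiscuous ports always reach each other
    if "promiscuous" in kinds:                   # promiscuous <-> host port
        prom, host = (a, b) if a.kind == "promiscuous" else (b, a)
        return host.pvlan in prom.promisc_to     # only if promiscuous to that pvlan
    if kinds == {"community"}:
        return a.pvlan == b.pvlan                # same community only
    return False                                 # isolated-isolated, isolated-community


def reachability(ports: List[Port]) -> Dict[str, List[str]]:
    """Map each port name to the sorted names of the other ports it can reach."""
    return {p.name: sorted(q.name for q in ports if q is not p and can_talk(p, q))
            for p in ports}


# Constructed layout: one gateway promiscuous to community A and the isolated
# pvlan, two hosts in community A, one host in community B, two isolated hosts.
GW = Port("gw", "promiscuous", promisc_to=frozenset({"comm-a", "iso"}))
A1, A2 = Port("a1", "community", "comm-a"), Port("a2", "community", "comm-a")
B1 = Port("b1", "community", "comm-b")
I1, I2 = Port("i1", "isolated", "iso"), Port("i2", "isolated", "iso")
LAYOUT = [GW, A1, A2, B1, I1, I2]

if __name__ == "__main__":
    for name, peers in reachability(LAYOUT).items():
        print(f"{name}: {peers}")
```

Note that b1 reaches nothing in this layout because the only promiscuous port is not promiscuous to comm-b, which is exactly the kind of misconfiguration the check is meant to surface.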