Vulnerability Development mailing list archives

Re: switch jamming


From: blast <blast () baymoo org>
Date: Thu, 31 Jan 2002 09:42:18 -0800 (PST)


Blue Boar wrote:
The Cisco switches at least can be secured against this, if you can
live with the inconvenience.  If you have one machine per port, you
can configure the switch to learn the first MAC address it sees,
and then not accept frames from any other address.  This means
that you can't move machines around or change NICs without the
switch admin resetting the MAC address for the affected ports.  It also
means that you can't chain multiple machines off of any ports
configured that way, say via a hub.

This comes at an administrative cost that is so high
that mistakes are made and it does not scale.

The better feature-set to look at which has promise
in this approach is PRIVATE VLANs.  Here you have a
policy which is held at L2.  It is described to the
switch as policy and not as execution.
Both Cisco and Foundry have something similar and the
best way to research would be to Google for it.

The property is held at the VLAN declaration.
Ports placed in this VLAN have one of three policies.

Community pvlans

*   A port assigned to a community pvlan has full connectivity to all other
    ports in the same community pvlan.
*   Ports that are promiscuous to a community pvlan have full connectivity
    to all the ports belonging to this community pvlan.
*   There can be several community pvlans within a primary pvlan but there
    is no direct layer-2 connectivity between ports belonging to different
    community pvlans.


Isolated pvlan

*   A port assigned to the isolated pvlan can only reach the promiscuous
    ports of the isolated pvlan: there is no direct connectivity possible
    between two hosts in the isolated pvlan.
*   Ports promiscuous to the isolated pvlan have full connectivity to all
    the ports belonging to the isolated pvlan.
*   There is only one isolated pvlan in the primary pvlan (there is no need
    for several of them).


Promiscuous ports

*   Promiscuous ports can talk to each other, even if they are not
    promiscuous to the same community or isolated pvlans.
*   Promiscuous ports have full connectivity to each individual port
    belonging to the community or isolated pvlan they are promiscuous to.
*   Promiscuous ports belong to the primary pvlan and can be promiscuous to
    several different community or isolated pvlans in this primary pvlan.



Good luck,
--blast
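The three port policies described in the post above, modelled as an added Python example (not part of the original message or of any vendor's code): it encodes the community, isolated and promiscuous rules for ports within one primary pvlan and computes pairwise layer-2 reachability for a constructed topology whose port names and VLAN numbers are made up.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Port:
    """One switch port inside a single primary pvlan."""
    name: str
    kind: str                                # "community", "isolated" or "promiscuous"
    secondary: Optional[str] = None          # secondary pvlan a host port is assigned to
    mappings: FrozenSet[str] = frozenset()   # secondary pvlans a promiscuous port serves


def can_talk(a: Port, b: Port) -> bool:
    """True if a and b have direct layer-2 connectivity under the pvlan rules."""
    if a.kind == "promiscuous" and b.kind == "promiscuous":
        return True                          # promiscuous ports always reach each other
    if a.kind == "promiscuous":
        return b.secondary in a.mappings     # promiscuous port serves b's secondary pvlan
    if b.kind == "promiscuous":
        return a.secondary in b.mappings
    # Two host ports: only members of the same community pvlan may talk;
    # an isolated port never reaches another host port directly.
    return a.kind == "community" and b.kind == "community" and a.secondary == b.secondary


def reachability(ports):
    """Pairwise reachability for a list of ports, keyed by (earlier name, later name)."""
    return {(a.name, b.name): can_talk(a, b) for a, b in combinations(ports, 2)}


# Constructed sample topology (names and VLAN ids are invented for this example):
# primary pvlan 100 containing community pvlan 101 and isolated pvlan 102.
SAMPLE_PORTS = [
    Port("web1", "community", secondary="101"),
    Port("web2", "community", secondary="101"),
    Port("db1", "isolated", secondary="102"),
    Port("db2", "isolated", secondary="102"),
    Port("uplink", "promiscuous", mappings=frozenset({"101", "102"})),
    Port("monitor", "promiscuous", mappings=frozenset({"101"})),
]

if __name__ == "__main__":
    for (x, y), ok in reachability(SAMPLE_PORTS).items():
        print(f"{x:8} <-> {y:8} {'allowed' if ok else 'blocked'}")
```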

