sean (Guest)
Posted: Sat Mar 12, 2005 1:07 am
Post subject: Re: Switch behavior when MAC table full

Arnold Nipper wrote:

Um, how so? They basically repeat what I said! But a better link is:
http://www.sans.org/resources/idfaq/switched_network.php
which states:

> MAC Flooding
> Since switches are responsible for setting up the virtual circuits from
> one node to another, they must keep a translation table that tracks
> which addresses (specifically, which MAC addresses) are on which
> physical port. The amount of memory for this translation table is
> limited. This fact allows the switch to be exploited for sniffing
> purposes. On some switches, it is possible to bombard the switch with
> bogus MAC address data. The switch, not knowing how to handle the
> excess data, will 'fail open'. That is, it will revert to a hub and
> will broadcast all network frames to all ports. At this point, one of
> the more generic network sniffers will work.

Note it says it will broadcast *ALL* frames to *ALL* ports.
And given whose website that's from, I would tend to trust it ;-)
Arnold Nipper (Guest)
Posted: Sat Mar 12, 2005 1:17 am
Post subject: Re: Switch behavior when MAC table full

On 11.03.2005 20:33 sean wrote:

> I know this is not how the switches SHOULD behave, but it seems that
> many switches do indeed revert to being a hub when the MAC table fills
> up. I have seen multiple discussions of this behavior on the net - it's
> a fairly well known phenomenon. In fact I am surprised that you of all
> people have not heard of this.
> It is also possible it's not a common problem but a common
> misconception, of course. I'll search a little and post more links.

At least Cisco switches behave as Rich pointed out. See
http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a00801d0808.shtml
for details.

Arnold
--
Arnold Nipper, AN45
sean (Guest)
Posted: Sat Mar 12, 2005 1:18 am
Post subject: Re: Switch behavior when MAC table full

Arnold Nipper wrote:

Someone once told me they had seen a Cisco switch act as I described.
Sorry, I do not have more details like model, who said it, what CatOS or
IOS version, etc.
I do know my Cisco 1548 at home behaves as I described, but you may not
want to count that (low end, discontinued, etc.)
Arnold Nipper (Guest)
Posted: Sat Mar 12, 2005 1:32 am
Post subject: Re: Switch behavior when MAC table full

On 11.03.2005 21:07 sean wrote:

> Um, how so? They basically repeat what I said! But a better link is:
> http://www.sans.org/resources/idfaq/switched_network.php
> which states:
>
> > MAC Flooding
> > Since switches are responsible for setting up the virtual circuits from
> > one node to another, they must keep a translation table that tracks
> > which addresses (specifically, which MAC addresses) are on which
> > physical port. The amount of memory for this translation table is
> > limited. This fact allows the switch to be exploited for sniffing
> > purposes. On some switches, it is possible to bombard the switch with
> > bogus MAC address data. The switch, not knowing how to handle the
> > excess data, will 'fail open'. That is, it will revert to a hub and
> > will broadcast all network frames to all ports. At this point, one of
> > the more generic network sniffers will work.
>
> Note it says it will broadcast *ALL* frames to *ALL* ports.
> And given whose website that's from, I would tend to trust it ;-)

Note also that it says _On some switches_ ... that's quite different
from _on all switches_.
So I guess "all switches will flood some frames" and "some switches will
flood all frames" is the truth ;-)

Arnold
--
Arnold Nipper, AN45
Arnold Nipper (Guest)
Posted: Sat Mar 12, 2005 1:34 am
Post subject: Re: Switch behavior when MAC table full

On 11.03.2005 21:18 sean wrote:

That document says "This document is not restricted to specific
software and hardware versions."

Arnold
--
Arnold Nipper, AN45
sean (Guest)
Posted: Sat Mar 12, 2005 1:51 am
Post subject: Re: Switch behavior when MAC table full

Arnold Nipper wrote:

> Note also that it says _On some switches_ ... that's quite different
> from _on all switches_.

However, at no point did I ever say ALL switches. I did at one point say
"most", and then I backpedaled on that.
I can say all I have tested this on (so far only Netgear and low end
Cisco) do it.
I don't have the cojones to try it on my production BayStack 450s yet.
If it works it will disrupt things quite a bit. Maybe some quiet early
morning, say at 3:00 am, I might try it...

> So I guess "all switches will flood some frames" and "some switches will
> flood all frames" is the truth ;-)
>
> Arnold
Michael Roberts (Guest)
Posted: Sat Mar 12, 2005 2:24 am
Post subject: Re: Switch behavior when MAC table full

Has anyone seen a vendor create some type of security feature to prevent
MAC table flood attacks? If so, I would be curious to know how this works,
given that bogus MAC addresses could be completely random...

-mike

sean wrote:

> Arnold Nipper wrote:
>
> > Note also that it says _On some switches_ ... that's quite different
> > from _on all switches_.
>
> However, at no point did I ever say ALL switches. I did at one point say
> "most", and then I backpedaled on that.
> I can say all I have tested this on (so far only Netgear and low end
> Cisco) do it.
> I don't have the cojones to try it on my production BayStack 450s yet.
> If it works it will disrupt things quite a bit. Maybe some quiet early
> morning, say at 3:00 am, I might try it...
>
> > So I guess "all switches will flood some frames" and "some switches
> > will flood all frames" is the truth ;-)
> >
> > Arnold
Arnold Nipper (Guest)
Posted: Sat Mar 12, 2005 2:49 am
Post subject: Re: Switch behavior when MAC table full

On 11.03.2005 22:24 Michael Roberts wrote:

> Has anyone seen a vendor create some type of security feature to prevent
> MAC table flood attacks? If so, I would be curious to know how this works,
> given that bogus MAC addresses could be completely random...

CatOS lets you disable unicast flooding on a per-port basis:

    sw003> (enable) set port unicast-flood 1/1 disable

See
http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a008022f290.html
for more information on how to configure Unicast Flood Blocking.

Arnold
--
Arnold Nipper, AN45
Rich Seifert (Guest)
Posted: Sat Mar 12, 2005 2:54 am
Post subject: Re: Switch behavior when MAC table full

In article <1133v4facl9j6da@news.supernews.com>,
sean <sean@snerts-r-us.org> wrote:

> http://www.sans.org/resources/idfaq/switched_network.php
> which states:
>
> > MAC Flooding
> > Since switches are responsible for setting up the virtual circuits from
> > one node to another, they must keep a translation table that tracks
> > which addresses (specifically, which MAC addresses) are on which
> > physical port. The amount of memory for this translation table is
> > limited. This fact allows the switch to be exploited for sniffing
> > purposes. On some switches, it is possible to bombard the switch with
> > bogus MAC address data. The switch, not knowing how to handle the
> > excess data, will 'fail open'. That is, it will revert to a hub and
> > will broadcast all network frames to all ports. At this point, one of
> > the more generic network sniffers will work.
>
> Note it says it will broadcast *ALL* frames to *ALL* ports.
> And given whose website that's from, I would tend to trust it ;-)

And I would tend *not* to trust it, since the author thinks that
switches set up "virtual circuits from one node to another." Clearly,
the writer is "fast and loose" with his terminology, which leads me to
question what he means by "broadcast".

I have never heard of, nor seen, a switch that truly acts as a repeater
when its address table is full. In fact, since it would take
*additional, unneeded logic* in order to behave this way, I find it hard
to believe any designer would go to the trouble to do so.

--
Rich Seifert              Networks and Communications Consulting
21885 Bear Creek Way
(408) 395-5700            Los Gatos, CA 95033
(408) 228-0803 FAX
Send replies to: usenet at richseifert dot com
sean (Guest)
Posted: Sat Mar 12, 2005 3:37 am
Post subject: Re: Switch behavior when MAC table full

Rich Seifert wrote:

> In article <1133v4facl9j6da@news.supernews.com>,
> sean <sean@snerts-r-us.org> wrote:
>
> > http://www.sans.org/resources/idfaq/switched_network.php
> > which states:
> >
> > > MAC Flooding
> > > Since switches are responsible for setting up the virtual circuits from
> > > one node to another, they must keep a translation table that tracks
> > > which addresses (specifically, which MAC addresses) are on which
> > > physical port. The amount of memory for this translation table is
> > > limited. This fact allows the switch to be exploited for sniffing
> > > purposes. On some switches, it is possible to bombard the switch with
> > > bogus MAC address data. The switch, not knowing how to handle the
> > > excess data, will 'fail open'. That is, it will revert to a hub and
> > > will broadcast all network frames to all ports. At this point, one of
> > > the more generic network sniffers will work.
> >
> > Note it says it will broadcast *ALL* frames to *ALL* ports.
> > And given whose website that's from, I would tend to trust it ;-)
>
> And I would tend *not* to trust it, since the author thinks that
> switches set up "virtual circuits from one node to another." Clearly,
> the writer is "fast and loose" with his terminology, which leads me to
> question what he means by "broadcast".
>
> I have never heard of, nor seen, a switch that truly acts as a repeater
> when its address table is full. In fact, since it would take
> *additional, unneeded logic* in order to behave this way, I find it hard
> to believe any designer would go to the trouble to do so.

Yes, I agree he is fast and loose with his terminology. But I have SEEN
this (seen switches start acting as hubs when the MAC address table
fills up) with my own eyes. Also, a large part of the functionality of
dsniff is based on this phenomenon.

Yes, it DOES require extra logic. I think the philosophy behind this
design is likely something along the lines of "it is better to lose the
switch functionality and have unnecessary traffic go to ports where it
is not needed than drop any packets" - and of course this design will
wreak absolute havoc in a spanning tree environment - you'd basically
have it all start looping...
Arnold Nipper (Guest)
Posted: Sat Mar 12, 2005 4:05 am
Post subject: Re: Switch behavior when MAC table full

On 11.03.2005 23:37 sean wrote:

> Yes, it DOES require extra logic. I think the philosophy behind this
> design is likely something along the lines of "it is better to lose the
> switch functionality and have unnecessary traffic go to ports where it
> is not needed than drop any packets" - and of course this design will
> wreak absolute havoc in a spanning tree environment - you'd basically
> have it all start looping...

What you write does not make sense to me. Only flooding traffic for
unknown MAC addresses would already match your philosophy, whereas
traffic for known destinations is still not flooded.
Moreover, imagine what flooding all traffic means on a switch with
different port speeds. A lightly loaded GE port will swamp all FE and
Eth ports already when there is minimal traffic for an unknown destination.
And as Rich pointed out: you need extra logic which buys you nothing.

Arnold
--
Arnold Nipper
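The distinction Arnold draws in the two posts above (a normal bridge floods only frames whose destination is unknown, while the disputed "fail open" behaviour would repeat every frame once the table is full) and the per-port Unicast Flood Blocking he mentioned earlier are easy to see in a toy model. The following is an added example, not code from the thread, from Cisco, or from any vendor: a learning switch with a deliberately tiny forwarding table, a `fail_open` flag that models the hub-like behaviour being debated, a `flood_blocked` set that models ports which never receive flooded unknown unicast, and a simple monitoring heuristic (ports sourcing an abnormal number of distinct addresses) of the kind a port-limit or anomaly check would use. Port numbers, MAC addresses, the table size and the scenario are all constructed for the example; no ageing is modelled.

```python
from collections import OrderedDict, defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    """Toy model of a transparent bridge's forwarding database (FDB).

    Assumptions (this is a model, not any vendor's implementation):
    - the FDB holds at most `table_size` entries and, once full, simply
      stops learning new source addresses (no ageing is modelled);
    - `fail_open=True` models the behaviour debated in the thread: once
      the table is full, every frame is repeated out of all other ports;
    - `flood_blocked` ports model per-port "unicast flood blocking": they
      never receive flooded unknown-unicast frames but still get broadcasts.
    """

    def __init__(self, ports, table_size, fail_open=False, flood_blocked=()):
        self.ports = list(ports)
        self.table_size = table_size
        self.fail_open = fail_open
        self.flood_blocked = set(flood_blocked)
        self.fdb = OrderedDict()              # mac -> port
        self.sources_seen = defaultdict(set)  # port -> {source macs}, for monitoring

    def table_full(self):
        return len(self.fdb) >= self.table_size

    def forward(self, in_port, src, dst):
        """Return the list of ports the frame is sent out of."""
        self.sources_seen[in_port].add(src)
        # Source learning: refresh an existing entry, or add one if there is room.
        if src in self.fdb or not self.table_full():
            self.fdb[src] = in_port
        others = [p for p in self.ports if p != in_port]
        if dst == BROADCAST:
            return others                     # broadcast always goes everywhere
        if self.fail_open and self.table_full():
            return others                     # the disputed "revert to a hub" case
        if dst in self.fdb:
            out = self.fdb[dst]
            return [] if out == in_port else [out]   # known destination: one port
        # Unknown unicast: flood, except to ports with flooding blocked.
        return [p for p in others if p not in self.flood_blocked]


def ports_over_source_limit(switch, limit):
    """Monitoring heuristic: ports that have sourced more than `limit`
    distinct MAC addresses. An access port normally sources one or a few."""
    return sorted(p for p, macs in switch.sources_seen.items() if len(macs) > limit)


def run_scenario(fail_open, flood_blocked=()):
    """Constructed scenario: hosts A and B on ports 1 and 2, a port 3 that
    sources many distinct addresses, and an idle port 4. Returns the output
    ports for a known-destination frame, for an unknown-destination frame,
    and the ports flagged by the monitoring heuristic."""
    sw = LearningSwitch(ports=[1, 2, 3, 4], table_size=4,
                        fail_open=fail_open, flood_blocked=flood_blocked)
    a, b = "02:aa:00:00:00:01", "02:bb:00:00:00:02"   # constructed addresses
    sw.forward(1, a, b)          # B unknown yet: flooded; A learned on port 1
    sw.forward(2, b, a)          # A known: sent to port 1 only; B learned on port 2
    for i in range(10):          # port 3 sources ten distinct (constructed) addresses
        sw.forward(3, "02:cc:00:00:00:%02x" % i, BROADCAST)
    known = sw.forward(1, a, b)                        # A -> B, B is in the table
    unknown = sw.forward(1, a, "02:dd:00:00:00:ff")    # A -> never-seen address
    return known, unknown, ports_over_source_limit(sw, limit=5)


if __name__ == "__main__":
    for mode in (False, True):
        print("fail_open=%s:" % mode, run_scenario(fail_open=mode))
    print("flood blocked on port 4:", run_scenario(False, flood_blocked=[4]))
```

With `fail_open=False` the full table changes nothing for A's traffic to B (it still leaves only port 2), and only the frame to an unknown address is flooded; with `fail_open=True` the known-destination frame is repeated to every other port, which is exactly what a sniffer on port 3 would need. Blocking unicast flooding on port 4 keeps flooded unknown-unicast frames away from that port in both cases, and in every run the monitoring heuristic flags port 3, because ten distinct source addresses on one access port is far outside normal behaviour regardless of how the switch forwards.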
sean (Guest)
Posted: Sat Mar 12, 2005 4:05 am
Post subject: Re: Switch behavior when MAC table full

Rich Seifert wrote:

> In article <1133v4facl9j6da@news.supernews.com>,
> sean <sean@snerts-r-us.org> wrote:
>
> > http://www.sans.org/resources/idfaq/switched_network.php
> > which states:
> >
> > > MAC Flooding
> > > Since switches are responsible for setting up the virtual circuits from
> > > one node to another, they must keep a translation table that tracks
> > > which addresses (specifically, which MAC addresses) are on which
> > > physical port. The amount of memory for this translation table is
> > > limited. This fact allows the switch to be exploited for sniffing
> > > purposes. On some switches, it is possible to bombard the switch with
> > > bogus MAC address data. The switch, not knowing how to handle the
> > > excess data, will 'fail open'. That is, it will revert to a hub and
> > > will broadcast all network frames to all ports. At this point, one of
> > > the more generic network sniffers will work.
> >
> > Note it says it will broadcast *ALL* frames to *ALL* ports.
> > And given whose website that's from, I would tend to trust it ;-)
>
> And I would tend *not* to trust it, since the author thinks that
> switches set up "virtual circuits from one node to another." Clearly,
> the writer is "fast and loose" with his terminology, which leads me to
> question what he means by "broadcast".
>
> I have never heard of, nor seen, a switch that truly acts as a repeater
> when its address table is full. In fact, since it would take
> *additional, unneeded logic* in order to behave this way, I find it hard
> to believe any designer would go to the trouble to do so.

Here is a link that specifically states Cisco Catalyst 5000s do this:
http://synfin.net/papers/switch_security.pdf
Arnold Nipper (Guest)
Posted: Sat Mar 12, 2005 4:27 am
Post subject: Re: Switch behavior when MAC table full

On 12.03.2005 00:05 sean wrote:

> Rich Seifert wrote:
>
> > I have never heard of, nor seen, a switch that truly acts as a repeater
> > when its address table is full. In fact, since it would take
> > *additional, unneeded logic* in order to behave this way, I find it hard
> > to believe any designer would go to the trouble to do so.
>
> Here is a link that specifically states Cisco Catalyst 5000s do this:
> http://synfin.net/papers/switch_security.pdf

Read carefully ... that paper doesn't say that. It says that all frames
are dumped to all ports first (whatever that means) and that the Sup
has to tell each port besides the actual destination port to drop the frame.
I can't find any line that says that the Cat5k dumps traffic from all
ports to all ports when the CAM table is full.

Arnold
--
Arnold Nipper, AN45
sean (Guest)
Posted: Sat Mar 12, 2005 4:33 am
Post subject: Re: Switch behavior when MAC table full

Arnold Nipper wrote:

> On 12.03.2005 00:05 sean wrote:
>
> > Rich Seifert wrote:
> >
> > > I have never heard of, nor seen, a switch that truly acts as a
> > > repeater when its address table is full. In fact, since it would take
> > > *additional, unneeded logic* in order to behave this way, I find it
> > > hard to believe any designer would go to the trouble to do so.
> >
> > Here is a link that specifically states Cisco Catalyst 5000s do this:
> > http://synfin.net/papers/switch_security.pdf
>
> Read carefully ... that paper doesn't say that. It says that all frames
> are dumped to all ports first (whatever that means) and that the Sup
> has to tell each port besides the actual destination port to drop the
> frame.
> I can't find any line that says that the Cat5k dumps traffic from all
> ports to all ports when the CAM table is full.

You are right. It says when the processor is overloaded, not when the
CAM table is full. So nix that example.
sean (Guest)
Posted: Sat Mar 12, 2005 4:37 am
Post subject: Re: Switch behavior when MAC table full

Arnold Nipper wrote:

> What you write does not make sense to me. Only flooding traffic for
> unknown MAC addresses would already match your philosophy, whereas
> traffic for known destinations is still not flooded.
> Moreover, imagine what flooding all traffic means on a switch with
> different port speeds. A lightly loaded GE port will swamp all FE and
> Eth ports already when there is minimal traffic for an unknown destination.
> And as Rich pointed out: you need extra logic which buys you nothing.

Agreed. However:
1. Try googling "fail open" "ethernet switch" - dozens of links
   describing what I state (and many dozens of links as well that have
   nothing to do with the topic, so you do need to sort through a bit).
2. dsniff is in part based on this phenomenon being real.
3. I've witnessed it.