Does anybody know of any switches that can protect against this type of
attack, or is virtually every switch affected? I imagine this is "old
news," so what have vendors done to counteract this type of activity?

-----Original Message-----
From: Sebastian Jaenicke [mailto:tsajaenicke.org]
Sent: Wednesday, January 30, 2002 5:13 PM
To: vuln-devsecurityfocus.com
Subject: Re: switch jamming

Hi,

On Wed, Jan 30, 2002 at 10:05:08PM +0000, Jan wrote:
[..]
> how can i sniff upon a switched network segment ? a read some articles
about "switch jamming" and "port mirroring" but up to know i didn't
learn anything special at all.
> ca some of your guys out there help me ? (i'm sure some of you can but
are you willing, too ?)
>

This can be achieved by flooding the switch with spoofed ARP packets
until
its internal MAC table is filled up - most switches will then revert to
"hub mode" and therefore broadcast all traffic to the network where it
can easily be sniffed.

http://www.sans.org/newlook/resources/IDFAQ/switched_network.htm should
give you some (more accurate?) information.

Sebastian

-- 
Sebastian Jaenicke
whois pgpkey-18AC0BE4whois.ripe.net|perl -ne's-^certif: +--&&print'
  "Object-oriented programming is an exceptionally bad idea which
   could only have originated in California." --Edsger Dijkstra  

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]