Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: unswitched behavior of a switched network...

from [Ben Nell] Network Security [Permanent Link]
Subject: Re: unswitched behavior of a switched network...
Date: Sun, 15 Oct 2006 20:03:41 -0500 
Is all traffic being "broadcasted"?  Can you narrow it down to a
specific host that's common to all of the traffic, perhaps a gateway
device?  If you're doing multicasting on a gateway device
(multicasting using unicast addressing), you would get the type of
behavior that you're describing.  I've seen this exact situation
before, actually.

BN

On 10/13/06, Jon Hart <jhart@spoofed.org> wrote: 
Greetings,

I've got a situation here that I can't quite figure out.  It is well
known that it is possible to cause a switched network to act like an
unswitched network by flooding the CAM table.  There are countless tools
and documents out there that cover the offensive and defensive measures
related to this issue.

While this isn't Cisco's official documentation on this issue,
http://xrl.us/r8k7 says:

   "Content-addressable memory (CAM) overflow: A CAM table is used to
   determine where to direct incoming frames depending on which port the
   incoming MAC address came from. When the CAM receives a frame with an
   unknown destination, the proper procedure is to flood frames within
   the acceptable Layer 2 domain (the proper VLAN). Hardware and
   software tools are available (some for free), that can flood a switch
   with MAC addresses. Once the CAM table limit is exceeded, switches
   behave differently depending on the brand of the switch."

My question is, has anyone seen a situation where the same broadcast
behavior occurs, but the CAM table itself is not overloaded and there is
no good reason for entries to be expiring?  Furthermore, even if the
entries were expired, has anyone encountered situations (malicious or
otherwise), where a given port will receive traffic outside of its own
L2?

Thanks,

-jon


------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------



------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Web Vulnerability Scanner, Debasis Mohanty
Next by Date:  Re: RE: Sql injection automated check tool, p4ssion
Previous by Thread:  Re: unswitched behavior of a switched network..., David C. Smith
Next by Thread:  Re: unswitched behavior of a switched network..., Florian Osses
Indexes:  [Date] [Thread] [Top] [All Lists]