Network Security Security-Basics

RE: about CAM table overflow attack?

Subject: RE: about CAM table overflow attack?
Date: Wed, 19 Apr 2006 15:30:35 -0500
Unfortunately, it is still possible.  Because every switch has a hardware
limitation, the CAM table can only be *so* big.  Even in the big boys, like
the 6500, there is still a limit to how many MAC addresses can be held at one
time.  Once this limit is reached, the traffic comes flooding.

However, there are features in the newer versions of IOS that limit how many
MACs can be seen from one port.  You can set the number higher than usual
(maybe 25-50 on a 6500), so that someone can plug in a 4-port switch and
traffic will still pass, but it will prevent someone from sending 10000+
MACs into the switch for malicious reasons.

felix lin
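As an added illustration (not part of the thread, and not a real switch implementation), the following Python model captures both points made in this thread: a finite learning table whose exhaustion turns unknown-destination traffic into VLAN-scoped flooding, and a per-port MAC cap in the spirit of the IOS port-security feature described above. The table size (8), the per-port cap (2) and the host and bogus MAC addresses are constructed toy values; the thread itself suggests a cap of 25-50 on a 6500.

```python
"""Toy model of a switch CAM (MAC learning) table: finite capacity,
per-VLAN flooding of unknown destinations, and an optional per-port
MAC limit modelled on IOS port security. Constructed example; the
capacity, limit and MAC addresses below are made-up values."""

from typing import Dict, List, Optional, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    def __init__(self, port_vlans: Dict[int, int], cam_capacity: int,
                 per_port_limit: Optional[int] = None) -> None:
        self.port_vlans = port_vlans            # port number -> VLAN id
        self.cam_capacity = cam_capacity        # hardware table size (toy value)
        self.per_port_limit = per_port_limit    # None = no port security
        self.cam: Dict[Tuple[int, str], int] = {}      # (vlan, mac) -> port
        self.violations: List[Tuple[int, str]] = []    # (port, mac) refused by port security

    def _count_on_port(self, port: int) -> int:
        return sum(1 for p in self.cam.values() if p == port)

    def learn(self, port: int, mac: str) -> bool:
        """Record a source MAC for its ingress port. Returns False if refused."""
        key = (self.port_vlans[port], mac)
        if key in self.cam:
            self.cam[key] = port   # refresh (a real switch also resets the aging timer)
            return True
        if self.per_port_limit is not None and self._count_on_port(port) >= self.per_port_limit:
            # Port security: too many distinct MACs behind this port, entry refused.
            self.violations.append((port, mac))
            return False
        if len(self.cam) >= self.cam_capacity:
            # Table full: nothing is learned, so frames addressed to this MAC will flood.
            # A real switch also ages entries out, so bogus sources crowd legitimate
            # ones out over time; this toy model simply stops learning.
            return False
        self.cam[key] = port
        return True

    def forward(self, in_port: int, src: str, dst: str) -> List[int]:
        """Return the list of egress ports for one frame."""
        self.learn(in_port, src)
        vlan = self.port_vlans[in_port]
        out = self.cam.get((vlan, dst))
        if dst == BROADCAST or out is None:
            # Broadcast or unknown unicast: flood, but only within the ingress VLAN.
            return sorted(p for p, v in self.port_vlans.items() if v == vlan and p != in_port)
        if out == in_port:
            return []          # destination is behind the ingress port: filter the frame
        return [out]


MAC_A = "00:00:0a:00:00:01"   # constructed host addresses
MAC_B = "00:00:0b:00:00:02"


def run_scenario(per_port_limit: Optional[int]) -> Tuple[List[int], int, int]:
    """Ports 1-3 are in VLAN 10, port 4 in VLAN 20. Port 3 first emits 100 frames
    with distinct bogus source MACs; then hosts A (port 1) and B (port 2) talk.
    Returns (egress ports for A->B, CAM entries, port-security violations)."""
    sw = Switch({1: 10, 2: 10, 3: 10, 4: 20}, cam_capacity=8, per_port_limit=per_port_limit)
    for i in range(100):
        sw.forward(3, f"de:ad:be:ef:00:{i:02x}", BROADCAST)   # constructed bogus sources
    sw.forward(2, MAC_B, MAC_A)      # B's first frame; A is unknown, so it floods either way
    egress = sw.forward(1, MAC_A, MAC_B)
    return egress, len(sw.cam), len(sw.violations)


if __name__ == "__main__":
    for limit in (None, 2):
        egress, entries, violations = run_scenario(limit)
        print(f"per-port limit={limit}: A->B egress={egress}, "
              f"cam entries={entries}, port-security violations={violations}")
```

Without a per-port limit the eight-entry table fills with bogus entries from port 3, B can never be learned, and A's unicast to B is flooded to every port in VLAN 10, including the port that caused the exhaustion; port 4 in VLAN 20 receives nothing, which is the VLAN scoping described further down the thread. With the cap set to 2, port 3 gets two entries and 98 refusals, the table keeps room for A and B, and the A->B frame leaves only on port 2.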
-----Original Message-----
From: Rick Zhong [mailto:sagiko@gmail.com] 
Sent: Wednesday, April 19, 2006 4:04 AM
To: inoutsec@gmail.com
Cc: security-basics@securityfocus.com
Subject: Re: about CAM table overflow attack?

I am just curious whether this behaviour is still valid in newer
switches, like those running IOS 12+ ... it sounds to me like a very old trick, and
it seems the success rate for this type of attack is very low
nowadays.



On 18 Apr 2006 20:11:45 -0000, inoutsec@gmail.com <inoutsec@gmail.com>
wrote:
Basically what would happen is all traffic would be flooded to all
ports (no VLANs yet). This would happen only to unknown traffic though, that
is, MAC addresses that are not in the CAM.

If a VLAN is configured, then only ports on the same VLAN would receive
the broadcasts. The nature of VLANs prevents broadcasts from being delivered
to another VLAN.

Hope this helps.

-------------------------------------------------------------------------
This List Sponsored by: Webroot

Don't leave your confidential company and customer records un-protected.
Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no
obligation. See why so many companies trust Spy Sweeper Enterprise to
eradicate spyware from their networks.
FREE 30-Day Trial of Spy Sweeper Enterprise

http://www.webroot.com/forms/enterprise_lead.php
--------------------------------------------------------------------------


