Of hubs, switches and network security
At the Network layer, hosts are identified by IP addresses. At the Data Link layer, however, hosts are identified by MAC addresses. All packets (in ethernet) are delivered by MAC address (ARP and RARP convert between IP and MAC addresses).
To conserve bandwidth, switches direct traffic to a specific port based on the target MAC address (as opposed to hubs which simply broadcast all packets to all ports). This allows multiple peer-to-peer conversations to occur at the same time as each conversation only requires two ports (whereas in a hub each conversation occupies all ports!) Hence, bandwidth management; not security 
.
For a switch to know which port connects to which MAC addresses, the switch creates and manages a CAM table (a simple mapping between port and MAC address(es)). If no Port Security, this table is dynamic and changes over time (to allow for hosts to appear, disappear and move between ports). The switch learns the CAM table mappings by monitoring the source and destination MAC addresses in packets that it directs.
Now look at the Port Stealing slide. Send layer 2 packets with “source address equal to victim host address” and “destination address equal to its own mac address”. Taking these in reverse order, the switch will direct the packet to the port mapped to the destination address, the attackers “own mac address”; i.e. the packet will return to the attackers host (so no other hosts will notice the packet). At the same time, the switch will record the source address of the packet against the port it came from in the CAM table; i.e. the victim host (MAC) address against the attacker’s port. If you looked in the CAM table, you’d now find the attackers port mapped to both the attackers MAC address and also the victim’s MAC address.
The switch will now direct the next packet targeted at the victim’s MAC address to the attackers port (based on the CAM table entry) - the port is ’stolen’.
To relay the packet to the correct port (so that the conversations can continue uniterrupted), the attacker needs to get the CAM table back to the original state, i.e. with the victim’s port mapped to the victim’s MAC address. This is achieved by issuing a broadcast ARP request for the victim’s IP address. Broadcast means the request will go to all ports (including the victim). When the victim responds, the switch will record the new CAM table mapping (back to where it was originally). The captured packet can now be resent by the attacker and correctly directed by the switch to the victim’s port.
Now (and this is the scary bit) to get and relay the _next_ packet, the attacker needs to repeat the entire process. It looks like a lot of work and is why I raised queries about whether or not packets would be dropped. NaGA says ‘not necessarily’ which is fair enough.
URL: http://ettercap.sourceforge.net/forum/viewtopic.php?t=2329
Comments
Leave a Reply
You must be logged in to post a comment.
About
Welcome to Arstan's personal blog. This blog includes tips on Linux, Apache, MySQL, Shell Scripts. Hardware/software and internet technologies reviews and updates.
