03-21-2008 02:08 AM - edited 03-05-2019 09:53 PM
I work for a public library system, and we have a number of public-access computers on switched networks (largely Catalyst 2950s). We have just been made aware of a potential security threat, using a package named Ettercap, referred to as "port stealing".
It involves an attacking PC tricking the switch by sending a spoofed layer 2 frame with a target PC's MAC in the source field, and its own MAC in the destination field. The switch should then update its CAM table so that packets addressed to the target are forwarded to the attacker.
The attacker can then relay the packets on to the target by sending an ARP request to its IP address to reset the CAM table. The exploit is described here:
http://ettercap.sourceforge.net/forum/viewtopic.php?t=2329&sid=305c457d68c3c9c757747b86b4a1bec9
I can see that enabling port security and limiting each port to one MAC address would make this attack difficult. Are there any other security measures that could be taken on the switch to protect against this attack? Sticky addresses could be a possibility, but configuring static MAC addresses would not be practical.
Thanks,
Rob
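An added configuration example (not from the original post) showing the port-security approach the question describes, as it would be applied to an access port on a Catalyst 2950 class switch. Interface names, the VLAN number, the description text and the choice of `restrict` as the violation mode are assumptions for illustration; check the command reference for your IOS release, since the exact syntax (for example `show mac-address-table` versus `show mac address-table`) varies between releases.

```cisco
! Added example: lock each public-access port to the first MAC it learns.
! Port stealing relies on the attacker's port sourcing a frame that carries
! the victim's MAC. With port security at maximum 1 and a sticky address
! already learned, that frame is a violation: it is dropped before the CAM
! table is updated, so the victim's entry is never moved to the attacker's port.
!
interface range FastEthernet0/1 - 24        ! assumed: public-access PC ports
 description Public-access PC
 switchport mode access
 switchport access vlan 10                  ! assumed VLAN
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 ! restrict: drop offending frames, count them and raise a syslog/SNMP trap,
 ! but keep the port up. Use "shutdown" instead to errdisable the port.
 switchport port-security violation restrict
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! If "violation shutdown" is chosen, let the port recover automatically
! rather than needing a manual "shutdown / no shutdown".
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verification:
!   show port-security interface FastEthernet0/1   -> status, violation count
!   show port-security address                     -> sticky MACs learned
!   show mac-address-table interface FastEthernet0/1
```

Two operational points worth noting. Sticky learning binds a port to whichever MAC it sees first, so enable it while the expected PC is the only device connected, and remember that the sticky entries are only kept across a reload if the running configuration is saved. A violation counter that keeps climbing on a single port under `restrict` is itself the detection signal for this attack, so it is worth exporting those syslog messages or traps rather than only consulting them after the fact.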
03-21-2008 07:20 AM
Hi Rob,
Please take a look at Dynamic ARP Inspection and DHCP snooping here:
This will help.
Regards,
Jason
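An added configuration example (not part of the reply above) of the two features it points to, DHCP snooping and Dynamic ARP Inspection. DHCP snooping builds a table of IP-to-MAC-to-port bindings by watching DHCP traffic on untrusted ports; DAI then drops ARP packets whose sender IP/MAC does not match that table, which stops the ARP-based spoofing families that Ettercap also offers. Note that the spoofed data frame used in port stealing is not an ARP packet, so DAI complements rather than replaces port security for that specific case. Interface names, the VLAN number, the rate limit and the database path are assumptions; both features depend on the platform and software image, so confirm support in the command reference for your switch before relying on them.

```cisco
! Added example: DHCP snooping plus Dynamic ARP Inspection on the client VLAN.
!
ip dhcp snooping
ip dhcp snooping vlan 10                    ! assumed client VLAN
! Only set this if your DHCP server understands option 82; otherwise
! inserted option 82 can cause the server to drop the requests.
no ip dhcp snooping information option
! Persist the binding table so it survives a reload (path is an assumption).
ip dhcp snooping database flash:dhcp-snooping.db
!
! The uplink toward the DHCP server is the only port allowed to send
! server-side DHCP messages and is exempt from ARP inspection.
interface GigabitEthernet0/1                ! assumed uplink
 description Uplink to distribution / DHCP server
 ip dhcp snooping trust
 ip arp inspection trust
!
! Public-access ports stay untrusted (the default). Rate-limit DHCP so a
! client cannot flood the snooping process.
interface range FastEthernet0/1 - 24        ! assumed client ports
 ip dhcp snooping limit rate 10
!
! Turn on DAI for the VLAN and also check that the Ethernet source/destination
! MACs agree with the MACs carried inside the ARP body.
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! Verification:
!   show ip dhcp snooping                    -> trusted ports, enabled VLANs
!   show ip dhcp snooping binding            -> learned IP/MAC/port bindings
!   show ip arp inspection vlan 10
!   show ip arp inspection statistics vlan 10  -> dropped vs. forwarded ARP
```

One caveat a practitioner will hit: any host on the VLAN with a static IP address has no DHCP binding, so DAI will drop its ARP traffic. Those hosts need an explicit `arp access-list` permitting their IP/MAC pair, applied to the VLAN with `ip arp inspection filter`, or the binding table will never contain them.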
03-26-2008 03:04 AM
Thanks for the link, Jason - very useful.
Rob