Switch security - protecting against "port stealing"

Robhogg68
Level 1

I work for a public library system, and we have a number of public-access computers on switched networks (largely Catalyst 2950s). We have just been made aware of a potential security threat, using a package named Ettercap, referred to as "port stealing".

It involves an attacking PC tricking the switch by sending a spoofed layer 2 frame with a target PC's MAC in the source field, and its own MAC in the destination field. The switch should then update its CAM table so that packets addressed to the target are forwarded to the attacker.

The attacker can then relay the packets on to the target by sending an ARP request to its IP address to reset the CAM table. The exploit is described here:

http://ettercap.sourceforge.net/forum/viewtopic.php?t=2329&sid=305c457d68c3c9c757747b86b4a1bec9

I can see that enabling port security and limiting each port to one MAC address would make this attack difficult. Are there any other security measures that could be taken on the switch to protect against this attack? Sticky addresses could be a possibility, but configuring static MAC addresses would not be practical.

Thanks,

Rob
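To make the sequence in the post concrete, here is a small Python model of a learning switch. This is an added example by the editor, not code from the original post, from Ettercap, or from Cisco. The MAC addresses, port names and frame contents are constructed for the simulation, and the `Switch` class is a toy: it models CAM learning on the source MAC, flooding of unknown unicast, the rule that a frame is never sent back out its ingress port, and port security with a one-MAC limit and sticky learning on the access ports. Running it once without and once with port security shows why the first stealing frame is silent, why the gateway's next frame lands on the attacker's port, and why a one-MAC limit turns that first frame into a violation.

```python
"""Toy learning switch: port stealing versus port security (maximum 1, sticky).

Added example for the thread above; not code from the post, Ettercap or IOS.
All addresses, port names and frames below are constructed for the simulation.
"""
from __future__ import annotations

from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed addresses and ports (assumptions, not from the post).
VICTIM = "00:11:22:33:44:55"    # public-access PC on Fa0/1
ATTACKER = "66:77:88:99:aa:bb"  # attacker's PC on Fa0/2
GATEWAY = "cc:dd:ee:ff:00:11"   # router on the uplink, Fa0/24
PORTS = ("Fa0/1", "Fa0/2", "Fa0/24")
ACCESS_PORTS = {"Fa0/1", "Fa0/2"}  # port security goes on access ports only


@dataclass
class Frame:
    src: str
    dst: str
    note: str = ""


class PortSecurityViolation(Exception):
    """A secured port saw a source MAC other than its sticky-learned one."""


@dataclass
class Switch:
    """Minimal learning switch with an optional one-MAC sticky port-security policy.

    port_security=True models 'switchport port-security' + 'maximum 1' +
    'mac-address sticky' on the access ports: the first source MAC seen on a
    port is pinned to it, and any other source MAC err-disables the port
    (the default 'violation shutdown' behaviour).
    """
    port_security: bool = False
    cam: dict[str, str] = field(default_factory=dict)     # MAC -> port
    secure: dict[str, str] = field(default_factory=dict)  # port -> pinned MAC
    errdisabled: set[str] = field(default_factory=set)

    def receive(self, port: str, frame: Frame) -> list[str]:
        """Process an ingress frame and return the list of egress ports."""
        if port in self.errdisabled:
            return []
        if self.port_security and port in ACCESS_PORTS:
            pinned = self.secure.setdefault(port, frame.src)  # sticky learn
            if pinned != frame.src:
                self.errdisabled.add(port)
                raise PortSecurityViolation(
                    f"{port}: source {frame.src}, secure MAC is {pinned}")
        self.cam[frame.src] = port  # the learning step port stealing abuses
        if frame.dst == BROADCAST or frame.dst not in self.cam:
            return [p for p in PORTS if p != port]  # unknown unicast: flood
        out = self.cam[frame.dst]
        return [] if out == port else [out]  # never send back out the ingress port


def run_port_stealing(port_security: bool) -> dict[str, bool]:
    """Replay the attack described in the post; report what the attacker achieved."""
    sw = Switch(port_security=port_security)
    result = {"violation": False, "silent": False,
              "intercepted": False, "restored": False}

    # 1. Ordinary traffic populates the CAM table (and the sticky table).
    sw.receive("Fa0/1", Frame(VICTIM, GATEWAY))
    sw.receive("Fa0/2", Frame(ATTACKER, GATEWAY))
    sw.receive("Fa0/24", Frame(GATEWAY, VICTIM))

    # 2. Stealing frame: victim's MAC as source, attacker's own MAC as
    #    destination.  The switch re-learns VICTIM on Fa0/2, and because the
    #    destination sits on the ingress port it forwards nothing, so no other
    #    host sees the frame.  With port security this is a second MAC on Fa0/2.
    try:
        result["silent"] = sw.receive("Fa0/2", Frame(VICTIM, ATTACKER, "steal")) == []
    except PortSecurityViolation:
        result["violation"] = True
        return result

    # 3. The gateway's next frame for the victim is delivered to the attacker.
    egress = sw.receive("Fa0/24", Frame(GATEWAY, VICTIM, "for victim"))
    result["intercepted"] = egress == ["Fa0/2"]

    # 4. Attacker sends a genuine ARP request for the victim's IP; the victim's
    #    reply re-learns VICTIM on Fa0/1 and the attacker relays what it captured.
    sw.receive("Fa0/2", Frame(ATTACKER, BROADCAST, "ARP who-has victim"))
    sw.receive("Fa0/1", Frame(VICTIM, ATTACKER, "ARP reply"))
    result["restored"] = sw.cam[VICTIM] == "Fa0/1"
    return result


if __name__ == "__main__":
    print("no port security :", run_port_stealing(port_security=False))
    print("port security on :", run_port_stealing(port_security=True))
```

The policy the model enforces corresponds on the real switch to `switchport port-security`, `switchport port-security maximum 1` and `switchport port-security mac-address sticky` on each access port, with the default violation mode shutting the port down; `errdisable recovery cause psecure-violation` brings such ports back without a visit from staff. Ettercap sends its stealing frames as a continuous flood of ARP packets, which is also why a per-port ARP rate limit on untrusted ports (part of Dynamic ARP Inspection on platforms that support it) will trip on the attacker's port; check the 2950's own software configuration guide for which of these features the image in use actually provides.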

2 Replies

jaye15394
Level 1

Hi Rob,

Please take a look at Dynamic ARP Inspection and DHCP snooping here:

http://www.cisco.com/en/US/products/hw/switches/ps5023/products_configuration_example09186a00807c4101.shtml

This will help.

Regards,

Jason

Thanks for the link, Jason - very useful.

Rob
