[unisog] Strange things from our residence.

Asadoorian, Paul D Paul_Asadoorian at brown.edu
Thu Oct 24 16:53:09 GMT 2002


You should certainly limit which ports have the ability to participate
in spanning tree.....  We do this on our 3550's.

Paul Asadoorian, GCIA
Brown University
115 Waterman St.
Providence, RI 02912
401.863.7553

PGP Key: http://pauldotcom.com/Paul_Asadoorian.asc
Fingerprint: 42CB D9A8 37C4 2D1C A2FE  927F C946 9174 41DC 7A4F
Web: http://www.pauldotcom.com
 

-----Original Message-----
From: Elliot Metsger [mailto:emetsger at jhu.edu] 
Sent: Thursday, October 24, 2002 1:23 AM
To: jtk at aharp.is-net.depaul.edu
Cc: unisog at sans.org
Subject: Re: [unisog] Strange things from our residence.


I agree with John.  While it may be technically correct for a switch to 
source frames with a broadcast address, it doesn't make sense, and 
obviously has security ramifications.  I encourage comments on the 
switch vendor and OS version.  Another sinister layer 2 attack may be a 
host on a network participating in spanning tree...

Regards,
Elliot

John Kristoff wrote:
> On Tue, 22 Oct 2002 15:26:59 -0400
> Pete Hickey <pete at shadows.uottawa.ca> wrote:
<snip>
>>source MAC address of FFFFFFFFFFFF..  A broadcast as the source.
>>
>>Now, what the switch was doing (a bug IMO) was noting that this was 
>>the MAC associated with that port.  Then, all broadcasts were directed
> 

> Care to comment on the vendor switch, the version of code and any 
> interesting configuration that may affect its behavior?  Your 
> experience certainly doesn't sound like proper bridge address table 
> behavior (perhaps technically legal, but certainly not sane).
> 
> John
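As an added example (not from this thread or any of its posters), a small Python audit that flags the two layer-2 oddities discussed above: frames whose source MAC is the broadcast address (or any group address), and STP BPDUs arriving on ports that should only carry hosts. The frames, port names and the host-port set are constructed for the example.

```python
# Added example: audit raw Ethernet frames for the anomalies discussed in the
# thread. Not code from the unisog list or any of the posters.

BPDU_DST = bytes.fromhex("0180c2000000")   # IEEE 802.1D bridge group address
LLC_STP = b"\x42\x42\x03"                  # LLC DSAP/SSAP 0x42, UI control field

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def classify_frame(frame):
    """Return a list of anomaly tags for one raw Ethernet frame (bytes)."""
    if len(frame) < 14:
        return ["truncated"]
    dst, src = frame[:6], frame[6:12]
    ethertype_or_len = int.from_bytes(frame[12:14], "big")
    tags = []
    if src == b"\xff" * 6:
        tags.append("broadcast-source")       # the case in Pete's report
    elif src[0] & 0x01:
        tags.append("group-bit-source")       # I/G bit set: never valid as a source
    # 802.3 frames carry a length (<= 1500) then an LLC header; STP BPDUs use LLC 42/42/03
    if dst == BPDU_DST and ethertype_or_len <= 1500 and frame[14:17] == LLC_STP:
        tags.append("bpdu")
    return tags

def audit(frames, host_ports):
    """frames: iterable of (port, raw_bytes). Returns a list of (port, src, tags)."""
    findings = []
    for port, raw in frames:
        tags = classify_frame(raw)
        if "bpdu" in tags and port in host_ports:
            tags.append("bpdu-from-host-port")   # a host trying to join spanning tree
        if tags:
            findings.append((port, mac_str(raw[6:12]), tags))
    return findings

def _frame(dst, src, rest):
    return dst + src + rest

# Constructed sample capture: (ingress port, raw frame). Port names are hypothetical.
SAMPLE_FRAMES = [
    ("Fa0/1", _frame(b"\xff" * 6, b"\xff" * 6, b"\x08\x06" + b"\x00" * 28)),          # ARP with broadcast source
    ("Fa0/2", _frame(BPDU_DST, bytes.fromhex("0011223344aa"), b"\x00\x26" + LLC_STP + b"\x00" * 35)),  # BPDU from a host port
    ("Gi0/1", _frame(BPDU_DST, bytes.fromhex("0011223344bb"), b"\x00\x26" + LLC_STP + b"\x00" * 35)),  # BPDU on an uplink
    ("Fa0/3", _frame(bytes.fromhex("001122334455"), bytes.fromhex("00aabbccddee"), b"\x08\x00" + b"\x00" * 46)),  # normal IP
]
HOST_PORTS = {"Fa0/1", "Fa0/2", "Fa0/3"}   # ports where no bridge should ever appear

if __name__ == "__main__":
    for port, src, tags in audit(SAMPLE_FRAMES, HOST_PORTS):
        print(f"{port}: src={src} {', '.join(tags)}")
```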
