[unisog] Strange things from our residence.
Asadoorian, Paul D
Paul_Asadoorian at brown.edu
Thu Oct 24 16:53:09 GMT 2002
You should certainly limit which ports have the ability to participate
in spanning tree. We do this on our 3550s.
Paul Asadoorian, GCIA
115 Waterman St.
Providence, RI 02912
PGP Key: http://pauldotcom.com/Paul_Asadoorian.asc
Fingerprint: 42CB D9A8 37C4 2D1C A2FE 927F C946 9174 41DC 7A4F
From: Elliot Metsger [mailto:emetsger at jhu.edu]
Sent: Thursday, October 24, 2002 1:23 AM
To: jtk at aharp.is-net.depaul.edu
Cc: unisog at sans.org
Subject: Re: [unisog] Strange things from our residence.
I agree with John. While it may be technically correct for a switch to
source frames with a broadcast address, it doesn't make sense, and
obviously has security ramifications. I encourage comments on the
switch vendor and OS version. Another sinister layer 2 attack may be a
host on a network participating in spanning tree...
John Kristoff wrote:
> On Tue, 22 Oct 2002 15:26:59 -0400
> Pete Hickey <pete at shadows.uottawa.ca> wrote:
>>source MAC address of FFFFFFFFFFFF. A broadcast as the source.
>>Now, what the switch was doing (a bug IMO) was noting that this was
>>the MAC associated with that port. Then, all broadcasts were directed
> Care to comment on the vendor switch, the version of code and any
> interesting configuration that may affect its behavior? Your
> experience certainly doesn't sound like proper bridge address table
> behavior (perhaps technically legal, but certainly not sane).
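Added example, not code from the thread or from any of the posters: a toy Python model of a learning bridge that reproduces both layer-2 behaviours discussed above, the switch that learns a broadcast source MAC (Pete's observation, so that every later broadcast is switched to that one port) and a host on an access port emitting BPDUs (Elliot's other "sinister layer 2 attack"), beside the sane behaviour for each. The Bridge and Frame classes, the port numbers, the MAC addresses and the traffic are all constructed for illustration. The err-disable reaction to a BPDU on an access port mirrors what BPDU guard does on a Catalyst; that is one way to do what Paul describes, but the thread does not say which 3550 feature he used, so treat that mapping as an assumption.

```python
"""Toy learning bridge (added example, not from the thread) that reproduces the
two layer-2 problems discussed: a switch that learns a broadcast *source* MAC,
and a host on an access port trying to take part in spanning tree."""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"
STP_MULTICAST = "01:80:c2:00:00:00"   # destination address of 802.1D BPDUs


def is_group_address(mac: str) -> bool:
    """True when the Individual/Group bit (LSB of the first octet) is set."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


@dataclass
class Frame:
    src: str
    dst: str
    in_port: int


@dataclass
class Bridge:
    """Minimal transparent bridge: MAC learning plus a BPDU-guard-style check."""
    ports: list                         # all port numbers on the bridge
    edge_ports: set                     # access ports that must never send BPDUs
    learn_group_sources: bool = False   # True reproduces the buggy switch
    fdb: dict = field(default_factory=dict)        # learned MAC -> port
    err_disabled: set = field(default_factory=set)

    def receive(self, frame: Frame) -> list:
        """Process one frame; return the ports it is forwarded out of."""
        if frame.in_port in self.err_disabled:
            return []
        if frame.dst == STP_MULTICAST:
            if frame.in_port in self.edge_ports:
                # A host on an access port is speaking spanning tree: shut the
                # port, which is what BPDU guard does on a Catalyst (assumed
                # here to be the control Paul refers to).
                self.err_disabled.add(frame.in_port)
            # BPDUs go to the bridge's own STP process and are never forwarded.
            return []
        # Learning: a sane bridge records only individual (unicast) sources.
        # The buggy switch in the thread also recorded ff:ff:ff:ff:ff:ff.
        if self.learn_group_sources or not is_group_address(frame.src):
            self.fdb[frame.src] = frame.in_port
        # Forwarding: a hit in the table goes to one port, a miss is flooded.
        out = self.fdb.get(frame.dst)
        if out is not None:
            return [] if out == frame.in_port else [out]
        return [p for p in self.ports
                if p != frame.in_port and p not in self.err_disabled]


def broadcast_source_poisoning():
    """Constructed traffic: a host on port 3 sends a frame whose source is
    ff:ff:ff:ff:ff:ff, then a normal host on port 1 broadcasts (an ARP
    request, say). Returns (buggy bridge's output ports, sane bridge's)."""
    ports = [1, 2, 3, 4]
    buggy = Bridge(ports, edge_ports={1, 2, 3}, learn_group_sources=True)
    sane = Bridge(ports, edge_ports={1, 2, 3})
    poison = Frame(src=BROADCAST, dst=BROADCAST, in_port=3)
    arp = Frame(src="00:11:22:33:44:55", dst=BROADCAST, in_port=1)
    for br in (buggy, sane):
        br.receive(poison)
    # buggy: every broadcast now goes only to port 3; sane: still flooded
    return buggy.receive(arp), sane.receive(arp)


def bpdu_on_access_port():
    """Constructed traffic: a host on access port 2 emits a BPDU, then a host
    on port 1 broadcasts. Returns (err-disabled ports, flood ports)."""
    br = Bridge([1, 2, 3, 4], edge_ports={1, 2, 3})
    br.receive(Frame(src="00:aa:bb:cc:dd:ee", dst=STP_MULTICAST, in_port=2))
    flooded = br.receive(Frame(src="00:11:22:33:44:55", dst=BROADCAST, in_port=1))
    return sorted(br.err_disabled), flooded


if __name__ == "__main__":
    print(broadcast_source_poisoning())   # ([3], [2, 3, 4])
    print(bpdu_on_access_port())          # ([2], [3, 4])
```

The first function is the whole story from Pete's report in two frames: once the buggy bridge has ff:ff:ff:ff:ff:ff in its table pointing at port 3, a lookup on any broadcast destination hits that entry and the frame is switched to port 3 alone instead of being flooded, which is why the rest of the segment stops seeing ARP. The second shows the cheap defence for the spanning-tree case: an access port that ever sources a BPDU is taken out of service rather than being allowed to influence the topology.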