RE: IPv6, ARPs, CGMP/IGMP DoS

From: J. Oquendo (no email)
Date: Mon Jan 03 2005 - 13:45:20 EST

  • Next message: Steve Gibbard: "Re: BGP 011: multiple sessions with upstreams"

    On 3-jan-05, at 10:55:49, Iljitsch van Beijnum wrote:

    > If you can then enforce the port->MAC->IP mappings you're pretty much
    > bullet proof. I know there are switches that can handle the port->MAC
    > part. An alternative for the MAC->IP part would be the TCP MD5 option or
    > IPsec.

    And what if an attacker sends membership queries with bogus MAC addresses
    to a router via CGMP or IGMP messages to a switch... Would normal
    filtering catch this problem (MAC spoofing/exhaustion)? Wouldn't the
    switch or router say "WTF?"

    // EXAMPLE //

    x:x:x:x:x:x who has 10.10.1.2
    Router "no one... you do loser"
    x:x:x:x:x:x "I am now 10.10.1.2 ... I am the king of the world"
    Attacker via CGMP/IGMP --> Membership Query:
    "Hello I am x:x:x:x:x:x at 10.10.2.2 I want to join this group"
    Router "checks MAC tables scratching its RAM"

    OTHER SCENARIOS: http://www.cs.ucsb.edu/~krishna/igmp_dos/

    // END //

    Maybe I should lay off the caffeine. Aside from your bulletproof
    situation, if the case held true, 1) why haven't many implemented this? My
    guess would be ANEL (Apparent Network Engineer Laziness, not pronounced
    similar to ANAL). 2) Why hasn't someone made mention via RFC/Standard/^ETC
    ...

    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    J. Oquendo
    GPG Key ID 0x51F9D78D
    Fingerprint 2A48 BA18 1851 4C99 CA22 0619 DB63 F2F7 51F9 D78D
    http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x51F9D78D

    sil @ politrix . org http://www.politrix.org
    sil @ infiltrated . net http://www.infiltrated.net

    "How a man plays the game shows something of his
    character - how he loses shows all" - Mr. Luckey
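
The port->MAC->IP enforcement from the quoted text, applied to the kind of spoofed ARP and IGMP membership traffic sketched in the message above. This is an added example, not part of the original message or any vendor's implementation; the port names, MAC addresses, binding table, per-port MAC limit and alert labels are constructed assumptions.

```python
from collections import defaultdict

# Constructed binding table (assumption): switch port -> {MAC: IP}, learned
# from a trusted source such as static configuration or DHCP snooping.
BINDINGS = {
    "Gi0/1": {"00:11:22:33:44:55": "10.10.1.2"},
    "Gi0/2": {"00:11:22:33:44:66": "10.10.2.2"},
}

# Constructed frames: (ingress port, source MAC, claimed source IP, message type).
FRAMES = [
    ("Gi0/1", "00:11:22:33:44:55", "10.10.1.2", "igmp-report"),  # legitimate host
    ("Gi0/3", "02:00:00:00:00:01", "10.10.1.2", "arp-reply"),    # claims a bound IP
    ("Gi0/3", "02:00:00:00:00:02", "10.10.2.2", "igmp-report"),  # bogus MAC join
    ("Gi0/3", "02:00:00:00:00:03", "10.10.2.2", "igmp-report"),  # third MAC, same port
    ("Gi0/2", "00:11:22:33:44:66", "10.10.9.9", "igmp-report"),  # right MAC, wrong IP
]

def check_frames(bindings, frames, max_macs_per_port=2):
    """Enforce port->MAC->IP on each frame; return (accepted, alerts)."""
    seen = defaultdict(set)  # port -> distinct source MACs observed so far
    accepted, alerts = [], []
    for port, mac, ip, kind in frames:
        seen[port].add(mac)
        # Port->MAC limit: caps how many MACs one port can push into the tables.
        if len(seen[port]) > max_macs_per_port:
            alerts.append((port, mac, "mac-limit-exceeded"))
            continue
        bound_ip = bindings.get(port, {}).get(mac)
        if bound_ip is None:
            # The MAC was never bound to this port, so the frame is dropped
            # before any ARP or IGMP state is created for it.
            alerts.append((port, mac, "mac-not-bound-to-port"))
        elif bound_ip != ip:
            # MAC->IP check: a known MAC claiming an address it does not own.
            alerts.append((port, mac, "ip-mismatch"))
        else:
            accepted.append((port, mac, ip, kind))
    return accepted, alerts

if __name__ == "__main__":
    ok, bad = check_frames(BINDINGS, FRAMES)
    print("accepted:", ok)
    for alert in bad:
        print("dropped:", alert)
```

With both mappings enforced at the access port, only the first constructed frame creates group state; the spoofed joins never reach the router's tables.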

