RE: switch jamming

From: Anthony Gruppuso (AGruppusat_private)
Date: Thu Jan 31 2002 - 06:36:44 PST


    Does anybody know of any switches that can protect against this type of
    attack, or is virtually every switch affected?  I imagine this is "old
    news," so what have vendors done to counteract this type of activity?
    
    -----Original Message-----
    From: Sebastian Jaenicke [mailto:tsaat_private]
    Sent: Wednesday, January 30, 2002 5:13 PM
    To: vuln-devat_private
    Subject: Re: switch jamming
    
    
    Hi,
    
    On Wed, Jan 30, 2002 at 10:05:08PM +0000, Jan wrote:
    [..]
    > how can I sniff upon a switched network segment? I read some articles
    > about "switch jamming" and "port mirroring" but up to now I didn't
    > learn anything special at all.
    > can some of you guys out there help me? (I'm sure some of you can but
    > are you willing, too?)
    > 
    
    This can be achieved by flooding the switch with spoofed ARP packets
    until its internal MAC table is filled up - most switches will then
    revert to "hub mode" and therefore broadcast all traffic to the network
    where it can easily be sniffed.
    
    http://www.sans.org/newlook/resources/IDFAQ/switched_network.htm should
    give you some (more accurate?) information.
    
    Sebastian
    -- 
    Sebastian Jaenicke
    whois pgpkey-18AC0BE4at_private|perl -ne's-^certif: +--&&print'
      "Object-oriented programming is an exceptionally bad idea which
       could only have originated in California." --Edsger Dijkstra  
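
An added example, not part of the original messages: a detector for the table-filling behaviour described in the reply above. It flags any switch port that presents more distinct source MAC addresses in a short window than an access port normally would. The observation format, the threshold, the window and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

def flag_flooding_ports(observations, max_macs=8, window=10.0):
    """Return {port: peak distinct source MACs} for ports that exceed
    max_macs distinct source addresses within any window-second span.
    observations: time-ordered (timestamp_s, port, src_mac) tuples
    (assumed format, e.g. derived from MAC-learning logs or a mirror port)."""
    recent = defaultdict(deque)                      # port -> (ts, mac) in window
    seen = defaultdict(lambda: defaultdict(int))     # port -> mac -> count in window
    flagged = {}
    for ts, port, mac in observations:
        mac = mac.lower()
        recent[port].append((ts, mac))
        seen[port][mac] += 1
        # Expire observations that fell out of the window.
        while recent[port][0][0] < ts - window:
            _, old = recent[port].popleft()
            seen[port][old] -= 1
            if seen[port][old] == 0:
                del seen[port][old]
        distinct = len(seen[port])
        if distinct > max_macs:
            flagged[port] = max(flagged.get(port, 0), distinct)
    return flagged

def constructed_sample():
    """Constructed data: ports 1 and 2 each carry one stable host, while
    port 7 presents 40 different source MACs within two seconds."""
    obs = []
    for i in range(40):
        t = i * 0.05
        obs.append((t, 7, "02:00:00:00:00:%02x" % i))
        obs.append((t, 1, "02:aa:aa:aa:aa:01"))
        obs.append((t, 2, "02:bb:bb:bb:bb:02"))
    return obs

if __name__ == "__main__":
    for port, peak in flag_flooding_ports(constructed_sample()).items():
        print("port %s: %d distinct source MACs in window" % (port, peak))
```

The threshold has to be tuned per port role: an uplink or trunk port legitimately carries many source addresses, while an access port with a single host should stay near one.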
    



    This archive was generated by hypermail 2b30 : Thu Jan 31 2002 - 08:03:43 PST