Re: Spanning Tree Switch Exploits? Fact or Fiction?

From: Jose Nazario (joseat_private)
Date: Wed Apr 17 2002 - 10:07:07 PDT


On Wed, 17 Apr 2002, Sean Convery wrote:

> 1) Sending bogus BPDUs to a switched network to continually force
> spanning tree recalculation, thereby creating a DoS condition on the
> switches.

early linux traffic shaping code would do this to some switches, with a rate
proportional to the size of the LAN. larger bridged LANs would suffer the
most.

libnet 1.1 now includes 802.1d code, so it should be easy to forge all
sorts of abusive packets.

> 2) Sending bogus BPDUs with an advertisement that the attacker should
> be the root bridge.  Upon completing this, the attacker would then get
> forwarded frames he might not normally receive.

with the 802.1d construction routines in libnet, plus some analysis of the
switched topology, this should be pretty easy.

> My first question is this: Has anyone verified if this works or not
> with common switch vendors (Cisco et. al.)?

i've seen the first go ballistic on old cabletron switching fabrics. i
haven't tested it against cisco, linksys, etc. hardware.

> Second question is more of a comment.  With far more useful exploits
> for a switched network (MAC flooding, ARP spoofing), why would you
> bother with this anyway?

it's not as well known to the script kiddie community, it's a bit harder to
pull off, and consequently it's not watched for often. snmp traps on arp
floods are (thankfully) gaining more ground as people learn about it. a
spanning tree recalculation is a bit harder to detect for most
deployments.

alan cox has commented on this in the past, for example:

http://security-archive.merton.ox.ac.uk/archive-199905/0178.html

anyhow, i hope this makes some sense.

___________________________
jose nazario, ph.d.			joseat_private
					http://www.monkey.org/~jose/
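The detection side of both scenarios quoted in the thread (a flood of topology-change BPDUs, and a BPDU advertising a new, lower root bridge ID), as an added example that is not part of the original post or of any tool mentioned in it: a small Python parser for IEEE 802.1d configuration BPDUs feeding a monitor that alerts when the Topology Change flag is seen too often inside a window and when the advertised root bridge changes. The BPDU frames are constructed inline for the demo, and the window and threshold values are assumptions, not figures from the post.

```python
import struct
from collections import deque

# IEEE 802.1d configuration BPDU, following the 3-byte LLC header (DSAP/SSAP 0x42, control 0x03):
# protocol id (2), version (1), type (1), flags (1), root id (8), root path cost (4),
# bridge id (8), port id (2), message age (2), max age (2), hello time (2), forward delay (2).
BPDU_FMT = ">HBBB8sI8sHHHHH"   # 35 bytes
LLC_STP = b"\x42\x42\x03"
FLAG_TC = 0x01    # Topology Change
FLAG_TCA = 0x80   # Topology Change Acknowledgement


def parse_config_bpdu(payload: bytes) -> dict:
    """Decode one 802.1d configuration BPDU (LLC header included) into a dict."""
    if len(payload) < 38 or payload[:3] != LLC_STP:
        raise ValueError("not an IEEE 802.1d BPDU (LLC DSAP/SSAP 0x42 expected)")
    (proto, version, bpdu_type, flags, root_id, path_cost, bridge_id,
     port_id, msg_age, max_age, hello, fwd_delay) = struct.unpack(BPDU_FMT, payload[3:38])
    if proto != 0 or bpdu_type != 0x00:
        raise ValueError("not a configuration BPDU")
    return {
        "root_priority": struct.unpack(">H", root_id[:2])[0],
        "root_mac": root_id[2:].hex(":"),
        "root_path_cost": path_cost,
        "bridge_priority": struct.unpack(">H", bridge_id[:2])[0],
        "bridge_mac": bridge_id[2:].hex(":"),
        "port_id": port_id,
        "topology_change": bool(flags & FLAG_TC),
        "tc_ack": bool(flags & FLAG_TCA),
        "message_age_s": msg_age / 256,     # timers are carried in 1/256 s units
        "max_age_s": max_age / 256,
        "hello_time_s": hello / 256,
        "forward_delay_s": fwd_delay / 256,
    }


class StpMonitor:
    """Watches BPDUs seen on one port: root identity and topology-change frequency."""

    def __init__(self, tc_window_s: float = 10.0, tc_threshold: int = 4):
        self.expected_root = None          # (priority, mac) learned from the first BPDU
        self.tc_times = deque()            # timestamps of BPDUs carrying the TC flag
        self.tc_window_s = tc_window_s     # assumed values; tune per network
        self.tc_threshold = tc_threshold

    def observe(self, payload: bytes, ts: float) -> list:
        """Return alert strings for this BPDU; an empty list means nothing notable."""
        alerts = []
        b = parse_config_bpdu(payload)
        root = (b["root_priority"], b["root_mac"])   # lower tuple == better bridge ID
        if self.expected_root is None:
            self.expected_root = root
        elif root != self.expected_root:
            direction = "lower" if root < self.expected_root else "higher"
            alerts.append(f"root bridge changed to {direction}-ID {root} "
                          f"(baseline {self.expected_root}), advertised by {b['bridge_mac']}")
            self.expected_root = root      # alert once per change rather than per hello
        if b["topology_change"]:
            self.tc_times.append(ts)
            while self.tc_times and ts - self.tc_times[0] > self.tc_window_s:
                self.tc_times.popleft()
            if len(self.tc_times) == self.tc_threshold:   # fire when the threshold is crossed
                alerts.append(f"{self.tc_threshold} topology-change BPDUs within "
                              f"{self.tc_window_s}s (last from {b['bridge_mac']})")
        return alerts


def make_sample_bpdu(root_prio, root_mac, bridge_prio, bridge_mac, path_cost=0, flags=0) -> bytes:
    """Build a constructed sample configuration BPDU so the monitor can be exercised offline."""
    root_id = struct.pack(">H", root_prio) + bytes.fromhex(root_mac.replace(":", ""))
    bridge_id = struct.pack(">H", bridge_prio) + bytes.fromhex(bridge_mac.replace(":", ""))
    body = struct.pack(BPDU_FMT, 0, 0, 0, flags, root_id, path_cost, bridge_id,
                       0x8001, 0, 20 * 256, 2 * 256, 15 * 256)   # default 802.1d timers
    return LLC_STP + body


def run_demo() -> list:
    """Replay a constructed sequence: steady hellos, a TC burst, then a rogue root claim."""
    mon = StpMonitor(tc_window_s=10.0, tc_threshold=4)
    events = []
    for i in range(3):   # the real root hellos every 2 s
        events.append((2.0 * i, make_sample_bpdu(32768, "00:00:0c:aa:bb:01",
                                                 32768, "00:00:0c:aa:bb:01")))
    for i in range(5):   # burst of TC-flagged BPDUs from a downstream bridge
        events.append((6.0 + 0.5 * i, make_sample_bpdu(32768, "00:00:0c:aa:bb:01",
                                                       32768, "00:00:0c:aa:bb:02",
                                                       path_cost=4, flags=FLAG_TC)))
    events.append((9.0, make_sample_bpdu(0, "00:00:00:00:00:01",   # claims the best possible ID
                                         0, "00:00:00:00:00:01")))
    found = []
    for ts, payload in events:
        for alert in mon.observe(payload, ts):
            found.append((ts, alert))
    return found


if __name__ == "__main__":
    for ts, alert in run_demo():
        print(f"t={ts:5.1f}s  {alert}")
```

The monitor learns its baseline root from the first BPDU it sees, so it is meant to run on a port where the legitimate root is already known; on a real deployment you would pin the expected root priority and MAC explicitly and also compare the hello interval against what the parser reports, since a sustained recalculation storm shows up as TC-flagged hellos arriving far more often than the configured hello time.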
    