Home page logo

basics logo Security Basics mailing list archives

RE: Network Configuration Question?
From: "Naman Latif" <naman.latif () inamed com>
Date: Tue, 5 Nov 2002 11:46:15 -0800

Whenever the switch receives a packet for which it doesn't find the destination mac address in its "forwarding 
database", it sends that packet to all Ports in that VLAN. These are known as "unknown unicast" messages. You probably 
are seeing those packets.

One way to block this is to have the ports configured to block these packets by using "port block unicast" however I 
don't think this would work out well in most scenarios.

I would suggest moving all your "Secure Machines" into a different VLAN and then use a Router (or RSM) to route between 

Regards \\ Naman

-----Original Message-----
From: netsec novice [mailto:netsec9 () hotmail com] 
Sent: Tuesday, November 05, 2002 8:14 AM
To: ilyte () alias666 freeserve co uk; security-basics () securityfocus com
Subject: Re: Network Configuration Question?

I recently saw similar behaviour running tcpdump on my 
workstation that is 
attached to a Cisco catalyst switch.  I would be interested 
to find any 
answers myself.

From: "Ian Lyte" <ilyte () alias666 freeserve co uk>
To: <security-basics () securityfocus com>
Subject: Network Configuration Question?
Date: Mon, 4 Nov 2002 16:58:37 -0000

Hi All,

    On a corporate machine, I was having trouble removing 
the TinyBar 
scrote-ware that had installed itself surreptitiously onto 
my machine. 
As part of the process of tracking down how it was running, I 
downloaded a small packet sniffer and ran it so I could attempt to 
trace the outgoing target address of the pop-up window.

    We are on a 100mbs switched network (I believe switched but ..).

    Now imagine my surprise when I could pick up traffic 
from around 6
machines, including HTTP, POP, SMTP and all the associated passwords.

    Some of the machines were geographically close to me in 
the office 
but not all. How could this happen on a switched network - 
has one of 
the switches fallen over into broadcast mode or something? 
If so how do 
I go about determining (remotely) why/how it has fallen 
over, who else 
is on the segment, and what other avenues do I have to explore?

    Thanks in advance


Unlimited Internet access for only $21.95/month.  Try MSN! 

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]