mailing list archives
Re: switched n/w
From: Andreas Putzo <andreas () inferno nadir org>
Date: Wed, 8 Dec 2004 09:37:52 +0100
On Tuesday 07 December 2004 19:30, kaushal wrote:
Iam a bit new to network securities.We have a switched network and to
my knowledge a hosts' data cannot be sniffed by other host by runnning
tcpdump.But Iam receiving complaints from few users that their data is
being changed/manipulated.Is this possible?
Yes, this is possible. One technique to sniff in a switched environment is arp
poisoning. For example, i make a fake arp entry in the victims arp table,
suggesting, that i am the victim's gateway. If this is successful, the victim
will send all data to my machine. While my machine is forwarding the data to
the correct gateway, i can sniff and even manipulate the data on the fly.
How can I avoid this at the host level?Does this mean the server has
been compromised?Any help or pointer in this aspect would be highly
You can avoid arp attacks with static arp entries (arp -s ).
It's also possible, that some of your hosts has been compromised. You may take
a look at the machines and/or check the network traffic for unusal arp
traffic (e.g. with arpwatch).
What kind of data has been manipulated?