Home page logo

basics logo Security Basics mailing list archives

Re: PPPoE + Switch sniffing
From: "Rob klein Gunnewiek" <rob.kleingunnewiek () gmail com>
Date: Mon, 31 Jul 2006 11:33:36 +0200

On 7/27/06, Carlos de Oliveira <carlos.oliv () gmail com> wrote:
Hello friends,

As a manager of my network, I am woried of security. Recently we
changed the HUB's for switch's in hope that we get more securitty.

In a few days ago, we have seeing another Access concentrator in our
network sending PADO's to the clients that wanted to connect.

This access concentrator have the same MAC address of one of my clients.

I would like to know what do you think that could be?
I've searched google for this, but I didn't found any attack baseed on
PPPoE + switch.
Could this other access concentrator be trying to give connection to
some of my clients just to sniff their connection?

It doesn't matter whether you use a switch or not. The PPPoE client
will broadcast PADI packets, so they will arive at all hosts on the
subnet. Whether you use a switch or not.

If this is not simply some mistake of having a wrong setup, this looks
like an attack. First of all, do you use some kind of MAC-address
based filtering? That would explain why someone would forge the MAC
address. Much more likely though it is not forged, I think the client
you are talking about /IS/ the attacker!

I think the attacker wants to steal other people's login stuff... I'm
not familiar with Radius, but the PADO packets can include information
on where the client should authenticate with. So I suppose this could
be used to steal the logins of other clients in some way.

That's my guess,

Good luck.

Rob klein Gunnewiek

This list is sponsored by: Norwich University

The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]