Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Cain and Abel
From: "J. Oquendo" <sil () infiltrated net>
Date: Thu, 3 Feb 2005 17:22:53 -0500 (EST)

On Thu, 3 Feb 2005, Paul Melson wrote:

A more manageable defense against ARP poisoning attacks is to configure your
switches to prevent against MAC address spoofing.  Cisco switches, for
example, can statically map the MAC address of the interface connected to a
given port (good for servers), as well as limit the number of MAC addresses
that can appear on a given port (good for workstations, conference rooms,
hotel rooms, etc.).

802.1q and Cisco PVLAN's will suffice by segmentation to minimize the
effects of programs like Cain and Abel. However, most people forget that
at the core level any product be it a switch (layer 2 or 3) or router will
still have to listen for broadcasts in order to get MAC information to
delegate traffic. If someone just wanted to sit there and DoS your ARP
tables to oblivion it wouldn't be hard. VLAN tagging has its insecurities
as well. You could likely just roast someone's connection if you're on
their segment as well via spoofing however you're limited to that segment.


J. Oquendo
GPG Key ID 0x0D99C05C

sil @ infiltrated . net http://www.infiltrated.net

"How a man plays the game shows something of his
character - how he loses shows all" - Mr. Luckey
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]