Subject: Re: inetd.conf defaults
To: None <tech-net@netbsd.org>
From: Greg A. Woods <woods@weird.com>
List: tech-net
Date: 05/28/2000 15:45:23
[ On Sunday, May 28, 2000 at 11:21:56 (-0700), Erik Fair wrote: ]
> Subject: Re: inetd.conf defaults
>
> It would have to be quite the DoS attack - the typical 10/100 FDX 
> switch in that 8-port, $100 category has the capacity to handle 8,000 
> MAC addresses...

As I understand it there are other ways to spoof switches into doing the
wrong thing other than flooding them with faked MACs.

Of course 8000 fake packets at 100 Mbps is chicken-feed, or peanuts, or
whatever...  The MAC table would have to be large enough that it could
not be filled before the first fakes started to time out and disappear.
Depending on the rules for such timeouts (which I know little about)
that may make it impossible to secure the table from such attacks even
if you have stuffed the box with all the memory that'll physically fit
into it.  With only 8000 entries it may be possible to keep the switch
in full broadcast mode indefinitely.

The only real way I know of to secure a switch 100% is to lock each port
down to a specified MAC and I don't think that can be done in any of the
~$100 units (even if they are true switches).  Some manageable hubs do
allow you to do this too, but again none in the $100 region that I know
of.

(The concept is just the same as not allowing IP packets to enter your
network if they appear to have come from within it, and also not
allowing IP packets in that cannot have an internal destination -- with
a switch you have to do the same thing at layer-2 using layer-2
addresses.)

-- 
							Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods@acm.org>      <robohack!woods>
Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
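The message above reasons about two things: a forwarding table that can be filled faster than its entries age out, and the per-port MAC lock that Greg Woods names as the only complete fix. The following is an added example written for this archive page, not code from the message or from NetBSD; it models a toy forwarding table with idle ageing, replays a constructed frame log through it, and shows the two defender-side checks: a per-port allowed-MAC lock and a simple "too many new source MACs on one port" alert. The frame log, the capacity and ageing values, and the function names are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample traffic: (time_secs, ingress_port, source_mac).
# Ports 1 and 2 each carry one legitimate host; port 3 emits fifty distinct
# source MACs within one second, the pattern the message describes.
FRAMES = [(0.0, 1, "aa:00:00:00:00:01"), (0.5, 2, "aa:00:00:00:00:02")]
FRAMES += [(1.0 + i * 0.01, 3, f"02:00:00:00:{i // 256:02x}:{i % 256:02x}")
           for i in range(50)]
FRAMES += [(5.0, 1, "aa:00:00:00:00:01"), (6.0, 2, "aa:00:00:00:00:03")]


class CamTable:
    """Toy model of a switch's MAC forwarding table: fixed capacity, entries
    removed only after they have been idle for ageing_secs."""

    def __init__(self, capacity, ageing_secs):
        self.capacity = capacity
        self.ageing_secs = ageing_secs
        self.entries = {}  # source MAC -> (port, last_seen)

    def learn(self, mac, port, now):
        """Learn or refresh a source MAC. Returns False when the table is full
        and the address could not be added (the switch then has to flood
        frames for unknown destinations out of every port)."""
        stale = [m for m, (_, seen) in self.entries.items()
                 if now - seen > self.ageing_secs]
        for m in stale:
            del self.entries[m]
        if mac in self.entries or len(self.entries) < self.capacity:
            self.entries[mac] = (port, now)
            return True
        return False

    def is_full(self):
        return len(self.entries) >= self.capacity


def replay(frames, capacity, ageing_secs):
    """Replay a frame log through a CamTable. Returns the number of learns
    that failed because the table was full, and the final table."""
    table = CamTable(capacity, ageing_secs)
    failed = 0
    for t, port, src in frames:
        if not table.learn(src, port, t):
            failed += 1
    return failed, table


def port_lock_violations(frames, allowed):
    """Per-port MAC lock, the layer-2 counterpart of the IP ingress filter
    in the message. allowed maps port -> set of permitted source MACs; any
    other source on a locked port is a violation worth logging or blocking."""
    return [(t, port, src) for t, port, src in frames
            if port in allowed and src not in allowed[port]]


def new_mac_rate_alerts(frames, window_secs, max_distinct_per_window):
    """For switches that cannot lock ports, flag any port that presents more
    distinct source MACs in one window than a real host population would."""
    buckets = defaultdict(set)  # (port, window index) -> distinct source MACs
    for t, port, src in frames:
        buckets[(port, int(t // window_secs))].add(src)
    return sorted({port for (port, _), macs in buckets.items()
                   if len(macs) > max_distinct_per_window})


if __name__ == "__main__":
    # A small table with the usual long ageing time fills during the burst
    # and then refuses a legitimate new host on port 2.
    failed, table = replay(FRAMES, capacity=8, ageing_secs=300)
    print("learns refused (capacity 8, ageing 300 s):", failed)
    # Locking each port to its known host catches every bogus source.
    allowed = {1: {"aa:00:00:00:00:01"}, 2: {"aa:00:00:00:00:02"},
               3: {"02:00:00:00:00:00"}}
    print("port-lock violations:", len(port_lock_violations(FRAMES, allowed)))
    print("ports exceeding 5 new MACs/s:", new_mac_rate_alerts(FRAMES, 1.0, 5))
```

The replay makes the ageing argument concrete: with a 300 second idle timeout the burst fills the table long before anything expires, whereas with a short timeout (try `replay(FRAMES, 8, 2.0)`) the entries drain before the next legitimate host appears. Neither setting is a substitute for the per-port lock, which rejects the bogus sources regardless of table size.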