Subject: Re: a remote user can check promiscuous mode
To: Wolfgang Rupprecht <wolfgang@wsrcc.com>
From: Ignatios Souvatzis <is@jocelyn.rhein.de>
List: tech-net
Date: 12/10/1999 22:10:44
On Fri, Dec 10, 1999 at 12:16:31PM -0800, Wolfgang Rupprecht wrote:
>
> mcr@sandelman.ottawa.on.ca (Michael Richardson) writes:
> > The technique is to send an ICMP ping addressed to the node at the IP
> > layer, but not addressed to the node at the ethernet layer.
>
> I can think of a few more probes like this that are possible. One can
> also slap on a MAC multicast address and the NIC's IP address and see
> if the NIC is listening to that ethernet multicast.
>
> I'm not sure that the information that these probes provide is at all
> damaging from a security standpoint. The probe just shows if the MAC
> filters are pre-filtering ethernet traffic or not.
Hm.
But our IP layer should reject packets with IPv4 unicast addresses, that are
targeted at link multicast addresses, right? (If I recall
${ROLE}_REQUIREMENTS right.)
So my guess at the description of the mechanism is that somehow
the M_MCAST/M_BCAST marking isn't done right in case of promiscuous
mode, and this is definitely a bug.
Regards,
-is