Re: Attacking our pc router at work

---

• From: Michal Mertl <michal.mertl@xxxx>
• Date: Wed, 05 Apr 2006 15:19:06 +0200

---

Mark Jayson Alvarez wrote:

Hi,

I have one question. What if I change my ip and mac address at the
same time to that of our pcrouter's ip and mac... Will this going to
kick out that router in our network, causing the rest of the entire
lan to be out of service?? No one's gonna caught me right?? Arpwatch
can only watch if an ip address has moved to another mac address but
not when both ip and mac has moved to another ip and mac... Do you
know any possible solution to this??

Your question is off topic for this list.

Use inteligent switches (not hubs) and port security (you can allow only
a specific MAC address behind a switch port). You could also use static
entries on the switch for some MAC addresses (entry on a switch is a MAC
address + port behind which the address can be found) but that isn't as
safe. An attacker can generate traffic with lots of source MAC
addresses. Every switch has limited memory to store the MAC addresses
and usually when the table is full it starts working as a hub. A
sophisticate attacker may still be able to contaminate end stations - if
he sends a gratuitous ARP reply to a station where he pretends he is the
router (changes the MAC address), he will receive the traffic for the
router and can also then make man-in-the-middle attacks (insert himself
into forwarding chain of the station).

More sophisticated solution is using 802.1x - port-based authentication
- a switch will only start forwarding traffic to you once you
authenticate and you of course shouldn't be able to authenticate as the
server.

On FreeBSD you can disable ARP and/or create static ARP entries and it
will protect you a little but you also need to configure some protection
on the network infrastructure.

It's quite a complex issue to protect against this type of attack and I
am no real guru so please take what I said with a grain of salt.

HTH

Michal

_______________________________________________
freebsd-questions@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@xxxxxxxxxxx"

---

• References:
  • Attacking our pc router at work
    • From: Mark Jayson Alvarez

• Prev by Date: Re: FreeBSD stickers
• Next by Date: Re: re-attaching STDOUT
• Previous by thread: RE: Attacking our pc router at work
• Next by thread: FreeBSD stickers
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: Network setup problem. ... They work with Mac addresses (well the switch does), ... Type IPCONFIG /RELEASE * ... If all the computers are getting IP addresses from the router, ... (comp.security.firewalls) Re: Leopard market share??? ... GreyCloud wrote: ... another Mac. ... Airport Extreme connected to switch and to ... he doesn't have another router. ... (comp.sys.mac.advocacy) Re: Leopard market share??? ... only), MacBook Pro C2Duo connecting wirelessly, Mac Pro directly connected to switch. ... Airport Extreme connected to switch and to cable modem. ... Ethernet configured automatically (If the MP is set to a large MTU it can no longer administer the Airport Extreme!) ... he doesn't have another router. ... (comp.sys.mac.advocacy) Re: ISA Server 2000 NLB on Windows Server 2003 ... You need to add static ARP entries on the router (or layer 3 switch ... MAC addresses with a lead byte of 03. ... explains why you can ping the NLB address locally, ... if you want to add static CAM entries on the switch at ... (microsoft.public.isa.configuration) Re: Leopard market share??? ... another Mac. ... Airport Extreme connected to switch and to ... he doesn't have another router. ... (comp.sys.mac.advocacy)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• Mailing-Lists
• Newsgroups
• About
• Privacy
• Search
• Imprint

unix.derkeiler.com  > Mailing-Lists  > FreeBSD  > questions  > 2006-04