[nsp-sec] How to hijack traffic for an entire Content/AdCompany - ARP Poisoning revisited - 8800.org / 6600.org badness
Dario Ciccarone (dciccaro)
dciccaro at cisco.com
Thu Apr 10 15:21:36 EDT 2008
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
As the paper itself points out, Cisco (and yeah, I work for
Cisco, and no, this is not a marketing blurb) has implemented
DAI (Dynamic ARP Inspection) together with DHCP Snooping to
prevent this scenario. I mention DHCP Snooping because it is a
prerequisite for DAI to work - DAI relies on the table built by
DHCP snooping. In a non-DHCP environment, ARP ACLs. And also check
"IP Source Guard".
All those features are available on Cat6K, 7600s, 3750, 3560 and
others. And I *think* other vendors have implemented similar
features on their products - check with the vendor of your choice
:)
And as a final note - there's even a book about this all. "LAN
Switch Security: What Hackers Know About Your Switches" -
http://www.amazon.com/LAN-Switch-Security-Networking-Technology/dp/1587052563/ref=pd_bbs_sr_1?ie=UTF8&s=books&qid=1207855190&sr=8-1
- have to admit I've read many Cisco books, some of them
better than others (ahem, some very crappy ;)). This one
deserves a look, IMHO.
Thanks,
Dario
Dario Ciccarone <dciccaro at cisco.com>
Incident Manager - CCIE #10395
Product Security Incident Response Team (PSIRT)
Cisco Systems, Inc.
+1 212 714 4218
PGP Key ID: 0xBA1AE0F0
http://www.cisco.com/go/psirt
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
> Danny McPherson
> Sent: Thursday, April 10, 2008 2:40 PM
> To: NSP-SEC List
> Subject: Re: [nsp-sec] How to hijack traffic for an entire
> Content/AdCompany - ARP Poisoning revisited - 8800.org /
> 6600.org badness
>
> ----------- nsp-security Confidential --------
>
>
> On Mar 27, 2008, at 10:29 AM, Sean Donelan wrote:
> > ----------- nsp-security Confidential --------
> >
> > On Thu, 27 Mar 2008, Chris Morrow wrote:
> >> so.. port-security is a solved problem for datacenters no??
> >> Also, Barry should chime in here with some more/other direct
> >> experience... Barry??
> >
> > Nope, not really a solved problem. Now think about the fun
> > you can have with metro-wide, country-wide carrier ethernet
> > systems being deployed. The amount of changes necessary to
> > the "defaults" is insane. Not just bad stuff, but also the
> > junk traffic.
> >
> > Friends don't let friends do ARP.
>
> Note that this is what some of the SAVI work in the IETF was
> aiming to solve. It's still progressing, albeit slowly.
> Basically, mechanisms for {port,mac,IP} dynamic binding.
>
> If you've got interest or ideas here's a pointer to the
> mailing list:
>
> http://mail.nrc.tsinghua.edu.cn/cgi-bin/mailman/listinfo/sava
>
> -danny
>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the
> nsp-security
> community. Confidentiality is essential for effective
> Internet security counter-measures.
> _______________________________________________
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1
iQA/AwUBR/5owIyVGB+6GuDwEQIj8gCgsHkoYR5nB9MrNIQm/8rbOchzLVEAoLcS
DHATE1QxU24blPgfzHQl09Er
=6mFa
-----END PGP SIGNATURE-----
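An added illustration of the switch-side mitigation described in the message above (DHCP Snooping as the prerequisite for DAI, an ARP ACL for statically addressed hosts, and IP Source Guard), written in Cisco IOS configuration syntax for a Catalyst access switch. This is an example added here, not configuration from the original post or from Cisco; the VLAN number, interface names, IP addresses and MAC addresses are assumed values chosen for illustration.

```cisco
! Added example (not from the original post): DHCP Snooping + DAI + IP Source Guard
! on a Catalyst access switch. VLAN 10, interface names, IP and MAC values are assumed.
!
! 1. DHCP Snooping first: DAI validates ARP packets against the binding table
!    that DHCP Snooping builds, so it must be enabled on the same VLAN(s).
ip dhcp snooping
ip dhcp snooping vlan 10
! Persist the binding table so a reload does not cut off every host until it renews.
ip dhcp snooping database flash:dhcp-snooping.db
!
! 2. Dynamic ARP Inspection on the same VLAN; additionally check that the Ethernet
!    source/destination MACs and the IP addresses in the ARP body are sane.
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! 3. Hosts with static addresses never appear in the snooping table, so they are
!    permitted through an ARP ACL instead (the "non-DHCP environment" case).
arp access-list STATIC-HOSTS
 permit ip host 10.10.10.5 mac host 0000.1111.2222
! Without the trailing "static" keyword, ARP packets the ACL does not match fall
! through to the DHCP snooping bindings; add "static" only on a VLAN with no DHCP
! clients, because it then drops everything the ACL does not explicitly permit.
ip arp inspection filter STATIC-HOSTS vlan 10
!
! Uplink toward the DHCP server / distribution layer: trusted for both features.
! Any other port stays untrusted (the default), which is where the protection lives.
interface GigabitEthernet1/0/48
 description uplink
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! Host-facing access ports: untrusted, rate-limited ARP (15 pps), and IP Source
! Guard so a host can only send IP traffic from the address bound to its port.
interface range GigabitEthernet1/0/1 - 47
 switchport mode access
 switchport access vlan 10
 ip arp inspection limit rate 15
 ip verify source
!
! A port that exceeds the ARP rate limit goes err-disabled; let it recover on its own
! so an ARP storm is contained without a manual shut/no shut.
errdisable recovery cause arp-inspection
!
! Verification and detection (watch the "Dropped"/"DHCP Drops" counters and the
! %SW_DAI syslog messages for ports that are sourcing bogus ARP):
!   show ip dhcp snooping binding
!   show ip arp inspection vlan 10
!   show ip arp inspection statistics vlan 10
!   show ip verify source
```

The order matters: enabling DAI on a VLAN before DHCP Snooping has populated its binding table, or before the uplink is marked trusted, drops legitimate ARP from every host on that VLAN. Roll it out by enabling snooping first, confirming `show ip dhcp snooping binding` is populated, trusting the uplinks, and only then enabling inspection.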