Problem with mac flooding

Thread: Problem with mac flooding

  1. #1
    Senior Member
    Join Date
    Oct 2002
    Posts
    1,130

    Problem with mac flooding

    I have a small network set up here as part of an assignment I am working on. It consists of a netware server, 2 clients and an IDS box. The NetWare server is not currently acting as a gateway, just a file server. This post is sent from inside that network, so everything must be otherwise functioning normally.

    My professor gave out 5 port D-Link switches for this assignment to everyone (DSS-5+). I need to flood this switch so it defaults to hub behaviour, a la ettercap/dsniff, to allow the IDS to pick up the traffic it needs to function. I would prefer to use port spanning, but a switch this simple doesn't allow it.

    On the IDS box, I do pick up some of the traffic sent during a flood, telling me that this attack is having at least some of the effect I need it to, but no other traffic can be picked up though. After the flood, it should take the switch some time to clear its mac tables and climb out of "failsafe" mode, but this doesn't happen. The switch does not default to a hub no matter how much the mac tables get flooded?

    Can D-Link switches be arp flooded? Or do they simply discard any mac addresses after the cache fills up? Or maybe is there another way to do this (besides using a hub)?
    Government is like fire - a handy servant, but a dangerous master - George Washington
    Government is not reason, it is not eloquence - it is force. - George Washington.

    Join the UnError community!
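The question in post #1, whether a full MAC table makes the switch flood everything or simply stop learning, can be illustrated with a toy model (an added example, not part of the thread and not D-Link firmware). The port numbers, table size and the two table-full policies are assumptions made for the illustration.

```python
from collections import OrderedDict

class LearningSwitch:
    """Toy learning switch with a fixed-size MAC table (constructed model)."""
    def __init__(self, ports, capacity, evict_when_full):
        self.ports = list(ports)
        self.capacity = capacity
        self.evict_when_full = evict_when_full  # assumed table-full policy
        self.table = OrderedDict()              # MAC -> port, oldest entry first

    def _learn(self, mac, port):
        if mac in self.table:
            self.table[mac] = port
            self.table.move_to_end(mac)         # refresh an existing entry
        elif len(self.table) < self.capacity:
            self.table[mac] = port
        elif self.evict_when_full:
            self.table.popitem(last=False)      # drop the oldest entry
            self.table[mac] = port
        # otherwise the table is full and the new address is not learned

    def forward(self, in_port, src, dst):
        """Return the list of egress ports for one frame."""
        self._learn(src, in_port)
        if dst in self.table:
            out = self.table[dst]
            return [] if out == in_port else [out]
        # unknown destination: flooded out of every other port
        return [p for p in self.ports if p != in_port]

def ids_visibility(evict_when_full, unknown_sources=64):
    """Return (flood frames seen on the IDS port, client->server frame seen?)."""
    sw = LearningSwitch([1, 2, 3, 4, 5], capacity=8,
                        evict_when_full=evict_when_full)
    server, client, ids_port = "server", "client", 5   # constructed hosts
    sw.forward(1, server, client)                      # normal traffic first,
    sw.forward(2, client, server)                      # so both hosts are learned
    flood_seen = 0
    for i in range(unknown_sources):                   # frames from unseen sources
        if ids_port in sw.forward(4, f"unseen-{i}", "nobody"):
            flood_seen += 1
    client_seen = ids_port in sw.forward(2, client, server)
    return flood_seen, client_seen

if __name__ == "__main__":
    print("stops learning when full:", ids_visibility(False))
    print("evicts oldest when full: ", ids_visibility(True))
```

In the model, a switch that stops learning keeps its entries for the real hosts, so the IDS port receives the frames addressed to unknown destinations but none of the client-to-server traffic, which matches the symptom described in the post.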

  2. #2
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604
    I'm not exactly sure I understand what you are trying to do. Is the assignment to cause the switch to "fail-open" or to use an IDS? If you just want IDS why not place your IDS box between the switch and gateway? If you are trying to flood the switch's table I assume you are using MACof that comes with dsniff, but honestly this isn't always (usually) effective. Usually a more specific attack with ARPspoof or Ettercap will yield better results.

    -Maestr0
    "If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier

  3. #3
    Senior Member
    Join Date
    Oct 2002
    Posts
    1,130
    Is the assignment to cause the switch to "fail-open" or to use an IDS?
    To clarify, the assignment is to build an entire network. The IDS system is only a small part of it. I need to make the switch fail open so I can sniff local traffic for attack signatures.

    The IDS needs to be able to identify internal attacks (ones not passing through the gateway), as well as external attacks. Normally this would be accomplished with port spanning, however that is not an option with the hardware available. ARP flooding is the best alternative I can think of.

  4. #4
    Junior Member
    Join Date
    Aug 2003
    Posts
    28
    You don't know anyone you can borrow a hub from for a while?

  5. #5
    Senior Member
    Join Date
    Oct 2002
    Posts
    1,130
    I don't know anyone who's used a hub in the last 3 or 4 years. Can't find one at the school, either. But I'm told that the Staples here has a bargain bin with a bunch of them for around $10. I should prolly go grab them, I could always find a use for a hub or two.

    The switch is also connected to two networks, and my network is effectively bridging them, which IT isn't too fond of. The switch limits the traffic passing between networks to a minimum. I'd like to be able to control when it's a hub and when it's not.

  6. #6
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    You already have your switch, buy the hub and with some creative placement you can still limit the traffic between the two nets and sniff all the local traffic (maybe even the pass-through traffic too....)
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  7. #7
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,914
    Originally posted here by Striek
    I don't know anyone who's used a hub in the last 3 or 4 years. Can't find one at the school, either. But I'm told that the Staples here has a bargain bin with a bunch of them for around $10. I should prolly go grab them, I could always find a use for a hub or two.

    The switch is also connected to two networks, and my network is effectively bridging them, which IT isn't too fond of. The switch limits the traffic passing between networks to a minimum. I'd like to be able to control when it's a hub and when it's not.
    Hey Hey,

    Hah, where in Canada are you? I just gave away a 24-port Cabletron hub at a presentation I made on DNS and WebServers... I've got a Dlink 16-port hub sitting under my desk (in use) and I've got a 5-port hub still sitting in the closet... I've also got a dlink 24 and another dlink 16 port sitting at a buddy's house collecting dust... I could have given you one. I love hubs... My roommate and I go through a switch... and everyone else goes through the hub...

    Peace,
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  8. #8
    Senior Member
    Join Date
    Oct 2002
    Posts
    1,130
    Peterborough, about 4 hours away from you right now. I will be going home to Mommy for the Christmas holidays to Brampton.

    Actually, if your get together gets going, I'll bring all my spare computer parts so we can trade whatever we don't want for something we do want. I'm sure quite a few of us in the area have oodles and gobbles of spare parts we'd love to trade off for something else lying around.

    That 24-port hub sounds nice... I've still got the first hub me and my brother ever used when we were like 15. It cost $70 for an 8 port hub at the time, and switches were around $400.