Problem with mac flooding

Printable View

December 7th, 2004, 02:35 AM
Striek

Problem with mac flooding

I have a small network set up here as part of an assignment I am working on. It consists of a netware server, 2 clients and an IDS box. The NetWare server is not currently acting as a gateway, just a file server. This post is sent from inside that network, so everything must be otherwise functioning normally.

My professor gave out 5 port D-Link switches for this assignment to everyone (DSS-5+). I need to flood this switch so it defaults to hub behaviour, a la ettercap/dsniff, to allow the IDS to pick up the traffic it needs to function. I would prefer to use port spanning, but a switch this simple doesn't allow it.

On the IDS box, I do pick up some of the traffic sent during a flood, telling me that this attack is having at least some of the effect I need it to, but no other traffic can be picked up though. After the flood, it should take the switch some time to clear its mac tables and climb out of "failsafe" mode, but this doesn't happen. The switch does not default to a hub no matter how much the mac tables get flooded?

Can D-Link switches be arp flooded? Or do they simply discard any mac addresses after the cache fills up? Or maybe is there another way to this (besides using a hub)?
December 7th, 2004, 07:38 PM
Maestr0

I'm not exactly sure I understand what you are trying to do. Is the assignment to cause the switch to "fail-open" or to use an IDS? If you just want IDS why not place your IDS box between the switch and gateway? I if you are trying to flood the switch's table I assume you are using MACof that comes with dsniff, but honestly this isnt always(usually) effective. Usually a more specific attack with ARPspoof or Ettercap will yield better results.

-Maestr0
December 7th, 2004, 08:46 PM
Striek

Quote:

Is the assignment to cause the switch to "fail-open" or to use an IDS?

To clarify, the assignment is to build an entire network. The IDS system is only a small part of it. I need to make the switch fail open so I can sniff local traffic for attack signatures.

The IDS needs to be able to identify inetrnal attacks (ones not passing through the gateway), as well as external attacks. Normally this would be accomplished with port spanning, however that is not an option with the hardware available. ARP flooding is the best alternative I can think of.
December 7th, 2004, 10:16 PM
comptech2

You don't know anyone you can borrow a hub from for a while?
December 8th, 2004, 05:24 AM
Striek

I don't know anyone who's used a hub in the last 3 or 4 years. Can't find one at the school, either. But I'm told that the Staples here has a bargain bin with a bunch of them for around $10. I should prolly go grab them, I could always find a use for a hub or two.

The switch is also connected to two networks, and my network is effectively bridging them, which IT isn't too fond of. The switch limits the traffic passing between networks to a minimum. I'd like to be able to control when it's a hub and when it's not.
December 8th, 2004, 02:09 PM
Tiger Shark

You already have your switch, but the hub and with some creative placement you can still limit the traffic between the two nets and sniff all the local traffic, (maybe even the pass-through traffic too.... ;))
December 8th, 2004, 06:59 PM
HTRegz

Quote:

Originally posted here by Striek
I don't know anyone who's used a hub in the last 3 or 4 years. Can't find one at the school, either. But I'm told that the Staples here has a bargain bin with a bunch of them for around $10. I should prolly go grab them, I could always find a use for a hub or two.

The switch is also connected to two networks, and my network is effectively bridging them, which IT isn't too fond of. The switch limits the traffic passing between networks to a minimum. I'd like to be able to control when it's a hub and when it's not.

Hey Hey,

Hah where in Canada are you? I just gave away a 24-port Cabletron hub at a presentation I made on DNS and WebServers... I've got a Dlink 16-port hub sitting under my desk (in use) and I've got a 5-port hub still sitting in the closet... I've also got a dlink 24 and another dlink 16 port sitting at a buddies house collecting dust... I could have given you one. I love hubs... My roommate and I go through a switch... and everyone else goes through the hub... :)

Peace,
HT
December 8th, 2004, 07:21 PM
Striek

Peterborough, about 4 hours away from you right now. I will be going home to Mommy for the Christmas holidays to Brampton.

Actually, if your get together gets going, I'll bring all my spare computer parts so we can trade whatever we don't want for something we do want. I'm sure quite a few of us in the area have oodles and gobbles of spare parts we'd love to trade off for something else lying around.

That 24-port hub sounds nice... I've still got the first hub me and my brother ever used when we were like 15. It cost $70 for an 8 port hub at the time, and switches were around $400.