Security

  • unswitched behavior of a switched network...

    13 answers - 1624 bytes

    Greetings,
    I've got a situation here that I can't quite figure out. It is well
    known that it is possible to cause a switched network to act like an
    unswitched network by flooding the CAM table. There are countless tools
    and documents out there that cover the offensive and defensive measures
    related to this issue.
    While this isn't Cisco's official documentation on this issue,
    http://xrl.us/r8k7 says:
    "Content-addressable memory (CAM) overflow: A CAM table is used to
    determine where to direct incoming frames depending on which port the
    incoming MAC address came from. When the CAM receives a frame with an
    unknown destination, the proper procedure is to flood frames within
    the acceptable Layer 2 domain (the proper VLAN). Hardware and
    software tools are available (some for free), that can flood a switch
    with MAC addresses. When the CAM table limit is exceeded, switches
    behave differently depending on the brand of the switch."
    My question is, has anyone seen a situation where the same broadcast
    behavior occurs, but the CAM table itself is not overloaded and there is
    no good reason for entries to be expiring? Furthermore, even if the
    entries were expired, has anyone encountered situations (malicious or
    otherwise), where a given port will receive traffic outside of its own
    L2?
    Thanks,
    -jon
    This List Sponsored by: Cenzic
    Need to secure your web apps?
    Cenzic Hailstorm finds vulnerabilities fast.
    Click the link to buy it, try it or download Hailstorm for FREE.
  • No.1 | 1989 bytes

    Some routers have an option of dumping all traffic to a given port, so
    if you are connected to the right router port you will see everything
    as if it was a hub. At least I already saw a router configured that
    way; that port was connected to a computer that was dedicated to
    running snort.


  • No.2 | 2280 bytes

    Is all traffic being "broadcasted"? Can you narrow it down to a
    specific host that's common to all of the traffic, perhaps a gateway
    device? If you're doing multicasting on a gateway device
    (multicasting using unicast addressing), you would get the type of
    behavior that you're describing. I've seen this exact situation
    before, actually.

    BN


  • No.3 | 2667 bytes

    hi jon,

    i had a similar situation in a switched environment. certain frames to a
    particular server were to be seen at every port on all switches within the
    same vlan. the reason was that the server was attached with several cards for
    loadbalancing. arp requests for the virtual address were answered by each
    server card, but when the client sent ip packets using the learned virtual mac
    the server cards replied using their physical address, which is stupid since
    the vmac was never used as a source and so it could not be learned by the
    switches. as a result frames that had the vmac as a destination were always
    flooded. also a nice example on how to turn expensive network equipment into
    a hub :)

    regards

    jan

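    A small learning-switch model, added here as an illustration (it is not code from the list or from Cisco), that reproduces the two flooding causes discussed above: the CAM-overflow case quoted in the original post (table full, so new source MACs are not learned; what a real switch does then is vendor-specific, as the quote says) and Jan's load-balancer case (the virtual MAC never appears as a frame source, so the switch never learns a port for it). All MAC addresses and port names are constructed.

```python
from collections import OrderedDict

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group_address(mac):
    # Low bit of the first octet set: multicast or broadcast destination.
    return bool(int(mac.split(":")[0], 16) & 1)


class LearningSwitch:
    """Minimal source-learning switch with a bounded CAM table."""

    def __init__(self, ports, cam_capacity):
        self.ports = list(ports)
        self.cam_capacity = cam_capacity
        self.cam = OrderedDict()  # MAC -> port
        self.flooded_unicast = 0  # unicast frames sent out of every port

    def learn(self, src, port):
        if src in self.cam:
            self.cam[src] = port
        elif len(self.cam) < self.cam_capacity:
            self.cam[src] = port
        # else: table full, the source is simply not learned (modelled as
        # "drop new learns"; real switches differ by vendor, as the quoted
        # Cisco text says)

    def forward(self, ingress, src, dst):
        """Return the list of ports the frame is sent out of."""
        self.learn(src, ingress)
        all_others = [p for p in self.ports if p != ingress]
        if is_group_address(dst):
            return all_others                # broadcast/multicast: expected flood
        if dst in self.cam and self.cam[dst] != ingress:
            return [self.cam[dst]]           # known unicast: single port
        self.flooded_unicast += 1
        return all_others                    # unknown unicast: hub behaviour


def vmac_scenario():
    """Jan's case: clients address a virtual MAC that no server NIC ever
    uses as a source, so it is never learned and every frame is flooded."""
    sw = LearningSwitch(ports=["p1", "p2", "p3", "p4"], cam_capacity=1024)
    vmac = "02:bf:0a:00:00:01"            # constructed virtual MAC
    srv_a, srv_b = "00:11:22:33:44:01", "00:11:22:33:44:02"
    client = "00:aa:bb:cc:dd:ee"
    sw.forward("p3", client, BROADCAST)   # client ARPs; switch learns it on p3
    sw.forward("p1", srv_a, client)       # each server NIC replies from its
    sw.forward("p2", srv_b, client)       # physical MAC, which gets learned
    last = None
    for _ in range(3):                    # client keeps sending to the vMAC
        last = sw.forward("p3", client, vmac)
    return sw.flooded_unicast, last       # -> (3, ['p1', 'p2', 'p4'])


def overflow_scenario():
    """Original post's case: the CAM table is full, so a legitimate host's
    source MAC is never learned and frames to it are flooded."""
    sw = LearningSwitch(ports=["p1", "p2", "p3"], cam_capacity=4)
    for i in range(4):                    # table filled with junk sources
        sw.forward("p1", "de:ad:be:ef:00:%02x" % i, BROADCAST)
    victim = "00:11:22:33:44:55"
    sw.forward("p2", victim, BROADCAST)   # victim ARPs but cannot be learned
    return sw.forward("p3", "00:66:77:88:99:aa", victim)  # -> ['p1', 'p2']


if __name__ == "__main__":
    print(vmac_scenario(), overflow_scenario())
```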

  • No.4 | 623 bytes

    > Some routers have an option of dumping all traffic to a given port, so
    > if you are connected to the right router port you will see everything
    > as if it was a hub. At least I already saw a router configured that
    > way; that port was connected to a computer that was dedicated to
    > running snort.

    Just to clarify, I'm pretty sure you're talking about switches that have
    a "mirror" port.


  • No.5 | 2561 bytes

    I can think of a couple of possibilities. 1) This is
    broadcast/multicast traffic. 2) The MAC addresses are unknown to the
    switch (so it will flood to find them). 3) The port could be a trunk or
    a mirror of a trunk.

    Buz

    Krugger wrote:

    Some routers have an option of dumping all traffic to a given port, so
    if you are connected to the right router port you will see everything
    as if it was a hub. At least I already saw a router configured that
    way; that port was connected to a computer that was dedicated to
    running snort.

  • No.6 | 781 bytes

    On Friday 13 October 2006 at 09:32 -0700, Jon Hart wrote:

    Furthermore, even if the entries were expired, has anyone encountered
    situations (malicious or otherwise), where a given port will receive
    traffic outside of its own L2?

    I recently saw that on a Cisco Catalyst 6500 L3 switch with an up-to-date
    IOS image. On some ports of a Gigabit slot, we sometimes see unicast
    traffic of other VLANs or destined to other IP addresses of the same
    VLAN.

    I wasn't able to explain this behaviour; it could be a hardware problem.

    Nicob


  • No.7 | 3257 bytes

    Sorry for my simple question.
    But what kind of broadcast do you discover?
    Perhaps you have a loop in your network, or even a sort of spanning tree
    (double connected wire to switch) which spams your network?!

    Florian

    Ben Nell wrote:
    Is all traffic being "broadcasted"? Can you narrow it down to a
    specific host that's common to all of the traffic, perhaps a gateway
    device? If you're doing multicasting on a gateway device
    (multicasting using unicast addressing), you would get the type of
    behavior that you're describing. I've seen this exact situation
    before, actually.

    BN


  • No.8 | 2868 bytes

    This is a common behaviour with M$ NLB. X-S
    Analogously (e.g. for load balancing) it could be possible that one of
    the end-points of the communications you're seeing is using ARP
    replies that contain a MAC address that doesn't match the one used in
    its ethernet frames (i.e. the one that switches learn).

    On Sun, 2006-10-15 at 20:03 -0500, Ben Nell wrote:
    Is all traffic being "broadcasted"? Can you narrow it down to a
    specific host that's common to all of the traffic, perhaps a gateway
    device? If you're doing multicasting on a gateway device
    (multicasting using unicast addressing), you would get the type of
    behavior that you're describing. I've seen this exact situation
    before, actually.

    BN


  • No.9 | 1314 bytes

    This can be done both on switches and routers. On Cisco routers you would use a route-map to basically copy all traffic passing through one interface to another interface. Possible uses would be for IDS setups and probably other uses. On switches it would be known as port mirroring.

    David Swafford.

    Ron <ron (AT) gwndev (DOT) com> wrote on 10/16/2006 3:49 pm:

    > Some routers have an option of dumping all traffic to a given port, so
    > if you are connected to the right router port you will see everything
    > as if it was a hub. At least I already saw a router configured that
    > way; that port was connected to a computer that was dedicated to
    > running snort.
    > Just to clarify, I'm pretty sure you're talking about switches that have
    > a "mirror" port.


  • No.10 | 905 bytes

    On Mon, Oct 16, 2006 at 03:55:43PM -0400, Buz Dale wrote:
    I can think of a couple of possibilities. 1) This is
    broadcast/multicast traffic. 2) The mac addresses are unknown to the
    switch (So it will flood to find them.) 3) The port could be a trunk or
    a mirror of a trunk.

    I am also seeing normal broadcast/multicast traffic, but that is to be
    expected. #3 is not the case here.

    As for #2, that's kinda where I was going with my original question --
    why would a switch that is processing a session between two endpoints
    suddenly forget the MAC? Yes, there are timeouts in play here, but
    aren't those along the lines of several minutes?

    Thanks,
    -jon

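    Ben's suggestion to narrow the flooded traffic down to one common destination, Buz's list of possibilities and Jon's note that broadcast/multicast is expected anyway, turned into a host-side check. This is an added example, not code from the list: the frames are constructed Ethernet II headers standing in for a capture, and every MAC address (including the "virtual MAC") is hypothetical.

```python
import struct
from collections import Counter

def mac_str(raw):
    return ":".join("%02x" % b for b in raw)

def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))

def parse_ethernet(frame):
    """Return (dst, src, ethertype) from a raw Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return mac_str(dst), mac_str(src), ethertype

def classify(dst, my_mac):
    """Broadcast/multicast reach every port by design (Buz's point 1);
    unicast to another host's MAC is the hub-like symptom Jon describes."""
    if dst == "ff:ff:ff:ff:ff:ff":
        return "broadcast"
    if int(dst[:2], 16) & 1:
        return "multicast"
    return "unicast-to-me" if dst == my_mac else "unicast-to-other"

def build_frame(dst, src, ethertype=0x0800, payload=b"\x00" * 46):
    return struct.pack("!6s6sH", mac_bytes(dst), mac_bytes(src), ethertype) + payload

def flood_report(frames, my_mac):
    """Count each frame class and tally the foreign destinations, so the
    common target (a gateway, an NLB virtual MAC, ...) stands out."""
    kinds, foreign_dst = Counter(), Counter()
    for frame in frames:
        dst, _src, _ethertype = parse_ethernet(frame)
        kind = classify(dst, my_mac)
        kinds[kind] += 1
        if kind == "unicast-to-other":
            foreign_dst[dst] += 1
    return kinds, foreign_dst

def most_flooded_destination(frames, my_mac):
    _, foreign_dst = flood_report(frames, my_mac)
    return foreign_dst.most_common(1)[0] if foreign_dst else None

# Constructed capture of what a host on an affected port might see.
MY_MAC = "00:aa:bb:cc:dd:ee"
VMAC = "02:bf:0a:00:00:01"                      # hypothetical NLB virtual MAC
SAMPLE = [
    build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:01", 0x0806),  # ARP request
    build_frame("01:00:5e:00:00:fb", "00:11:22:33:44:02"),          # IP multicast
    build_frame(MY_MAC, "00:11:22:33:44:01"),                       # addressed to us
    build_frame(VMAC, "00:11:22:33:44:03"),                         # flooded unicast
    build_frame(VMAC, "00:11:22:33:44:04"),
    build_frame(VMAC, "00:11:22:33:44:05"),
    build_frame("00:11:22:33:44:09", "00:11:22:33:44:03"),          # flooded unicast
]

if __name__ == "__main__":
    kinds, foreign_dst = flood_report(SAMPLE, MY_MAC)
    print(dict(kinds))                               # 4 unicast-to-other
    print(most_flooded_destination(SAMPLE, MY_MAC))  # (VMAC, 3)
```

    A destination that keeps topping the foreign list while the local CAM tables show no sign of overflow points at the "never learned because never sourced" case from earlier in the thread rather than at table exhaustion.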

  • No.11 | 980 bytes

    Hello Jon,

    As for #2, that's kinda where I was going with my original question --
    why would a switch that is processing a session between two endpoints
    suddenly forget the MAC? Yes, there are timeouts in play here, but
    aren't those along the lines of several minutes?

    I'm no switch expert, but your last comment caused a hypothesis to pop
    into mind. Do any of your hosts have hard-coded MAC addresses set up?
    This isn't common, but if you're trying to prevent ARP poisoning, one
    might do this. If you were to do this, and not tell the switch which
    ports had those MACs, then it wouldn't get a chance to learn those MACs
    since those hosts wouldn't bother sending ARP requests, right? Just a
    thought.


  • No.12 | 388 bytes

    All,

    I've let the last few posts on this subject today go through (you'll be
    seeing them hit your inbox shortly) but unless this steers back toward a
    pen-test focused discussion I'll reject further posts. The topic is
    interesting and has covered a lot of routing concepts and aspects but this
    is a pen-testing list and not Cisco support :)

    Thanks,
  • No.13 | 575 bytes

    Usually a lurker - try looking for macof for CAM overflow attacks and
    think basic traffic flooding.

    Found this as a pretty good start

    -Dave

    Erin Carroll wrote:
    All,

    I've let the last few posts on this subject today go through (you'll be
    seeing them hit your inbox shortly) but unless this steers back toward a
    pen-test focused discussion I'll reject further posts. The topic is
    interesting and has covered a lot of routing concepts and aspects but this
    is a pen-testing list and not Cisco support :)

    Thanks,
