[VOIPSEC] Re: Voipsec Digest, Vol 2, Issue 33
Robert Moskowitz
rgm at icsalabs.com
Mon Feb 28 18:17:15 CST 2005
At 01:28 PM 2/27/2005, Michael Todd wrote:
>Perhaps my e-mail was vague. You don't need administrative access to a
>switch to snoop packets on a switched network. Nor do you even need to
>reconfigure the switch at all. On a switched network, you can send a
>gratuitous arp to an end station saying that *your* MAC address should be
>used to reach the gateway's IP address. You can then send a gratuitous arp
>to the *gateway* stating that *your* mac address should be used to reach
>the endstation mentioned above. Then turn on IP forwarding. As I
>mentioned, this has nothing to do with administrative access to a switch.
>As long as you are on the same VLAN as the endpoint you wish to sniff
>and both the gateway and endstations accept gratuitous arp packets, it is
>trivial. As I mentioned, I have done this in the lab with VoIP packets.
Cisco has a hack that registers DHCP requests coming through the
router. Then when it sees an ARP saying a different MAC address has the IP
address it saw in that DHCP response, it ignores it.
This is far from a 1000% cure. There are ways around it. The network has
to be architected properly. The router has to support it, and the DHCP
server has to be on another segment (the router doing DHCP forwarding). So some
sites do a reasonable job of protecting themselves from this attack. But
not perfect by any means.
Robert Moskowitz
Senior Technical Director
ICSA Labs, a division of Cybertrust, Inc.
W: 248-968-9809
F: 248-968-2824
E: rgm at icsalabs.com
There's no limit to what can be accomplished
if it doesn't matter who gets the credit
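The two halves of this exchange, the ARP poisoning Michael describes and the DHCP-binding check Robert describes, in working form. This is an added example, not code from either poster and not Cisco's implementation: the frames are built inline with struct, all IP and MAC addresses are constructed, and the `ArpInspector` class models what a DHCP-snooping / dynamic-ARP-inspection device does (learn IP-to-MAC bindings from relayed DHCP ACKs, then reject ARP whose sender pair contradicts a binding). The `strict` flag and `add_static_binding` helper are this example's own names for the two policy knobs that decide the caveat Robert raises: a host with no DHCP binding (the gateway, or any statically addressed box) is either unchecked or must be bound by hand.

```python
"""ARP poisoning on a switched VLAN, and a DHCP-snooping-style check against it.

Added example, not from the list thread. Addresses are constructed; the
binding table models what a DHCP-snooping device learns from the DHCP ACKs
it relays, plus static entries for hosts that never use DHCP.
"""
from __future__ import annotations
import struct
from dataclasses import dataclass
from typing import Optional

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def ip_bytes(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(op: int, sender_mac: str, sender_ip: str, target_mac: str,
              target_ip: str, eth_src: Optional[str] = None) -> bytes:
    """Ethernet II + ARP (htype 1, ptype IPv4). eth_src lets the Ethernet source
    differ from the ARP sender MAC, a mismatch the inspector also rejects."""
    eth_dst = target_mac if op == ARP_REPLY else BCAST
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src or sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      mac_bytes(sender_mac), ip_bytes(sender_ip),
                      mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


@dataclass(frozen=True)
class Arp:
    eth_src: str
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def parse_arp(frame: bytes) -> Optional[Arp]:
    """Return the ARP fields of an IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < 42:
        return None
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return Arp(mac_str(src), op, mac_str(sha), ip_str(spa), mac_str(tha), ip_str(tpa))


class ArpInspector:
    """Validates ARP sender (IP, MAC) pairs against a binding table, as a
    DHCP-snooping / dynamic-ARP-inspection device does on untrusted ports."""

    def __init__(self, strict: bool = False):
        self.bindings: dict[str, str] = {}
        self.strict = strict  # strict: drop senders that have no binding at all

    def learn_dhcp_ack(self, yiaddr: str, chaddr: str) -> None:
        """Called per relayed DHCP ACK: yiaddr is the leased IP, chaddr the client MAC."""
        self.bindings[yiaddr] = chaddr.lower()

    def add_static_binding(self, ip: str, mac: str) -> None:
        """For hosts that never DHCP (the gateway itself); otherwise they are uncovered."""
        self.bindings[ip] = mac.lower()

    def check(self, frame: bytes) -> tuple[str, str]:
        a = parse_arp(frame)
        if a is None:
            return "pass", "not an IPv4-over-Ethernet ARP frame"
        if a.sender_mac != a.eth_src:
            return "drop", f"ARP sender {a.sender_mac} != Ethernet source {a.eth_src}"
        bound = self.bindings.get(a.sender_ip)
        if bound is None:
            if self.strict:
                return "drop", f"no binding for {a.sender_ip}"
            return "pass", f"no binding for {a.sender_ip}; unchecked (static host?)"
        if bound != a.sender_mac:
            return "drop", f"{a.sender_ip} is bound to {bound}, frame claims {a.sender_mac}"
        return "pass", "sender matches binding"


# Constructed lab addresses (not from the thread).
GW_IP, GW_MAC = "10.0.0.1", "00:11:22:33:44:01"
VICTIM_IP, VICTIM_MAC = "10.0.0.20", "00:11:22:33:44:20"
ATTACKER_IP, ATTACKER_MAC = "10.0.0.66", "cc:cc:cc:cc:cc:66"


def poison_frames() -> list[bytes]:
    """The two replies from the quoted post: tell the victim that the gateway IP
    is at the attacker's MAC, and tell the gateway that the victim IP is too."""
    to_victim = build_arp(ARP_REPLY, ATTACKER_MAC, GW_IP, VICTIM_MAC, VICTIM_IP)
    to_gateway = build_arp(ARP_REPLY, ATTACKER_MAC, VICTIM_IP, GW_MAC, GW_IP)
    return [to_victim, to_gateway]


def run_demo(strict: bool = False) -> list[str]:
    """Verdicts for: the two poison replies, an honest reply, a host with no binding."""
    insp = ArpInspector(strict=strict)
    insp.learn_dhcp_ack(VICTIM_IP, VICTIM_MAC)      # seen in a relayed DHCP ACK
    insp.learn_dhcp_ack(ATTACKER_IP, ATTACKER_MAC)  # the attacker is a normal DHCP client too
    insp.add_static_binding(GW_IP, GW_MAC)          # the gateway never DHCPs
    frames = poison_frames() + [
        build_arp(ARP_REPLY, VICTIM_MAC, VICTIM_IP, GW_MAC, GW_IP),             # honest reply
        build_arp(ARP_REPLY, "00:11:22:33:44:99", "10.0.0.99", GW_MAC, GW_IP),  # static host, unbound
    ]
    return [insp.check(f)[0] for f in frames]


if __name__ == "__main__":
    for mode in (False, True):
        print("strict" if mode else "permissive", run_demo(strict=mode))
```

Both poison replies are dropped because each claims an IP that the binding table already ties to a different MAC. The fourth frame is the gap Robert points at: a host the DHCP relay never saw has no binding, so a permissive policy passes whatever it says, and a strict policy cuts off every legitimately static host along with the attacker; the usual fix is static bindings plus marking the router's port trusted. Also note that the attacker's own lease does not help him: the check is on the IP he claims to be, not on whether his MAC is known.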