Some very strange network behaviors

Date: Thu, 11 Sep 2003 13:35:37 -0700
From: Crist Clark <crist.clark@globalstar.com>

Mike Lewinski wrote:
>

[...snip...]

OS's IP stack is misbehaving badly, Zone Alarm should not see the traffic
on the LAN that does not have his MAC address on it.

How would a switch/router be deciding that these other IP addresses
should go to his PC's NIC (MAC address)?

Unless the switch got confused when the MAC address changed as it
did...? Then the switch would go into "broadcast" or "flood" mode
where every packet is delivered to every port because the switch doesn't
know where to send it.

Regards,
Gregory Hicks

Gregory Hicks wrote:

> Date: Thu, 11 Sep 2003 13:35:37 -0700
> From: Crist Clark <crist.clark@globalstar.com>
>
> Mike Lewinski wrote:
> >
[...snip...]
> OS's IP stack is misbehaving badly, Zone Alarm should not see the traffic
> on the LAN that does not have his MAC address on it.
>
> How would a switch/router be deciding that these other IP addresses
> should go to his PC's NIC (MAC address)?

Unless the switch got confused when the MAC address changed as it
did...? Then the switch would go into "broadcast" or "flood" mode
where every packet is delivered to every port because the switch doesn't
know where to send it.

Even if a switch floods all ports, it does not change the fact the packet
will not have the correct MAC address and his NIC should never pass it
up the stack. Switches do not rewrite the Ethernet addresses on packets.


Correct, ethernet switches do not. The question is, what were the systems
in question connecting to? Many hotels bought into proprietary broadband
systems, some of which are still in service. Just because there's an
ethernet port in the room says nothing about the hotel's internal net.

Some of them did (do) a very poor job of encapsulating or translating the
ethernet (or even layer 3, some of them were IP-only) at the room, converting
to some other p-t-p method (i.e. atm pvc logic, similar to dsl), and again
converting (badly) back downstairs. It's entirely possible the next IP
speaking box in line does not, in fact, know what the MAC of the client PC
on the end of the line actually is. Room 2037A gets the traffic for room
2037A, regardless of what the router's arp cache or the switch's mac map
actually says. The MAC seen may very well be generated by the concentrating
equipment and not the peecee. Even if the IP is negotiated with the node,
a la pppoe, there's no certainty that the traffic isn't modified in between.
Without speaking to someone "in the know" about the hotel, there's no telling
what actually happened.

All of which misses the issue he suggested, that traffic in any public arena
must be viewed as suspect. Yes, corporations who rely on an edge firewall
solution and do not standardize on some form of node protection and audit
process are likely exposing themselves to this sort of thing all the time.
Should they fix it? Probably, but few of them are employing me/us, so
there's nothing I or most here can do about it. That's not a technical
problem. :-\

For those still interested, here is the status of this issue.

I suspect that my NIC is in promiscuous mode - I run winpcap for traffic
monitoring on my home network. Of course in the world of Microsoft it
isn't always straightforward to determine these things! So it isn't a
great surprise that some packets were detected by me. What is still a
surprise is that the packets were allowed in through the border
gateways. I am having a conference call today with the network security
people from the hotel chain to see if we can come up with a better
approach!

And then of course there is still the problem that from my room, I can
use network neighborhood (using MS terminology) and see the computers of
many of the guests. I just hope that none of them had file sharing on!
Of course since the press releases from the company suggest that users
will have the same level of security when in the hotel as when in
their own offices, the likelihood of anyone remembering to turn file
sharing off is nil.

If anything interesting comes out of this, I will repost.

Chris
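
Added example, not part of the thread or written by any of its participants: a small model of the NIC receive filter discussed above, run over frames as they would arrive on a port while a switch is flooding, first with the filter in its normal state and then in promiscuous mode. The MAC addresses, frames and function names are constructed for illustration.

```python
import struct

BROADCAST = b"\xff" * 6

def mac(text):
    """Convert 'aa:bb:cc:dd:ee:ff' to 6 raw bytes."""
    return bytes(int(part, 16) for part in text.split(":"))

def build_frame(dst, src, ethertype=0x0800, payload=b""):
    """Build an Ethernet II frame (no FCS), padded to the 60-byte minimum."""
    frame = mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload
    return frame.ljust(60, b"\x00")

def nic_accepts(frame, own_mac, multicast_groups=(), promiscuous=False):
    """Return (accepted, reason) for the NIC's receive filter."""
    if len(frame) < 14:
        return False, "runt"
    dst = frame[:6]
    if dst == mac(own_mac):
        return True, "unicast-to-us"
    if dst == BROADCAST:
        return True, "broadcast"
    if dst[0] & 0x01:  # I/G bit set: group (multicast) address
        if dst in {mac(g) for g in multicast_groups}:
            return True, "multicast-subscribed"
        return (True, "promiscuous") if promiscuous else (False, "multicast-filtered")
    return (True, "promiscuous") if promiscuous else (False, "unicast-to-other")

# Constructed sample traffic as seen on one port while the switch is flooding.
OWN = "00:11:22:33:44:55"
FLOODED = [
    build_frame(OWN, "00:aa:bb:cc:dd:01"),                          # addressed to this PC
    build_frame("00:de:ad:be:ef:02", "00:aa:bb:cc:dd:01"),          # another host's unicast
    build_frame("ff:ff:ff:ff:ff:ff", "00:de:ad:be:ef:02", 0x0806),  # ARP broadcast
    build_frame("01:00:5e:00:00:fb", "00:de:ad:be:ef:02"),          # multicast, not joined
]

def delivered(promiscuous):
    """Reasons for each flooded frame that passes the NIC's receive filter."""
    results = (nic_accepts(f, OWN, promiscuous=promiscuous) for f in FLOODED)
    return [reason for ok, reason in results if ok]

if __name__ == "__main__":
    print("normal     :", delivered(False))
    print("promiscuous:", delivered(True))
```

The model stops at the NIC filter; what the operating system or a host firewall does with frames accepted only because of promiscuous mode varies by platform and is not modelled here.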