Re: Some very strange network behaviors
Date: Thu, 11 Sep 2003 13:35:37 -0700
From: Crist Clark <crist.clark@globalstar.com>

Mike Lewinski wrote:

[...snip...] OS's IP stack is misbehaving badly, Zone Alarm should not see the traffic on the LAN that does not have his MAC address on it.

How would a switch/router be deciding that these other IP addresses should go to his PC's NIC (MAC address)?

Unless the switch got confused when the MAC address changed as it did...? Then the switch would go into "broadcast" or "flood" mode where every packet is delivered to every port because the switch doesn't know where to send it.

Regards,
Gregory Hicks

--
Crist J. Clark   crist.clark@globalstar.com
Globalstar Communications   (408) 933-4387

---------------------------------------------------------------------
Gregory Hicks | Principal Systems Engineer
Cadence Design Systems | Direct: 408.576.3609
555 River Oaks Pkwy M/S 6B1 | Fax: 408.894.3479
San Jose, CA 95134 | Internet: ghicks@cadence.com

Never attribute to malice that which is adequately explained by ignorance or stupidity.
Asking the wrong questions is the leading cause of wrong answers.
"The best we can hope for concerning the people at large is that they be properly armed." --Alexander Hamilton
Gregory Hicks wrote:

Date: Thu, 11 Sep 2003 13:35:37 -0700
From: Crist Clark <crist.clark@globalstar.com>

Mike Lewinski wrote:

[...snip...] OS's IP stack is misbehaving badly, Zone Alarm should not see the traffic on the LAN that does not have his MAC address on it.

How would a switch/router be deciding that these other IP addresses should go to his PC's NIC (MAC address)?

Unless the switch got confused when the MAC address changed as it did...? Then the switch would go into "broadcast" or "flood" mode where every packet is delivered to every port because the switch doesn't know where to send it.

Even if a switch floods all ports, it does not change the fact that the packet will not have the correct MAC address and his NIC should never pass it up the stack. Switches do not rewrite the Ethernet addresses on packets.

--
Crist J. Clark   crist.clark@globalstar.com
Globalstar Communications   (408) 933-4387
Even if a switch floods all ports, it does not change the fact that the packet will not have the correct MAC address and his NIC should never pass it up the stack. Switches do not rewrite the Ethernet addresses on packets.

Correct, ethernet switches do not. The question is, what were the systems in question connecting to? Many hotels bought into proprietary broadband systems, some of which are still in service. Just because there's an ethernet port in the room says nothing about the hotel's internal net. Some of them did (do) a very poor job of encapsulating or translating the ethernet (or even layer 3, some of them were IP-only) at the room, converting to some other p-t-p method (i.e. atm pvc logic, similar to dsl), and again converting (badly) back downstairs.

It's entirely possible the next IP speaking box in line does not, in fact, know what the MAC of the client PC on the end of the line actually is. Room 2037A gets the traffic for room 2037A, regardless of what the router's arp cache or the switch's mac map actually says. The MAC seen may very well be generated by the concentrating equipment and not the peecee. Even if the IP is negotiated with the node, a la pppoe, there's no certainty that the traffic isn't modified in between. Without speaking to someone "in the know" about the hotel, there's no telling what actually happened.

All of which misses the issue he suggested, that traffic in any public arena must be viewed as suspect. Yes, corporations who rely on an edge firewall solution and do not standardize on some form of node protection and audit process are likely exposing themselves to this sort of thing all the time. Should they fix it? Probably, but few of them are employing me/us, so there's nothing I or most here can do about it. That's not a technical problem. :-\

--
Ray Wong   rayw@rayw.net
For those still interested, here is the status of this issue. I suspect that my NIC is in promiscuous mode - I run winpcap for traffic monitoring on my home network. Of course in the world of Microsoft it isn't always straightforward to determine these things! So it isn't a great surprise that some packets were detected by me. What is still a surprise is that the packets were allowed in through the border gateways. I am having a conference call today with the network security people from the hotel chain to see if we can come up with a better approach!

And then of course there is still the problem that from my room, I can use network neighborhood (using MS terminology) and see the computers of many of the guests. I just hope that none of them had file sharing on! Of course since the press releases from the company suggest that users will have the same level of security when in the hotel as when in their own offices, the likelihood of anyone remembering to turn file sharing off is nil.

If anything interesting comes out of this, I will repost.

Chris

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Ray Wong
Sent: Thursday, September 11, 2003 5:16 PM
To: nanog@merit.edu
Subject: Re: Some very strange network behaviors

Even if a switch floods all ports, it does not change the fact that the packet will not have the correct MAC address and his NIC should never pass it up the stack. Switches do not rewrite the Ethernet addresses on packets.

Correct, ethernet switches do not. The question is, what were the systems in question connecting to? Many hotels bought into proprietary broadband systems, some of which are still in service. Just because there's an ethernet port in the room says nothing about the hotel's internal net. Some of them did (do) a very poor job of encapsulating or translating the ethernet (or even layer 3, some of them were IP-only) at the room, converting to some other p-t-p method (i.e. atm pvc logic, similar to dsl), and again converting (badly) back downstairs.

It's entirely possible the next IP speaking box in line does not, in fact, know what the MAC of the client PC on the end of the line actually is. Room 2037A gets the traffic for room 2037A, regardless of what the router's arp cache or the switch's mac map actually says. The MAC seen may very well be generated by the concentrating equipment and not the peecee. Even if the IP is negotiated with the node, a la pppoe, there's no certainty that the traffic isn't modified in between. Without speaking to someone "in the know" about the hotel, there's no telling what actually happened.

All of which misses the issue he suggested, that traffic in any public arena must be viewed as suspect. Yes, corporations who rely on an edge firewall solution and do not standardize on some form of node protection and audit process are likely exposing themselves to this sort of thing all the time. Should they fix it? Probably, but few of them are employing me/us, so there's nothing I or most here can do about it. That's not a technical problem. :-\

--
Ray Wong   rayw@rayw.net
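The mechanism the thread converges on (a switch flooding frames whose destination it has not learned, a NIC that normally drops frames not addressed to its own MAC, and a winpcap capture driver putting that NIC into promiscuous mode) as a small Python simulation. This is an added example, not code from any of the posters; the MAC addresses, four-port switch and sample traffic are constructed for illustration.

```python
import struct

# Constructed sample addresses (not real hosts); the guest PC (MY_MAC) sits on switch port 0.
MY_MAC, OTHER_MAC, THIRD_MAC = (bytes.fromhex(h) for h in ("001122334455", "0a0b0c0d0e0f", "0a0b0c0d0e10"))
BROADCAST = b"\xff" * 6

def ethernet_frame(dst: bytes, src: bytes, payload: bytes) -> bytes:
    """Raw Ethernet II frame: dst MAC, src MAC, IPv4 ethertype, payload (no FCS)."""
    return dst + src + struct.pack("!H", 0x0800) + payload

def classify_destination(frame: bytes, my_mac: bytes) -> str:
    """How the NIC's hardware address filter sees the destination MAC."""
    dst = frame[0:6]
    if dst == my_mac:
        return "unicast-to-me"
    if dst == BROADCAST:
        return "broadcast"
    return "multicast" if dst[0] & 0x01 else "unicast-to-other"  # I/G bit marks group addresses

def nic_accepts(frame: bytes, my_mac: bytes, promiscuous: bool) -> bool:
    """Normal mode passes only own-MAC and broadcast frames up the stack (multicast
    subscriptions omitted); promiscuous mode (e.g. a winpcap capture) delivers everything."""
    return promiscuous or classify_destination(frame, my_mac) in ("unicast-to-me", "broadcast")

def switch_forward(table: dict, frame: bytes, in_port: int, ports: int = 4) -> list:
    """Learning switch: remember the source MAC's port; flood unknown or group destinations."""
    dst, src = frame[0:6], frame[6:12]
    table[src] = in_port  # (re)learn, including after a MAC change
    out = table.get(dst)
    if out is None or dst[0] & 0x01:
        return [p for p in range(ports) if p != in_port]
    return [out] if out != in_port else []

def frames_seen_by_host(frames: list, host_port: int, my_mac: bytes, promiscuous: bool) -> list:
    """Push (in_port, frame) pairs through one switch and list what the host's stack sees."""
    table, seen = {}, []
    for in_port, frame in frames:
        if host_port in switch_forward(table, frame, in_port) and nic_accepts(frame, my_mac, promiscuous):
            seen.append(classify_destination(frame, my_mac))
    return seen

SAMPLE = [  # constructed traffic; the guest PC never transmits, so the switch never learns its port
    (1, ethernet_frame(BROADCAST, OTHER_MAC, b"arp who-has")),
    (1, ethernet_frame(THIRD_MAC, OTHER_MAC, b"guest-to-guest")),  # dst unknown: flooded to all ports
    (2, ethernet_frame(MY_MAC, THIRD_MAC, b"to the guest PC")),    # dst unknown, flooded, but ours
    (1, ethernet_frame(THIRD_MAC, OTHER_MAC, b"guest-to-guest")),  # dst now learned: port 2 only
]
if __name__ == "__main__":
    print("normal:     ", frames_seen_by_host(SAMPLE, 0, MY_MAC, promiscuous=False))
    print("promiscuous:", frames_seen_by_host(SAMPLE, 0, MY_MAC, promiscuous=True))
```

In normal mode the flooded guest-to-guest frame never reaches the stack, exactly as Crist Clark argues; with the filter bypassed it does, which is the promiscuous-mode explanation Christopher Bird arrives at, while the frame sent after the switch has learned the destination is not seen in either mode.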