3

If we have a switch with an empty MAC table, and three hosts are connected to it - let's say host A, host B, and host C. Host A sends something to host B, and the switch remembers on which port host A is, but it doesn't know where host B is, so it broadcasts the entire encapsulated packet (Layer 2, IP, TCP, etc.) on all ports. If at this moment host C has its NIC in promiscuous mode and a sniffer running on his/her machine, he/she can see what host A wants to send to host B.

Isn't this behaviour dangerous?

programings
  • "see what it wants to send to host B" - you mean the first of the 3-way handshake and not the payload of the application, right? – schroeder Oct 09 '14 at 19:57
  • Hm, yes. In the case of a TCP connection, this way host C can learn where host A wants to connect (observing the Layer 3 part), but it can be anything, not just TCP. – programings Oct 09 '14 at 20:03
  • sure, but my point is that C cannot see what A is sending to B, just that A wants to connect to B. In your scenario, there is very little actually exposed. – schroeder Oct 09 '14 at 20:21
  • I understand. But imagine that host B is the gateway of the network, and host A is trying to reach Facebook. So, when the packet is sent, host C can see that host A is using Facebook. This is not so harmless and is very useful information. But there are thousands of protocols, and some of them can reveal sensitive information with the first request, too. – programings Oct 09 '14 at 20:26
  • Then you've answered your own question: "for some protocols, where the very first packet can contain interesting information, then the situation can result in data leakage". Most organizations would not see this as a 'danger' though because it is limited to a single packet. – schroeder Oct 09 '14 at 20:47

2 Answers

7

No, it's not dangerous, because the switch will broadcast only the first packet, not all the following packets.

The status of the switch internal tables will be like this:

  1. On the first instant, the table is empty, so it works like a hub, broadcasting everything

  2. When ComputerA (plugged into port 1) sends a packet to ComputerB (plugged into port 5), the switch will broadcast the packet to everybody, but create an entry in its table: ComputerA is on port 1

  3. ComputerB responds, and the switch will send the packet to port 1, and create a new entry in the table: ComputerB is on port 5

  4. Every new packet between ComputerA and ComputerB is sent directly, without broadcast.

Even if ComputerB is the gateway, ComputerC will be able to get only one packet sent from every other computer on the network.

ThoriumBR
2

Not inherently dangerous, but there is some risk. This is the way L2 switches work (if you don't want the odd misdirected packet, use a point-to-point link ;-)). Unless you have a locked-down layer 2 configuration this is unavoidable, essentially a trade-off of security versus ease of configuration & management. Mitigating options include ports with pre-configured MAC addresses and 802.1X port-based NAC.

A point that seems to be misunderstood: some assume that the switch MAC table being empty corresponds with a quiescent state of the network and clients, e.g. the only packets that are flooded are "empty" SYN packets (or more likely ARP or DHCP).

This is not necessarily true: you may have an exposure if an attacker can flush the MAC table directly or indirectly (through SNMP, forced restart by administrative means or through a software bug, resource exhaustion, or good old-fashioned power cycling). Such methods aren't great ways to capture packets, since most involve (short) interruptions to connectivity, but it may be exploitable. (A layer 2 switch does not behave like a L3/L4 firewall; it only cares about forwarding frames, and once it has recovered, client connections will continue unaffected.)

A related issue is flooding in the opposite case: when the MAC table is full and the switch has no choice but to drop or flood. This is arguably more useful to an attacker: if he can sustain the CAM exhaustion, he has a longer window to capture useful traffic.

mr.spuratic