'Re: PPPoE + Switch sniffing'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       security-basics
Subject:    Re: PPPoE + Switch sniffing
From:       "Rob klein Gunnewiek" <rob.kleingunnewiek () gmail ! com>
Date:       2006-07-31 9:33:36
Message-ID: 62e75bc00607310233r1dac805ewb873bd9c860ed6d4 () mail ! gmail ! com
[Download RAW message or body]

On 7/27/06, Carlos de Oliveira <carlos.oliv@gmail.com> wrote:
> Hello friends,
>
> As a manager of my network, I am woried of security. Recently we
> changed the HUB's for switch's in hope that we get more securitty.
>
> In a few days ago, we have seeing another Access concentrator in our
> network sending PADO's to the clients that wanted to connect.
>
> This access concentrator have the same MAC address of one of my clients.
>
> I would like to know what do you think that could be?
> I've searched google for this, but I didn't found any attack baseed on
> PPPoE + switch.
> Could this other access concentrator be trying to give connection to
> some of my clients just to sniff their connection?
>

It doesn't matter whether you use a switch or not. The PPPoE client
will broadcast PADI packets, so they will arive at all hosts on the
subnet. Whether you use a switch or not.

If this is not simply some mistake of having a wrong setup, this looks
like an attack. First of all, do you use some kind of MAC-address
based filtering? That would explain why someone would forge the MAC
address. Much more likely though it is not forged, I think the client
you are talking about /IS/ the attacker!

I think the attacker wants to steal other people's login stuff... I'm
not familiar with Radius, but the PADO packets can include information
on where the client should authenticate with. So I suppose this could
be used to steal the logins of other clients in some way.

That's my guess,

Good luck.

-- 
Regards,
Rob klein Gunnewiek

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence 
in Information Security. Our program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Using interactive e-Learning technology, you can earn this esteemed degree, 
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------

[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic