sniffer <sigh>

  #1  
Old 03-15-2001, 11:54 AM
pyng pyng is offline
WHT Addict
 
Join Date: Feb 2001
Posts: 104
I've discovered a sniffer on a box that was just allocated to me. Without going into the details of who provided me that box, there are some issues nagging at me.

1. Looking at the tcp.log file it's captured so far has awakened me to the possibility that the box may not in fact be on a switched network. My interface has a single ip bound to it but was running in promiscuous mode due to the sniffer. It captured connection attempts from ips to ips which were not bound to my interface at all. Does this strongly imply that I am simply connected to a hub? (if the answer to this is no, then the following questions probably become meaningless).

2. It seems to me that having web servers, or any type of servers for that matter, on a hubbed network is asking to be compromised. My question and challenge to the hosting providers therefore is this: do you provide switched-only networks? And do those of you who provide some hubbed networks dare to stand out and say that you do?

3. (I have no clue about this, but) are there actually any manageable hubs around? ie. hubs that can provide snmp data for mrtg graphs, or can otherwise chart bandwidth usage without double-counting traffic use by other parties on the hub?




  #2  
Old 03-15-2001, 12:05 PM
cperciva cperciva is offline
Retired Moderator
 
Join Date: Jan 2001
Posts: 2,603
Switches do not yield any security improvements.

First, whenever a switch doesn't know where a packet should go (ie, the MAC address isn't inside the switch's cache) it will broadcast the packet to all the interfaces. This could be the reason you're seeing connection attempts to other IP addresses -- if you see SYN packets but no later packets, odds are that when the SYN packets arrive the switch doesn't know where to send them, but thereafter it is sending packets to the correct destination.

Second, almost all switches can be spoofed. If another machine on your network claims to have your MAC address, a switch may send packets to you, may send them to the other machine, and may send them to both machines.

Third, almost all switches can be forced into hub mode. Because of the limited size of the MAC caches, if a switch is flooded with random MAC entries, it will not know where to send *any* packets, and so it will revert to sending all packets to all ports -- ie, what a hub normally does.

Basically, switches are useful for performance reasons, but not for security reasons.
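
Added example, not part of the original post: one way to apply the "SYN packets but no later packets" observation from the reply above to a capture such as the tcp.log mentioned in the thread. The record layout, addresses and function names are assumptions for illustration, and the sample packets are constructed.

```python
from collections import defaultdict

MY_IP = "192.0.2.10"  # assumption: the single IP bound to our interface

# Constructed sample records: (src_ip, src_port, dst_ip, dst_port, tcp_flags)
CAPTURE = [
    ("198.51.100.7", 40001, "192.0.2.10", 80, "S"),   # our own traffic
    ("192.0.2.10", 80, "198.51.100.7", 40001, "SA"),
    ("198.51.100.8", 40002, "192.0.2.20", 80, "S"),   # foreign, SYN only
    ("198.51.100.9", 40003, "192.0.2.21", 25, "S"),   # foreign, SYN only
    ("198.51.100.5", 40004, "192.0.2.22", 80, "S"),   # foreign, full exchange
    ("192.0.2.22", 80, "198.51.100.5", 40004, "SA"),
    ("198.51.100.5", 40004, "192.0.2.22", 80, "A"),
]

def flow_key(src, sport, dst, dport):
    """Direction-independent key so both halves of a connection group together."""
    return tuple(sorted([(src, sport), (dst, dport)]))

def classify_foreign_flows(packets, my_ip):
    """Map each flow that does not involve my_ip to 'syn-only' or 'continued'."""
    flows = defaultdict(list)
    for src, sport, dst, dport, flags in packets:
        if my_ip in (src, dst):
            continue  # traffic we are expected to see
        flows[flow_key(src, sport, dst, dport)].append(flags)
    # Bare SYNs (retransmits included) mean we never saw past the first packet.
    return {k: "syn-only" if all(f == "S" for f in v) else "continued"
            for k, v in flows.items()}

def verdict(classified):
    """Summarise what the foreign flows suggest about the segment."""
    if not classified:
        return "no foreign traffic seen"
    if all(state == "syn-only" for state in classified.values()):
        return "consistent with a switch flooding unknown destinations"
    return "full foreign conversations visible: hub, or switch flooding all ports"

if __name__ == "__main__":
    result = classify_foreign_flows(CAPTURE, MY_IP)
    for flow, state in sorted(result.items()):
        print(flow, state)
    print(verdict(result))
```
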

  #3  
Old 03-15-2001, 12:21 PM
pyng pyng is offline
WHT Addict
 
Join Date: Feb 2001
Posts: 104
Red face

yes, good points. don't know why i didn't think of that

that makes me feel so much better now
