Defeating a Learning Bridge’s Forwarding Process
This chapter discusses various ways to get an Ethernet LAN switch to “fail open” and send data traffic out ports where it does not belong.
NOTE Users already familiar with basic LAN switching concepts can skip the “Back to Basics” section.
Back to Basics: Ethernet Switching 101
Before delving into the various exploits that can turn a $50,000 Ethernet switch into a $12 off-the-shelf hub, a quick review of LAN switching basics is in order. Ethernet switches usually operate at Layer 2 (the data link layer) of the Open Systems Interconnection (OSI) reference model¹. Switches make their frame-forwarding decisions differently than routers. Indeed, where routers are concerned with IP addresses, switches need only to look at the first few bytes of an Ethernet frame to know where it is destined to go. Exactly what does an Ethernet frame look like?
Ethernet Frame Formats
For mostly historical reasons, Ethernet frames come in various shapes and forms, but they all carry the same information: where the frame originated, where it is destined to, what payload it carries, and a checksum to verify data integrity. Today, essentially two slightly different frame formats exist: EthernetV2 and IEEE 802.3.
It is difficult to authoritatively assess the proportion of EthernetV2 versus 802.3 in today’s networks; a rough estimate would probably call for 80 percent EthernetV2 for 20 percent of 802.3. However, it is not necessary to worry about the exact split because all LAN switches support both formats, and the exploits work with both frame formats.
Figure 2-1 shows these frame formats.
Figure 2-1 Ethernet Frame Formats
As you look at Figure 2-1, keep these things in mind:
• 802.3 actually comprises two additional subformats: 802.2 (802.3 with an 802.2 header) and Subnetwork Access Protocol (SNAP) encapsulation (802.3 with 802.2 and a SNAP header). (They are not shown in Figure 2-1 because they are irrelevant to this discussion, and they are beyond the scope of this book.) Indeed, LAN switches build their bridging tables by simply learning source MAC addresses, and source MAC addresses always appear at the same position regardless of the encapsulation being used. It’s a good idea to know what 802.2 refers to in case you ever come across the term.
• Ethernet frames are always prefixed by a 64-bit preamble. Put simply, its purpose is to allow time for the receiver to get ready to collect data bits for the MAC layer to process.
The only item that differentiates EthernetV2 from 802.3 is the interpretation of the third field. In EthernetV2, it is called an Ethertype, while in 802.3 it is called the length field and indicates how many bytes of data follow. Because the maximum payload length on Ethernet (jumbo frames excluded) is 1500 (0x5DC), Ethertypes are never assigned values lower than 0x5DC. As a matter of fact, to avoid any ambiguity, Ethertypes start at 0x600. Ethertypes indicate what upper-layer protocol is carried by the frame. IP uses 0x0800, for example, while IEEE 802.1Q tags use 0x8100. The Internet Assigned Numbers Authority (IANA) assigns Ethertypes.
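The third-field rule above is easy to get wrong in a parser, so here is an added Python example (not code from the book) that reads the 14-byte header as a NIC hands it up, classifies the frame as EthernetV2 or IEEE 802.3 from that field alone, and rejects the values 0x05DD–0x05FF that are neither a legal length nor an assigned Ethertype. The two sample frames are constructed for this example; the six-byte address used for “B” is a hypothetical padding of the figures’ one-byte shorthand, and the payloads are stubs, not real packets.

```python
import struct

ETHERTYPE_MIN = 0x0600   # third-field values at or above this are Ethertypes
MAX_PAYLOAD = 1500       # 0x05DC, the largest non-jumbo payload; 802.3 length fields never exceed it

# Ethertypes named in the text (assigned by IANA)
KNOWN_ETHERTYPES = {0x0800: "IPv4", 0x8100: "IEEE 802.1Q tag"}


def fmt_mac(raw: bytes) -> str:
    """Render six bytes in the dotted form the text uses, e.g. 0000.cafe.0000."""
    h = raw.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def parse_frame(frame: bytes) -> dict:
    """Parse a frame as the NIC hands it up: no preamble, no trailing CRC.

    Destination and source MACs sit at the same offsets in both formats;
    only the interpretation of the two-byte third field differs.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than the 14-byte header")
    dst, src, third = struct.unpack("!6s6sH", frame[:14])
    payload = frame[14:]
    result = {"dst": fmt_mac(dst), "src": fmt_mac(src)}

    if third >= ETHERTYPE_MIN:
        result["format"] = "EthernetV2"
        result["ethertype"] = third
        result["protocol"] = KNOWN_ETHERTYPES.get(third, "unknown")
    else:
        # 0x05DD-0x05FF is neither a legal 802.3 length nor an Ethertype
        if third > MAX_PAYLOAD:
            raise ValueError(f"third field 0x{third:04x} is neither a valid length nor an Ethertype")
        if third > len(payload):
            raise ValueError(f"802.3 length {third} exceeds the {len(payload)} payload bytes present")
        result["format"] = "IEEE 802.3"
        result["length"] = third
        payload = payload[:third]   # bytes beyond the declared length are padding
    result["payload"] = payload
    return result


# Constructed sample frames (not captures); "B" from the figures padded to a full 6-byte address
MAC_B = bytes.fromhex("00000000000b")
MAC_CAFE = bytes.fromhex("0000cafe0000")

# EthernetV2 carrying IPv4 (Ethertype 0x0800); the payload is a 46-byte stub, not a real packet
V2_FRAME = MAC_B + MAC_CAFE + (0x0800).to_bytes(2, "big") + b"\x45" + b"\x00" * 45
# IEEE 802.3 with a length field of 3 followed by padding up to the 46-byte minimum
DOT3_FRAME = MAC_B + MAC_CAFE + (3).to_bytes(2, "big") + b"\xaa\xaa\x03" + b"\x00" * 43

if __name__ == "__main__":
    for f in (V2_FRAME, DOT3_FRAME):
        print(parse_frame(f))
```

Running the file prints both parsed headers; note that the source address comes out identical for both frames, which is exactly why a learning bridge can ignore the encapsulation when it builds its table.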
Figure 2-1 (layout recovered from the figure):
EthernetV2: Preamble (8 bytes) | Destination MAC (6) | Source MAC (6) | Ethertype (2, value >= 0x0600) | Data (46–1500) | CRC (4)
IEEE 802.3: Preamble (8 bytes) | Destination MAC (6) | Source MAC (6) | Length (2, value < 0x0600) | Data (46–1500) | CRC (4)
Learning Bridge
Regardless of the frame format, every single device equipped with an Ethernet adapter possesses a globally unique MAC address. It is a 6-byte identifier made up of two parts: the three far-left bytes represent a specific vendor, and the three far-right bytes represent a serial number assigned by that vendor. Combined, these two fields, representing 48 bits, result in a theoretical number of 281,474,976,710,656 possible addresses! Every single Ethernet frame always contains one source and one destination MAC address. The source uniquely identifies the sender, and the destination MAC identifies one or more receivers. Based on the source MAC addresses, an Ethernet switch builds its forwarding table. This table is then used to make appropriate frame-switching decisions, which ensures that only the correct recipient receives traffic. Contrast this with a hub that always replicates incoming traffic out all physical ports of the hub.
Contrary to a hub, a switch relies on a forwarding table. Initially, it is completely blank; in other words, it doesn’t know where the MAC address of a PC, printer, or any other attached device is located. As soon as a physical port is brought up, however, the switch starts to listen to all LAN traffic that arrives on the port. Bytes 7–13 of the frames contain the sender’s source MAC address, which uniquely identifies it.
In Figure 2-2, the Ethernet switch learns that MAC address 0000.CAFE.0000 belongs to a device attached to port Fa0/1. The switch stores that information as the first entry of its forwarding table.
NOTE You often see MAC addresses displayed using various formats. Sometimes each byte is separated by a colon, sometimes a dot is used, other times bytes are grouped by two, and a dot separates these byte pairs. These are purely cosmetic concerns; the underlying structure of MAC addresses is unaffected, of course.
Figure 2-2 Unknown Unicast Flooding
Figure 2-2 (layout recovered from the figure): the switch’s table holds a single entry, MAC address 0000.CAFE.0000 in VLAN 5 on interface Fa0/1, and VLAN 5 spans ports Fa0/1, Fa0/2, and Fa0/3. The frame CAFE->B arrives on Fa0/1 from 0000.CAFE.0000 and is copied out Fa0/2 (MAC ..B) and Fa0/3 (MAC ..C), where host C remarks: “I see traffic to B!”
The frame happens to contain a destination MAC address. In Figure 2-2, the MAC address is B. (For clarity purposes, a single byte is represented, even though 6 bytes are necessary to form a valid MAC address.) The switch needs to send this frame to the recipient in possession of MAC address B. However, the LAN switch has not yet heard any traffic from MAC address B. Therefore, its bridging table does not yet have an entry pointing to the physical port to which B is attached. What, then, is the switch supposed to do with that frame? Drop it? Somehow inform the sender that the frame could not be delivered? Buffer the frame and wait until B starts talking? Not quite. The switch does something simple: It floods the frame. That is, it sends a copy of the frame to every single port in the VLAN where the frame was received (VLAN 5, in this case). Because a VLAN is a broadcast domain, a switch must never flood the frame to another VLAN. This phenomenon is referred to as unknown unicast flooding. The definitions of unknown unicast flooding and broadcast domain are as follows:
• Unknown unicast flooding—Occurs when a switch performs a destination MAC address lookup to determine the port to send the frame to and comes back empty-handed. At that point, the switch sends the frame out all ports in the VLAN, hoping that it reaches its intended recipient.
• Broadcast domain or VLAN?—A broadcast domain defines how far a broadcast or unknown unicast flood frame can reach. Broadcast frames contain an all-1s destination MAC address, which indicates that they are intended for everyone on the LAN (or VLAN). A LAN switch provides isolation between VLANs and/or broadcast domains. Both terms are interchangeable. Isolation means that a frame can’t hop from one VLAN to another without the intervention of a router.
Consequences of Excessive Flooding
Although it’s a common and usually benign operation in a switched LAN environment, unknown unicast flooding comes with a side effect: Host C now “sees” a frame sent from 0000.CAFE.0000 to B.
If the user behind workstation C runs a network traffic analyzer, he can eavesdrop on B and obtain information he should not see. Fortunately, C is only likely to receive an extremely small amount of information, typically one or two frames. Why? Because the frame sent from 0000.CAFE.0000 to B will now probably cause B to initiate traffic in return. Keep in mind that the LAN switch continuously listens for LAN traffic to build its forwarding table. When seeing a frame from B, the switch immediately updates its table, as Figure 2-3 shows.
As a result of the new entry in its bridging table, the switch no longer floods traffic between 00:00:CAFE:00:00 and B. Host C’s traffic analyzer is speechless. What would happen, however, if excessive amounts of flooding occurred? Can host C use some mechanism to force the LAN switch to continuously flood traffic destined to B, or to any other address, for that matter?
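To make the learn-then-forward sequence of Figures 2-2 and 2-3 and the chapter’s opening “fail open” phrase concrete, here is an added Python simulation of a learning bridge; it is not code from the book or from any switch vendor. The `LearningSwitch` class, the port names, the six-byte padding of the figures’ one-byte addresses, and the deliberately tiny table capacity of 8 entries are all assumptions made for the example. `figure_walkthrough` reproduces the two figures: the first frame to B floods within VLAN 5, B’s reply teaches the switch where B is, and the next frame to B goes out one port only. `full_table_walkthrough` goes one step beyond the text: once the table has no room left, a new host is never learned, every frame to it floods within its VLAN, and the per-port count of learned addresses is the counter that shows which port filled the table.

```python
from collections import defaultdict
from dataclasses import dataclass, field

BROADCAST = "ffff.ffff.ffff"   # all-1s destination: meant for everyone in the VLAN


@dataclass
class Frame:
    vlan: int
    src: str
    dst: str


@dataclass
class LearningSwitch:
    """Minimal learning bridge: learn source MACs per VLAN, forward or flood inside that VLAN."""
    ports_by_vlan: dict                                   # vlan -> set of port names (assumed layout)
    table_capacity: int = 8                               # constructed small table so a full table is easy to reach
    table: dict = field(default_factory=dict)             # (vlan, mac) -> port
    learned_per_port: dict = field(default_factory=lambda: defaultdict(int))
    flood_count: int = 0
    unicast_count: int = 0

    def _learn(self, frame: Frame, in_port: str) -> None:
        key = (frame.vlan, frame.src)
        if key in self.table:
            self.table[key] = in_port                     # refresh; the host may have moved ports
            return
        if len(self.table) >= self.table_capacity:
            return                                        # table full: source stays unknown, so frames to it keep flooding
        self.table[key] = in_port
        self.learned_per_port[in_port] += 1

    def receive(self, frame: Frame, in_port: str) -> set:
        """Learn the source, then return the egress ports; never a port outside the frame's VLAN."""
        vlan_ports = self.ports_by_vlan[frame.vlan]
        if in_port not in vlan_ports:
            raise ValueError(f"{in_port} is not in VLAN {frame.vlan}")
        self._learn(frame, in_port)
        out = None if frame.dst == BROADCAST else self.table.get((frame.vlan, frame.dst))
        if out is None:
            self.flood_count += 1                         # broadcast or unknown unicast: all VLAN ports but the ingress
            return vlan_ports - {in_port}
        self.unicast_count += 1
        return {out} - {in_port}                          # known destination; nothing to send if it sits on the ingress port


def figure_walkthrough():
    """Figures 2-2 and 2-3: flood, learn from the reply, then unicast."""
    sw = LearningSwitch({5: {"Fa0/1", "Fa0/2", "Fa0/3"}})
    first = sw.receive(Frame(5, "0000.cafe.0000", "0000.0000.000b"), "Fa0/1")   # host C sees this copy
    reply = sw.receive(Frame(5, "0000.0000.000b", "0000.cafe.0000"), "Fa0/2")   # switch learns B on Fa0/2
    second = sw.receive(Frame(5, "0000.cafe.0000", "0000.0000.000b"), "Fa0/1")  # host C no longer sees it
    return first, reply, second


def full_table_walkthrough(extra_sources: int = 20):
    """Fail-open behaviour: with the table full, new hosts are never learned and keep being flooded."""
    sw = LearningSwitch({5: {"Fa0/1", "Fa0/2", "Fa0/3"}}, table_capacity=8)
    # constructed: port Fa0/3 presents far more distinct source MACs than one host normally would
    for i in range(extra_sources):
        sw.receive(Frame(5, f"0000.0000.{0x100 + i:04x}", BROADCAST), "Fa0/3")
    a_to_b = sw.receive(Frame(5, "0000.cafe.0000", "0000.0000.000b"), "Fa0/1")
    b_to_a = sw.receive(Frame(5, "0000.0000.000b", "0000.cafe.0000"), "Fa0/2")
    return a_to_b, b_to_a, dict(sw.learned_per_port), sw.flood_count


if __name__ == "__main__":
    print("figures 2-2/2-3:", figure_walkthrough())
    print("table full:", full_table_walkthrough())
```

In the second walkthrough both directions of the CAFE/B conversation keep reaching Fa0/3, which is the hub-like behaviour the chapter calls failing open; the `learned_per_port` dictionary, which records that every learned entry came from Fa0/3, is the kind of per-port figure worth watching on a real switch.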
Figure 2-3 MAC Address Learning Process
Figure 2-3 (layout recovered from the figure): the table now holds two entries in VLAN 5, 0000.CAFE.0000 on Fa0/1 and ..B on Fa0/2, and VLAN 5 still spans Fa0/1, Fa0/2, and Fa0/3. Steps: (1) CAFE->B arrives on Fa0/1; (2) it is flooded out Fa0/2 and Fa0/3; (3) B answers with B->CAFE on Fa0/2; (4) the switch learns B on Fa0/2 and forwards the reply out Fa0/1 only, so host C remarks: “I do not see traffic to B!”