Date:      Wed, 24 May 2000 18:27:10 +0200
From:      Olaf Hoyer <ohoyer@fbwi.fh-wilhelmshaven.de>
To:        Steve Shah <sshah@clickarray.com>
Cc:        freebsd-net@FreeBSD.ORG
Subject:   Re: BPF vs. promiscuous mode
Message-ID:  <4.1.20000524181102.02652a10@mail.rz.fh-wilhelmshaven.de>
In-Reply-To: <20000524072320.C14568@clickarray.com>
References:  <Pine.BSF.4.21.0005232030020.19221-100000@achilles.silby.com> <4.1.20000524031209.027cb820@mail.rz.fh-wilhelmshaven.de> <Pine.BSF.4.21.0005232030020.19221-100000@achilles.silby.com>

At 07:23 24.05.00 -0700, you wrote:
>On Tue, May 23, 2000 at 08:35:17PM -0500, Mike Silbersack wrote:
>> On Wed, 24 May 2000, Olaf Hoyer wrote:
>> > It's a chaotic peer-to-peer network, with a DHCP server and a gateway to
>> > university.
>> > We already had some sniffer attack to sniff out Pop3 passwords.
>
>Consider forcing all e-mail services to be accessible only through
>secure tunnels. If the students are using <sigh> Outlook, then
>they can use SSL. If you want to allow generic POP3 clients, then
>make the stunnel utility available to them with a batch file
>that runs:
>
>stunnel -c -d 110 -r pop3server.school.edu:995
Hi!

Well, sorry, forgot to tell that the dorm is connected via a gateway /
router to the university, where the "real" servers (mail etc.) stand.
They switched some months ago to the IMAP protocol due to various reasons.
Those attacks that "were done because of showing need to do something" were
done by some yet undisclosed party before that.

>
>Generally the problem is students changing their MAC addy's to get
>another IP address from the DHCP server. It's more of an annoyance
>than anything else, esp. when you run out of IP addresses and legit
>students start whining about it. (Those pesky students! ;-))
Yes, that would be another problem that needs to be addressed, if someone
gets more than his available share.
(If it's just another IP address, the pool size will remain the same, and
some other chap also gets a changed IP address handed out from DHCP)
The _real_ threat would be if some actions are undertaken with a fake MAC
address, so that you cannot trace the machines. Imagine someone taking the
MAC address of the neighbor whilst his machine is off, sneaking his IP
number from DHCP, making Netbios name resolution (parts of our
communication in-house runs via the M$-network style with file shares etc.
and "popups" in Lan-Manager style via Netbios) and doing some bad things
like insulting other fellows, or hacking/cracking their boxes. Even if that
leaves traces, it won't be attributed to him...

>The tool that you are looking for is "arpwatch". This will watch all
>of the MAC<->IP mappings on a segment and alert you if this changes.
>A tool that takes DHCP logs and filters out accepted changes could
>probably be hacked up quickly. #include "magic_perl_script_here.pl"
Looked it up already. Sounds good.
(Is this a BSD specific port, or can I expect to find some Linux version?
We have some small proxy here, running Linux (was decision and money from
university which gave us that box))

>Aside: If you haven't already, I assume you have NAT'd off your dorms
>and firewalled them up the wazoo, right? I know at my old university,
>unauthorized servers were a real ugly problem. On more than one
>occasion, we would see MRTG graphs go all green.... It was not a pretty
>sight. This was because students were given real IP addy's. What 
>should have been done (and hopefully done by now... it's been a while
>since I've seen their network) is to have all the students NAT off
>into the 10.0.0.0 network. This would keep the servers from coming
>in. 
No, not yet.
The entire setup was done by the university, so we had only the possibility
to accept or decline. At least, we didn't pay much money for that, they
forked over the most...
The university is on a Class B net in the 139.13.xxx range. (FH
Wilhelmshaven, if someone cares) From that, we got a class C subnet, as we
roughly need 240 IP numbers (235 rooms, and some IP numbers for gateway,
DHCP server, proxy and some spares)
Those are _public IP_ numbers. They wanted to change something some time
ago, but nothing happened yet. (We also have a small connection to
university, one ISDN line 64kbit)
At least there is a firewall in the university...

>
><BOFH>
>What would have been entertaining is to try and put every student
>on their own subnet. This would keep the script kiddies from 
>doing broadcast based attacks since all the other hosts would just
>ignore the packets within the first few checks in their IP stack.
>There are certainly enough networks to support a few thousand 
>30 bit netmasks.... <grin>
></BOFH>
Yes, would be entertaining...
But raises the administrative work, as some lusers won't get it or are not
willing to get it...
(Well, for the nice girls in the first semester (I guess you call them
freshmen?) of course you offer free on-site support ;-)) )
As we have an internal 10 Mbit network, bandwidth is no real issue for lots
of DoS attacks...

Another issue could be the switch... IIRC a 3com manageable switch. I could
imagine some real bad things with SNMP etc...

Regards
Olaf Hoyer
--------
Olaf Hoyer	 www.nightfire.de                mailto:Olaf.Hoyer@nightfire.de
FreeBSD- Turning PC's into workstations   ICQ:22838075

Love and hate are not blind, but blinded by the fire
that they carry within themselves. (Nietzsche)


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
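Following up on the arpwatch suggestion in the quoted reply (a tool that "takes DHCP logs and filters out accepted changes") and on the MAC-spoofing scenario Olaf describes, here is an added example of that correlation script. It is not code from this thread, nor from the arpwatch or ISC dhcpd projects. It reads arpwatch "changed ethernet address" / "new station" syslog lines and dhcpd DHCPACK lines, and reports which MAC/IP changes are explained by a lease the DHCP server actually handed out; a change with no matching lease is the case worth looking at, since it means a host is using an address DHCP never gave to that MAC. Assumptions: the arpwatch message text is approximated from its usual syslog output, classic syslog timestamps carry no year so a fixed one is assumed, the sample log lines are constructed, and the 192.0.2.0/24 addresses are documentation addresses rather than the dorm's real range.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Classic syslog timestamps carry no year; a fixed one is assumed for this example.
SYSLOG_YEAR = 2000

# Constructed sample lines (not real logs). arpwatch's message text is assumed from
# its usual syslog output; the DHCPACK lines follow ISC dhcpd's format.
ARPWATCH_LINES = [
    "May 24 18:10:05 proxy arpwatch: changed ethernet address 192.0.2.17 "
    "0:10:4b:aa:bb:cc (0:10:4b:11:22:33)",
    "May 24 18:40:12 proxy arpwatch: changed ethernet address 192.0.2.42 "
    "0:50:4e:de:ad:1 (0:50:4e:be:ef:2)",
    "May 24 19:02:44 proxy arpwatch: new station 192.0.2.99 0:e0:29:12:34:56",
]
DHCP_LINES = [
    "May 24 18:10:03 dhcpsrv dhcpd: DHCPACK on 192.0.2.17 to 00:10:4b:aa:bb:cc via fxp0",
    "May 24 19:02:40 dhcpsrv dhcpd: DHCPACK on 192.0.2.99 to 00:e0:29:12:34:56 via fxp0",
]

_TS = r"(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d)"
ARP_RE = re.compile(
    _TS + r" \S+ arpwatch: (?P<kind>changed ethernet address|new station) "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+) (?P<mac>[0-9a-fA-F:]+)(?: \((?P<old>[0-9a-fA-F:]+)\))?"
)
DHCP_RE = re.compile(
    _TS + r" \S+ dhcpd: DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>[0-9a-fA-F:]+)"
)


@dataclass
class Event:
    ts: datetime
    ip: str
    mac: str            # normalised, e.g. 00:10:4b:aa:bb:cc
    kind: str           # "changed ethernet address", "new station" or "DHCPACK"
    old_mac: str = ""   # previous MAC for arpwatch change reports


def parse_ts(m):
    """Build a datetime from the syslog fields of a regex match."""
    return datetime.strptime(
        f"{SYSLOG_YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
    )


def norm_mac(mac):
    """arpwatch prints octets without leading zeros; dhcpd zero-pads them."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))


def parse_arpwatch(lines):
    events = []
    for line in lines:
        m = ARP_RE.search(line)
        if m:
            events.append(Event(parse_ts(m), m["ip"], norm_mac(m["mac"]), m["kind"],
                                norm_mac(m["old"]) if m["old"] else ""))
    return events


def parse_dhcp(lines):
    return [Event(parse_ts(m), m["ip"], norm_mac(m["mac"]), "DHCPACK")
            for m in map(DHCP_RE.search, lines) if m]


def classify(arp_lines, dhcp_lines, window=timedelta(minutes=10)):
    """Return (ip, mac, verdict) per arpwatch report. A report is 'accepted' when the
    DHCP server ACKed that exact IP/MAC pair within `window` of the report; otherwise
    it is 'unexplained': a host is using an address DHCP never gave to that MAC."""
    leases = parse_dhcp(dhcp_lines)
    verdicts = []
    for ev in parse_arpwatch(arp_lines):
        explained = any(
            lease.ip == ev.ip and lease.mac == ev.mac and abs(lease.ts - ev.ts) <= window
            for lease in leases
        )
        verdicts.append((ev.ip, ev.mac, "accepted" if explained else "unexplained"))
    return verdicts


if __name__ == "__main__":
    for ip, mac, verdict in classify(ARPWATCH_LINES, DHCP_LINES):
        print(f"{verdict:12s} {ip:15s} {mac}")
```

On a real box you would feed `classify()` the arpwatch and dhcpd lines from syslog instead of the embedded samples; the 10-minute window covers the gap between a lease being ACKed and arpwatch first seeing the new MAC speak. In the sample data the 192.0.2.42 change is the interesting one: a new MAC appeared on that IP with no DHCPACK behind it, which is exactly the "borrowed neighbour's address" case from the message above.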