Some very strange network behaviors - follow-up

Christopher Bird seabird at msn.com
Tue Oct 7 12:57:12 UTC 2003


For those still interested, here is the status of this issue.

I suspect that my NIC is in promiscuous mode - I run winpcap for traffic
monitoring on my home network. Of course in the world of Microsoft it
isn't always straightforward to determine these things! So it isn't a
great surprise that some packets were detected by me. What is still a
surprise is that the packets were allowed in through the border
gateways. I am having a conference call today with the network security
people from the hotel chain to see if we can come up with a better
approach!

And then of course there is still the problem that from my room, I can
use network neighborhood (using MS terminology) and see the computers of
many of the guests. I just hope that none of them had file sharing on!
Of course since the press releases from the company suggest that users
will have the same level of security when in the hotel as when in
their own offices, the likelihood of anyone remembering to turn file
sharing off is nil.

If anything interesting comes out of this, I will repost.

Chris 
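The first message above notes that it is not always straightforward to tell whether a NIC has been left in promiscuous mode by a capture tool. The following is an added example, not code from either poster, showing one defender-side check: decoding the interface flag bitmask and reporting interfaces with the promiscuous bit set. It assumes a Linux sysfs layout (/sys/class/net/<iface>/flags, with IFF_PROMISC = 0x100 from <linux/if.h>) rather than the Windows/winpcap setup described in the thread; the sample flag values and interface names are constructed for illustration.

```python
"""Report which network interfaces are in promiscuous mode (Linux sysfs).

Assumption: the kernel exposes each interface's SIOCGIFFLAGS bitmask as a
hex string in /sys/class/net/<iface>/flags. Bit values come from
<linux/if.h>. This is an added example, not the poster's own tooling.
"""
import tempfile
from pathlib import Path
from typing import Dict, List

# Flag bits from <linux/if.h>
IFF_UP = 0x1
IFF_LOOPBACK = 0x8
IFF_NOARP = 0x80
IFF_PROMISC = 0x100


def parse_flags(hex_text: str) -> Dict[str, bool]:
    """Decode the sysfs 'flags' value (e.g. '0x1103\\n') into named booleans."""
    value = int(hex_text.strip(), 16)
    return {
        "up": bool(value & IFF_UP),
        "loopback": bool(value & IFF_LOOPBACK),
        "noarp": bool(value & IFF_NOARP),
        "promiscuous": bool(value & IFF_PROMISC),
    }


def promiscuous_interfaces(sysfs_net: Path = Path("/sys/class/net")) -> List[str]:
    """Return the names of interfaces whose flags have IFF_PROMISC set.

    Interfaces whose flags file cannot be read (e.g. removed mid-scan) are
    skipped rather than treated as an error.
    """
    found: List[str] = []
    if not sysfs_net.is_dir():
        return found
    for iface in sorted(sysfs_net.iterdir()):
        try:
            text = (iface / "flags").read_text()
        except OSError:
            continue
        if parse_flags(text)["promiscuous"]:
            found.append(iface.name)
    return found


# Constructed sample values, written the way sysfs prints them.
SAMPLE_FLAGS = {
    "lo": "0x9\n",       # up + loopback
    "eth0": "0x1003\n",  # up, broadcast, multicast
    "eth1": "0x1103\n",  # same as eth0 plus IFF_PROMISC (left on by a capture tool)
}


def scan_constructed_sysfs(sample: Dict[str, str] = SAMPLE_FLAGS) -> List[str]:
    """Build a throwaway sysfs-like tree from the constructed sample and scan it.

    This exercises the same file-reading path as a real scan without
    depending on the host's interfaces.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, text in sample.items():
            (root / name).mkdir()
            (root / name / "flags").write_text(text)
        return promiscuous_interfaces(root)


if __name__ == "__main__":
    print("constructed sample:", scan_constructed_sysfs())
    print("this host:", promiscuous_interfaces() or "none")
```

Running the script on a Linux host lists any interface currently in promiscuous mode; a capture tool that exited cleanly should leave the list empty. On Windows there is no equivalent flags file, so the same question has to be answered through the adapter driver rather than the filesystem.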

-----Original Message-----
From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On Behalf Of
Ray Wong
Sent: Thursday, September 11, 2003 5:16 PM
To: nanog at merit.edu
Subject: Re: Some very strange network behaviors
> Even if a switch floods all ports, it does not change the fact the 
> packet will not have the correct MAC address and his NIC should never 
> pass it up the stack. Switches do not rewrite the Ethernet addresses 
> on packets.

Correct, ethernet switches do not.  The question is, what were the
systems in question connecting to?  Many hotels bought into proprietary
broadband systems, some of which are still in service.  Just because
there's an ethernet port in the room says nothing about the hotel's
internal net.

Some of them did(do) a very poor job of encapsulating or translating the
ethernet (or even layer 3, some of them were IP-only) at the room,
converting to some other p-t-p method (i.e. atm pvc logic, similar to
dsl), and again converting (badly) back downstairs.  It's entirely
possible the next IP speaking box in line does not, in fact, know what
the MAC of the client PC on the end of the line actually is.  Room 2037A
gets the traffic for room 2037A, regardless of what the router's arp
cache or the switch's mac map actually says.  The MAC seen may very well
be generated by the concentrating equipment and not the peecee.  Even if
the IP is negotiated with the node, a la pppoe, there's no certainty
that the traffic isn't modified in between. Without speaking to someone
"in the know" about the hotel, there's no telling what actually
happened.

All of which misses the issue he suggested, that traffic in any public
arena must be viewed as suspect.  Yes, Corporations who rely on an edge
firewall solution and do not standardize on some form of node protection
and audit process are likely exposing themselves to this sort of thing
all the time. Should they fix it?  Probably, but few of them are
employing me/us, so there's nothing I or most here can do about it.
That's not a technical problem. :-\

-- 

Ray Wong
rayw at rayw.net