bumbler
December 9th, 2004, 21:14
Can a simple ethernet switch get a virus?
A friend -- whose XP network had been cracked via DSL in the past -- gave me a simple, cheap, AOpen 5-port switch. I was noting in my firewall logs something was trying to get out using an IP not assigned to anything in my system. I connect via dialup, and I compared it with the IP assigned by my ISP, and they don't match, so something in my system is spoofing. When I disconnected from the switch, the firewall stopped logging those outbound attempts.
Could this little switch be compromised?
Bumbler
bmw
December 9th, 2004, 21:37
Cheap switches are simple hardware-based things. They have a large single-chip switching fabric (like a mesh of bridges), but no CPU. They can be compromised by flooding their ARP tables so that they effectively become simple hubs instead of switches, but that's a temporary condition that doesn't last through a power-cycle. So I'd say no, your switch isn't infected.
But can you tell which side these rogue packets are arriving on? A packet with a forged sender-address can look to your firewall as if it originated inside, but actually arrived on the outside interface. That's why it's critical to have anti-spoofing rules in your packet filter config. You have to detect forged sender addresses arriving on the outside or else your firewall will unwittingly pass the replies inbound. That can allow an attacker some access to your internal net.
bumbler
December 9th, 2004, 22:44
It has this line in my firewall.conf:
# Stop spoofing on the outside interface.
$fwcmd add deny ip from any to any in via $oif not verrevpath
I assume that means you can't spoof incoming for outgoing. Here's a sample of the firewall log:
Dec 8 14:55:48 thud kernel: ipfw: 1000 Deny TCP 208.31.95.146:55781 216.154.201.125:80 out via tun0
Dec 8 14:55:56 thud kernel: ipfw: 1000 Deny TCP 208.31.95.146:57640 216.154.201.125:80 out via tun0
Dec 8 14:55:58 thud kernel: ipfw: 1000 Deny TCP 208.31.95.146:58297 216.154.201.125:80 out via tun0
At that point, my assigned IP was neither of these. It was while I had the XP box and mine plugged into the switch, but her machine is clean, AFAICT. When I disconnected her machine, I still had similar packets logged. They stopped only when I unplugged the switch. I am puzzled.
Bumbler
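To make the two checks discussed in this thread concrete, here is an added example (my own code, not part of the original posts or of ipfw) that models what the `verrevpath` rule in bumbler's config does on the inside ("in via $oif"), and what his rule 1000 is doing on the outside ("out via tun0"): the reverse-path check bmw describes (the route back to the source must leave via the interface the packet arrived on), and the egress check (anything leaving the dialup interface must carry the ISP-assigned address). The routing table, the tun0 address 203.0.113.5, and the last two log lines are constructed for illustration; the first two log lines are the ones posted above.

```python
"""Reverse-path (verrevpath-style) and egress anti-spoofing checks over
ipfw-style log lines.  Added example; not code from the thread or from ipfw."""
import ipaddress
import re

# Constructed routing table: (prefix, interface). Longest prefix wins.
ROUTES = [
    (ipaddress.ip_network("192.168.1.0/24"), "fxp0"),  # inside LAN (assumed)
    (ipaddress.ip_network("0.0.0.0/0"), "tun0"),       # default via dialup
]

# Constructed: the address the ISP assigned to the outside interface.
IFACE_ADDR = {"tun0": ipaddress.ip_address("203.0.113.5")}


def route_iface(addr):
    """Interface the kernel would use to reach addr (longest-prefix match)."""
    addr = ipaddress.ip_address(addr)
    best = None
    for net, iface in ROUTES:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def verrevpath_ok(src, in_iface):
    """What an ipfw 'in via $oif not verrevpath' rule rejects: a packet whose
    source address would NOT be routed back out through the interface it
    arrived on.  True means the source is plausible for that interface."""
    return route_iface(src) == in_iface


LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\w+)"
)


def parse_line(line):
    """Pull rule, action, addresses, direction and interface out of one ipfw log line."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def classify(entry):
    """Verdict for one parsed entry: 'ok', 'egress-spoof' or 'ingress-spoof'."""
    src, iface = entry["src"], entry["iface"]
    if entry["dir"] == "out":
        # Egress: a packet leaving the outside interface must carry our own address.
        own = IFACE_ADDR.get(iface)
        if own is not None and ipaddress.ip_address(src) != own:
            return "egress-spoof"
        return "ok"
    # Ingress: reverse-path check, as the verrevpath rule does.
    return "ok" if verrevpath_ok(src, iface) else "ingress-spoof"


# First two lines are from the thread; the last two are constructed.
SAMPLE_LOG = """\
Dec 8 14:55:48 thud kernel: ipfw: 1000 Deny TCP 208.31.95.146:55781 216.154.201.125:80 out via tun0
Dec 8 14:55:56 thud kernel: ipfw: 1000 Deny TCP 208.31.95.146:57640 216.154.201.125:80 out via tun0
Dec 8 14:56:03 thud kernel: ipfw: 900 Deny TCP 192.168.1.50:1025 203.0.113.5:22 in via tun0
Dec 8 14:56:10 thud kernel: ipfw: 2000 Accept TCP 203.0.113.5:40001 216.154.201.125:80 out via tun0
"""


def audit(log_text):
    """Return (src, direction, iface, verdict) for every parseable line."""
    results = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e:
            results.append((e["src"], e["dir"], e["iface"], classify(e)))
    return results


if __name__ == "__main__":
    for src, direction, iface, verdict in audit(SAMPLE_LOG):
        print(f"{src:>16} {direction:>3} via {iface}: {verdict}")
```

The two posted lines come out as egress spoofing, which is exactly why rule 1000 logged them: 208.31.95.146 is not the address on tun0, so whatever put those packets on the wire was using a source address that is not its own. The constructed "in via tun0" line with a 192.168.1.x source shows the other half of bmw's point: that address belongs behind fxp0, so the reverse-path check rejects it on the outside interface before any reply could be routed inward.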