What is port Stealing?

Gokhan Kosem
3 min read · Jul 22, 2022


Port stealing is a kind of attack in which someone “steals” traffic that is directed to another port of an Ethernet switch. This attack allows the attacker to receive packets that were originally directed to another computer. It does so by making the switch believe that the attacker’s port is the correct destination for the packet.

To understand port stealing you first have to understand how Ethernet, and Ethernet switches in particular, work. First, there is the MAC address, the unique address of every computer connected to an Ethernet network, recorded in its network adapter. Ethernet frames carry two MAC addresses: the source address, which identifies the computer that sent the frame, and the destination address, which is the address of the computer to which the frame has to be delivered.

In the early days of Ethernet (up to the mid 1990s) all frames were sent to everyone over a shared medium, such as a coaxial cable, so everyone could listen to all the traffic. This had several problems, security being just one of them. Ethernet switches improved this situation by segmenting the network so that every computer now has its own dedicated port.

An Ethernet switch is able to learn who is connected to a port. It does so by listening to the port’s traffic. As soon as your computer sends an Ethernet frame — any frame — the switch looks at the source address and records it in an internal table. When it receives a frame destined for your computer, it sends the frame only to your port. The computers on the other ports don’t receive it.

Once you understand how it works up to this point, the port stealing attack becomes easy to understand. An attacker is connected to another port of the switch, and as such he’s blocked from watching your traffic (it’s being sent only to you). But the attacker can send fake frames to the switch containing your MAC address as the source address. He’s impersonating your computer, and the switch gets confused. The switch usually transmits the frame to the last port that appeared to be the “owner” of that MAC address, and if the attacker is sending lots of frames, he’s going to receive your frame in your place.

What happens next depends on the attacker’s intention. He may receive your packet and keep it for himself. But he can also send the packet back a few moments later, so that you receive it with a little delay and have no way to tell that it was compromised.

Port stealing relies on the fact that the switch needs to update its address table dynamically, because real networks are not completely static. For example, if you move your computer from one port to another, you’d expect the traffic to be sent to the new port instead of the old one. However, there are more advanced configurations that you can apply to a switch to make this kind of attack harder to carry out. These features are typical of the more expensive “enterprise grade” switches and not found in the less expensive small business equipment typically found in most companies and homes, which makes these environments more vulnerable. At the same time, this isn’t a very useful attack on small networks, because it involves a lot of work to capture just a small amount of traffic.
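As an added illustration (not part of the original post), the following Python model simulates the switch learning table described above, the port-stealing sequence, a defender-side check for a MAC address that keeps flapping between ports, and one configuration of the kind the previous paragraph alludes to: statically pinning a MAC address to its port so that frames claiming that address from any other port are dropped. The MAC addresses, port numbers and timings are constructed for the example.

```python
from collections import defaultdict

ALL_PORTS = (1, 2, 3)
# Constructed MAC addresses: the victim on port 1, the gateway on port 2, the attacker on port 3.
VICTIM, GATEWAY, ATTACKER = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02", "aa:aa:aa:aa:aa:03"

class LearningSwitch:
    """Toy model of a switch's source-address learning (not a real switch implementation)."""
    def __init__(self, static=None, flap_threshold=3, window=1.0):
        self.table = {}                   # MAC -> port, learned from frame source addresses
        self.static = static or {}        # MAC -> port pinned by the administrator (mitigation)
        self.moves = defaultdict(list)    # MAC -> times at which its learned port changed
        self.violations = []              # frames dropped because they broke a static binding
        self.flap_threshold, self.window = flap_threshold, window

    def forward(self, t, in_port, src, dst):
        """Learn src on in_port, then return the list of ports dst is delivered to."""
        if src in self.static and self.static[src] != in_port:
            self.violations.append((t, in_port, src))   # pinned MAC seen on the wrong port: drop
            return []
        prev = self.table.get(src)
        if prev is not None and prev != in_port:
            self.moves[src].append(t)     # the address appears to have moved to another port
        self.table[src] = in_port
        if dst in self.table:
            return [self.table[dst]]      # known destination: deliver to one port only
        return [p for p in ALL_PORTS if p != in_port]   # unknown destination: flood

    def flapping(self, mac, now):
        """Defender check: mac changed ports at least flap_threshold times in the last window seconds."""
        return sum(1 for t in self.moves[mac] if now - t <= self.window) >= self.flap_threshold

def run_scenario(static=None):
    """Victim and gateway exchange frames, then the attacker injects frames sourced from VICTIM."""
    sw = LearningSwitch(static=static)
    sw.forward(0.0, 1, VICTIM, GATEWAY)             # switch learns VICTIM on port 1
    honest = sw.forward(0.1, 2, GATEWAY, VICTIM)    # reply is delivered to port 1 only
    for i in range(3):
        sw.forward(0.2 + i / 10, 3, VICTIM, GATEWAY)   # spoofed: VICTIM's MAC arriving on port 3
        sw.forward(0.25 + i / 10, 1, VICTIM, GATEWAY)  # victim's real traffic moves it back
    sw.forward(0.6, 3, VICTIM, GATEWAY)             # the last spoofed frame wins the table entry
    stolen = sw.forward(0.61, 2, GATEWAY, VICTIM)   # where does the gateway's frame go now?
    return {"honest": honest, "stolen": stolen,
            "victim_flapping": sw.flapping(VICTIM, 0.61),
            "gateway_flapping": sw.flapping(GATEWAY, 0.61),
            "violations": len(sw.violations)}

if __name__ == "__main__":
    print(run_scenario())                      # unprotected: the frame at t=0.61 lands on port 3
    print(run_scenario(static={VICTIM: 1}))    # pinned: spoofed frames dropped, frame stays on port 1
```

The unprotected run shows the gateway's frame delivered to the attacker's port while the flapping check fires for the victim's MAC only; with the static binding, the same spoofed frames are counted as violations and forwarding is unaffected.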
