From owner-freebsd-isp Fri Dec 19 16:40:45 1997
Return-Path:
Received: (from root@localhost)
          by hub.freebsd.org (8.8.7/8.8.7) id QAA06541
          for isp-outgoing; Fri, 19 Dec 1997 16:40:45 -0800 (PST)
          (envelope-from owner-freebsd-isp)
Received: from coal.sentex.ca (coal.sentex.ca [209.112.4.16])
          by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id QAA06527
          for ; Fri, 19 Dec 1997 16:40:39 -0800 (PST)
          (envelope-from mike@sentex.net)
Received: from p7a.neon.sentex.ca (p7a.neon.sentex.ca [207.245.212.200])
          by coal.sentex.ca (8.8.8/8.8.7) with SMTP id TAA27913;
          Fri, 19 Dec 1997 19:55:26 -0500 (EST)
          (envelope-from mike@sentex.net)
From: mike@sentex.net (Mike Tancsa)
To: robmel@nadt.org.uk (Robin Melville)
Cc: freebsd-isp@freebsd.org
Subject: Re: Spoofing attack?
Date: Sat, 20 Dec 1997 00:32:18 GMT
Message-ID: <349b11cc.328590748@coal.sentex.net>
References: <3.0.5.32.19971219103416.007e8b10@wrcmail>
In-Reply-To: <3.0.5.32.19971219103416.007e8b10@wrcmail>
X-Mailer: Forte Agent .99e/32.227
Sender: owner-freebsd-isp@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Fri, 19 Dec 1997 10:34:16 +0000, in sentex.lists.freebsd.misc you wrote:

>One of our FBSD router hosts has begun to report what looks like some kind
>of spoof attack. I wonder whether anyone has seen anything like this or can
>offer a (hopefully benign) explanation. Notice that these rapid arp changes
>all take place within 1 second.
>This is one example of a number over the last 48 hours.
>
>TIA for any help.
>
>--------------------------------------------------
>Dec 18 09:53:18 charlie /kernel: arp: 194.155.224.118 moved from
>00:60:b0:64:c6:5c to 00:00:f4:ea:0c:34

If this is the MAC address of a real device that should not be
changing, look into doing an arp -s to make the arp entry permanent
perhaps.

        ---Mike
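
The symptom reported in this thread (several "arp: ... moved from ... to ..." kernel messages for one IP within a second) can be picked out of syslog mechanically. The following Python is an added example, not part of the original message: the function names, the one-second window and the assumed log year are choices made here, and only the first sample line comes from the post (the other two are constructed).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Kernel message format as quoted in the post (FreeBSD "arp: ... moved from ... to ...").
ARP_MOVED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+\S+\s+/kernel: arp: "
    r"(?P<ip>\d+(?:\.\d+){3}) moved from "
    r"(?P<old>[0-9a-f:]{17}) to (?P<new>[0-9a-f:]{17})"
)

SAMPLE_LOG = [
    # Line quoted in the post (unwrapped onto one line):
    "Dec 18 09:53:18 charlie /kernel: arp: 194.155.224.118 moved from "
    "00:60:b0:64:c6:5c to 00:00:f4:ea:0c:34",
    # Constructed: the same IP moving back within the same second.
    "Dec 18 09:53:18 charlie /kernel: arp: 194.155.224.118 moved from "
    "00:00:f4:ea:0c:34 to 00:60:b0:64:c6:5c",
    # Constructed: an isolated move, e.g. a replaced network card.
    "Dec 18 11:02:40 charlie /kernel: arp: 192.0.2.7 moved from "
    "02:00:00:00:00:01 to 02:00:00:00:00:02",
]

def parse_moves(lines, year=1997):
    """Yield (timestamp, ip, old_mac, new_mac); syslog omits the year, so it is supplied."""
    for line in lines:
        m = ARP_MOVED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["old"], m["new"]

def find_flapping(lines, window=timedelta(seconds=1), min_moves=2):
    """Return {ip: sorted MACs} for IPs with at least min_moves moves inside one window."""
    by_ip = defaultdict(list)
    for ts, ip, old, new in parse_moves(lines):
        by_ip[ip].append((ts, old, new))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            burst = [e for e in events[i:] if e[0] - start <= window]
            if len(burst) >= min_moves:
                flagged[ip] = sorted({mac for _, o, n in burst for mac in (o, n)})
                break
    return flagged

if __name__ == "__main__":
    for ip, macs in find_flapping(SAMPLE_LOG).items():
        print(f"{ip} is flapping between {', '.join(macs)}")
```

An IP that is flagged here and belongs to a device whose MAC address should never change is the case the reply's `arp -s` suggestion applies to.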