Date: Sun, 21 Dec 1997 12:57:46 +0000
From: Robin Melville <robmel@nadt.org.uk>
To: Philippe Regnauld <regnauld@deepo.prosa.dk>, Andrew Webster <andrew@guardian.fortress.org>, mike@sentex.net (Mike Tancsa)
Cc: isp@freebsd.org
Subject: Re: spoofing attack
Message-ID: <3.0.5.32.19971221125746.007f1df0@wrcmail>
Many, many thanks for all your replies. I'm relieved that you seem to be suggesting that this is not a spoofing attack. I had begun to believe so myself after I used tcpdump to see what I was receiving from this address. This is a sample:

arp who-has 194.155.219.1 tell 194.155.224.118
arp who-has 194.155.219.1 (ff:ff:ff:ff:ff:ff) tell 194.155.224.118
arp who-has 194.155.219.1 (0:40:af:16:60:a8) tell 194.155.224.118
arp who-has 194.155.219.1 (5c:f7:e1:ed:9e:c6) tell 194.155.224.118
arp who-has 194.155.219.1 (e0:1:0:0:10:8a) tell 194.155.224.118

Anyone know what sort of device/server does this?

Philippe Regnauld <regnauld@deepo.prosa.dk> wrote:
> Well, are any of those MAC addresses on your wire ?
> If they are, do any of them have bogus ARP entries, or
> proxyarp for other hosts ?

This I don't know... this is all happening on a large WAN covering all the hospitals & health installations in Nottingham. Is there a way of tracking MAC addresses other than doing a ping -c1 <broadcast> then checking the arp db? (This doesn't work BTW because none of these devices seem to respond to a ping.)

Andrew Webster <andrew@guardian.fortress.org> wrote:
> Yow, that looks like fun!
> Do you have a windows NT server on the network running DHCP perchance?

This is a possibility. There is a rogue DHCP server out there, as I discovered because it was allocating stupid IP addresses to our PCs if it got its reply in before our DHCP host. We now use BOOTP with the freeware "billgpc" program on our PCs, which works very well. But if it is this I don't understand why a) only one of our FBSD hosts exposed on the WAN is reporting the arp changes; b) we get a sudden burst of changes, always on this particular IP address, then silence for anything from 5 mins to 8 hours; and c) all the PCs (if that's what these are) should be trying to use the IP address simultaneously.
mike@sentex.net (Mike Tancsa) wrote:
> If this is the MAC address of a real device that should not be
> changing, look into doing an arp -s to make the arp entry permanent
> perhaps.

<grin> Well, if this is a genuine malfunction of something, I guess the owners of this device might not be pleased if I changed the address for them.

---- clipped from original post ----
> One of our FBSD router hosts has begun to report what looks like some kind
> of spoof attack. I wonder whether anyone has seen anything like this or can
> offer a (hopefully benign) explanation. Notice that these rapid arp changes
> all take place within 1 second.
> This is one example of a number over the last 48 hours.
>
> TIA for any help.
>
> --------------------------------------------------
> Dec 18 09:53:18 charlie /kernel: arp: 194.155.224.118 moved from
> 00:60:b0:64:c6:5c to 00:00:f4:ea:0c:34
[...]

--------------------------------------------------------
Robin Melville, Addiction & Forensic Information Service
Nottingham Alcohol & Drug Team (Extn. 49178)
Vox: +44 (0)115 952 9478   Fax: +44 (0)115 952 9421
Email: robmel@nadt.org.uk   WWW: http://www.innotts.co.uk/nadt/
---------------------------------------------------------
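The "arp: <ip> moved from <mac> to <mac>" kernel messages quoted in this thread can be watched for the exact pattern Robin describes: several MACs claiming one IP inside a single second, rather than one-off changes. The script below is an added example, not code from the thread or from FreeBSD; the log lines in it are constructed, and the one-second window and three-MAC threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log, modelled on the kernel message quoted in the thread:
# three rapid moves on one IP within one second, plus one benign move elsewhere.
SAMPLE_LOG = """\
Dec 18 09:53:18 charlie /kernel: arp: 194.155.224.118 moved from 00:60:b0:64:c6:5c to 00:00:f4:ea:0c:34
Dec 18 09:53:18 charlie /kernel: arp: 194.155.224.118 moved from 00:00:f4:ea:0c:34 to 00:40:af:16:60:a8
Dec 18 09:53:18 charlie /kernel: arp: 194.155.224.118 moved from 00:40:af:16:60:a8 to 00:60:b0:64:c6:5c
Dec 18 10:10:02 charlie /kernel: arp: 194.155.224.1 moved from 00:00:0c:07:ac:01 to 00:00:0c:07:ac:02
"""

# Syslog shape: "<Mon DD HH:MM:SS> <host> /kernel: arp: <ip> moved from <mac> to <mac>"
ARP_MOVED = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ /kernel: arp: "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) moved from "
    r"(?P<old>[0-9a-fA-F:]{17}) to (?P<new>[0-9a-fA-F:]{17})$"
)

def parse_arp_moves(text):
    """Return (timestamp, ip, old_mac, new_mac) for every 'arp: ... moved' line."""
    events = []
    for line in text.splitlines():
        m = ARP_MOVED.match(line)
        if not m:
            continue
        # Syslog stamps carry no year; the 1900 default is fine for deltas within one log.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append((ts, m["ip"], m["old"].lower(), m["new"].lower()))
    return events

def find_flux(events, window_seconds=1, min_macs=3):
    """Flag IPs claimed by >= min_macs distinct MACs inside window_seconds;
    returns {ip: sorted MACs seen in the first such burst}."""
    by_ip = defaultdict(list)
    for ts, ip, old, new in events:
        by_ip[ip].append((ts, old, new))
    flagged = {}
    for ip, moves in by_ip.items():
        moves.sort()
        for i, (t0, _, _) in enumerate(moves):
            macs = set()
            for t, old, new in moves[i:]:
                if (t - t0).total_seconds() > window_seconds:
                    break
                macs.update((old, new))
            if len(macs) >= min_macs:
                flagged[ip] = sorted(macs)
                break
    return flagged
```

Fed /var/log/messages from the reporting router, this separates the bursts described above from the single, legitimate moves that a failover or a replaced NIC produces.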
