Date:      Sun, 15 Sep 2002 13:46:57 +1200 (NZST)
From:      Andrew McNaughton <andrew@scoop.co.nz>
To:        "Andrew G. Russell IV" <arussell@tyr.agrknives.com>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: Mac address of hacked machine...
Message-ID:  <20020915133649.L47805-100000@a2.scoop.co.nz>
In-Reply-To: <20020914192323.A10984@bifrost.agrknives.com>



On Sat, 14 Sep 2002, Andrew G. Russell IV wrote:

> I have a machine that is hitting me with "kali" packets every few minutes.
> I've contacted the ISP, but they can't help unless I supply the MAC address.
>
> I've done tcpdump, I've arped, I suppose I don't know what I'm doing on this
> one.  I've read all the HOWTOS that I can find, even linux ones...  I've
> searched the archives, I guess I'm not asking the right question.
>
> I'm sure this will be a head smacker.
>
> Thanks for any help...   And YES I am subscribed... ;->

Unless the attacker is on the same ethernet subnet, there's no way you can
know the MAC address, and the ISP is either clueless or deliberately
unhelpful.

If the person you are talking to knows enough to make use of a MAC
address, then they almost certainly know enough to know that you can't
provide one based on traffic seen outside of their network.  That said,
it's quite possible that they are simply trying to follow something from a
helpdesk manual without knowing what the information they are supposed
to gather is about or for.

If you're dealing with clueless helpdesk staff, then try asking for
someone from their network operations team.  They will need to be involved
to solve the problem anyway.

Do collect a tcpdump of the traffic demonstrating the problem, making sure
that the timestamps are accurate, and that you tell the ISP what timezone
you are in.  The ISP should be able to identify which machine the IP
address was assigned to at that point in time.

Andrew McNaughton
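The two points the reply makes, that a source MAC only identifies the previous hop on your own Ethernet segment and that a capture handed to an ISP needs unambiguous timestamps, can be shown with a small frame parser. The following is an added example, not code from the thread: it decodes a constructed Ethernet II + IPv4 frame, decides whether the source MAC can be attributed to the sending host (only when the source IP is inside the local subnet) and formats a report line with an explicit UTC offset. The subnet 192.0.2.0/24, the addresses 198.51.100.7 and 192.0.2.50, and the MAC addresses are constructed sample values.

```python
"""Added example (not from the original thread).

A MAC address seen in a capture identifies the NIC that put the frame on the
local segment. For traffic routed in from another network that is the local
gateway, not the remote host, so it cannot help an ISP identify its customer.
All addresses below are constructed for the demonstration.
"""
import ipaddress
import struct
from datetime import datetime, timezone

ETHERTYPE_IPV4 = 0x0800

# Constructed local network and MACs (assumptions for the example).
LOCAL_NET = ipaddress.IPv4Network("192.0.2.0/24")
HOST_MAC = bytes.fromhex("020000000010")      # our own NIC
GATEWAY_MAC = bytes.fromhex("020000000001")   # our router's LAN-side NIC
NEIGHBOUR_MAC = bytes.fromhex("020000000032") # another host on our segment


def fmt_mac(raw: bytes) -> str:
    """Render 6 raw bytes as the usual colon-separated hex form."""
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(src_mac: bytes, dst_mac: bytes, src_ip: str, dst_ip: str,
                proto: int = 17) -> bytes:
    """Construct a minimal Ethernet II + IPv4 frame (20-byte header, no payload)."""
    eth = struct.pack("!6s6sH", dst_mac, src_mac, ETHERTYPE_IPV4)
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20, 0, 0, 64, proto, 0,   # version/IHL, TOS, len, id, frag, TTL, proto, csum
        ipaddress.IPv4Address(src_ip).packed,
        ipaddress.IPv4Address(dst_ip).packed,
    )
    return eth + ip_hdr


def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet II header and the fixed part of the IPv4 header."""
    if len(frame) < 14 + 20:
        raise ValueError("frame too short for Ethernet + IPv4 headers")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"unsupported ethertype 0x{ethertype:04x}")
    ip = frame[14:34]
    if ip[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return {
        "src_mac": fmt_mac(src_mac),
        "dst_mac": fmt_mac(dst_mac),
        "src_ip": ipaddress.IPv4Address(ip[12:16]),
        "dst_ip": ipaddress.IPv4Address(ip[16:20]),
        "proto": ip[9],
    }


def attribute_src_mac(parsed: dict, local_net: ipaddress.IPv4Network) -> str:
    """Say whose NIC the frame's source MAC actually belongs to."""
    if parsed["src_ip"] in local_net:
        return "sender"    # same segment: the MAC is the sending host's NIC
    return "gateway"       # routed in: the MAC is the last-hop router's NIC


def report_line(ts_epoch: float, parsed: dict,
                local_net: ipaddress.IPv4Network) -> str:
    """One line for an abuse report; the timestamp carries an explicit UTC offset."""
    ts = datetime.fromtimestamp(ts_epoch, tz=timezone.utc).isoformat()
    who = attribute_src_mac(parsed, local_net)
    return (f"{ts} src={parsed['src_ip']} dst={parsed['dst_ip']} "
            f"proto={parsed['proto']} src_mac={parsed['src_mac']} ({who})")


if __name__ == "__main__":
    # Frame arriving from outside the subnet: source MAC is the gateway's.
    remote = parse_frame(build_frame(GATEWAY_MAC, HOST_MAC, "198.51.100.7", "192.0.2.50"))
    print(report_line(1032054417, remote, LOCAL_NET))
    # Frame from a neighbour on the same segment: source MAC is the neighbour's.
    local = parse_frame(build_frame(NEIGHBOUR_MAC, HOST_MAC, "192.0.2.50", "192.0.2.16"))
    print(report_line(1032054417, local, LOCAL_NET))
```

The attribution rule is the whole point: when `src_ip` lies outside `LOCAL_NET`, the `src_mac` in the capture is the router's and says nothing about the remote machine, so the useful evidence for the ISP is the source IP plus a timestamp whose zone is stated.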





