From owner-freebsd-security Sat Sep 14 18:47: 2 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4C97C37B400 for ; Sat, 14 Sep 2002 18:47:00 -0700 (PDT)
Received: from a2.scoop.co.nz (aurora.scoop.co.nz [203.96.152.68]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5577043E42 for ; Sat, 14 Sep 2002 18:46:59 -0700 (PDT) (envelope-from andrew@scoop.co.nz)
Received: from localhost (localhost [127.0.0.1]) by a2.scoop.co.nz (8.12.2/8.12.2) with ESMTP id g8F1kvn7047890; Sun, 15 Sep 2002 13:46:57 +1200 (NZST) (envelope-from andrew@scoop.co.nz)
Date: Sun, 15 Sep 2002 13:46:57 +1200 (NZST)
From: Andrew McNaughton
To: "Andrew G. Russell IV"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Mac address of hacked machine...
In-Reply-To: <20020914192323.A10984@bifrost.agrknives.com>
Message-ID: <20020915133649.L47805-100000@a2.scoop.co.nz>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Sat, 14 Sep 2002, Andrew G. Russell IV wrote:

> I have a machine that is hitting me with "kali" packets every few minutes.
> I've contacted the ISP, but they can't help unless I supply the MAC address.
>
> I've done tcpdump, I've arped, I suppose I don't know what I'm doing on this
> one. I've read all the HOWTOS that I can find, even linux ones... I've
> searched the archives, I guess I'm not asking the right question.
>
> I'm sure this will be a head smacker.
>
> Thanks for any help... And YES I am subscribed... ;->

Unless the attacker is on the same ethernet subnet, there's no way you can know the MAC address, and the ISP is either clueless or deliberately unhelpful.
If the person you are talking to knows enough to make use of a MAC address, then they almost certainly know enough to know that you can't provide one based on traffic seen outside of their network. That said, it's quite possible that they are simply trying to follow something from a helpdesk manual without knowing what the information they are supposed to gather is about or for.

If you're dealing with clueless helpdesk staff, then try asking for someone from their network operations team. They will need to be involved to solve the problem anyway.

Do collect a tcpdump of the traffic demonstrating the problem, making sure that the timestamps are accurate, and that you tell the ISP what timezone you are in. The ISP should be able to identify which machine the IP address was assigned to at that point in time.

Andrew McNaughton
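The two points in the reply (a MAC address is only visible for hosts on your own Ethernet segment, and the useful evidence for the ISP is a capture with accurate, timezone-labelled timestamps) can be turned into a small checklist script. This is an added example and not code from the post; the interface name, prefix length and IP addresses are constructed placeholders, and the tcpdump flags used (`-n`, `-i`, `-tttt`, `-w`, `host`) are standard tcpdump options rather than anything the post specifies.

```python
"""Evidence checklist for reporting an abusive remote host to its ISP.

Added example, not from the freebsd-security post. All addresses and
the interface name below are constructed placeholders.
"""
import ipaddress
from datetime import datetime, timezone


def mac_is_learnable(local_ip: str, prefixlen: int, remote_ip: str) -> bool:
    """True only when remote_ip is on the same subnet as our interface.

    Frames from an off-subnet host arrive via a router, so the source MAC
    in the capture (and any ARP entry) belongs to the router, not the
    remote host. There is no way to learn the remote MAC from here.
    """
    iface = ipaddress.ip_interface(f"{local_ip}/{prefixlen}")
    return ipaddress.ip_address(remote_ip) in iface.network


def arp_entry_resolves(local_ip: str, prefixlen: int,
                       remote_ip: str, gateway_ip: str) -> str:
    """Return the IP whose MAC your ARP table actually holds for this flow.

    Explains why 'arp -a' does not help: for an off-subnet source the only
    entry ever created is the default gateway's.
    """
    if mac_is_learnable(local_ip, prefixlen, remote_ip):
        return remote_ip
    return gateway_ip


def capture_command(remote_ip: str, iface: str, outfile: str) -> list:
    """argv for a tcpdump capture the ISP can work from.

    -tttt  absolute date+time on every packet (accurate timestamps)
    -w     write raw pcap so the ISP can inspect it themselves
    -n     no DNS lookups, so nothing is altered or delayed
    """
    return ["tcpdump", "-n", "-i", iface, "-tttt", "-w", outfile,
            "host", remote_ip]


def evidence_header(capture_start_iso: str, remote_ip: str) -> str:
    """Build the cover note for the ISP with an unambiguous timestamp.

    The ISP matches the IP to a customer by time, so the time must carry
    its UTC offset. A naive timestamp (no offset) is rejected rather than
    silently assumed to be local time.
    """
    start = datetime.fromisoformat(capture_start_iso)
    if start.tzinfo is None or start.utcoffset() is None:
        raise ValueError("capture start time must include a UTC offset")
    as_utc = start.astimezone(timezone.utc)
    return (f"Abusive source IP: {remote_ip}\n"
            f"Capture start (local, with offset): {start.isoformat()}\n"
            f"Capture start (UTC): {as_utc.isoformat()}\n"
            f"Timestamps in the attached pcap are absolute (tcpdump -tttt).")


if __name__ == "__main__":
    # Constructed scenario: our host 192.0.2.10/24, gateway 192.0.2.1,
    # attacker 198.51.100.7 somewhere on the far side of the gateway.
    print("MAC learnable:", mac_is_learnable("192.0.2.10", 24, "198.51.100.7"))
    print("ARP entry you will see is for:",
          arp_entry_resolves("192.0.2.10", 24, "198.51.100.7", "192.0.2.1"))
    print(" ".join(capture_command("198.51.100.7", "em0", "evidence.pcap")))
    print(evidence_header("2002-09-15T13:46:57+12:00", "198.51.100.7"))
```

Run the capture command as root on the affected host for a window that includes several of the periodic packets, then send the pcap together with the header text; the offset-bearing timestamp is what lets the ISP correlate the IP with a subscriber session.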