Date:      Fri, 2 Jul 1999 09:51:41 -0500 (CDT)
From:      James Wyatt <jwyatt@RWSystems.net>
To:        Josef Karthauser <joe@pavilion.net>
Cc:        Snob Art Genre <ben@narcissus.net>, Bill Fink <bill@billfink.com>, freebsd-security@FreeBSD.ORG
Subject:   Big MAC attack (was Re: your mail)
Message-ID:  <Pine.BSF.4.05.9907020918390.21228-100000@kasie.rwsystems.net>
In-Reply-To: <19990702095858.V69050@pavilion.net>

On Fri, 2 Jul 1999, Josef Karthauser wrote:
> On Thu, Jul 01, 1999 at 06:01:55PM -0400, Snob Art Genre wrote:
	[ ... ]
> As an associated thing can anyone think of an easy way of ignoring traffic
> coming from a particular MAC address on the network?  I've got a user who
> keeps changing their IP address to get around the fact that I've restricted
> traffic to that address.

If you are on the same segment with this joker, arpwatch (or tcpdump
w/right options) can help you document or torture them.

I usually have enough management support that a list of such behavior and
a short interpretation after the user has received an email warning CC'd
to their manager will get them 'smacked'. If I can show impact to other
users' work (and our time) when address collisions occur, all the better.

It might be fun to have arpwatch (or cron job that just reviews the ARP
table) feed updates to a script that would arp for the address they used
to a local interface... 8{) I'm usually allowed to play with users like
this under the guise of 'enhancing security against ARP attacks.' - Jy@
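
An added example, not part of the original message: one way a cron job that reviews the ARP table could document a station that keeps changing its IP address, and the address collisions that result. It assumes BSD-style `arp -an` output collected at intervals; the function names, timestamps and all addresses in the sample dumps are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches BSD-style `arp -an` lines: ? (10.0.0.23) at 0:a0:c9:12:34:56 on fxp0 [ethernet]
ARP_LINE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\) at ([0-9A-Fa-f:]{11,17})\b")

def normalize_mac(mac):
    # BSD arp may drop leading zeros (0:a0:...), so pad each octet before comparing.
    return ":".join(part.zfill(2) for part in mac.lower().split(":"))

def parse_snapshot(text):
    """Return {ip: mac} for one `arp -an` dump; "(incomplete)" entries are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group(1)] = normalize_mac(m.group(2))
    return table

def review(snapshots):
    """snapshots: list of (timestamp, arp_output). Returns (roamers, collisions)."""
    ips_by_mac = defaultdict(list)   # mac -> [(first_seen, ip)] in first-seen order
    macs_by_ip = defaultdict(list)   # ip  -> [(first_seen, mac)] in first-seen order
    for ts, text in snapshots:
        for ip, mac in parse_snapshot(text).items():
            if ip not in [i for _, i in ips_by_mac[mac]]:
                ips_by_mac[mac].append((ts, ip))
            if mac not in [m for _, m in macs_by_ip[ip]]:
                macs_by_ip[ip].append((ts, mac))
    roamers = {mac: seen for mac, seen in ips_by_mac.items() if len(seen) > 1}
    collisions = {ip: seen for ip, seen in macs_by_ip.items() if len(seen) > 1}
    return roamers, collisions

# Constructed sample data (not from the original message): three cron-time dumps.
SNAPSHOTS = [
    ("1999-07-02 09:00", "? (10.0.0.1) at 0:a0:c9:0:0:1 on fxp0 [ethernet]\n"
                         "? (10.0.0.23) at 0:60:8:aa:bb:cc on fxp0 [ethernet]\n"),
    ("1999-07-02 09:10", "? (10.0.0.1) at 0:a0:c9:0:0:1 on fxp0 [ethernet]\n"
                         "? (10.0.0.57) at 0:60:8:aa:bb:cc on fxp0 [ethernet]\n"
                         "? (10.0.0.40) at (incomplete) on fxp0 [ethernet]\n"),
    ("1999-07-02 09:20", "? (10.0.0.1) at 00:60:08:AA:BB:CC on fxp0 [ethernet]\n"),
]

if __name__ == "__main__":
    roamers, collisions = review(SNAPSHOTS)
    for mac, seen in roamers.items():
        print(mac, "used", ", ".join(f"{ip} (first seen {ts})" for ts, ip in seen))
    for ip, seen in collisions.items():
        print(ip, "claimed by", ", ".join(f"{mac} (first seen {ts})" for ts, mac in seen))
```

The per-MAC list gives the timestamped record of address changes, and the per-IP list shows which legitimate address was affected when a collision occurred.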


