From owner-freebsd-security Fri Jul 2 8: 7:26 1999
Delivered-To: freebsd-security@freebsd.org
Received: from host07.rwsystems.net (kasie.rwsystems.net [209.197.192.103]) by hub.freebsd.org (Postfix) with ESMTP id C89C815279 for ; Fri, 2 Jul 1999 08:07:10 -0700 (PDT) (envelope-from jwyatt@RWSystems.net)
Received: from kasie.rwsystems.net([209.197.192.103]) (1778 bytes) by host07.rwsystems.net via sendmail with P:esmtp/R:bind_hosts/T:inet_zone_bind_smtp (sender: ) id for ; Fri, 2 Jul 1999 09:51:43 -0500 (CDT) (Smail-3.2.0.104 1998-Nov-20 #1 built 1998-Dec-24)
Date: Fri, 2 Jul 1999 09:51:41 -0500 (CDT)
From: James Wyatt
To: Josef Karthauser
Cc: Snob Art Genre, Bill Fink, freebsd-security@FreeBSD.ORG
Subject: Big MAC attack (was Re: your mail)
In-Reply-To: <19990702095858.V69050@pavilion.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 2 Jul 1999, Josef Karthauser wrote:
> On Thu, Jul 01, 1999 at 06:01:55PM -0400, Snob Art Genre wrote:
[ ... ]
> As an associated thing can anyone think of an easy way of ignoring traffic
> coming from a particular MAC address on the network? I've got a user who
> keeps changing their IP address to get around the fact that I've restricted
> traffic to that address.

If you are on the same segment with this joker, arpwatch (or tcpdump w/right options) can help you document or torture them. I usually have enough management support that a list of such behavior and a short interpretation after the user has received an email warning CC'd to their manager will get them 'smacked'. If I can show impact to other users' work (and our time) when address collisions occur, all the better.

It might be fun to have arpwatch (or a cron job that just reviews the ARP table) feed updates to a script that would arp for the address they used to a local interface... 8{)

I'm usually allowed to play with users like this under the guise of 'enhancing security against ARP attacks.' - Jy@
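The "cron job that just reviews the ARP table" idea from the message above, as an added example that is not part of the original post: it parses saved BSD-style `arp -an` output and reports MAC addresses that turn up on more than one IP, plus IPs claimed by more than one MAC (the address collisions the message mentions). The function names, the snapshot format and all sample addresses are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Matches BSD-style `arp -an` lines such as
#   ? (10.0.0.23) at 0:a0:c9:12:34:56 on fxp0 [ethernet]
ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at "
    r"(?P<mac>[0-9a-fA-F]{1,2}(?::[0-9a-fA-F]{1,2}){5})\b")

def parse_arp(text):
    """Return (ip, mac) pairs from one dump; '(incomplete)' entries are skipped."""
    pairs = []
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            # arp may print octets without leading zeros; normalise to xx:xx:...
            mac = ":".join(f"{int(o, 16):02x}" for o in m["mac"].split(":"))
            pairs.append((m["ip"], mac))
    return pairs

def review(snapshots):
    """snapshots: (timestamp, arp_output) tuples, oldest first.
    Returns (movers, collisions): MACs seen on several IPs, and IPs claimed
    by several MACs, each with the time every pairing was first seen."""
    by_mac, by_ip = defaultdict(list), defaultdict(list)
    for ts, text in snapshots:
        for ip, mac in parse_arp(text):
            if ip not in [i for _, i in by_mac[mac]]:
                by_mac[mac].append((ts, ip))
            if mac not in [m for _, m in by_ip[ip]]:
                by_ip[ip].append((ts, mac))
    movers = {m: h for m, h in by_mac.items() if len(h) > 1}
    collisions = {i: h for i, h in by_ip.items() if len(h) > 1}
    return movers, collisions

# Constructed sample data: three dumps a cron job might have saved.
SAMPLE = [
    ("1999-07-02 09:00", "? (10.0.0.1) at 0:10:4b:aa:bb:1 on fxp0 [ethernet]\n"
                         "? (10.0.0.23) at 0:a0:c9:12:34:56 on fxp0 [ethernet]\n"
                         "? (10.0.0.40) at (incomplete) on fxp0 [ethernet]\n"),
    ("1999-07-02 09:10", "? (10.0.0.57) at 0:a0:c9:12:34:56 on fxp0 [ethernet]\n"),
    ("1999-07-02 09:20", "? (10.0.0.1) at 0:a0:c9:12:34:56 on fxp0 [ethernet]\n"),
]

if __name__ == "__main__":
    movers, collisions = review(SAMPLE)
    for mac, hist in movers.items():
        print(mac, "used:", ", ".join(f"{ip} (first seen {ts})" for ts, ip in hist))
    for ip, hist in collisions.items():
        print(ip, "claimed by:", ", ".join(mac for _, mac in hist))
```

The timestamped history per MAC is the "list of such behavior" the message describes handing to management; arpwatch produces comparable records on its own.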