From owner-freebsd-isp Sun Jun 22 19:01:48 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id TAA04379
        for isp-outgoing; Sun, 22 Jun 1997 19:01:48 -0700 (PDT)
Received: from databus.databus.com (databus.databus.com [198.186.154.34])
        by hub.freebsd.org (8.8.5/8.8.5) with SMTP id TAA04368
        for ; Sun, 22 Jun 1997 19:01:36 -0700 (PDT)
From: Barney Wolff
To: chas
Cc: freebsd-isp@FreeBSD.ORG
Date: Sun, 22 Jun 1997 21:53 EDT
Subject: Re: duplicate IP = security problem ?
Content-Type: text/plain
Message-ID: <33add8f90.6d7a@databus.databus.com>
Sender: owner-isp@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> Date: Sun, 22 Jun 1997 20:48:34 +0000 (GMT)
> From: spork
>
> I don't know of any way to track down what machine it is however...
>
> On Mon, 23 Jun 1997, chas wrote:
>
> > "/kernel duplicate IP address 202.184.153.15! sent from ethernet
> > address 00:a0:40:29:e8:08"

Using the first 3 bytes of the Ethernet address is usually a good clue.
In this case, for example, 00:a0:40 is Apple Computer. Unless you have
a room full of them, of course. It's probably a misconfiguration rather
than an attack.

You can find the complete listing of manufacturers' codes (OUI's) on
http://standards.ieee.org/db/oui and I believe it's on IETF servers as well.

Barney Wolff
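
Added example, not part of the original message: one way to pull the OUI clue out of these kernel messages and count how often each (IP, MAC) pair shows up. The function names and the one-entry vendor table (the only prefix the message names) are assumptions, and the sample log lines are constructed. A MAC with the locally-administered bit set was assigned in software, so its first three bytes are not a manufacturer code.

```python
import re
from collections import Counter

# Assumption: a local table keyed by lowercase 6-hex-digit OUI. It holds only
# the prefix named in the message; a real run would load the full IEEE listing.
OUI_VENDORS = {"00a040": "Apple Computer"}

DUP_RE = re.compile(
    r"duplicate IP address (?P<ip>\d{1,3}(?:\.\d{1,3}){3})!? "
    r"sent from ethernet address:? (?P<mac>[0-9A-Fa-f]{1,2}(?::[0-9A-Fa-f]{1,2}){5})"
)

def normalize_mac(mac):
    """Zero-pad and lowercase each octet: '0:A0:40:29:E8:8' -> '00:a0:40:29:e8:08'."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))

def classify(mac):
    """Return (oui, vendor_or_None, note) for a normalized MAC address."""
    octets = mac.split(":")
    oui = "".join(octets[:3])
    if int(octets[0], 16) & 0x02:
        # Locally-administered bit: address set in software, OUI says nothing.
        return oui, None, "locally administered address, OUI lookup not meaningful"
    vendor = OUI_VENDORS.get(oui)
    return oui, vendor, ("vendor known" if vendor else "OUI not in local table")

def summarize(log_lines):
    """Count duplicate-IP reports per (ip, mac) and attach the OUI clue."""
    counts = Counter()
    for line in log_lines:
        m = DUP_RE.search(line)
        if m:
            counts[(m.group("ip"), normalize_mac(m.group("mac")))] += 1
    report = []
    for (ip, mac), n in counts.most_common():
        oui, vendor, note = classify(mac)
        report.append(dict(ip=ip, mac=mac, oui=oui, vendor=vendor, note=note, count=n))
    return report

# Constructed sample lines: hostname, timestamps and the 192.0.2.7 entry are made up.
SAMPLE = [
    "Jun 23 04:10:01 gw /kernel: duplicate IP address 202.184.153.15! sent from ethernet address 00:a0:40:29:e8:08",
    "Jun 23 04:12:44 gw /kernel: duplicate IP address 202.184.153.15! sent from ethernet address: 0:A0:40:29:E8:8",
    "Jun 23 04:15:09 gw /kernel: duplicate IP address 192.0.2.7! sent from ethernet address 02:00:5e:10:00:01",
    "Jun 23 04:16:00 gw /kernel: some unrelated message",
]

if __name__ == "__main__":
    print(*summarize(SAMPLE), sep="\n")
```

A single MAC reported repeatedly for one IP fits the misconfiguration reading in the message; the OUI narrows the search to a vendor, not to a specific machine.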