Date: Thu, 18 Jul 2002 14:28:38 -0500
From: Chris Boyd <CBoyd@apogeetelecom.com>
To: 'Jim Laurenson' <j.laurenson@epicmail.ca>, Craig Miller <craig@millerfam.net>, freebsd-security <freebsd-security@freebsd.org>
Subject: RE: wierdness in my security report
Message-ID: <5A1E91591378D243B6B6C5425F2B2B3E1DE9B1@apexch.apogeetelecom.com>
This looks like a customer-facing router on ATT Broadband's cable Internet service. They apparently replaced the router interface at the headend, and thus it got a new MAC address on the Ethernet. Since there are a lot of man-in-the-middle attacks that involve changing MAC to IP ARP tables, the FreeBSD box logs a warning, and the warning comes from the kernel.

> -----Original Message-----
> From: Jim Laurenson [SMTP:j.laurenson@epicmail.ca]
> Sent: Thursday, July 18, 2002 12:54 PM
> To: Craig Miller; freebsd-security
> Subject: RE: wierdness in my security report
>
> I have found the same logs on one of my older builds (4.3 I think). The
> offending MAC address was found to be a Cisco router on my ISP's network.
> I found no solution for it though.
>
> Jim Laurenson
>
> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of Craig Miller
> Sent: July 18, 2002 11:47 AM
> To: freebsd-security
> Subject: wierdness in my security report
>
>
> Anyone have any ideas as to what might be causing the following to
> appear in my security report?
>
> arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
>
> Jul 17 05:47:56 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
>
> arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0
>
> Jul 17 05:47:57 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0
>
> I thought those : delimited fields would be MAC addresses, but they
> don't match the MAC addresses of either of the two cards in my FreeBSD
> box. I have not checked the MAC addresses of the other network cards on
> my network.
>
> Also, where does the "server /kernel" name come from? "kernel" is
> not the name I gave my kernel, so I am suspicious.
>
> Thanks,
>
> --Craig

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
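As an added example, not part of the thread, here is a small Python script that parses the kernel's "arp: ... moved" lines quoted above and classifies each move the way an operator triaging the daily security report would want: a clean one-time change (an upstream router replaced, as Chris suggests), a flap between two addresses, or a MAC that is not on the list of addresses you have verified with the ISP. The sample log lines are constructed from the values in Craig's report, and the "verified MAC" list is an assumption standing in for whatever you confirm out of band.

```python
import re
from collections import defaultdict

# Matches both forms quoted in the thread: the bare report line
# "arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0"
# and the syslog line, whose prefix is the timestamp, the hostname ("server")
# and the kernel's syslog tag ("/kernel:").
ARP_MOVE = re.compile(
    r"^(?:(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) /kernel: )?"
    r"arp: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) moved from (?P<old>[0-9a-f:]{17}) "
    r"to (?P<new>[0-9a-f:]{17}) on (?P<iface>\w+)$"
)

def parse_arp_moves(lines):
    """Return one dict per 'arp: ... moved' line, in log order; other lines are ignored."""
    return [m.groupdict() for m in (ARP_MOVE.match(l.strip()) for l in lines) if m]

def assess_arp_moves(events, verified_macs):
    """Classify each (ip, iface) pair that moved.
    verified_macs maps an IP to the set of MACs confirmed to belong to it
    (e.g. the ISP router's old and new interfaces). Verdicts:
      'unknown-mac' : a MAC outside the verified set appeared -> investigate
      'flapping'    : the IP bounced back to its original MAC (two devices answering)
      'single-move' : one clean change, consistent with a replaced upstream interface
    """
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["ip"], e["iface"])].append(e)
    verdicts = {}
    for (ip, iface), evs in by_key.items():
        seen = {e["old"] for e in evs} | {e["new"] for e in evs}
        verified = verified_macs.get(ip, set())
        if verified and not seen <= verified:
            verdicts[(ip, iface)] = "unknown-mac"
        elif len(evs) > 1 and evs[-1]["new"] == evs[0]["old"]:
            verdicts[(ip, iface)] = "flapping"
        else:
            verdicts[(ip, iface)] = "single-move"
    return verdicts

# Constructed sample: the two kernel lines from the report plus an unrelated line.
SAMPLE_LOG = [
    "Jul 17 05:47:56 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0",
    "Jul 17 05:47:57 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0",
    "Jul 17 05:48:00 server /kernel: dc0: unrelated message (constructed)",
]

if __name__ == "__main__":
    events = parse_arp_moves(SAMPLE_LOG)
    # Assumption: both MACs were confirmed with the ISP as their headend router's interfaces.
    isp_router = {"12.236.220.1": {"00:b0:64:b7:6f:54", "00:b0:64:b7:6f:a8"}}
    print(assess_arp_moves(events, isp_router))  # {('12.236.220.1', 'dc0'): 'flapping'}
```

Run it over the full /var/log/messages rather than the report excerpt so the verdict reflects the whole day's sequence of moves, not just the lines the report happened to show.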