From owner-freebsd-security Thu Jul 18 12:18:18 2002
Message-ID: <5A1E91591378D243B6B6C5425F2B2B3E1DE9B1@apexch.apogeetelecom.com>
From: Chris Boyd <CBoyd@apogeetelecom.com>
To: 'Jim Laurenson', Craig Miller, freebsd-security
Subject: RE: weirdness in my security report
Date: Thu, 18 Jul 2002 14:28:38 -0500

This looks like a customer-facing router on ATT Broadband's cable Internet service. They apparently replaced the router interface at the headend, and thus it got a new MAC address on the Ethernet. Since there are a lot of man-in-the-middle attacks that involve changing MAC to IP ARP tables, the FreeBSD box logs a warning, and the warning comes from the kernel.

> -----Original Message-----
> From: Jim Laurenson [SMTP:j.laurenson@epicmail.ca]
> Sent: Thursday, July 18, 2002 12:54 PM
> To: Craig Miller; freebsd-security
> Subject: RE: weirdness in my security report
>
> I have found the same logs on one of my older builds (4.3 I think). The
> offending MAC address was found to be a Cisco router on my ISP's network.
> I found no solution for it though.
>
> Jim Laurenson
>
> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of Craig Miller
> Sent: July 18, 2002 11:47 AM
> To: freebsd-security
> Subject: weirdness in my security report
>
> > Anyone have any ideas as to what might be causing the following to
> > appear in my security report?
> >
> > arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
> >
> > Jul 17 05:47:56 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
> >
> > arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0
> >
> > Jul 17 05:47:57 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0
> >
> > I thought those : delimited fields would be MAC addresses, but they
> > don't match the MAC addresses of either of the two cards in my FreeBSD
> > box. I have not checked the MAC addresses of the other network cards on
> > my network.
> >
> > Also, where does the "server /kernel" name come from? "kernel" is
> > not the name I gave my kernel, so I am suspicious.
> >
> > Thanks,
> >
> > --Craig

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
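The two explanations offered in the thread (a replaced ISP router versus an ARP table being rewritten by a second host) leave different traces in the kernel's "arp: ... moved" messages: a one-time move versus an address that keeps returning to a MAC it already had. The following script is an added example, not code from the thread or from FreeBSD, that parses those messages out of a security report or syslog and separates the two patterns; the sample lines for 12.236.220.1 are the ones Craig posted, the 192.0.2.10 line is a constructed addition.

```python
import re
from collections import OrderedDict

# Matches the raw kernel message and the syslog-prefixed form ("... /kernel: arp: ...").
ARP_MOVED = re.compile(
    r"arp: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) moved from "
    r"(?P<old>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) to "
    r"(?P<new>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) on (?P<ifc>\S+)",
    re.IGNORECASE,
)

def parse_arp_moved(line):
    """Return (ip, interface, old_mac, new_mac) for an 'arp: ... moved' line, else None."""
    m = ARP_MOVED.search(line)
    if not m:
        return None
    return m["ip"], m["ifc"], m["old"].lower(), m["new"].lower()

def analyze(lines):
    """Summarise IP-to-MAC changes per (ip, interface).

    A single change that never reverts is consistent with replaced hardware,
    e.g. the ISP swapping its headend router interface.  A return to a MAC
    already seen for the same IP is counted as a flap: two stations are
    answering for one address, which is what ARP spoofing produces (and what a
    redundant router pair can also look like), so it deserves a closer look.
    """
    state = OrderedDict()
    for line in lines:
        parsed = parse_arp_moved(line)
        if parsed is None:
            continue  # unrelated report line
        ip, ifc, old, new = parsed
        entry = state.setdefault((ip, ifc), {"macs": [], "changes": 0, "flaps": 0})
        if new in entry["macs"]:
            entry["flaps"] += 1
        for mac in (old, new):
            if mac not in entry["macs"]:
                entry["macs"].append(mac)
        entry["changes"] += 1
    return state

def verdict(entry):
    """One-line classification of an (ip, interface) history produced by analyze()."""
    if entry["flaps"]:
        return "flapping between %d MACs over %d changes: possible duplicate host or ARP spoofing" % (
            len(entry["macs"]), entry["changes"])
    return "single move to a new MAC: consistent with replaced hardware"

# Constructed sample: the two kernel lines from the thread plus one made-up single move.
SAMPLE_REPORT = [
    "Jul 17 05:47:56 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0",
    "Jul 17 05:47:57 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0",
    "Jul 17 06:02:11 server /kernel: arp: 192.0.2.10 moved from 02:00:00:00:00:01 to 02:00:00:00:00:02 on dc0",
    "Jul 17 06:10:00 server login: ROOT LOGIN (root) ON ttyv0",
]

if __name__ == "__main__":
    for (ip, ifc), entry in analyze(SAMPLE_REPORT).items():
        print("%s on %s: %s" % (ip, ifc, verdict(entry)))
```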