From owner-freebsd-isp  Sun Jun 22 19:35:02 1997
Return-Path: <owner-isp>
Received: (from root@localhost)
          by hub.freebsd.org (8.8.5/8.8.5) id TAA05892
          for isp-outgoing; Sun, 22 Jun 1997 19:35:02 -0700 (PDT)
Received: from weblock.tm.net.my ([202.188.0.180])
          by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id TAA05878
          for <freebsd-isp@FreeBSD.ORG>; Sun, 22 Jun 1997 19:34:58 -0700 (PDT)
Received: from lovebox ([202.184.153.17]) by weblock.tm.net.my
          (Post.Office MTA v3.1 release PO203a  evaluation license)
          with SMTP id AAA3346; Mon, 23 Jun 1997 10:35:14 +0800
Message-Id: <3.0.32.19970623102606.00947a80@mail.tm.net.my>
X-Sender: sweeting@mail.tm.net.my
X-Mailer: Windows Eudora Pro Version 3.0 (32)
To: Barney Wolff <barney@databus.com>
From: chas <sweeting@tm.net.my>
Subject: Re: duplicate IP = security problem ?
Cc: freebsd-isp@FreeBSD.ORG
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 23 Jun 1997 10:35:14 +0800
Sender: owner-isp@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

At 09:53 PM 6/22/97 EDT, Barney Wolff wrote:
>> Date: Sun, 22 Jun 1997 20:48:34 +0000 (GMT)
>> From: spork <spork@super-g.com>
>> 
>> I don't know of any way to track down what machine it is however...
>> 
>> On Mon, 23 Jun 1997, chas wrote:
>> 
>> > 	"/kernel duplicate IP address 202.184.153.15! sent from ethernet
>> >         address 00:a0:40:29:e8:08"
>
>Using the first 3 bytes of the Ethernet address is usually a good clue.
>In this case, for example, 00:a0:40 is Apple Computer.  Unless you
>have a room full of them, of course. 

30 Macs here..... so that is a relief. (of sorts)

> It's probably a misconfiguration
>rather than an attack.

I think that you could be correct. (not wishing to tempt fate)

Nothing like a quick scare to start the week and make me 
actually read that security book on my desk,

chas