From owner-freebsd-isp Fri Dec 19 04:47:06 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id EAA15128 for isp-outgoing; Fri, 19 Dec 1997 04:47:06 -0800 (PST) (envelope-from owner-freebsd-isp)
Received: from relay1.mail.uk.psi.net (relay1.mail.uk.psi.net [154.32.105.6]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id EAA15123 for ; Fri, 19 Dec 1997 04:47:01 -0800 (PST) (envelope-from robmel@nadt.org.uk)
Received: from sys4.cambridge.uk.psi.net (sys4.cambridge.uk.psi.net [154.32.106.14]) by relay1.mail.uk.psi.net (8.8.5/) with ESMTP id MAA28086 for ; Fri, 19 Dec 1997 12:46:59 GMT
Received: by sys4.cambridge.uk.psi.net (8.8.5/SMI-5.5-UKPSINet) id MAA19964; Fri, 19 Dec 1997 12:14:01 GMT
Received: from infodev.nadt.org.uk (infodev.nadt.org.uk [172.16.99.205]) by charlie.nadt.org.uk (8.8.8/8.6.12) with SMTP id KAA12744 for ; Fri, 19 Dec 1997 10:34:17 GMT
Message-Id: <3.0.5.32.19971219103416.007e8b10@wrcmail>
X-Sender: robmel@wrcmail
X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.5 (32)
Date: Fri, 19 Dec 1997 10:34:16 +0000
To: isp@freebsd.org
From: Robin Melville
Subject: Spoofing attack?
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-isp@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

One of our FBSD router hosts has begun to report what looks like some kind of spoof attack. I wonder whether anyone has seen anything like this or can offer a (hopefully benign) explanation.

Notice that these rapid arp changes all take place within 1 second. This is one example of a number over the last 48 hours.

TIA for any help.
--------------------------------------------------
Dec 18 09:53:18 charlie /kernel: arp: 194.155.224.118 moved from 00:60:b0:64:c6:5c to 00:00:f4:ea:0c:34
Dec 18 09:53:18 charlie /kernel: arp: 194.155.224.118 moved from 00:00:f4:ea:0c:34 to 00:00:f4:ec:24:04
Dec 18 09:53:18 charlie /kernel: arp: 194.155.224.118 moved from 00:00:f4:ec:24:04 to 00:00:f4:e4:6e:28
Dec 18 09:53:18 charlie /kernel: arp: 194.155.224.118 moved from 00:00:f4:e4:6e:28 to 00:00:f4:e4:5c:f8
Dec 18 09:53:18 charlie /kernel: arp: 194.155.224.118 moved from 00:00:f4:e4:5c:f8 to 00:00:f4:ec:0d:82
Dec 18 09:53:18 charlie /kernel: arp: 194.155.224.118 moved from 00:00:f4:ec:0d:82 to 00:00:f4:e4:36:7f
Dec 18 09:53:18 charlie /kernel: arp: 194.155.224.118 moved from 00:00:f4:e4:36:7f to 00:00:f4:e4:59:fb
Dec 18 09:53:18 charlie /kernel: arp: 194.155.224.118 moved from 00:00:f4:e4:59:fb to 00:00:f4:e4:70:05
Dec 18 09:53:18 charlie /kernel: arp: 194.155.224.118 moved from 00:00:f4:e4:70:05 to 00:00:f4:e4:5a:57
Dec 18 09:53:19 charlie /kernel: arp: 194.155.224.118 moved from 00:00:f4:e4:5a:57 to 00:00:f4:e4:5b:0b
Dec 18 09:53:19 charlie /kernel: arp: 194.155.224.118 moved from 00:00:f4:e4:5b:0b to 00:00:f4:e4:5d:26
Dec 18 09:53:19 charlie /kernel: arp: 194.155.224.118 moved from 00:00:f4:e4:5d:26 to 00:60:b0:64:c6:5c
-----------------------------------------------

--------------------------------------------------------
Robin Melville, Addiction & Forensic Information Service
Nottingham Alcohol & Drug Team (Extn. 49178)
Vox: +44 (0)115 952 9478 Fax: +44 (0)115 952 9421
Email: robmel@nadt.org.uk
WWW: http://www.innotts.co.uk/nadt/
---------------------------------------------------------
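
A log-triage sketch for kernel messages in the format quoted in the message above, as an added example that is not part of the original post: it groups "arp: ... moved from ... to ..." entries by IP and reports addresses whose MAC changed several times within a short window, along with the number of distinct MACs, their OUI prefixes, and whether the entry ended on the MAC it started from. The sample log, the thresholds, the assumed year and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Kernel message format quoted in the post: "arp: IP moved from MAC to MAC".
LINE_RE = re.compile(r"^(\w{3}\s+\d+\s+[\d:]{8})\s+\S+\s+/kernel: arp: (\S+) "
                     r"moved from ([0-9a-f:]{17}) to ([0-9a-f:]{17})$")

# Constructed sample in the same format (documentation IPs, made-up MACs).
SAMPLE = """\
Dec 18 09:53:18 gw /kernel: arp: 192.0.2.10 moved from 02:11:22:00:00:01 to 02:aa:bb:00:00:02
Dec 18 09:53:18 gw /kernel: arp: 192.0.2.10 moved from 02:aa:bb:00:00:02 to 02:aa:bb:00:00:03
Dec 18 09:53:19 gw /kernel: arp: 192.0.2.10 moved from 02:aa:bb:00:00:03 to 02:aa:bb:00:00:04
Dec 18 09:53:19 gw /kernel: arp: 192.0.2.10 moved from 02:aa:bb:00:00:04 to 02:11:22:00:00:01
Dec 18 11:20:05 gw /kernel: arp: 192.0.2.20 moved from 02:11:22:00:00:07 to 02:11:22:00:00:08
"""

def parse(lines, year=1997):
    """Yield (time, ip, old_mac, new_mac); syslog omits the year, so it is assumed."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3), m.group(4)

def find_flapping(lines, window=timedelta(seconds=2), min_moves=3):
    """Report IPs whose ARP entry moved at least min_moves times within window."""
    by_ip = defaultdict(list)
    for ts, ip, old, new in parse(lines):
        by_ip[ip].append((ts, old, new))
    report = {}
    for ip, moves in by_ip.items():
        moves.sort(key=lambda m: m[0])      # stable: keeps log order within a second
        best, start = [], 0
        for end in range(len(moves)):       # sliding time window, keep the busiest burst
            while moves[end][0] - moves[start][0] > window:
                start += 1
            if end - start + 1 > len(best):
                best = moves[start:end + 1]
        if len(best) >= min_moves:
            macs = {m for _, old, new in best for m in (old, new)}
            report[ip] = {"moves": len(best), "distinct_macs": len(macs),
                          "ouis": sorted({m[:8] for m in macs}),
                          "returned_to_start": best[0][1] == best[-1][2]}
    return report

if __name__ == "__main__":
    print(find_flapping(SAMPLE.splitlines()))
```

A burst that cycles through many MACs sharing one OUI and ends on the original address is worth separating from a single move, which is what a replaced NIC or a failover normally produces.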