Skip site navigation (1)Skip section navigation (2) 
Date:      Fri, 19 Dec 1997 10:34:16 +0000
From:      Robin Melville <robmel@nadt.org.uk>
To:        isp@freebsd.org
Subject:   Spoofing attack?
Message-ID:  <3.0.5.32.19971219103416.007e8b10@wrcmail>
next in thread | raw e-mail | index | archive | help 
One of our FBSD router hosts has begun to report what looks like some kind
of spoof attack. I wonder whether anyone has seen anything like this or can
offer a (hopefully benign) explanation. Notice that these rapid arp changes
all take place within 1 second.
This is one example of a number over the last 48 hours.

TIA for any help.

--------------------------------------------------
Dec 18 09:53:18 charlie /kernel: arp: 194.155.224.118 moved from
00:60:b0:64:c6:5c to 00:00:f4:ea:0c:34
Dec 18 09:53:18 charlie /kernel: arp: 194.155.224.118 moved from
00:00:f4:ea:0c:34 to 00:00:f4:ec:24:04
Dec 18 09:53:18 charlie /kernel: arp: 194.155.224.118 moved from
00:00:f4:ec:24:04 to 00:00:f4:e4:6e:28
Dec 18 09:53:18 charlie /kernel: arp: 194.155.224.118 moved from
00:00:f4:e4:6e:28 to 00:00:f4:e4:5c:f8
Dec 18 09:53:18 charlie /kernel: arp: 194.155.224.118 moved from
00:00:f4:e4:5c:f8 to 00:00:f4:ec:0d:82
Dec 18 09:53:18 charlie /kernel: arp: 194.155.224.118 moved from
00:00:f4:ec:0d:82 to 00:00:f4:e4:36:7f
Dec 18 09:53:18 charlie /kernel: arp: 194.155.224.118 moved from
00:00:f4:e4:36:7f to 00:00:f4:e4:59:fb
Dec 18 09:53:18 charlie /kernel: arp: 194.155.224.118 moved from
00:00:f4:e4:59:fb to 00:00:f4:e4:70:05
Dec 18 09:53:18 charlie /kernel: arp: 194.155.224.118 moved from
00:00:f4:e4:70:05 to 00:00:f4:e4:5a:57
Dec 18 09:53:19 charlie /kernel: arp: 194.155.224.118 moved from
00:00:f4:e4:5a:57 to 00:00:f4:e4:5b:0b
Dec 18 09:53:19 charlie /kernel: arp: 194.155.224.118 moved from
00:00:f4:e4:5b:0b to 00:00:f4:e4:5d:26
Dec 18 09:53:19 charlie /kernel: arp: 194.155.224.118 moved from
00:00:f4:e4:5d:26 to 00:60:b0:64:c6:5c
-----------------------------------------------
--------------------------------------------------------
Robin Melville, Addiction & Forensic Information Service
Nottingham Alcohol & Drug Team (Extn. 49178)
Vox: +44 (0)115 952 9478  Fax: +44 (0)115 952 9421 
Email: robmel@nadt.org.uk
WWW:   http://www.innotts.co.uk/nadt/
---------------------------------------------------------

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3.0.5.32.19971219103416.007e8b10>