Date: Fri, 19 Dec 1997 15:03:22 +0100 From: Philippe Regnauld <regnauld@deepo.prosa.dk> To: Robin Melville <robmel@nadt.org.uk> Cc: isp@FreeBSD.ORG Subject: Re: Spoofing attack? Message-ID: <19971219150322.10165@deepo.prosa.dk> In-Reply-To: <3.0.5.32.19971219103416.007e8b10@wrcmail>; from Robin Melville on Fri, Dec 19, 1997 at 10:34:16AM %2B0000 References: <3.0.5.32.19971219103416.007e8b10@wrcmail>
next in thread | previous in thread | raw e-mail | index | archive | help
Robin Melville writes: > One of our FBSD router hosts has begun to report what looks like some kind > of spoof attack. I wonder whether anyone has seen anything like this or can > offer a (hopefully benign) explanation. Notice that these rapid arp changes > all take place within 1 second. > This is one example of a number over the last 48 hours. Well, are any of those MAC addresses on your wire ? If they are, do any of them have bogus ARP entries, or proxyarp for other hosts ? > Dec 18 09:53:18 charlie /kernel: arp: 194.155.224.118 moved from > 00:00:f4:e4:70:05 to 00:00:f4:e4:5a:57 > Dec 18 09:53:19 charlie /kernel: arp: 194.155.224.118 moved from > 00:00:f4:e4:5a:57 to 00:00:f4:e4:5b:0b > Dec 18 09:53:19 charlie /kernel: arp: 194.155.224.118 moved from > 00:00:f4:e4:5b:0b to 00:00:f4:e4:5d:26 > Dec 18 09:53:19 charlie /kernel: arp: 194.155.224.118 moved from > 00:00:f4:e4:5d:26 to 00:60:b0:64:c6:5c -- -[ Philippe Regnauld / sysadmin / regnauld@deepo.prosa.dk / +55.4N +11.3E ]- "Pluto placed his bad dog at the entrance of Hades to keep the dead IN and the living OUT! The archetypical corporate firewall?" - S. Kelly Bootle, about Cerberus ["MYTHOLOGY", in Marutukku distrib] -
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19971219150322.10165>