Date: Fri, 19 Dec 1997 15:03:22 +0100 From: Philippe Regnauld <regnauld@deepo.prosa.dk> To: Robin Melville <robmel@nadt.org.uk> Cc: isp@FreeBSD.ORG Subject: Re: Spoofing attack? Message-ID: <19971219150322.10165@deepo.prosa.dk> In-Reply-To: <3.0.5.32.19971219103416.007e8b10@wrcmail>; from Robin Melville on Fri, Dec 19, 1997 at 10:34:16AM %2B0000 References: <3.0.5.32.19971219103416.007e8b10@wrcmail>
next in thread | previous in thread | raw e-mail | index | archive | help
Robin Melville writes:
> One of our FBSD router hosts has begun to report what looks like some kind
> of spoof attack. I wonder whether anyone has seen anything like this or can
> offer a (hopefully benign) explanation. Notice that these rapid arp changes
> all take place within 1 second.
> This is one example of a number over the last 48 hours.
Well, are any of those MAC addresses on your wire ?
If they are, do any of them have bogus ARP entries, or
proxyarp for other hosts ?
> Dec 18 09:53:18 charlie /kernel: arp: 194.155.224.118 moved from
> 00:00:f4:e4:70:05 to 00:00:f4:e4:5a:57
> Dec 18 09:53:19 charlie /kernel: arp: 194.155.224.118 moved from
> 00:00:f4:e4:5a:57 to 00:00:f4:e4:5b:0b
> Dec 18 09:53:19 charlie /kernel: arp: 194.155.224.118 moved from
> 00:00:f4:e4:5b:0b to 00:00:f4:e4:5d:26
> Dec 18 09:53:19 charlie /kernel: arp: 194.155.224.118 moved from
> 00:00:f4:e4:5d:26 to 00:60:b0:64:c6:5c
--
-[ Philippe Regnauld / sysadmin / regnauld@deepo.prosa.dk / +55.4N +11.3E ]-
"Pluto placed his bad dog at the entrance of Hades to keep the dead IN and
the living OUT! The archetypical corporate firewall?"
- S. Kelly Bootle, about Cerberus ["MYTHOLOGY", in Marutukku distrib] -
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19971219150322.10165>