From: Philippe Regnauld
To: Robin Melville
Cc: isp@FreeBSD.ORG
Subject: Re: Spoofing attack?
Date: Fri, 19 Dec 1997 15:03:22 +0100
Message-ID: <19971219150322.10165@deepo.prosa.dk>
In-Reply-To: <3.0.5.32.19971219103416.007e8b10@wrcmail>; from Robin Melville on Fri, Dec 19, 1997 at 10:34:16AM +0000

Robin Melville writes:

> One of our FBSD router hosts has begun to report what looks like some kind
> of spoof attack. I wonder whether anyone has seen anything like this or can
> offer a (hopefully benign) explanation. Notice that these rapid arp changes
> all take place within 1 second.
> This is one example of a number over the last 48 hours.

Well, are any of those MAC addresses on your wire? If they are, do any
of them have bogus ARP entries, or proxyarp for other hosts?

> Dec 18 09:53:18 charlie /kernel: arp: 194.155.224.118 moved from
> 00:00:f4:e4:70:05 to 00:00:f4:e4:5a:57
> Dec 18 09:53:19 charlie /kernel: arp: 194.155.224.118 moved from
> 00:00:f4:e4:5a:57 to 00:00:f4:e4:5b:0b
> Dec 18 09:53:19 charlie /kernel: arp: 194.155.224.118 moved from
> 00:00:f4:e4:5b:0b to 00:00:f4:e4:5d:26
> Dec 18 09:53:19 charlie /kernel: arp: 194.155.224.118 moved from
> 00:00:f4:e4:5d:26 to 00:60:b0:64:c6:5c

--
-[ Philippe Regnauld / sysadmin / regnauld@deepo.prosa.dk / +55.4N +11.3E ]-

"Pluto placed his bad dog at the entrance of Hades to keep the dead IN and
the living OUT! The archetypical corporate firewall?"
- S. Kelly Bootle, about Cerberus ["MYTHOLOGY", in Marutukku distrib] -
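
Added example, not part of the original message or of FreeBSD: a small Python log check that finds IP addresses claimed by several MAC addresses within a short window in "arp: ... moved from ... to ..." kernel messages, and groups the MACs by their first three octets so they can be compared with the hardware actually on the wire. The function names, the 2-second window, the 3-MAC threshold and the assumed year are choices made for this example; the last sample line is constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Shape of the kernel messages quoted in the thread (wrapped lines rejoined).
ARP_MOVE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\s/kernel:\sarp:\s(?P<ip>[\d.]+)"
    r"\smoved\sfrom\s(?P<old>[0-9a-f:]{17})\sto\s(?P<new>[0-9a-f:]{17})$"
)
SAMPLE = [  # first four lines are from the message; the fifth is constructed
    "Dec 18 09:53:18 charlie /kernel: arp: 194.155.224.118 moved from 00:00:f4:e4:70:05 to 00:00:f4:e4:5a:57",
    "Dec 18 09:53:19 charlie /kernel: arp: 194.155.224.118 moved from 00:00:f4:e4:5a:57 to 00:00:f4:e4:5b:0b",
    "Dec 18 09:53:19 charlie /kernel: arp: 194.155.224.118 moved from 00:00:f4:e4:5b:0b to 00:00:f4:e4:5d:26",
    "Dec 18 09:53:19 charlie /kernel: arp: 194.155.224.118 moved from 00:00:f4:e4:5d:26 to 00:60:b0:64:c6:5c",
    "Dec 18 10:02:41 charlie /kernel: arp: 192.0.2.10 moved from 02:00:00:aa:bb:01 to 02:00:00:aa:bb:02",
]

def parse(lines, year=1997):
    """Yield (time, ip, old_mac, new_mac). Syslog omits the year, so it is assumed."""
    for line in lines:
        m = ARP_MOVE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["old"], m["new"]

def flapping(lines, window=timedelta(seconds=2), min_macs=3):
    """Return {ip: sorted MACs} for IPs seen on >= min_macs MACs inside one window."""
    events = defaultdict(list)
    for ts, ip, old, new in parse(lines):
        events[ip].append((ts, {old, new}))
    flagged = {}
    for ip, evs in events.items():
        evs.sort(key=lambda e: e[0])
        for i, (start, _) in enumerate(evs):
            macs = set()
            for ts, pair in evs[i:]:
                if ts - start > window:
                    break  # later events fall outside the window opened at `start`
                macs |= pair
            if len(macs) >= min_macs:
                flagged.setdefault(ip, set()).update(macs)
    return {ip: sorted(macs) for ip, macs in flagged.items()}

def oui_counts(macs):
    """Count MACs per vendor prefix (first three octets)."""
    return dict(Counter(mac[:8] for mac in macs))

if __name__ == "__main__":
    for ip, macs in flapping(SAMPLE).items():
        print(ip, macs, oui_counts(macs))
```

A single move, like the constructed 192.0.2.10 line, stays below the threshold and is not reported.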