From owner-freebsd-isp Fri Dec 19 10:53:03 1997
Return-Path:
Received: (from root@localhost)
    by hub.freebsd.org (8.8.7/8.8.7) id KAA07779
    for isp-outgoing; Fri, 19 Dec 1997 10:53:03 -0800 (PST)
    (envelope-from owner-freebsd-isp)
Received: from ponyexpress.gwc.cccd.edu (ponyexpress.gwc.cccd.edu [159.115.129.50])
    by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id KAA07757
    for ; Fri, 19 Dec 1997 10:52:51 -0800 (PST)
    (envelope-from mpeer@ponyexpress.gwc.cccd.edu)
Received: from mpeer (mpeer.csc.gwc.cccd.edu [159.115.129.100])
    by ponyexpress.gwc.cccd.edu (8.8.7/8.8.7) with SMTP id KAA00578;
    Fri, 19 Dec 1997 10:52:33 -0800 (PST)
    (envelope-from mpeer@ponyexpress.gwc.cccd.edu)
Message-Id: <3.0.1.32.19971219105738.00ca2dc0@rustler.gwc.cccd.edu>
X-Sender: mpeer@rustler.gwc.cccd.edu
X-Mailer: Windows Eudora Pro Version 3.0.1 (32)
Date: Fri, 19 Dec 1997 10:57:38 -0800
To: Philippe Regnauld , Robin Melville
From: Michael Peer
Subject: Re: Spoofing attack?
Cc: isp@FreeBSD.ORG
In-Reply-To: <19971219150322.10165@deepo.prosa.dk>
References: <3.0.5.32.19971219103416.007e8b10@wrcmail> <3.0.5.32.19971219103416.007e8b10@wrcmail>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-isp@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

I have seen this with duplicate IP addresses on the same subnet. One guy on my
network was using his laptop that he brought in, and just used the IP
address from his desktop, and ignored all the messages about a duplicate IP
address on the network.

At 03:03 PM 12/19/97 +0100, Philippe Regnauld wrote:
>Robin Melville writes:
>> One of our FBSD router hosts has begun to report what looks like some kind
>> of spoof attack. I wonder whether anyone has seen anything like this or can
>> offer a (hopefully benign) explanation. Notice that these rapid arp changes
>> all take place within 1 second.
>> This is one example of a number over the last 48 hours.
>
>   Well, are any of those MAC addresses on your wire ?
>   If they are, do any of them have bogus ARP entries, or
>   proxyarp for other hosts ?
>
>> Dec 18 09:53:18 charlie /kernel: arp: 194.155.224.118 moved from
>> 00:00:f4:e4:70:05 to 00:00:f4:e4:5a:57
>> Dec 18 09:53:19 charlie /kernel: arp: 194.155.224.118 moved from
>> 00:00:f4:e4:5a:57 to 00:00:f4:e4:5b:0b
>> Dec 18 09:53:19 charlie /kernel: arp: 194.155.224.118 moved from
>> 00:00:f4:e4:5b:0b to 00:00:f4:e4:5d:26
>> Dec 18 09:53:19 charlie /kernel: arp: 194.155.224.118 moved from
>> 00:00:f4:e4:5d:26 to 00:60:b0:64:c6:5c
>
>--
> -[ Philippe Regnauld / sysadmin / regnauld@deepo.prosa.dk / +55.4N +11.3E ]-
> "Pluto placed his bad dog at the entrance of Hades to keep the dead IN and
> the living OUT! The archetypical corporate firewall?"
> - S. Kelly Bootle, about Cerberus ["MYTHOLOGY", in Marutukku distrib] -
>
----------------------------------------------------------------------
Michael Peer
Data Electronics Technician I
Golden West College
Computer Services Center
15744 Goldenwest St.
Huntington Beach, CA 92647
e-mail: mpeer@gwc.cccd.edu
Voice: (714)892-7711 ext 55067
WWW: http://pioneer.gwc.cccd.edu
FAX: (714)895-8980
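
An added example, not part of the original messages: a small triage script for the kernel "arp: ... moved from ... to ..." lines discussed in this thread, separating an address that flips between two MACs (consistent with the duplicate-IP case described in the reply) from one claimed by many MACs in a short burst (the pattern in the quoted log). The labels, the 5-second window, the `year` default and the 192.0.2.10 lines are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

MOVE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ /kernel: arp: (?P<ip>\S+) "
    r"moved from (?P<old>[0-9a-f:]{17}) to (?P<new>[0-9a-f:]{17})")

# First four lines: the messages quoted in the thread, unwrapped to one line each.
# Last three lines: constructed two-host conflict on a documentation address.
SAMPLE = """\
Dec 18 09:53:18 charlie /kernel: arp: 194.155.224.118 moved from 00:00:f4:e4:70:05 to 00:00:f4:e4:5a:57
Dec 18 09:53:19 charlie /kernel: arp: 194.155.224.118 moved from 00:00:f4:e4:5a:57 to 00:00:f4:e4:5b:0b
Dec 18 09:53:19 charlie /kernel: arp: 194.155.224.118 moved from 00:00:f4:e4:5b:0b to 00:00:f4:e4:5d:26
Dec 18 09:53:19 charlie /kernel: arp: 194.155.224.118 moved from 00:00:f4:e4:5d:26 to 00:60:b0:64:c6:5c
Dec 18 10:01:02 charlie /kernel: arp: 192.0.2.10 moved from 02:00:00:00:00:01 to 02:00:00:00:00:02
Dec 18 10:01:40 charlie /kernel: arp: 192.0.2.10 moved from 02:00:00:00:00:02 to 02:00:00:00:00:01
Dec 18 10:03:15 charlie /kernel: arp: 192.0.2.10 moved from 02:00:00:00:00:01 to 02:00:00:00:00:02
"""

def parse(text, year=1997):
    """Yield (time, ip, old_mac, new_mac); syslog omits the year, so it is supplied."""
    for line in text.splitlines():
        m = MOVE.match(line)
        if m:
            t = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield t, m["ip"], m["old"], m["new"]

def summarize(text, window=5):
    """Per IP: every MAC seen, the number of moves, and a triage label."""
    events = defaultdict(list)
    for t, ip, old, new in parse(text):
        events[ip].append((t, old, new))
    report = {}
    for ip, evs in events.items():
        evs.sort()
        macs = {mac for _, old, new in evs for mac in (old, new)}
        # Count consecutive moves that happen within `window` seconds of each other.
        rapid = sum(1 for a, b in zip(evs, evs[1:])
                    if (b[0] - a[0]).total_seconds() <= window)
        if len(macs) == 2:
            label = "two-mac-conflict"   # two stations share one address
        elif rapid >= 2:
            label = "multi-mac-churn"    # several MACs claim the address in a burst
        else:
            label = "mac-change"
        report[ip] = {"macs": sorted(macs), "moves": len(evs), "label": label}
    return report

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE).items():
        print(ip, info["label"], info["moves"], "moves:", ", ".join(info["macs"]))
```

The MAC list printed for a "multi-mac-churn" address is the starting point for the question asked in the quoted reply: which of those stations are actually on the wire, and whether any of them hold bogus or proxy ARP entries.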