Date: Fri, 19 Dec 1997 10:57:38 -0800 From: Michael Peer <mpeer@ponyexpress.gwc.cccd.edu> To: Philippe Regnauld <regnauld@deepo.prosa.dk>, Robin Melville <robmel@nadt.org.uk> Cc: isp@FreeBSD.ORG Subject: Re: Spoofing attack? Message-ID: <3.0.1.32.19971219105738.00ca2dc0@rustler.gwc.cccd.edu> In-Reply-To: <19971219150322.10165@deepo.prosa.dk> References: <3.0.5.32.19971219103416.007e8b10@wrcmail> <3.0.5.32.19971219103416.007e8b10@wrcmail>
next in thread | previous in thread | raw e-mail | index | archive | help
I have seen this with duplicate IP addresses on same subnet.
One guy on my network was using his laptop that he brought in, and just
used the IP address from his desktop, and ignored all the messages about
duplicate IP address on network.
At 03:03 PM 12/19/97 +0100, Philippe Regnauld wrote:
>Robin Melville writes:
>> One of our FBSD router hosts has begun to report what looks like some kind
>> of spoof attack. I wonder whether anyone has seen anything like this or can
>> offer a (hopefully benign) explanation. Notice that these rapid arp changes
>> all take place within 1 second.
>> This is one example of a number over the last 48 hours.
>
> Well, are any of those MAC addresses on your wire ?
> If they are, do any of them have bogus ARP entries, or
> proxyarp for other hosts ?
>
>> Dec 18 09:53:18 charlie /kernel: arp: 194.155.224.118 moved from
>> 00:00:f4:e4:70:05 to 00:00:f4:e4:5a:57
>> Dec 18 09:53:19 charlie /kernel: arp: 194.155.224.118 moved from
>> 00:00:f4:e4:5a:57 to 00:00:f4:e4:5b:0b
>> Dec 18 09:53:19 charlie /kernel: arp: 194.155.224.118 moved from
>> 00:00:f4:e4:5b:0b to 00:00:f4:e4:5d:26
>> Dec 18 09:53:19 charlie /kernel: arp: 194.155.224.118 moved from
>> 00:00:f4:e4:5d:26 to 00:60:b0:64:c6:5c
>
>--
> -[ Philippe Regnauld / sysadmin / regnauld@deepo.prosa.dk / +55.4N +11.3E ]-
> "Pluto placed his bad dog at the entrance of Hades to keep the dead IN and
> the living OUT! The archetypical corporate firewall?"
> - S. Kelly Bootle, about Cerberus ["MYTHOLOGY", in Marutukku distrib] -
>
----------------------------------------------------------------------
Michael Peer
Data Electronics Technician I Golden West College
Computer Services Center 15744 Goldenwest St.
Huntington Beach, CA 92647
e-mail: mpeer@gwc.cccd.edu Voice: (714)892-7711 ext 55067
WWW: http://pioneer.gwc.cccd.edu FAX: (714)895-8980
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3.0.1.32.19971219105738.00ca2dc0>