From owner-freebsd-isp  Fri Dec 19 14:24:25 1997
Return-Path: <owner-freebsd-isp>
Received: (from root@localhost)
          by hub.freebsd.org (8.8.7/8.8.7) id OAA25559
          for isp-outgoing; Fri, 19 Dec 1997 14:24:25 -0800 (PST)
          (envelope-from owner-freebsd-isp)
Received: from thecore.com (sfinn@guardian.thecore.com [206.136.149.11])
          by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id OAA25531
          for <isp@FreeBSD.ORG>; Fri, 19 Dec 1997 14:24:18 -0800 (PST)
          (envelope-from sfinn@thecore.com)
Received: from localhost (sfinn@localhost) by thecore.com (8.8.8/8.8.8) with SMTP id RAA23936; Fri, 19 Dec 1997 17:22:41 -0500 (EST)
Date: Fri, 19 Dec 1997 17:22:40 -0500 (EST)
From: Shaun <sfinn@thecore.com>
To: Michael Peer <mpeer@ponyexpress.gwc.cccd.edu>
cc: Philippe Regnauld <regnauld@deepo.prosa.dk>,
        Robin Melville <robmel@nadt.org.uk>, isp@FreeBSD.ORG
Subject: Re: Spoofing attack?
In-Reply-To: <3.0.1.32.19971219105738.00ca2dc0@rustler.gwc.cccd.edu>
Message-ID: <Pine.BSF.3.96.971219171907.23446B-100000@guardian.thecore.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-isp@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk


I see this all the time when a dial-in user with a static IP address
disconnects from one terminal server and quickly reconnects to another.

> One of our FBSD router hosts has begun to report what looks like some kind
> of spoof attack. I wonder whether anyone has seen anything like this or can
> offer a (hopefully benign) explanation. Notice that these rapid arp changes
> all take place within 1 second.
> This is one example of a number over the last 48 hours.
>
> Dec 18 09:53:18 charlie /kernel: arp: 194.155.224.118 moved from
> 00:00:f4:e4:70:05 to 00:00:f4:e4:5a:57
> Dec 18 09:53:19 charlie /kernel: arp: 194.155.224.118 moved from
> 00:00:f4:e4:5a:57 to 00:00:f4:e4:5b:0b
> Dec 18 09:53:19 charlie /kernel: arp: 194.155.224.118 moved from
> 00:00:f4:e4:5b:0b to 00:00:f4:e4:5d:26
> Dec 18 09:53:19 charlie /kernel: arp: 194.155.224.118 moved from
> 00:00:f4:e4:5d:26 to 00:60:b0:64:c6:5c

+------------------- http://www.download.net ----------------------+
| Shaun M. Finn                    TechnoCore Communications, Inc. |
| sfinn@thecore.com                Internet Web Services & Access  |
| VOICE: (732)928-7400             P.O. Box 106                    |
|   FAX: (732)928-7402             Jackson, NJ 08527-0106          |
+------------------- http://www.thecore.com/ ----------------------+