Date: Fri, 19 Dec 1997 17:22:40 -0500 (EST) From: Shaun <sfinn@thecore.com> To: Michael Peer <mpeer@ponyexpress.gwc.cccd.edu> Cc: Philippe Regnauld <regnauld@deepo.prosa.dk>, Robin Melville <robmel@nadt.org.uk>, isp@FreeBSD.ORG Subject: Re: Spoofing attack? Message-ID: <Pine.BSF.3.96.971219171907.23446B-100000@guardian.thecore.com> In-Reply-To: <3.0.1.32.19971219105738.00ca2dc0@rustler.gwc.cccd.edu>
next in thread | previous in thread | raw e-mail | index | archive | help
I see this all the time when a dial-in user with a static IP address disconnects from one terminal server and quickly reconnects to another. > One of our FBSD router hosts has begun to report what looks like some kind > of spoof attack. I wonder whether anyone has seen anything like this or can > offer a (hopefully benign) explanation. Notice that these rapid arp changes > all take place within 1 second. > This is one example of a number over the last 48 hours. > > Dec 18 09:53:18 charlie /kernel: arp: 194.155.224.118 moved from > 00:00:f4:e4:70:05 to 00:00:f4:e4:5a:57 > Dec 18 09:53:19 charlie /kernel: arp: 194.155.224.118 moved from > 00:00:f4:e4:5a:57 to 00:00:f4:e4:5b:0b > Dec 18 09:53:19 charlie /kernel: arp: 194.155.224.118 moved from > 00:00:f4:e4:5b:0b to 00:00:f4:e4:5d:26 > Dec 18 09:53:19 charlie /kernel: arp: 194.155.224.118 moved from > 00:00:f4:e4:5d:26 to 00:60:b0:64:c6:5c +------------------- http://www.download.net ----------------------+ | Shaun M. Finn TechnoCore Communications, Inc. | | sfinn@thecore.com Internet Web Services & Access | | VOICE: (732)928-7400 P.O. Box 106 | | FAX: (732)928-7402 Jackson, NJ 08527-0106 | +------------------- http://www.thecore.com/ ----------------------+
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.96.971219171907.23446B-100000>