Security Basics mailing list archives
RE: possible arp spoofing
From: "David Gillett" <gillettdavid () fhda edu>
Date: Thu, 6 Nov 2003 08:30:10 -0800

I don't think it's "arp spoofing", which would be somebody changing their MAC address. It looks, from your description, like the machine with MAC address 00:c0:26:2b:d0:1d is changing its IP address, and colliding with IP addresses in use by other clients.

Dave Gillett

-----Original Message-----
From: greg gede [mailto:mymilis2000 () yahoo com]
Sent: November 5, 2003 18:07
To: security-basics () securityfocus com
Subject: possible arp spoofing

I've got a bunch of email from arpwatch telling me that there are flip flops and changing ethernet addresses. Does this mean there's arp spoofing going on in my network?? How do I stop this??

These users also reported that their operating system told them on their screen that there's another machine using the same IP# as theirs, and their connection to the network was also disconnected.

I notice that most of the MAC address flip flops are using the same MAC address, which is 0:c0:26:2b:d0:1d.

Here's the arpwatch email sample:

1.
            hostname: CAHYADI
          ip address: 192.168.5.44
    ethernet address: 0:80:48:1e:27:32
     ethernet vendor: Compex, used by Commodore and DEC at least
old ethernet address: 0:c0:26:2b:d0:1d
 old ethernet vendor: <unknown>
           timestamp: Monday, November 3, 2003 14:21:06 +0700
  previous timestamp: Monday, November 3, 2003 14:13:56 +0700
               delta: 7 minutes

2.
            hostname: DENY
          ip address: 192.168.5.105
    ethernet address: 0:2:b3:17:81:33
     ethernet vendor: <unknown>
old ethernet address: 0:c0:26:2b:d0:1d
 old ethernet vendor: <unknown>
           timestamp: Monday, November 3, 2003 14:16:22 +0700
  previous timestamp: Monday, November 3, 2003 14:15:22 +0700
               delta: 1 minute

There are many more..... Please help...

Regards,
gregor
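
One way to check the pattern described in the reply across a whole mailbox of arpwatch reports, as an added example that is not part of the original thread: parse each report and list every MAC address that has been seen on more than one IP address. The two reports are the ones quoted above, trimmed to the fields used; the function names are illustrative.

```python
import re
from collections import defaultdict

# The two arpwatch reports quoted in the post above, trimmed to the fields used.
REPORTS = """\
hostname: CAHYADI
ip address: 192.168.5.44
ethernet address: 0:80:48:1e:27:32
old ethernet address: 0:c0:26:2b:d0:1d
timestamp: Monday, November 3, 2003 14:21:06 +0700

hostname: DENY
ip address: 192.168.5.105
ethernet address: 0:2:b3:17:81:33
old ethernet address: 0:c0:26:2b:d0:1d
timestamp: Monday, November 3, 2003 14:16:22 +0700
"""

def norm_mac(mac):
    """arpwatch drops leading zeros (0:c0:...); pad each octet to two hex digits."""
    return ":".join(f"{int(part, 16):02x}" for part in mac.strip().split(":"))

def parse_reports(text):
    """Split on blank lines and turn each report into a dict of its fields."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            # Split on the first colon only, so MAC and time values stay intact.
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip().lower()] = value.strip()
        if "ip address" in fields:
            records.append(fields)
    return records

def macs_on_multiple_ips(records):
    """Map each MAC seen on more than one IP to the sorted list of those IPs."""
    seen = defaultdict(set)
    for rec in records:
        for key in ("ethernet address", "old ethernet address"):
            if key in rec:
                seen[norm_mac(rec[key])].add(rec["ip address"])
    return {mac: sorted(ips) for mac, ips in seen.items() if len(ips) > 1}

if __name__ == "__main__":
    for mac, ips in macs_on_multiple_ips(parse_reports(REPORTS)).items():
        print(f"{mac} has answered for {len(ips)} addresses: {', '.join(ips)}")
```

A single MAC listed against many IPs points at one host taking over addresses; the reverse grouping (one IP, many MACs) would show which addresses are being contested.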