Security Basics mailing list archives
RE: Strange pings from 127.0.0.1
From: "Andrew Aris" <andrew () dev bigfishinternet co uk>
Date: Thu, 24 Jun 2004 17:02:39 +0100
Yeah sorry... this was sort of what I meant - the original post was written in a hurry and I didn't go into great detail. When I said that with the address being the same all the time it can at least be partially traced. As long as the environment is a) switched and b) controlled by the investigator MAC spoofing is only really effective where they get rotated.

regards,
Andrew
-----Original Message-----
From: David Gillett [mailto:gillettdavid () fhda edu]
Sent: 24 June 2004 16:35
To: 'Kelly John Rose'; 'Andrew Aris'
Cc: security-basics () securityfocus com
Subject: RE: Strange pings from 127.0.0.1

If it's an internal machine (a big if, granted!), then you may be able to query your switch infrastructure to find the physical port where that MAC address was learned as a source. Even if they spoof the same MAC address as an existing legit user, that should narrow it down to 2 possibilities (and if one of those ports has been seeing multiple sources...).

If they spoof a broadcast/multicast source MAC address, this should not be learned by the switch, and so they will be harder to track, but those cases are somewhat more specific than just "they are spoofing".

David Gillett

-----Original Message-----
From: Kelly John Rose [mailto:mllists () ptbcanadian net]

Nope, that's completely useless. You can for one spoof mac addresses, so having any mac address is more or less meaningless. But, also, there is no reliable way to use the mac address to find the machine, unless it's an internal machine, you having the mac addresses of all internal machines written down, and the person is not spoofing. Either way, having the mac address doesn't help you at all tracking down the culprit really.

Andrew Aris wrote:
I'm coming into this thread partway through so sorry if this is a dumb reply but if the MAC address is always the same then surely this could be used to trace the culprit host?
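
Added example, not part of any poster's message: a sketch of the switch-table lookup discussed in this thread, finding the ports where a source MAC was learned and how many other sources share each port. The four-column poll format, port names and addresses are constructed assumptions, not output from any particular switch.

```python
import re
from collections import defaultdict

# Constructed sample: rows merged from repeated polls of one switch's
# MAC address table. Assumed columns: poll time, VLAN, source MAC, port.
SAMPLE_POLLS = """\
16:01 10 0011.2233.4455 Gi0/3
16:01 10 00aa.bbcc.dd01 Gi0/17
16:01 10 00aa.bbcc.dd03 Gi0/5
16:06 10 00-11-22-33-44-55 Gi0/17
16:06 10 00aa.bbcc.dd02 Gi0/17
"""

def normalize_mac(mac):
    """Accept dotted, dashed or colon forms; return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[.:-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_group_address(mac):
    """True for broadcast/multicast: lowest bit of the first octet is set."""
    return bool(int(normalize_mac(mac)[:2], 16) & 1)

def ports_by_source(table_text):
    """Map each port to the set of source MACs learned on it."""
    ports = defaultdict(set)
    for line in table_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip blank or malformed rows
        _when, _vlan, mac, port = fields
        ports[port].add(normalize_mac(mac))
    return ports

def locate(table_text, target):
    """Return {port: count of other sources} for ports that learned target."""
    target = normalize_mac(target)
    if is_group_address(target):
        return None  # a switch does not learn group addresses as sources
    return {port: len(macs - {target})
            for port, macs in ports_by_source(table_text).items()
            if target in macs}
```

On the sample, the target address shows up on two ports, and the one with other sources behind it is the port to look at first.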