Security Basics mailing list archives

Re: Strange pings from 127.0.0.1

From: Ranjeet Shetye <ranjeet.shetye2 () zultys com>
Date: Fri, 25 Jun 2004 12:19:39 -0700

* Steven Trewick (STrewick () joplings co uk) wrote:

Next, (assuming non-promiscuous mode of operation by the NIC) I fail to
understand how the author of this attack intends to reach his/her targets,
if the dest MAC addresses are fake! I might be missing something obvious,
so if someone can point it out to me, that would be great. thanks.


The OP doesn't say what the SRC and DEST MAC are, (which would be helpful),
but its entirely possible that they are multicast MAC addresses, which
would be broadcast to every switch port.

This is not always obvious if you don't know what to look for,
multicast MAC addresses are identifiable by the low order bit of 
their first byte, if this is set to 1, (eg the byte is odd) the frame 
is multicast.

To take an example, if the destination MAC address is 01:xx:xx:xx:xx:xx 
then it is a multicast address, same for 03:xx:xx:xx:xx:xx, but not
for 02::xx:xx:xx:xx:xx

See http://www.iana.org/assignments/ethernet-numbers for a discussion
of MAC addressing in general, and an explanation (?) of MAC multicast

While I doubt this is related to the OP's problem, I hope it will
prove useful.


You are right, I made a bad assumption that if the MAC addresses were not
unicast (i.e. they were multicast or broadcast) the OP would have made
a specific mention of it.

-- 
Ranjeet Shetye
Senior Software Engineer
Zultys Technologies
Ranjeet dot Shetye at Zultys dot com
http://www.zultys.com/
 
The views, opinions, and judgements expressed in this message are solely those of
the author. The message contents have not been reviewed or approved by Zultys.


---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------

Current thread:

Re: Strange pings from 127.0.0.1, (continued)
- - Re: Strange pings from 127.0.0.1 Alan Hicks (Jun 23)
  - Re: Strange pings from 127.0.0.1 Kelly John Rose (Jun 23)
    - RE: Strange pings from 127.0.0.1 David Gillett (Jun 24)
    - RE: Strange pings from 127.0.0.1 Andrew Aris (Jun 24)
    - Re: Strange pings from 127.0.0.1 Kelly John Rose (Jun 25)
    - Re: Strange pings from 127.0.0.1 SecurityFocus Lists (Jun 24)
    - Re: Strange pings from 127.0.0.1 Kelly John Rose (Jun 25)
- Re: Strange pings from 127.0.0.1 Tim Schwimer (Jun 24)
  - RE: Strange pings from 127.0.0.1 David Gillett (Jun 25)
- RE: Strange pings from 127.0.0.1 Steven Trewick (Jun 24)
  - Re: Strange pings from 127.0.0.1 Ranjeet Shetye (Jun 26)
- RE: Strange pings from 127.0.0.1 Timothy Schwimer (Jun 28)