Re: SECURITY Digest - 8 Sep 2008 to 9 Sep 2008 (#2008-173)

["Erwin L. Carrow" <erwin.carrow () USG EDU>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

"Two-Bits" of possibility:  Some IP spoofing tactics employ creation
of bogus MACs - per MAC standards those listed should not violate /
step -on others in your network and can therefore be used to build the
logical IP layer on top of them, e.g., do Vlan ACL (VACLs) and forget
about them.

- --
Erwin (Chris) Louis Carrow,
CISSP, INFOSEC, CSSP, CCNP, OCM
IT Auditor II
Board of Regents, University System of Georgia
270 Washington Street S.W., Ste. 7087
Atlanta, GA 30334
(404)657-9890 Office, (678)644-3526 Cell, Email: erwin.carrow () usg edu


> ------------------------------
>
> Date:    Tue, 9 Sep 2008 09:50:03 -0400
> From:    Peter Charbonneau <Peter.Charbonneau () WILLIAMS EDU>
> Subject: Mac addresses
>
> I am seeing "sequential" MAC addresses on my network in the form of:
>
> 02-00-00-00-00-01
> 02-00-00-00-00-02
> 02-00-00-00-00-03
> 02-00-00-00-00-04
> 02-00-00-00-00-05
> 02-00-00-00-00-06
> 02-00-00-00-00-07
> 02-00-00-00-00-08
> 02-00-00-00-00-09
> 02-00-00-00-00-10
> 02-00-00-00-00-11
> 02-00-00-00-00-12
> 02-00-00-00-00-13
> 02-00-00-00-00-14
> 02-00-00-00-00-15
> 02-00-00-00-00-16
> 02-00-00-00-00-17
> 02-00-00-00-00-18
> 02-00-00-00-00-19
> 02-00-00-00-00-20
>
> These are only a few ... I have about 100 of them.  They only exist in
> my "BlachHole" VLAN -- no connectivity to anything else, no routers no
> nothing.
>
> I can't find any documentation on what these MAC addresses are.  I am
> guessing that they are some sort of LLDP MAC address, but it seems
> weird that I don't get any search engine hits about them.
>
> This is not one machine spewing out multiple bogus addresses, but many
> machines .... one to one?  Not sure.
>
> Ideas?
>
>
> PeteC
>
>
> Peter Charbonneau
> Sr. Network and Systems Administrator
> Williams College
> (413) 597-3408 (office)
> (413) 822-2922 (cell)
>
> ------------------------------
>
> Date:    Tue, 9 Sep 2008 10:00:43 -0400
> From:    "Di Fabio, Andrea" <adifabio () NSU EDU>
> Subject: Re: Mac addresses
>
> This is a multipart message in MIME format.
>
> ------=_NextPart_000_0079_01C91262.EC70CC00
> Content-Type: text/plain;
>     charset="us-ascii"
> Content-Transfer-Encoding: 7bit
>
> I would start with finding what switchport they are coming from and
then pay
> a visit to that machine if it is just one machine or one switchport.  Could
> be a CAM flood attach or a bad NIC or hub attached to the port.  Did you
> take a packet capture to see what's on layer 3-7?


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFIx710+lAww4pSzJURAvudAKDZQA4o+MvmYpZMXvB+YaU/jKXs0gCgw/Tn
OTtG4HAVPrZIZvfY4FcF0f4=
=JM9R
-----END PGP SIGNATURE-----

Attachment: erwin_carrow.vcf
Description: