Security Incidents mailing list archives
Arp Warnings on @Home Network
From: Mike Forrester <mikef () POCKETLINT COM>
Date: Tue, 6 Feb 2001 21:57:43 -0700
Greetings,

I started getting arp warnings on the console of my OpenBSD system at home (no pun intended :-) ). Below are excerpts from /var/log/messages and the Ethereal decoding of one of those packets. To me it appears that someone is either trying to be the default router on their network or mis-configured their new Mac. 08:00:07 is a vendor id for Apple Computer and 00:01:63 is a vendor id for Cisco. Is there a way to determine who is the correct host? Either MAC could be spoofed, and the packet logs from tcpdump (on the OpenBSD system) or from Ethereal (on my Windows 98 system) don't really give any detailed info.

My guess is that someone just bought a new Mac and connected it to their cable modem. They don't know what they are doing and put the wrong IP address in the wrong field. If I am downloading a file when this happens, the connection gets reset. I believe that this is due to my reply packets getting temporarily re-routed to the bogus gateway. Since their system doesn't have a connection open on that port, their system sends a reset packet, which drops the connection. I'm still in the process of trying to get a tcpdump when this happens while downloading a file, but getting the timing right has been difficult. Since I am on what is essentially an unswitched cable network, my logs fill up quickly with all my neighbors' downstream traffic.

I have contacted @Home, and their generic support people have been getting a lot of calls about failed downloads. I talked to someone in their NOC and they are looking into the problem. I'm just curious as to others' thoughts on this, as I have not played around too much with arp. I do, however, have a few questions:

1) Is it standard practice for certain systems to use an IP already in use?
2) Is there a tool that could be used at the Ethernet level (layer 2) to try and get more information from a system if you know its MAC address?

Mike
From /var/log/messages:
Feb 6 20:27:09 ironman /bsd: arp info overwritten for 24.1.8.1 by 08:00:07:c4:28:53 on fxp0
Feb 6 20:27:09 ironman /bsd: arp info overwritten for 24.1.8.1 by 00:01:63:f1:d8:80 on fxp0
Feb 6 20:36:32 ironman /bsd: arp info overwritten for 24.1.8.1 by 08:00:07:c4:28:53 on fxp0
Feb 6 20:36:32 ironman /bsd: arp info overwritten for 24.1.8.1 by 00:01:63:f1:d8:80 on fxp0
Feb 6 20:37:06 ironman /bsd: arp info overwritten for 24.1.8.1 by 08:00:07:c4:28:53 on fxp0
Feb 6 20:37:10 ironman /bsd: arp info overwritten for 24.1.8.1 by 00:01:63:f1:d8:80 on fxp0
Feb 6 20:37:57 ironman /bsd: arp info overwritten for 24.1.8.1 by 08:00:07:c4:28:53 on fxp0
Feb 6 20:37:57 ironman /bsd: arp info overwritten for 24.1.8.1 by 00:01:63:f1:d8:80 on fxp0
Feb 6 20:37:59 ironman /bsd: arp info overwritten for 24.1.8.1 by 08:00:07:c4:28:53 on fxp0
Feb 6 20:37:59 ironman /bsd: arp info overwritten for 24.1.8.1 by 00:01:63:f1:d8:80 on fxp0
Feb 6 20:38:12 ironman /bsd: arp info overwritten for 24.1.8.1 by 08:00:07:c4:28:53 on fxp0
Feb 6 20:38:12 ironman /bsd: arp info overwritten for 24.1.8.1 by 00:01:63:f1:d8:80 on fxp0
Feb 6 20:38:17 ironman /bsd: arp info overwritten for 24.1.8.1 by 08:00:07:c4:28:53 on fxp0
Feb 6 20:38:17 ironman /bsd: arp info overwritten for 24.1.8.1 by 00:01:63:f1:d8:80 on fxp0
Feb 6 20:38:38 ironman /bsd: arp info overwritten for 24.1.8.1 by 08:00:07:c4:28:53 on fxp0
Feb 6 20:38:38 ironman /bsd: arp info overwritten for 24.1.8.1 by 00:01:63:f1:d8:80 on fxp0
Feb 6 20:38:38 ironman /bsd: arp info overwritten for 24.1.8.1 by 08:00:07:c4:28:53 on fxp0
Feb 6 20:38:39 ironman /bsd: arp info overwritten for 24.1.8.1 by 00:01:63:f1:d8:80 on fxp0
Feb 6 20:38:40 ironman /bsd: arp info overwritten for 24.1.8.1 by 08:00:07:c4:28:53 on fxp0
Feb 6 20:38:40 ironman /bsd: arp info overwritten for 24.1.8.1 by 00:01:63:f1:d8:80 on fxp0
Feb 6 20:38:57 ironman /bsd: arp info overwritten for 24.1.8.1 by 08:00:07:c4:28:53 on fxp0
Feb 6 20:38:57 ironman /bsd: arp info overwritten for 24.1.8.1 by 00:01:63:f1:d8:80 on fxp0
Feb 6 20:39:09 ironman /bsd: arp info overwritten for 24.1.8.1 by 08:00:07:c4:28:53 on fxp0
Feb 6 20:39:09 ironman /bsd: arp info overwritten for 24.1.8.1 by 00:01:63:f1:d8:80 on fxp0
Feb 6 20:39:36 ironman /bsd: arp info overwritten for 24.1.8.1 by 08:00:07:c4:28:53 on fxp0
Feb 6 20:39:36 ironman /bsd: arp info overwritten for 24.1.8.1 by 00:01:63:f1:d8:80 on fxp0
Feb 6 20:40:00 ironman /bsd: arp info overwritten for 24.1.8.1 by 08:00:07:c4:28:53 on fxp0
Feb 6 20:40:02 ironman /bsd: arp info overwritten for 24.1.8.1 by 00:01:63:f1:d8:80 on fxp0
Feb 6 20:40:19 ironman /bsd: arp info overwritten for 24.1.8.1 by 08:00:07:c4:28:53 on fxp0
Feb 6 20:40:19 ironman /bsd: arp info overwritten for 24.1.8.1 by 00:01:63:f1:d8:80 on fxp0
Feb 6 21:00:22 ironman /bsd: arp info overwritten for 24.1.8.1 by 08:00:07:c4:28:53 on fxp0
Feb 6 21:00:22 ironman /bsd: arp info overwritten for 24.1.8.1 by 00:01:63:f1:d8:80 on fxp0
Feb 6 21:11:06 ironman /bsd: arp info overwritten for 24.1.8.1 by 08:00:07:c4:28:53 on fxp0
Feb 6 21:11:06 ironman /bsd: arp info overwritten for 24.1.8.1 by 00:01:63:f1:d8:80 on fxp0

Ethereal decoded packet:

Frame 14 (60 on wire, 60 captured)
    Arrival Time: Feb 6, 2001 13:10:34.4509   <-- ignore :)
    Time delta from previous packet: 0.007676 seconds
    Time relative to first packet: 0.349069 seconds
    Frame Number: 14
    Packet Length: 60 bytes
    Capture Length: 60 bytes
Ethernet II
    Destination: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)
    Source: 08:00:07:c4:28:53 (08:00:07:c4:28:53)
    Type: ARP (0x0806)
    Trailer: 00000000000000000000000000000000...
Address Resolution Protocol (request)
    Hardware type: Ethernet (0x0001)
    Protocol type: IP (0x0800)
    Hardware size: 6
    Protocol size: 4
    Opcode: request (0x0001)
    Sender hardware address: 08:00:07:c4:28:53
    Sender protocol address: 24.1.8.1
    Target hardware address: ff:ff:ff:ff:ff:ff
    Target protocol address: 24.1.14.32
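The two things the post above is doing by hand, scanning /var/log/messages for an IP whose ARP entry keeps flapping between two MACs and reading the sender fields out of a raw ARP frame, can be automated for a defender's log review. The script below is an added example and is not code from the original post or from OpenBSD: it parses lines in the "arp info overwritten" format shown in the post, reports IPs whose recorded MAC flips between distinct addresses together with the OUI prefixes involved, and decodes an Ethernet/ARP frame to check whether the sender claims an address (such as the default gateway) that should belong to a known MAC. The sample log lines and the 60-byte frame are constructed here to match the post's values; the trusted gateway-to-MAC mapping is an assumption for the demonstration.

```python
import re
import struct
from collections import defaultdict

# Constructed sample lines in the OpenBSD "arp info overwritten" format quoted in the post.
# The last line is an unrelated single overwrite that should NOT be flagged.
SAMPLE_LOG = """\
Feb  6 20:27:09 ironman /bsd: arp info overwritten for 24.1.8.1 by 08:00:07:c4:28:53 on fxp0
Feb  6 20:27:09 ironman /bsd: arp info overwritten for 24.1.8.1 by 00:01:63:f1:d8:80 on fxp0
Feb  6 20:36:32 ironman /bsd: arp info overwritten for 24.1.8.1 by 08:00:07:c4:28:53 on fxp0
Feb  6 20:36:32 ironman /bsd: arp info overwritten for 24.1.8.1 by 00:01:63:f1:d8:80 on fxp0
Feb  6 20:40:00 ironman /bsd: arp info overwritten for 24.1.14.200 by 00:50:56:aa:bb:cc on fxp0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ /bsd: "
    r"arp info overwritten for (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"by (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}) on (?P<ifname>\S+)$"
)


def parse_arp_events(text):
    """Return (timestamp, ip, mac, interface) tuples for every matching log line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m["ts"], m["ip"], m["mac"].lower(), m["ifname"]))
    return events


def oui(mac):
    """First three octets of a MAC: the vendor prefix the post looked up by hand."""
    return mac[:8]


def detect_flapping(events, min_flips=2):
    """Find IPs whose cached MAC changes between distinct addresses at least min_flips times.

    Returns {ip: {"macs": [...], "flips": n, "ouis": [...]}}. A single overwrite
    (a host legitimately changing NICs) never produces two distinct MACs with
    repeated flips, so it is not reported.
    """
    by_ip = defaultdict(list)
    for _ts, ip, mac, _ifname in events:
        by_ip[ip].append(mac)
    report = {}
    for ip, macs in by_ip.items():
        flips = sum(1 for a, b in zip(macs, macs[1:]) if a != b)
        distinct = set(macs)
        if len(distinct) >= 2 and flips >= min_flips:
            report[ip] = {
                "macs": sorted(distinct),
                "flips": flips,
                "ouis": sorted({oui(m) for m in distinct}),
            }
    return report


# Constructed frame matching the Ethereal decode in the post: broadcast ARP request,
# sender 08:00:07:c4:28:53 / 24.1.8.1, target 24.1.14.32, zero-padded to 60 bytes.
SAMPLE_FRAME = bytes.fromhex(
    "ffffffffffff" "080007c42853" "0806"          # Ethernet II header
    "0001" "0800" "06" "04" "0001"                # htype, ptype, hlen, plen, opcode=request
    "080007c42853" "18010801"                     # sender MAC, sender IP 24.1.8.1
    "ffffffffffff" "18010e20"                     # target MAC, target IP 24.1.14.32
    + "00" * 18                                   # trailer padding
)


def decode_arp_frame(frame):
    """Decode an Ethernet II + ARP (IPv4 over Ethernet) frame; None if it is not one."""
    if len(frame) < 42:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0806:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return {
        "opcode": "request" if op == 1 else "reply" if op == 2 else f"op{op}",
        "src_mac": mac(frame[6:12]),
        "sender_mac": mac(frame[22:28]),
        "sender_ip": ip(frame[28:32]),
        "target_mac": mac(frame[32:38]),
        "target_ip": ip(frame[38:42]),
    }


def claims_trusted_address(arp, trusted):
    """True if the sender asserts an IP in `trusted` with a MAC other than the one on record."""
    expected = trusted.get(arp["sender_ip"])
    return expected is not None and arp["sender_mac"] != expected.lower()


if __name__ == "__main__":
    for ip, info in detect_flapping(parse_arp_events(SAMPLE_LOG)).items():
        print(f"{ip}: {info['flips']} flips between {info['macs']} (OUIs {info['ouis']})")
    decoded = decode_arp_frame(SAMPLE_FRAME)
    # Assumed mapping: the Cisco address is the one the gateway is believed to own.
    print(decoded, claims_trusted_address(decoded, {"24.1.8.1": "00:01:63:f1:d8:80"}))
```

Run against the real /var/log/messages, the flapping report answers the first question in the post (which IPs are being claimed by more than one station, and by which vendors) without reading every line, and the frame check gives a yes/no on whether a captured ARP packet asserts the gateway address from an unexpected MAC. Which of the two MACs is the legitimate one still has to come from out-of-band knowledge (the ISP's NOC, in this case), which is why the trusted mapping is a parameter rather than something inferred from the traffic.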
Current thread:
- Arp Warnings on @Home Network Mike Forrester (Feb 06)
- Re: Arp Warnings on @Home Network Ryan Russell (Feb 07)
- Re: Arp Warnings on @Home Network Dragos Ruiu (Feb 07)
- Re: Arp Warnings on @Home Network Jose Nazario (Feb 07)
- Re: Arp Warnings on @Home Network Jose Nazario (Feb 07)
- Re: Arp Warnings on @Home Network Jose Nazario (Feb 07)
- Re: Arp Warnings on @Home Network Jose Nazario (Feb 07)
- Re: Arp Warnings on @Home Network Gordon Messmer (Feb 07)
- <Possible follow-ups>
- Re: Arp Warnings on @Home Network Forrester, Mike (Feb 07)
- Re: Arp Warnings on @Home Network Mathias Wegner (Feb 07)
- Re: Arp Warnings on @Home Network Forrester, Mike (Feb 09)