Security Incidents mailing list archives
RE: A bit strange ARP queries
From: "Jeroen van Meeuwen" <kanarip () pczone-clan nl>
Date: Sun, 18 Dec 2005 02:07:59 +0100
RFC says that the target MAC in the who-has requests has no meaning but they can be present in the who-has requests. And there was no such packets in that net -- they appeared recently. So if the terget MAC is normally ignored, such packets can be used for ARP spoofing (of any kind) only if we have some strange ARP stacks that are caching the target MAC's from the ARP requests.
Have you investigated the requestor? Is it the same host over and over again? Kind regards, Jeroen van Meeuwen -- kanarip
Current thread:
- A bit strange ARP queries Eygene A. Ryabinkin (Dec 15)
- Re: A bit strange ARP queries incidents (Dec 17)
- RE: A bit strange ARP queries Jason Burton (Dec 17)
- Re: A bit strange ARP queries wayne dawson (Dec 17)
- Re: A bit strange ARP queries Eygene A. Ryabinkin (Dec 17)
- RE: A bit strange ARP queries Craig Skelton (Dec 17)
- RE: A bit strange ARP queries Jeroen van Meeuwen (Dec 17)
- Re: A bit strange ARP queries Samuel R. Baskinger (Dec 21)
- Re: A bit strange ARP queries Eygene A. Ryabinkin (Dec 17)
- Re: A bit strange ARP queries Tillmann Werner (Dec 17)
- Re: A bit strange ARP queries Jeff Kell (Dec 17)
- <Possible follow-ups>
- RE: A bit strange ARP queries Paul Farrington (Dec 17)
- RE: A bit strange ARP queries Dave Hawkins (Dec 19)
- RE: A bit strange ARP queries Koike, Rafael Marcelino (Dec 22)
- Re: A bit strange ARP queries Eygene A. Ryabinkin (Dec 22)