Vulnerability Development mailing list archives

Re: spoofing the ethernet address


From: robbins.7 () OSU EDU (James A. Robbins)
Date: Wed, 15 Mar 2000 09:54:42 -0500


At 11:15 AM 3/14/00 -0500, Arnold, Jamie wrote:
> I have a question that one/some of you may be able to help with.  We have a
> user in one of our dorms (DHCP) that is reporting his MAC address as
> changing about every 10 minutes.  When he first powers-on his system, the
> MAC is correct and DHCP renews his lease.  After a while, the master switch
> shows his IP having about 10 different MAC addresses, all variations of the
> first where the first 4 digits remain constant, the second 4 go to the last
> position and the middle 4 change randomly.  Has anyone seen this, or have
> any idea what's going on?  My theory is a cheap NIC with bad firmware.  We
> have seen an influx of inexpensive cards coming into campus that have had
> duplicate MACs or no MACs (000000000000) at all.

Arnold, we see this all the time.  It usually means that a NIC is going
bad.  Another symptom is when the IP addresses get all shuffled
around:

From: 128.146.20.14 To: 128.146.20.254

becomes

From: xxx.xxx.128.146 To: 20.14.xxx.xxx

Also, we see all zeros in MAC addresses all the time, especially on
Mac PowerPCs. It usually happens during large file transfers.


--
James A. Robbins
Senior Design Engineer, Network Engineer
The Ohio State University
Chemistry Department
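
Added example (not part of the original messages, and not a tool either poster used): a Python check that groups switch or ARP observations by IP and separates the pattern described in the thread (first 4 hex digits constant, second 4 moved to the last position) from unrelated MAC changes and all-zero MACs. The sample addresses, verdict strings and function names are constructed for illustration, and it assumes the first MAC seen for an IP is the genuine one, as in the report.

```python
from collections import defaultdict

ZERO_MAC = "0" * 12

def norm(mac):
    """Reduce a MAC to 12 lowercase hex digits, dropping separators."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def is_shifted_variant(first, other):
    """Pattern from the report: first 4 digits kept, second 4 moved to the end."""
    return other != first and other[:4] == first[:4] and other[8:] == first[4:8]

def classify(observations):
    """Map each IP to a verdict, given (ip, mac) pairs in the order seen.
    Assumption: the first MAC seen for an IP is the genuine one (power-on)."""
    seen = defaultdict(list)
    for ip, mac in observations:
        m = norm(mac)
        if m not in seen[ip]:
            seen[ip].append(m)
    verdicts = {}
    for ip, (first, *rest) in seen.items():
        if not rest:
            verdicts[ip] = "all-zero MAC" if first == ZERO_MAC else "stable"
        elif all(m == ZERO_MAC or is_shifted_variant(first, m) for m in rest):
            verdicts[ip] = "garbled variants (suspect failing NIC)"
        else:
            verdicts[ip] = "unrelated MACs (investigate)"
    return verdicts

# Constructed sample observations (documentation address range, made-up MACs).
SAMPLE = [
    ("192.0.2.21", "00:a0:c9:12:34:56"),  # MAC at power-on
    ("192.0.2.21", "00:a0:7f:3e:c9:12"),  # 00a0 kept, c912 moved to the end
    ("192.0.2.21", "00:a0:01:bb:c9:12"),
    ("192.0.2.30", "00:10:4b:aa:bb:cc"),
    ("192.0.2.30", "08:00:20:11:22:33"),  # shares nothing with the first MAC
    ("192.0.2.40", "00:05:02:de:ad:01"),
    ("192.0.2.50", "00:00:00:00:00:00"),
]

if __name__ == "__main__":
    for ip, verdict in classify(SAMPLE).items():
        print(ip, verdict)
```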


