Vulnerability Development mailing list archives
Re: spoofing the ethernet address
From: courcoul () CAMPUS QRO ITESM MX (Juan M. Courcoul)
Date: Wed, 15 Mar 2000 14:16:34 -0600
On Tue, 14 Mar 2000, Arnold, Jamie wrote:
I have a question that one/some of you may be able to help with. We have a user in one of our dorms (DHCP) that is reporting his MAC address as changing about every 10 minutes. When he first powers-on his system, the MAC is correct and DHCP renews his lease. After a while, the master switch shows his IP having about 10 different MAC addresses, all variations of the first where the first 4 digits remain constant, the second 4 go to the last position and the middle 4 change randomly. Has anyone seen this, or have any idea what's going on. My theory is a cheap NIC with bad firmware. We have seen an influx of inexpensive cards coming into campus that have had duplicate MACs or no MACs (000000000000) at all.
Just a wild guess: what OS is this user running ? Might it be that they have some flavor of Windows NT with RAS activated ? The RAS server might try to hoard IP addresses in this fashion, even if it doesn't use them. J. Courcoul courcoul () campus qro itesm mx Servicios Computacionales Directo (4) 238-3181 ITESM Campus Queretaro Secretaria (4) 238-3175 Queretaro, Qro. Mexico Sky (800) 723-4500 PIN 5597110
Current thread:
- Re: spoofing the ethernet address, (continued)
- Re: spoofing the ethernet address Pavel Kankovsky (Mar 09)
- Extending the FTP "ALG" vulnerability to any FTP client Mikael Olsson (Mar 10)
- DoS in ArGoSoft FTP Server, Version 1.04 (1.0.4.4) for win* Knud Erik Højgaard (Feb 11)
- Re: Extending the FTP "ALG" vulnerability to any FTP client Dug Song (Mar 11)
- Security auditing of network infrastructure Martin M Samson (Mar 11)
- information being stored from cgi forms Bob Johnson (Mar 10)
- Re: information being stored from cgi forms Crispin Cowan (Mar 10)
- Re: spoofing the ethernet address John Flux (Mar 14)
- Re: spoofing the ethernet address Juan M. Courcoul (Mar 15)
- Linux Mandrake 6.1 PAM/userhelper exploit Paulo Ribeiro (Mar 16)
- AIM 3.0 Buffer Overflow exploit lewkir () YAHOO COM (Mar 17)
- Re: AIM 3.0 Buffer Overflow exploit Jamal Hendershot (Mar 19)
- Re: AIM 3.0 Buffer Overflow exploit - - (Mar 21)
- Re: spoofing the ethernet address Ex Machina (Mar 22)
- Re: spoofing the ethernet address (license managers) Eric Sherrill (Mar 24)
- IPSec research Bep Verberk (Mar 24)