Vulnerability Development mailing list archives

Previous By Date Next
Previous By Thread Next

Re: spoofing the ethernet address

From: courcoul () CAMPUS QRO ITESM MX (Juan M. Courcoul)
Date: Wed, 15 Mar 2000 14:16:34 -0600

On Tue, 14 Mar 2000, Arnold, Jamie wrote:


I have a question that one/some of you may be able to help with.  We have a
user in one of our dorms (DHCP) that is reporting his MAC address as
changing about every 10 minutes.  When he first powers-on his system, the
MAC is correct and DHCP renews his lease.  After a while, the master switch
shows his IP having about 10 different MAC addresses, all variations of the
first where the first 4 digits remain constant, the second 4 go to the last
position and the middle 4 change randomly.  Has anyone seen this, or have
any idea what's going on.  My theory is a cheap NIC with bad firmware.  We
have seen an influx of inexpensive cards coming into campus that have had
duplicate MACs or no MACs (000000000000) at all.


Just a wild guess: what OS is this user running ? Might it be that they
have some flavor of Windows NT with RAS activated ? The RAS server might
try to hoard IP addresses in this fashion, even if it doesn't use them.

J. Courcoul                               courcoul () campus qro itesm mx
Servicios Computacionales                 Directo    (4) 238-3181
ITESM Campus Queretaro                    Secretaria (4) 238-3175
Queretaro, Qro. Mexico                    Sky (800) 723-4500 PIN 5597110
Previous By Date Next
Previous By Thread Next

Current thread: