Vulnerability Development mailing list archives
Re: spoofing the ethernet address
From: jnduncan () CISCO COM (Jim Duncan)
Date: Thu, 2 Mar 2000 03:18:02 -0500
Ben Grubin writes:
> Trivial, actually. Most cards allow programmable MAC addressing, so changing them around is usually easy. Of course, since the source MAC is only visible on the directly attached segment, this is only useful if you are doing "bad things" on the segment your machine physically resides on. Once you hit a routing device, it's IP only.
_All_ cards allow it, or things like DECnet break horribly. That's why DEC networking gear had port security functions that always allowed _two_ MAC addresses to be defined per port, just in case DECnet was in use. The host would possibly come up first with its "real" MAC address, and then promptly switch to a DECnet MAC address once the DECnet stack was loaded. For those that don't know, DECnet addresses are encoded in the MAC address.
> Since the MAC address is programmable, and typically not tracked, it can't be used as a reliable forensic data source.
Tools like arpwatch and arpsnmp that have been around for years can track the use of MAC addresses reasonably reliably, and MAC addresses _can_ be used as forensic evidence as long as the reliability is addressed truthfully. Your mileage may vary, and I'm not a lawyer.

The important point here that the poster has emphasized is that (1) contrary to popular belief, MAC addresses are not "carved in stone" and can be changed at the whim of the user. Therefore, (2) unless proper steps are taken, the veracity of MAC address logging is questionable at best.

Jim

--
Jim Duncan, Product Security Incident Manager, Cisco Systems, Inc.
<http://www.cisco.com/warp/public/707/sec_incident_response.shtml>
E-mail: <jnduncan () cisco com>
Phone(Direct/FAX): +1 919 392 6209
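The kind of IP-to-MAC tracking the message attributes to tools such as arpwatch can be sketched as follows. This is an added example, not part of the original message and not arpwatch's code: the function names, event labels and sample sightings are constructed for illustration. It also decodes the DECnet Phase IV address that the message notes is encoded in the MAC address, so an expected DECnet switch can be told apart from other changes.

```python
DECNET_PREFIX = bytes.fromhex("aa000400")  # DECnet Phase IV station prefix

def parse_mac(text):
    parts = text.replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError(f"bad MAC: {text!r}")
    return bytes(int(p, 16) for p in parts)

def classify(mac):
    """Say what the address itself reveals; none of these prove identity."""
    if mac[:4] == DECNET_PREFIX:
        addr = mac[4] | (mac[5] << 8)   # 16-bit DECnet address, little-endian
        return f"decnet {addr >> 10}.{addr & 0x3FF}"   # area.node
    if mac[0] & 0x02:                   # locally administered bit is set
        return "locally-administered"
    return "universal"                  # OUI form, but still reprogrammable

def track(observations):
    """Return events for (time, ip, mac) sightings given in time order."""
    history, current, events = {}, {}, []
    for ts, ip, text in observations:
        mac = parse_mac(text)
        if ip not in history:
            kind = "new"
        elif mac == current[ip]:
            continue                    # same pairing as the last sighting
        elif mac in history[ip]:
            kind = "flip-flop"          # back to an address seen earlier
        else:
            kind = "changed"
        history.setdefault(ip, set()).add(mac)
        current[ip] = mac
        events.append((ts, ip, kind, mac.hex(":"), classify(mac)))
    return events

# Constructed sightings (documentation IP and MAC ranges), not real traffic.
SAMPLE = [
    (1, "192.0.2.10", "00:00:5e:00:53:01"),  # host boots with burned-in MAC
    (2, "192.0.2.10", "aa:00:04:00:0a:04"),  # DECnet stack loads: node 1.10
    (3, "192.0.2.20", "00:00:5e:00:53:02"),
    (4, "192.0.2.20", "02:00:00:00:00:01"),  # user-programmed address
    (5, "192.0.2.20", "00:00:5e:00:53:02"),  # and back again
]

if __name__ == "__main__":
    for event in track(SAMPLE):
        print(*event)
```

A log built this way records when each pairing was seen, which is the tracking the message says MAC evidence needs before its reliability can be argued.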