Vulnerability Development mailing list archives
Re: spoofing the ethernet address
From: BGrubin () SCIENT COM (Ben Grubin)
Date: Thu, 2 Mar 2000 21:02:40 -0600
I seem to recall sometime in my past seeing "secure" cards, which would stamp an absolute MAC address on every frame no matter WHAT you tried to do in the networking stack. Though now that I'm thinking this might have been token ring... too many years.. it all starts to blend together.. *sigh*
-----Original Message-----
From: Jim Duncan [mailto:jnduncan () CISCO COM]
Sent: Thursday, March 02, 2000 3:18 AM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: spoofing the ethernet address

Ben Grubin writes:
> Trivial, actually. Most cards allow programmable MAC addressing, so changing them around is usually easy. Of course, since the source MAC is only visible on the directly attached segment, this is only useful if you are doing "bad things" on the segment your machine physically resides on. Once you hit a routing device, it's IP only.

_All_ cards allow it, or things like DECnet break horribly. That's why DEC networking gear had port security functions that always allowed _two_ MAC addresses to be defined per port, just in case DECnet was in use. The host would possibly come up first with its "real" MAC address, and then promptly switch to a DECnet MAC address once the DECnet stack was loaded. For those that don't know, DECnet addresses are encoded in the MAC address.

> Since the MAC address is programmable, and typically not tracked, it can't be used as a reliable forensic data source.

Tools like arpwatch and arpsnmp that have been around for years can track the use of MAC addresses reasonably reliably, and MAC addresses _can_ be used as forensic evidence as long as the reliability is addressed truthfully. Your mileage may vary, and I'm not a lawyer. The important point here that the poster has emphasized is that (1) contrary to popular belief, MAC addresses are not "carved in stone" and can be changed at the whim of the user. Therefore, (2) unless proper steps are taken, the veracity of MAC address logging is questionable at best.

Jim

--
Jim Duncan, Product Security Incident Manager, Cisco Systems, Inc.
<http://www.cisco.com/warp/public/707/sec_incident_response.shtml>
E-mail: <jnduncan () cisco com>
Phone(Direct/FAX): +1 919 392 6209
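Added example, not part of either post and not arpwatch's own code: a small Python sketch of the IP-to-MAC tracking the quoted message attributes to tools like arpwatch, including the DECnet case where a host legitimately moves to a second MAC. It assumes the DECnet Phase IV encoding (prefix AA-00-04-00, then the 16-bit area/node value in little-endian order); the event labels, function names and sample sightings are constructed for illustration.

```python
DECNET_PREFIX = bytes.fromhex("aa000400")  # DECnet Phase IV MAC prefix

def parse_mac(text):
    """Return the 6 raw bytes of a colon- or dash-separated MAC address."""
    raw = bytes.fromhex(text.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("not a 48-bit MAC: %r" % text)
    return raw

def decnet_address(mac):
    """Decode 'area.node' from a DECnet-encoded MAC, or None if it is not one."""
    raw = parse_mac(mac)
    if raw[:4] != DECNET_PREFIX:
        return None
    value = int.from_bytes(raw[4:], "little")  # 6-bit area, 10-bit node
    return "%d.%d" % (value >> 10, value & 0x3FF)

def track(observations):
    """Classify each (ip, mac) sighting; labels are this example's own."""
    seen, events = {}, []  # seen: ip -> MACs, most recent last
    for ip, text in observations:
        mac = ":".join("%02x" % b for b in parse_mac(text))
        history = seen.setdefault(ip, [])
        if history and mac == history[-1]:
            continue  # unchanged binding, nothing to log
        if not history:
            label = "new station"
        elif len(history) == 1 and decnet_address(mac):
            # Assumption: one switch to a DECnet MAC is expected behaviour
            label = "decnet switch " + decnet_address(mac)
        elif mac in history:
            label = "flip flop"
        else:
            label = "changed ethernet address"
        events.append((ip, mac, label))
        if mac in history:
            history.remove(mac)
        history.append(mac)
    return events

# Constructed sightings, not captured traffic.
SAMPLE = [
    ("192.0.2.10", "08:00:2b:12:34:56"),  # host boots with burned-in MAC
    ("192.0.2.10", "AA-00-04-00-01-04"),  # then loads DECnet as node 1.1
    ("192.0.2.20", "00:10:5a:aa:bb:cc"),
    ("192.0.2.20", "00:10:5a:aa:bb:cc"),
    ("192.0.2.20", "02:00:00:de:ad:01"),  # unexplained new MAC
    ("192.0.2.20", "00:10:5a:aa:bb:cc"),  # and back again
]
```

Calling `track(SAMPLE)` returns one event per binding change; the log is only as trustworthy as the segment it was collected on, which is the caveat raised in the message above.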