Security Basics mailing list archives
RE: possible arp spoofing
From: Jimi Thompson <jimit () myrealbox com>
Date: Thu, 6 Nov 2003 22:59:50 -0600
Go to your router and put this mac address 0:c0:26:2b:d0:1d in your black hole list. See who complains and then smack them around, find out what they've been doing with their IP address and tell them not to do that any more. It almost looks like someone is parking themselves as a static IP smack in the middle of your DHCP lease space. I don't know about your network, but on mine that's generally cause for public humiliation and physical beatings :)
2 cents,
Jimi

At 8:30 AM -0800 11/6/03, David Gillett wrote:

I don't think it's "arp spoofing", which would be somebody changing their MAC address. It looks, from your description, like the machine with MAC address 00:c0:26:2b:d0:1d is changing its IP address, and colliding with IP addresses in use by other clients.

Dave Gillett

-----Original Message-----
From: greg gede [mailto:mymilis2000 () yahoo com]
Sent: November 5, 2003 18:07
To: security-basics () securityfocus com
Subject: possible arp spoofing

i've got a bunch of email from arpwatch telling me that there are flip flop and changing ethernet address. does this mean there's an arp spoofing going on in my network?? how do i stop this??

these users also reported that their operating system told them on their screen there's another machine using the same ip# as theirs and their connection to the network was also disconnected.

i notice that most of the mac address flip flop are using the same mac address which is 0:c0:26:2b:d0:1d.

here's the arpwatch email sample :

1.
hostname: CAHYADI
ip address: 192.168.5.44
ethernet address: 0:80:48:1e:27:32
ethernet vendor: Compex, used by Commodore and DEC at least
old ethernet address: 0:c0:26:2b:d0:1d
old ethernet vendor: <unknown>
timestamp: Monday, November 3, 2003 14:21:06 +0700
previous timestamp: Monday, November 3, 2003 14:13:56 +0700
delta: 7 minutes

2.
hostname: DENY
ip address: 192.168.5.105
ethernet address: 0:2:b3:17:81:33
ethernet vendor: <unknown>
old ethernet address: 0:c0:26:2b:d0:1d
old ethernet vendor: <unknown>
timestamp: Monday, November 3, 2003 14:16:22 +0700
previous timestamp: Monday, November 3, 2003 14:15:22 +0700
delta: 1 minute

there are many more.....

please help...

regards,
gregor
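An added example, not part of the original thread: a short Python script that tallies arpwatch flip-flop reports by MAC address and lists any station seen on more than one IP, which is the pattern noted in the post. The sample input is the two reports quoted above with some fields omitted; the function names are illustrative.

```python
import re
from collections import defaultdict

# The two arpwatch reports quoted in the post above, reflowed one field per line.
SAMPLE = """\
hostname: CAHYADI
ip address: 192.168.5.44
ethernet address: 0:80:48:1e:27:32
old ethernet address: 0:c0:26:2b:d0:1d
timestamp: Monday, November 3, 2003 14:21:06 +0700

hostname: DENY
ip address: 192.168.5.105
ethernet address: 0:2:b3:17:81:33
old ethernet address: 0:c0:26:2b:d0:1d
timestamp: Monday, November 3, 2003 14:16:22 +0700
"""

# "key: value", tolerating leading mail quote markers ("> ").
FIELD = re.compile(r"^\s*(?:>\s*)*([a-z ]+?):\s*(.+?)\s*$", re.I)

def norm_mac(mac):
    """arpwatch drops leading zeros (0:c0:...); pad so 0:c0 equals 00:c0."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))

def parse_reports(text):
    """Split on blank lines; return one dict of lower-cased fields per report."""
    reports = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = FIELD.match(line)
            if m:
                fields[m.group(1).lower()] = m.group(2)
        if "ip address" in fields and "ethernet address" in fields:
            reports.append(fields)
    return reports

def macs_on_multiple_ips(reports, min_ips=2):
    """Map each MAC (new or old side of a flip flop) to the IPs it was seen on."""
    seen = defaultdict(set)
    for r in reports:
        for key in ("ethernet address", "old ethernet address"):
            if key in r:
                seen[norm_mac(r[key])].add(r["ip address"])
    return {mac: sorted(ips) for mac, ips in seen.items() if len(ips) >= min_ips}

if __name__ == "__main__":
    for mac, ips in macs_on_multiple_ips(parse_reports(SAMPLE)).items():
        print(mac, "seen on", ", ".join(ips))
```
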
Current thread:
- possible arp spoofing greg gede (Nov 05)
- RE: possible arp spoofing David Gillett (Nov 06)
- RE: possible arp spoofing Jimi Thompson (Nov 07)
- Re: possible arp spoofing B. McAninch (Nov 07)
- RE: possible arp spoofing David Gillett (Nov 06)