RE: possible arp spoofing

[Jimi Thompson <jimit () myrealbox com>]

Go to your router and put this mac address 0:c0:26:2b:d0:1d in your 
black hole list.  See who complains and then smack them around, find 
out what they've been doing with their IP address and tell them not 
to do that any more.  It almost looks like someone is parking 
themselves as a static IP smack in the middle of your DHCP lease 
space.  I don't know about your network, but on mine that's generally 
cause for public humiliation and physical beatings :)

2 cents,

Jimi

At 8:30 AM -0800 11/6/03, David Gillett wrote:
>   I don't think it's "arp spoofing", which would be
> somebody changing their MAC address.  It looks, from
> your description, like the machine with MAC address
> 00:c0:26:2b:d0:1d is changing its IP address, and
> colliding with IP addresses in use by other clients.
>
> Dave Gillett
>
> >  -----Original Message-----
> >  From: greg gede [mailto:mymilis2000 () yahoo com]
> >  Sent: November 5, 2003 18:07
> >  To: security-basics () securityfocus com
> >  Subject: possible arp spoofing
> >
> >
> >  i've got a bunch of email from arpwatch telling me
> >  that there are flip flop and changing ethernet
> >  address. does this mean there's an arp spoofing going
> >  on in my network?? how do i stop this?? these users
> >  also reported that their operating system told them on
> >  their screen there's another machine using the same
> >  ip# as theirs and their connection to the network was
> >  also disconnected.
> >
> >  i notice that most of the mac address flip flop are
> >  using the same mac address which is 0:c0:26:2b:d0:1d.
> >
> >  here's the arpwatch email sample :
> >  1.
> >   hostname: CAHYADI
> >            ip address: 192.168.5.44
> >      ethernet address: 0:80:48:1e:27:32
> >       ethernet vendor: Compex, used by Commodore and
> >  DEC at least
> >  old ethernet address: 0:c0:26:2b:d0:1d
> >   old ethernet vendor: <unknown>
> >             timestamp: Monday, November 3, 2003
> >  14:21:06 +0700
> >    previous timestamp: Monday, November 3, 2003
> >  14:13:56 +0700
> >                 delta: 7 minutes
> >
> >  2.
> >  hostname: DENY
> >            ip address: 192.168.5.105
> >      ethernet address: 0:2:b3:17:81:33
>  >      ethernet vendor: <unknown>
>  > old ethernet address: 0:c0:26:2b:d0:1d
> >   old ethernet vendor: <unknown>
> >             timestamp: Monday, November 3, 2003
> >  14:16:22 +0700
> >    previous timestamp: Monday, November 3, 2003
> >  14:15:22 +0700
> >                 delta: 1 minute
> >
> >  there are many more..... please help...
> >
> >  regards,
> >  gregor
> >
> >  __________________________________
> >  Do you Yahoo!?
> >  Protect your identity with Yahoo! Mail AddressGuard
> >  http://antispam.yahoo.com/whatsnewfree
> >
> >  --------------------------------------------------------------
> >  -------------
> >  Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE
> >  The Presidio integrates PGP data encryption and XML Web
> >  Services security to
> >  simplify the management and deployment of PGP and reduce
> >  overall PGP costs
> >  by up to 80%.
> >  FREE WHITEPAPER & 30 Day Trial -
> >  http://www.securityfocus.com/sponsor/ForumSystems_security-bas
> ics_031027
> ----------------------------------------------------------------------------
>
>
> ---------------------------------------------------------------------------
> Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE
> The Presidio integrates PGP data encryption and XML Web Services security to
> simplify the management and deployment of PGP and reduce overall PGP costs
> by up to 80%.
> FREE WHITEPAPER & 30 Day Trial -
> http://www.securityfocus.com/sponsor/ForumSystems_security-basics_031027
> ----------------------------------------------------------------------------


---------------------------------------------------------------------------
Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE
The Presidio integrates PGP data encryption and XML Web Services security to 
simplify the management and deployment of PGP and reduce overall PGP costs 
by up to 80%.
FREE WHITEPAPER & 30 Day Trial - 
http://www.securityfocus.com/sponsor/ForumSystems_security-basics_031027 
----------------------------------------------------------------------------