Security Basics mailing list archives

Re: possible arp spoofing


From: "B. McAninch" <b () planbproduktions com>
Date: Fri, 7 Nov 2003 08:32:52 -0600

We have this happen from time to time where I work. The tech-support team
connects a newly built desktop and chooses an arbitrary IP address which
triggers an arpwatch violation (specifically a flip-flop). Nevertheless,
it's worth checking out...

Bryan

----- Original Message ----- 
From: "David Gillett" <gillettdavid () fhda edu>
To: "'greg gede'" <mymilis2000 () yahoo com>;
<security-basics () securityfocus com>
Sent: Thursday, November 06, 2003 10:30
Subject: RE: possible arp spoofing


  I don't think it's "arp spoofing", which would be
somebody changing their MAC address.  It looks, from
your description, like the machine with MAC address
00:c0:26:2b:d0:1d is changing its IP address, and
colliding with IP addresses in use by other clients.

Dave Gillett

-----Original Message-----
From: greg gede [mailto:mymilis2000 () yahoo com]
Sent: November 5, 2003 18:07
To: security-basics () securityfocus com
Subject: possible arp spoofing


I've got a bunch of emails from arpwatch telling me
that there are flip-flops and changing ethernet
addresses. Does this mean there's ARP spoofing going
on in my network? How do I stop this? These users
also reported that their operating system told them on
their screen that there's another machine using the same
IP # as theirs, and their connection to the network was
also disconnected.

I notice that most of the MAC address flip-flops are
using the same MAC address, which is 0:c0:26:2b:d0:1d.

here's the arpwatch email sample :
1.
            hostname: CAHYADI
          ip address: 192.168.5.44
    ethernet address: 0:80:48:1e:27:32
     ethernet vendor: Compex, used by Commodore and DEC at least
old ethernet address: 0:c0:26:2b:d0:1d
 old ethernet vendor: <unknown>
           timestamp: Monday, November 3, 2003 14:21:06 +0700
  previous timestamp: Monday, November 3, 2003 14:13:56 +0700
               delta: 7 minutes

2.
            hostname: DENY
          ip address: 192.168.5.105
    ethernet address: 0:2:b3:17:81:33
     ethernet vendor: <unknown>
old ethernet address: 0:c0:26:2b:d0:1d
 old ethernet vendor: <unknown>
           timestamp: Monday, November 3, 2003 14:16:22 +0700
  previous timestamp: Monday, November 3, 2003 14:15:22 +0700
               delta: 1 minute

There are many more... please help...

regards,
gregor


---------------------------------------------------------------------------
Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE
The Presidio integrates PGP data encryption and XML Web Services security to
simplify the management and deployment of PGP and reduce overall PGP costs
by up to 80%.
FREE WHITEPAPER & 30 Day Trial -
http://www.securityfocus.com/sponsor/ForumSystems_security-basics_031027
----------------------------------------------------------------------------





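The arpwatch reports quoted in the thread can be checked mechanically rather than by eye. The following is an added example, not code from the thread or from arpwatch itself: it parses reports in the format shown above and groups the IP addresses each MAC has been tied to, so that a single MAC claiming several IPs (the address-hopping host Dave describes) stands out from a genuine per-IP MAC change. The sample text is constructed from the two reports in the thread with their mail-wrapped lines rejoined.

```python
import re
from collections import defaultdict
# Constructed sample: the two arpwatch flip-flop reports quoted in the thread.
SAMPLE_REPORTS = """\
            hostname: CAHYADI
          ip address: 192.168.5.44
    ethernet address: 0:80:48:1e:27:32
     ethernet vendor: Compex, used by Commodore and DEC at least
old ethernet address: 0:c0:26:2b:d0:1d
 old ethernet vendor: <unknown>
           timestamp: Monday, November 3, 2003 14:21:06 +0700
  previous timestamp: Monday, November 3, 2003 14:13:56 +0700
               delta: 7 minutes

            hostname: DENY
          ip address: 192.168.5.105
    ethernet address: 0:2:b3:17:81:33
     ethernet vendor: <unknown>
old ethernet address: 0:c0:26:2b:d0:1d
 old ethernet vendor: <unknown>
           timestamp: Monday, November 3, 2003 14:16:22 +0700
  previous timestamp: Monday, November 3, 2003 14:15:22 +0700
               delta: 1 minute
"""

FIELD_RE = re.compile(r"^\s*(?P<key>[a-z ]+?):\s*(?P<val>.*)$")
def normalize_mac(mac):
    # arpwatch prints MAC bytes without zero padding (0:c0:26:...); pad them
    return ":".join(part.zfill(2) for part in mac.lower().split(":"))
def parse_reports(text):
    # one report per blank-line-separated block; each line is "key: value"
    reports = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line)
            if m:
                fields[m.group("key").strip()] = m.group("val").strip()
        if "ip address" in fields:
            reports.append(fields)
    return reports
def macs_seen_on_multiple_ips(reports, threshold=2):
    # Collect every IP each MAC (new or old) has been tied to. One MAC bound to
    # several IPs means one host is hopping addresses, as the thread concludes.
    ips_by_mac = defaultdict(set)
    for r in reports:
        for key in ("ethernet address", "old ethernet address"):
            if key in r:
                ips_by_mac[normalize_mac(r[key])].add(r["ip address"])
    return {m: sorted(ips) for m, ips in ips_by_mac.items() if len(ips) >= threshold}
```

Run over a mailbox of arpwatch reports, the MAC with the longest IP list is the machine to go and find on the floor, which matches both Bryan's experience and Dave's diagnosis.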

