mac address issue

["Brian Whitehead" <brian () whiteheadconsulting com>]

I was wondering if anyone could point me in the right direction.  Lately
we have been having problems with IP duplication.  Looking at the arp
cache and dhcp logs it looks like either a mac address spoofing issue or
maybe just a hardware problem.  I'm seeing two different mac addresses
that appear to take over 20-30 different IP's all at one time causing an
IP conflict and then they are immediately released.  I haven't been able
to find these mac addresses on any device in the building.  The switches
don't seem to agree either.  One port on the core switch may have it in
it's arp cache, but the switch plugged into that port doesn't.  Nothing is
making a lot of sense.  This has happened once or twice a day for the last
4-5 days.  If anyone has an idea of what to look at I would appreciate it.

-- 
Brian


---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Federal, September 29-30 (Training), 
October 1-2 (Briefings) in Tysons Corner, VA; the world's premier 
technical IT security event.  Modeled after the famous Black Hat event in 
Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors.  
Symantec is the Diamond sponsor.  Early-bird registration ends September 6.Visit us: www.blackhat.com
----------------------------------------------------------------------------