Security Basics mailing list archives

RE: Strange pings from 127.0.0.1

From: Steven Trewick <STrewick () joplings co uk>
Date: Thu, 24 Jun 2004 10:15:33 +0100

Next, (assuming non-promiscuous mode of operation by the NIC) I fail to
understand how the author of this attack intends to reach his/her targets,
if the dest MAC addresses are fake! I might be missing something obvious,
so if someone can point it out to me, that would be great. thanks.

The OP doesn't say what the SRC and DEST MAC are, (which would be helpful),
but its entirely possible that they are multicast MAC addresses, which
would be broadcast to every switch port.

This is not always obvious if you don't know what to look for,
multicast MAC addresses are identifiable by the low order bit of
their first byte, if this is set to 1, (eg the byte is odd) the frame
is multicast.

To take an example, if the destination MAC address is 01:xx:xx:xx:xx:xx
then it is a multicast address, same for 03:xx:xx:xx:xx:xx, but not
for 02::xx:xx:xx:xx:xx

See http://www.iana.org/assignments/ethernet-numbers for a discussion
of MAC addressing in general, and an explanation (?) of MAC multicast

While I doubt this is related to the OP's problem, I hope it will
prove useful.

</code>
The information contained in this e-mail is confidential and may be privileged, it is intended for the addressee only.
If you have received this e-mail in error please delete it from your system. The statements and opinions expressed in
this message are those of the author and do not necessarily reflect those of the company. Whilst Joplings Group
operates an e-mail anti-virus program it does not accept responsibility for any damage whatsoever that is caused by
viruses being passed.
joplings.co.uk

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------

Current thread:

Strange pings from 127.0.0.1, (continued)
- Strange pings from 127.0.0.1 Andrew Aris (Jun 22)
  - Re: Strange pings from 127.0.0.1 Alan Hicks (Jun 23)
  - Re: Strange pings from 127.0.0.1 Kelly John Rose (Jun 23)
    - RE: Strange pings from 127.0.0.1 David Gillett (Jun 24)
    - RE: Strange pings from 127.0.0.1 Andrew Aris (Jun 24)
    - Re: Strange pings from 127.0.0.1 Kelly John Rose (Jun 25)
    - Re: Strange pings from 127.0.0.1 SecurityFocus Lists (Jun 24)
    - Re: Strange pings from 127.0.0.1 Kelly John Rose (Jun 25)
- Re: Strange pings from 127.0.0.1 Tim Schwimer (Jun 24)
  - RE: Strange pings from 127.0.0.1 David Gillett (Jun 25)
- RE: Strange pings from 127.0.0.1 Steven Trewick (Jun 24)
  - Re: Strange pings from 127.0.0.1 Ranjeet Shetye (Jun 26)
- RE: Strange pings from 127.0.0.1 Timothy Schwimer (Jun 28)