Re: Mac addresses

[Brian Kaye <bdk () UNB CA>]

Thes are not assigned addresses as you probably know. Could it be that
there are some machines on your blackhole VLAN that are communicating
amongst thenmselves with one of them routing to a real VLAN? Have you
checked for layer 3 traffic on the blackhole vlan?

Another possibility is you have someone experimenting with changing their
MAC addresses and seeing how your network handles them? Or looking for a
valid MAC address that they can hijack.


......Brian Kaye
......UNB

On Tue, 9 Sep 2008, Peter Charbonneau wrote:

> Date: Tue, 9 Sep 2008 09:50:03 -0400
> From: Peter Charbonneau <Peter.Charbonneau () WILLIAMS EDU>
> Reply-To: The EDUCAUSE Security Constituent Group Listserv
>     <SECURITY () LISTSERV EDUCAUSE EDU>
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] Mac addresses
>
> I am seeing "sequential" MAC addresses on my network in the form of:
>
> 02-00-00-00-00-01
> 02-00-00-00-00-02
> 02-00-00-00-00-03
> 02-00-00-00-00-04
> 02-00-00-00-00-05
> 02-00-00-00-00-06
> 02-00-00-00-00-07
> 02-00-00-00-00-08
> 02-00-00-00-00-09
> 02-00-00-00-00-10
> 02-00-00-00-00-11
> 02-00-00-00-00-12
> 02-00-00-00-00-13
> 02-00-00-00-00-14
> 02-00-00-00-00-15
> 02-00-00-00-00-16
> 02-00-00-00-00-17
> 02-00-00-00-00-18
> 02-00-00-00-00-19
> 02-00-00-00-00-20
>
> These are only a few ... I have about 100 of them.  They only exist in my
> "BlachHole" VLAN -- no connectivity to anything else, no routers no nothing.
>
> I can't find any documentation on what these MAC addresses are.  I am
> guessing that they are some sort of LLDP MAC address, but it seems weird that
> I don't get any search engine hits about them.
>
> This is not one machine spewing out multiple bogus addresses, but many
> machines .... one to one?  Not sure.
>
> Ideas?
>
>
> PeteC
>
>
> Peter Charbonneau
> Sr. Network and Systems Administrator
> Williams College
> (413) 597-3408 (office)
> (413) 822-2922 (cell)