Re: Mac addresses

[Brian Kaye <bdk () UNB CA>]

There is a script I found called maidwts.pl (mac addresses I don't want to
see) available somewhere which helps look for invalid mac addresses.
Basically it uses a list of valid OUIs and picks out ones with invalid
ones. This might help a little in case there are other less obvious
forgeries.

.....Brian Kaye
.....UNB


On Tue, 9 Sep 2008, Peter Charbonneau wrote:

> Date: Tue, 9 Sep 2008 09:50:03 -0400
> From: Peter Charbonneau <Peter.Charbonneau () WILLIAMS EDU>
> Reply-To: The EDUCAUSE Security Constituent Group Listserv
>     <SECURITY () LISTSERV EDUCAUSE EDU>
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] Mac addresses
>
> I am seeing "sequential" MAC addresses on my network in the form of:
>
> 02-00-00-00-00-01
> 02-00-00-00-00-02
> 02-00-00-00-00-03
> 02-00-00-00-00-04
> 02-00-00-00-00-05
> 02-00-00-00-00-06
> 02-00-00-00-00-07
> 02-00-00-00-00-08
> 02-00-00-00-00-09
> 02-00-00-00-00-10
> 02-00-00-00-00-11
> 02-00-00-00-00-12
> 02-00-00-00-00-13
> 02-00-00-00-00-14
> 02-00-00-00-00-15
> 02-00-00-00-00-16
> 02-00-00-00-00-17
> 02-00-00-00-00-18
> 02-00-00-00-00-19
> 02-00-00-00-00-20
>
> These are only a few ... I have about 100 of them.  They only exist in my
> "BlachHole" VLAN -- no connectivity to anything else, no routers no nothing.
>
> I can't find any documentation on what these MAC addresses are.  I am
> guessing that they are some sort of LLDP MAC address, but it seems weird that
> I don't get any search engine hits about them.
>
> This is not one machine spewing out multiple bogus addresses, but many
> machines .... one to one?  Not sure.
>
> Ideas?
>
>
> PeteC
>
>
> Peter Charbonneau
> Sr. Network and Systems Administrator
> Williams College
> (413) 597-3408 (office)
> (413) 822-2922 (cell)