Security Incidents mailing list archives
Re: INCIDENTS Digest - 5 Feb 2001 to 6 Feb 2001 (#2001-33)
From: "Jeffrey D. Carter" <jeffc () SHORE NET>
Date: Wed, 7 Feb 2001 09:20:36 -0500
Automatic digest processor <LISTSERV () lists securityfocus com> writes:
-------------------------------------------------------------------------<
| Date: Tue, 6 Feb 2001 21:57:43 -0700
| From: Mike Forrester <mikef () POCKETLINT COM>
| Subject: Arp Warnings on @Home Network
|
| Greetings,
| I started getting arp warnings on the console to my OpenBSD system at home (no
| pun intended :-) ). Below are excerpts from /var/log/messages and the
| ethereal decoding of one of those packets. To me it appears that someone is
| either trying to be the default router on their network or mis-configured
| their new Mac. 08:00:07 is a vendor id for Apple Computer and 00:01:63 is a
| vendor id for Cisco. Is there a way to determine who is the correct host?
| Either MAC could be spoofed and the packet logs from tcpdump (on the OpenBSD
| system) or from Ethereal (on my Windows 98 system) don't really give any
| detailed info.
| ...
| I have contacted @Home and their generic support people have been getting a
| lot of calls about failed downloads. I talked to someone in their NOC and
| they are looking into the problem.
|
| I'm just curious as to others' thoughts on this as I have not played around
| too much with arp. I do, however, have a few questions:
|
| 1) Is it standard practice for certain systems to use an IP already in use?
| 2) Is there a tool that could be used at the Ethernet level (layer 2) to try
| and get more information from a system if you know its MAC address?
-------------------------------------------------------------------------<
You can temporarily protect yourself by inserting a static ARP entry (your syntax may vary):

    /sbin/arp -s 24.1.8.1 00:01:63:f1:d8:80

I've been forced to do this to temporarily get around a g^^%#$amn RedCreek Ravelin box that proxy-ARPs for IP addresses it thinks aren't on the local wire (piece of junk).

This is @home's problem, and they need to find & thwack the customer promptly. It should be the guy on hold complaining that he can't get his new iMAC to connect to the Internet.

Jeff Carter
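
A log check to go with the static ARP entry above, as an added example that is not part of the original message: it flags any MAC other than the pinned one that claims the gateway's IP. The sample lines are constructed (hostname, interface and the last three octets of the 08:00:07 address are made up), and the only assumption about the log format is that each line contains the IP and the MAC claiming it.

```python
import re
from collections import defaultdict

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
MAC_RE = re.compile(r"\b([0-9a-fA-F]{1,2}(?::[0-9a-fA-F]{1,2}){5})\b")
# Vendor prefixes named in the thread.
OUI = {"08:00:07": "Apple", "00:01:63": "Cisco"}


def norm_mac(mac):
    """Lower-case and zero-pad each octet (some tools print 8:0:7:...)."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))


def claims(lines):
    """Map each IP to the distinct MACs seen claiming it, in first-seen order."""
    seen = defaultdict(list)
    for line in lines:
        ip, mac = IP_RE.search(line), MAC_RE.search(line)
        if ip and mac:
            m = norm_mac(mac.group(1))
            if m not in seen[ip.group(1)]:
                seen[ip.group(1)].append(m)
    return dict(seen)


def check(lines, pinned):
    """Return (ip, mac, vendor) for each pinned IP claimed by a different MAC."""
    alerts = []
    for ip, macs in claims(lines).items():
        if ip not in pinned:
            continue
        want = norm_mac(pinned[ip])
        alerts += [(ip, m, OUI.get(m[:8], "unknown")) for m in macs if m != want]
    return alerts


# Constructed sample input: two kernel-style lines and one sniffer-style line.
SAMPLE = [
    "Feb  6 21:40:01 gw /bsd: arp info overwritten for 24.1.8.1 by 08:00:07:aa:bb:cc on xl0",
    "Feb  6 21:40:03 gw /bsd: arp info overwritten for 24.1.8.1 by 00:01:63:f1:d8:80 on xl0",
    "21:40:05.120 arp reply 24.1.8.1 is-at 8:0:7:aa:bb:cc",
]
# Same IP/MAC pair as the static entry in the message above.
PINNED = {"24.1.8.1": "00:01:63:f1:d8:80"}

if __name__ == "__main__":
    for ip, mac, vendor in check(SAMPLE, PINNED):
        print(f"ALERT {ip} claimed by {mac} ({vendor}), pinned {PINNED[ip]}")
```

The vendor label is only a hint for triage, since, as the original poster notes, either MAC could be spoofed.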