Security Incidents mailing list archives

Re: INCIDENTS Digest - 5 Feb 2001 to 6 Feb 2001 (#2001-33)


From: "Jeffrey D. Carter" <jeffc () SHORE NET>
Date: Wed, 7 Feb 2001 09:20:36 -0500

Automatic digest processor <LISTSERV () lists securityfocus com>  writes:
-------------------------------------------------------------------------<
| Date:    Tue, 6 Feb 2001 21:57:43 -0700
| From:    Mike Forrester <mikef () POCKETLINT COM>
| Subject: Arp Warnings on @Home Network
|
| Greetings,
| I started getting arp warnings on the console of my OpenBSD system at home (no
| pun intended :-) ).  Below are excerpts from /var/log/messages and the
| ethereal decoding of one of those packets.  To me it appears that someone is
| either trying to be the default router on their network or mis-configured
| their new Mac.  08:00:07 is a vendor id for Apple Computer and 00:01:63 is a
| vendor id for Cisco.  Is there a way to determine who is the correct host?
| Either MAC could be spoofed and the packet logs from tcpdump (on the OpenBSD
| system) or from Ethereal (on my Windows 98 system), don't really give any
| detailed info.
|

 ...

| I have contacted @Home and their generic support people have been getting a
| lot of calls about failed downloads.  I talked to someone in their NOC and
| they are looking into the problem.
|
| I'm just curious as to others' thoughts on this as I have not played around
| too much with arp.  I do, however, have a few questions:
|
| 1) Is it standard practice for certain systems to use an IP already in use?
| 2) Is there a tool that could be used at the Ethernet level (layer 2) to try
| and get more information from a system if you know its MAC address?
-------------------------------------------------------------------------<

You can temporarily protect yourself by inserting a static ARP entry
(your syntax may vary):

/sbin/arp -s 24.1.8.1 00:01:63:f1:d8:80

I've been forced to do this to temporarily get around a g^^%#$amn
RedCreek Ravelin box that proxy-ARPs for IP addresses it thinks
aren't on the local wire (piece of junk).

This is @home's problem, and they need to find & thwack the
customer promptly. It should be the guy on hold complaining
that he can't get his new iMac to connect to the Internet.

Jeff Carter
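
Added example (not part of the original messages or either poster's code): a small Python check that scans syslog lines for ARP overwrite warnings and reports any IP claimed by more than one MAC, or by a MAC other than the one pinned with the static entry above. The log line shape ("arp info overwritten for <ip> by <mac> on <if>"), the hostname, the interface name and every MAC except 00:01:63:f1:d8:80 are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed BSD kernel message shape: "arp info overwritten for <ip> by <mac> on <if>"
OVERWRITE = re.compile(
    r"arp:? info overwritten for (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"by (?P<mac>[0-9a-fA-F]{1,2}(?::[0-9a-fA-F]{1,2}){5})"
)

# Binding pinned by the static ARP entry quoted in the reply.
PINNED = {"24.1.8.1": "00:01:63:f1:d8:80"}

# Constructed sample log lines (hostname, interface and non-pinned MACs are made up).
SAMPLE = """\
Feb  6 20:11:02 gw /bsd: arp info overwritten for 24.1.8.1 by 08:00:07:aa:bb:cc on xl0
Feb  6 20:11:09 gw /bsd: arp info overwritten for 24.1.8.1 by 00:01:63:f1:d8:80 on xl0
Feb  6 20:12:30 gw /bsd: arp info overwritten for 24.1.8.1 by 8:0:7:aa:bb:cc on xl0
Feb  6 20:13:00 gw /bsd: arp info overwritten for 24.1.8.77 by 00:50:04:11:22:33 on xl0
""".splitlines()

def norm_mac(mac):
    """Lowercase and zero-pad each octet so 8:0:7:... equals 08:00:07:..."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))

def find_conflicts(lines, pinned=PINNED):
    """Map each contested IP to the MACs seen and the ones that differ from the pin."""
    seen = defaultdict(set)
    for line in lines:
        m = OVERWRITE.search(line)
        if m:
            seen[m["ip"]].add(norm_mac(m["mac"]))
    report = {}
    for ip, macs in seen.items():
        expected = norm_mac(pinned[ip]) if ip in pinned else None
        unexpected = sorted(macs - {expected}) if expected else []
        if len(macs) > 1 or unexpected:
            report[ip] = {"macs": sorted(macs), "unexpected": unexpected}
    return report

if __name__ == "__main__":
    for ip, info in find_conflicts(SAMPLE).items():
        print(ip, "claimed by", info["macs"], "unexpected:", info["unexpected"])
```

An IP that is overwritten by only one MAC and has no pinned binding is not reported, since a single overwrite can be an ordinary hardware change.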

