Date:      Thu, 18 Jul 2002 17:07:18 -0400
From:      "Barkell, Bill" <Bill.Barkell@compuware.com>
To:        "'Z. Frazier'" <zfrazier@u.washington.edu>, faSty <fasty@i-sphere.com>
Cc:        Craig Miller <craig@millerfam.net>, freebsd-security@FreeBSD.ORG
Subject:   RE: wierdness in my security report
Message-ID:  <A58643BEDEF7D211BABB0008C75D853F109742B9@fhpri01.compuware.com>

I'm not sure if I'm repeating anything here or not, but it looks like
12.236.220.1 may be a router. If so, it's possible for an attacker to poison
your ARP cache to make your machine think the attacker's machine is
12.236.220.1. This would cause the MAC address change. Packets for the net
can then be routed through the attacker's machine, allowing him/her to view
everything.

One must look at MAC address changes of the router address very carefully
(and suspiciously).

There are programs available that do this ARP cache poisoning (dsniff suite
and others).



Bill Barkell, CISSP
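
The check Bill describes, watching the gateway's MAC address for changes, can be scripted against the kernel messages quoted in this thread. The following is an added example and not code from any poster; the log sample reuses the two syslog lines from Craig's report plus one constructed line for a non-gateway host, and the set of gateway addresses is an assumption the operator supplies.

```python
import re

# FreeBSD kernel ARP warning as shown in the thread, optionally preceded by the
# syslog prefix ("Jul 17 05:47:56 server /kernel: ").
ARP_MOVED = re.compile(
    r"(?:(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+/kernel:\s+)?"
    r"arp:\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+moved\s+from\s+"
    r"(?P<old>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+to\s+"
    r"(?P<new>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+on\s+(?P<ifname>\S+)",
    re.IGNORECASE,
)

# Sample input: the two syslog lines quoted in the thread, one constructed
# line for a workstation whose NIC was replaced, and one unrelated sshd line.
SAMPLE_LOG = [
    "Jul 17 05:47:56 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0",
    "Jul 17 05:47:57 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0",
    "Jul 17 09:12:03 server /kernel: arp: 12.236.220.40 moved from 00:50:56:aa:bb:cc to 00:50:56:aa:bb:dd on dc0",
    "Jul 17 09:12:04 server sshd[412]: Accepted publickey for craig from 12.236.220.40",
]
# Assumed: the operator knows which addresses are routers (the default route).
GATEWAYS = {"12.236.220.1"}

def parse_arp_moves(lines):
    """Return one dict per 'arp: ... moved' line; unrelated lines are skipped."""
    events = []
    for line in lines:
        m = ARP_MOVED.search(line)
        if m:
            events.append(m.groupdict())
    return events

def summarize(lines, gateways):
    """Per IP: MACs seen, number of changes, gateway flag, and a 'flapping' flag."""
    report = {}
    for ev in parse_arp_moves(lines):
        entry = report.setdefault(ev["ip"], {"macs": set(), "changes": 0,
                                              "gateway": ev["ip"] in gateways})
        entry["macs"].update((ev["old"].lower(), ev["new"].lower()))
        entry["changes"] += 1
    for entry in report.values():
        # The thread's symptom: the same two MACs alternating back and forth.
        entry["flapping"] = entry["changes"] >= 2 and len(entry["macs"]) == 2
    return report

def alerts(lines, gateways):
    """A gateway is reported on its first MAC change; other hosts only when flapping."""
    return [f"{ip}: {e['changes']} change(s) among {sorted(e['macs'])}"
            + (" [gateway]" if e["gateway"] else "")
            for ip, e in sorted(summarize(lines, gateways).items())
            if e["gateway"] or e["flapping"]]
```

A single MAC change on a non-gateway host is usually a swapped card or a DHCP lease moving, which is why only the gateway and flapping cases are surfaced.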




-----Original Message-----
From: Z. Frazier [mailto:zfrazier@u.washington.edu]
Sent: Thursday, July 18, 2002 4:53 PM
To: faSty
Cc: Craig Miller; freebsd-security@FreeBSD.ORG
Subject: Re: wierdness in my security report



I don't have my logs in front of me, but I remember getting something
similar when my ATT cable connection goes down.

You are right that they disagree over who gets the IP address; the owner
will switch every time the ATT network goes down and comes back up.

I am however basing most of this on what a friend told me about my similar
logs.

The good news is that you can parse your logs for such events and get
reimbursed for the time your network was down.


-zach

On Thu, 18 Jul 2002, faSty wrote:

> DO you have bridge on your server?
>
> I have that same similar and the bridge 2 ethernet port fight over who
> master the primary IP address.
>
> -fasty
>
> On Thu, Jul 18, 2002 at 10:47:21AM -0700, Craig Miller wrote:
> > Anyone have any ideas as to what might be causing the following to
> > appear in my security report?
> >
> >  arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
> > > Jul 17 05:47:56 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
> > > arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0
> > > Jul 17 05:47:57 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0
> >
> > I thought those : delimited fields would be MAC addresses, but they
> > don't match the MAC addresses of either of the two cards in my FreeBSD box.
> > I have not checked the MAC addresses of the other network cards on my
> > network.
> >
> > Also, where does the "server /kernel" name come from?  "kernel" is not
> > the name I gave my kernel, so I am suspicious.
> >
> > Thanks,
> >
> > --Craig
> >
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>





The contents of this e-mail are intended for the named addressee only. It
contains information that may be confidential. Unless you are the named
addressee or an authorized designee, you may not copy or use it, or disclose
it to anyone else. If you received it in error please notify us immediately
and then destroy it. 

