From owner-freebsd-security  Thu Nov 15 20:31:55 2001
Delivered-To: freebsd-security@freebsd.org
Received: from d150h247.resnet.uconn.edu (d150h247.resnet.uconn.edu [137.99.150.247])
	by hub.freebsd.org (Postfix) with SMTP id 57B6B37B416
	for <security@FreeBSD.ORG>; Thu, 15 Nov 2001 20:31:52 -0800 (PST)
Received: (qmail 421 invoked by uid 1001); 16 Nov 2001 04:30:53 -0000
Date: Thu, 15 Nov 2001 23:30:53 -0500
From: "Peter C. Lai" <sirmoo@cowbert.2y.net>
To: Mitch Collinsworth <mitch@collinsworth.info>
Cc: Greg <greg@rapidfx.com>, security@FreeBSD.ORG
Subject: Re: Re[2]: unusual  log in var/log/messages
Message-ID: <20011115233053.F80130@cowbert.2y.net>
Reply-To: peter.lai@uconn.edu
References: <12126694534.20011115181537@rapidfx.com> <Pine.LNX.4.10.10111152219470.1744-100000@ruby.ccmr.cornell.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <Pine.LNX.4.10.10111152219470.1744-100000@ruby.ccmr.cornell.edu>; from mitch@collinsworth.info on Thu, Nov 15, 2001 at 10:21:44PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

I have seen this continously when someone is trying to spoof a router.
I have tested this by spoofing a router, but I think it can
also be generalized to any pair of hosts with the same IP and
neither wants to let it go (which is what is being done when one
spoofs a host).

On Thu, Nov 15, 2001 at 10:21:44PM -0500, Mitch Collinsworth wrote:
> 
> On Thu, 15 Nov 2001, Greg Wirth wrote:
> 
> > I also see these from time to time, and have never pinned down
> > exactly what it means. I've never found any damage or abuse
> > during or after these messages. I would really like to know.
> > The times always match, and happen at random times.
> > Versions don't seem to matter, as it has happened since 3.3
> > 
> > Nov 12 06:18:41 aix /kernel: arp: 24.237.82.161 moved from
> >  00:40:c7:81:22:04 to 00:04:ac:1a:4e:e7 on dc0
> > Nov 12 06:18:41 aix /kernel: arp: 24.237.82.161 moved from
> >  00:04:ac:1a:4e:e7 to 00:40:c7:81:22:04 on dc0
> 
> Have you checked to find out which system(s) are involved?  It has
> to be someone on the same subnet with you.
> 
> -Mitch
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

-- 
Peter C. Lai
University of Connecticut
Dept. of Residential Life | Programmer
Dept. of Molecular and Cell Biology |
Undergraduate Research Assistant
http://cowbert.2y.net/
860.427.4542
203.206.3784

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message