From owner-freebsd-questions@FreeBSD.ORG Mon Mar 17 03:36:20 2008
Message-ID: <64c038660803162036x661ae5fbgdf2d00f0dcc7d163@mail.gmail.com>
Date: Sun, 16 Mar 2008 21:36:18 -0600
From: Modulok
To: freebsd-questions@freebsd.org
Subject: ARP(4) spoofing?

Would this be ARP(4) spoofing, or is it just me? How would I confirm it?

arp: 192.168.1.1 is on lo0 but got reply from xx:xx:xx:xx:xx:xx on em1
last message repeated 18 times
last message repeated 19 times
last message repeated 9 times
last message repeated 10 times
last message repeated 19 times
last message repeated 24 times
last message repeated 24 times
last message repeated 24 times
last message repeated 34 times
last message repeated 23 times
last message repeated 23 times
last message repeated 26 times
last message repeated 26 times
last message repeated 26 times
last message repeated 25 times
last message repeated 25 times
last message repeated 27 times
last message repeated 30 times
last message repeated 27 times
last message repeated 27 times
last message repeated 30 times
last message repeated 10 times
...

This is on a FreeBSD router; em1 is Internet-facing. 192.168.1.1 (em0) is LAN facing and a permanent entry in the arp cache. This happens constantly and is slowly filling my log files.

Thoughts? Suggestions?

-Modulok-
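
One way to tally the messages quoted above by claimed IP, sender MAC and receiving interface, folding in syslogd's "last message repeated N times" notices so the totals show whether one MAC or several are answering for the address. This is an added example, not part of the original post; the syslog prefix, hostname and MAC addresses in the sample are constructed.

```python
import re
from collections import Counter

# Kernel message as quoted in the post; a syslog prefix may precede it.
# "x" is accepted in the MAC so the redacted form in the post also parses.
ARP_RE = re.compile(
    r"arp: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is on (?P<local_if>\S+) "
    r"but got reply from (?P<mac>[0-9a-fA-Fx:]{17}) on (?P<rx_if>\S+)")
REPEAT_RE = re.compile(r"last message repeated (\d+) times?")

def tally_arp_conflicts(lines):
    """Count conflicting ARP replies per (ip, mac, receiving interface)."""
    counts = Counter()
    previous = None  # key of the preceding line if it was an arp conflict
    for line in lines:
        repeat = REPEAT_RE.search(line)
        if repeat:
            # syslogd's repeat notice refers to the line logged just before
            # it, so credit it only when that line was an arp conflict.
            if previous is not None:
                counts[previous] += int(repeat.group(1))
            continue
        m = ARP_RE.search(line)
        previous = (m["ip"], m["mac"].lower(), m["rx_if"]) if m else None
        if previous is not None:
            counts[previous] += 1
    return counts

def macs_per_ip(counts):
    """Map each claimed IP to the set of MACs that answered for it."""
    result = {}
    for ip, mac, _rx_if in counts:
        result.setdefault(ip, set()).add(mac)
    return result

# Constructed sample in /var/log/messages style (hostname and MACs made up).
SAMPLE = """\
Mar 16 20:00:01 router kernel: arp: 192.168.1.1 is on lo0 but got reply from 02:00:00:00:00:01 on em1
Mar 16 20:00:31 router last message repeated 18 times
Mar 16 20:03:00 router sshd[812]: Connection closed by 192.168.1.20
Mar 16 20:03:30 router last message repeated 2 times
Mar 16 20:04:00 router kernel: arp: 192.168.1.1 is on lo0 but got reply from 02:00:00:00:00:01 on em1
Mar 16 20:04:10 router kernel: arp: 192.168.1.1 is on lo0 but got reply from 02:00:00:00:00:02 on em1
""".splitlines()

if __name__ == "__main__":
    totals = tally_arp_conflicts(SAMPLE)
    for (ip, mac, rx_if), n in totals.most_common():
        print(f"{n:5d}  {ip} claimed by {mac} on {rx_if}")
```
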