[Dshield] Strange arpwatch reports

Jon R. Kibler Jon.Kibler at aset.com
Fri Oct 29 07:46:59 GMT 2004


Greetings all,

OK, I have been scratching my head on this one for a couple of days now... it has me REALLY baffled. Tuesday morning I was stunned to see Arpwatch report new stations on my network:

>             hostname: <unknown>
>           ip address: X.Y.50.91
>     ethernet address: 0:4:27:fd:b8:59
>      ethernet vendor: Cisco Systems, Inc.
>            timestamp: Tuesday, October 26, 2004 8:31:50 -0400

and

>             hostname: <unknown>
>           ip address: X.Y.50.90
>     ethernet address: 0:4:27:fd:b8:59
>      ethernet vendor: Cisco Systems, Inc.
>            timestamp: Tuesday, October 26, 2004 8:31:46 -0400
> 

Looking at my arpwatch data files, I find the MAC is the same as an ethernet interface on one of my routers:

> 0:4:27:fd:b8:59	X.Y.2.254	1003034255	border6837
> 0:4:27:fd:b8:59	X.Y.50.90	1099033875
> 0:4:27:fd:b8:59	X.Y.50.91	1098793910

Checking the router, no one has telnet-ed to it since early September, the configuration or NVRAM hasn't changed since August, and SNMP and HTTP are all turned off. Furthermore, the X.Y.50/24 network is not valid internally and should not be internally routable. (That Ethernet interface has an IP and netmask of X.Y.2.254 255.255.255.0.) 
Process accounting shows that all systems on that network were basically idle at the time of the incident, logs are internally consistent and show no evidence of tampering, IDSes report nothing suspect, all systems have been thoroughly checked for compromise, etc. Also, it is not possible that this is external data from a spoofed source IP because the associated netblock is filtered inbound for such addresses and the interface in question is an outbound interface.

I'm completely stumped as to what is going on here... anyone have any ideas?

TIA!

Jon Kibler
-- 
Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA
(843) 849-8214
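The arpwatch data file quoted above records one line per MAC/IP pair (MAC, IP, last-seen epoch time, optional hostname). As an added example that is not part of the original post, the following Python script reads lines in that layout, lists every MAC bound to more than one IP, and flags the MACs whose IPs fall outside the subnets the interface is expected to serve. The sample data and the 10.7.x.x addresses are constructed to mirror the post (which redacted its own as X.Y); a router interface that legitimately answers for several addresses (secondary addresses, proxy ARP, first-hop redundancy) will also trip the check, so the expected-network list should include every subnet the interface is meant to cover.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in arpwatch's arp.dat layout:
# MAC <tab> IP <tab> last-seen epoch <tab> [hostname]. Addresses are made up.
SAMPLE_ARP_DAT = """\
0:4:27:fd:b8:59\t10.7.2.254\t1003034255\tborder6837
0:4:27:fd:b8:59\t10.7.50.90\t1099033875
0:4:27:fd:b8:59\t10.7.50.91\t1098793910
0:50:56:aa:bb:cc\t10.7.2.17\t1098790000\tworkstation17
"""


def parse_arp_dat(text):
    """Yield (mac, ip, epoch, hostname) tuples from arp.dat-style lines."""
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) < 3:
            continue  # blank or malformed line
        mac, ip, epoch = parts[0].strip(), parts[1].strip(), int(parts[2])
        host = parts[3].strip() if len(parts) > 3 else ""
        yield mac, ipaddress.ip_address(ip), epoch, host


def macs_with_multiple_ips(text):
    """Return {mac: sorted IPs} for every MAC recorded against more than one IP."""
    by_mac = defaultdict(set)
    for mac, ip, _epoch, _host in parse_arp_dat(text):
        by_mac[mac].add(ip)
    return {mac: sorted(str(ip) for ip in ips)
            for mac, ips in by_mac.items() if len(ips) > 1}


def find_subnet_anomalies(text, expected_nets):
    """Return {mac: sorted IPs} for IPs seen outside every expected network.

    expected_nets: the subnets the monitored interface should answer for,
    e.g. ["10.7.2.0/24"]. Anything else is a candidate for investigation.
    """
    expected = [ipaddress.ip_network(n) for n in expected_nets]
    by_mac = defaultdict(list)
    for mac, ip, _epoch, _host in parse_arp_dat(text):
        by_mac[mac].append(ip)
    anomalies = {}
    for mac, ips in by_mac.items():
        stray = {str(ip) for ip in ips if not any(ip in net for net in expected)}
        if stray:
            anomalies[mac] = sorted(stray)
    return anomalies
```

Run against a live arp.dat, the second function reproduces the post's finding: the router MAC is the only one with addresses outside its configured /24.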
