[unisog] Xbox: making up MAC 00:50:F2:* and IP address 0.0.0.1

David P. Allen allendp at plu.edu
Tue Dec 4 16:47:59 GMT 2001


On Tue, 4 Dec 2001, Irwin Tillman wrote:

> I've begun seeing IP traffic apparently from a Microsoft Xbox attached
> to our campus network.
>
> I'm seeing UDP broadcasts from 0.0.0.1(3074) to 255.255.255(3074).
> (Although in a few cases, the IPsrc was 255.255.255.255(3074).  Yes,
> that's right.)  Naturally, these hit my IP egress spoof filters.
>
> 3074 is assigned as the xbox port (as per IANA).
>
> The broadcasts are coming from a wide variety of MAC sources, all
> starting with 00:50:F2.  These are all apparently coming from a single
> device; it seems to me that the device uses (makes up?) many different
> MAC addresses, changing often.
>
> I've looked for any technical information that would explain why the
> device grabs an IP address not belonging to it, and appears to make up
> all those MAC addresses.  (This doesn't appear right to me.)  Haven't
> found anything at Microsoft's xbox site, or other news/web searches,
> other than to confirm that someone else has begun seeing the traffic
> too.
>
> Anyone have any pointers to technical info about why the device is doing
> this (and how to get it to behave better)?

I am under the impression that the XBox uses IPv6 for it's addressing
system.  That's how it can basically cluster with other XBoxen for
multiplayer games.  As you may know, with IPv6 it is designed to
automatically find the addresses it needs for a variety of communication
zones possibly resulting in _multiple_ addresses for any given device on
the network.

I'll take a wild guess and say that what you're seeing is possibly a
result of some non-IPv6 aware hardware/software trying to interpret those
packets.

I haven't had a chance to test this theory (anyone willing to give me an
XBox?), but it was my impression that by default the XBox was not IPv4
addressable and was reliant on IPv6 to avoid confusing users with
configuration options.

Can anyone else comment on this hypothesis?

David P. Allen
Network Manager
Pacific Lutheran University

{ (253) 535-7524          | "...one of the main causes of the fall of  }
{ allendp at PLU.edu         |  Rome was that, lacking zero, they had no  }
{ www.plu.edu/~allendp    |  way to indicate successful termination of }
{                         |  their C programs."         --Robert Firth }




More information about the unisog mailing list