[unisog] Xbox: making up MAC 00:50:F2:* and IP address

Curtis Kline ckline at housing.ucsb.edu
Tue Dec 4 17:06:48 GMT 2001

Not too sure about your strange mac and IP addresses, but here's a few
tidbits on how xBox gamers may be using their "equipment".

First, Microsoft isn't supporting broadband play until Fall 2002
[ http://www.xbox.com/support/default.htm ]

So, industrious folks have come out with ways to convince their xBox
that it is on a local net with some other, much more remote, xBoxes...
thus allowing for multiplayer use over the Internet.

Here's a couple of currently popular ways, one using Windows XP VPN
functionality, and one using RedHat Linux as a "bridge" of sorts.


One question... how did you determine that your 00:50:F2 traffic was
coming from a single machine? Sure you don't just have a group of people
trying to play xBox games across your net? I'm assuming 00:50:F2 is a
legitimate prefix for xBox, since it is registered to MS.


-----Original Message-----
From: Irwin Tillman [mailto:irwin at princeton.edu]
Sent: Tuesday, December 04, 2001 7:37 AM
To: unisog at sans.org
Subject: [unisog] Xbox: making up MAC 00:50:F2:* and IP address

I've begun seeing IP traffic apparently from a Microsoft Xbox
attached to our campus network.

I'm seeing UDP broadcasts from to 255.255.255(3074).
(Although in a few cases, the IPsrc was 
Yes, that's right.)  Naturally, these hit my IP egress spoof filters.

3074 is assigned as the xbox port (as per IANA).

The broadcasts are coming from a wide variety of MAC sources, all
with 00:50:F2.  These are all apparently coming from a single device; it
appears to me that the device uses (makes up?) many different MAC addresses,
changing often.

I've looked for any technical information that would explain why the
device grabs an IP address not belonging to it, and appears to make up 
all those MAC addresses.  (This doesn't appear right to me.)  Haven't
found anything at Microsoft's xbox site, or other news/web searches,
other than to confirm that someone else has begun seeing the traffic

Anyone have any pointers to technical info about why the device is doing
this (and how to get it to behave better)?

Irwin Tillman
OIT Network Systems/Princeton University
