[unisog] Strange things from our residence.

David P. Allen allendp at plu.edu
Wed Oct 23 01:06:16 GMT 2002


Pete Hickey wrote:

>So we've had a weird problem (on a subnet) in one of our residences.
>It seems like people were gradually losing connectivity.  What was
>happening is that someone was sending out ethernet packets with a
>source MAC address of FFFFFFFFFFFF.  A broadcast as the source.
>
>Now, what the switch was doing (a bug IMO) was noting that this was
>the MAC associated with that port.  Then, all broadcasts were directed
>to that port, and not broadcast.  Arps would then stop working, new
>connections wouldn't DHCP, etc...
>
>What I'm wondering, is what was he doing.  I want to capture the
>guy and torture him to find out, but I seem to be running into
>some resistance.
>
>Did he just screw up, or is this some kind of (bungled?) way to do
>something nasty?
>
>-Pete
>  
>

Sounds a lot like a tool I've seen that is designed to "overload" a
switch's ARP cache and force broadcast of traffic to all ports.
Essentially turning a switch into a hub until it eventually relearns
everyone's port location.  Obviously, this tool is designed to provide a
mechanism for sniffing even on a supposed "secure" segment, but it does
have its drawbacks.  Not the least of which is the obvious user
reactions of "something is broken".

BTW, for anyone interested, I can't remember the name of the utility at 
the moment, but will supply it (once I remember) upon request.

-- 
David P. Allen
Network Manager
Pacific Lutheran University

{ (253) 535-7524          | "...one of the main causes of the fall of  }
{ allendp at PLU.edu         |  Rome was that, lacking zero, they had no  }
{ www.plu.edu/~allendp    |  way to indicate successful termination of }
{                         |  their C programs."         --Robert Firth }
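
Added example, not part of the original posts: a small detection sketch that audits mirrored Ethernet frames for the two conditions discussed in this thread, a broadcast or group address used as the source MAC (never valid for a source) and an unusual number of source MACs learned on one port. The port numbers, the per-port threshold and the sample frames are constructed assumptions.

```python
import struct

BROADCAST = b"\xff" * 6

def fmt(mac):
    return ":".join(f"{b:02x}" for b in mac)

def source_mac_problem(src):
    """Return why src is not a valid source address, or None if it is fine."""
    if src == BROADCAST:
        return "broadcast address used as source"
    if src[0] & 0x01:  # I/G bit set: a group (multicast) address
        return "group address used as source"
    if src == b"\x00" * 6:
        return "all-zero source"
    return None

def audit(frames, max_macs_per_port=4):
    """frames: iterable of (port, raw Ethernet II frame). Returns alert strings."""
    alerts, seen, flagged = [], {}, set()
    for port, raw in frames:
        if len(raw) < 14:
            alerts.append(f"port {port}: truncated frame")
            continue
        _dst, src, _etype = struct.unpack("!6s6sH", raw[:14])
        problem = source_mac_problem(src)
        if problem:
            alerts.append(f"port {port}: {problem} ({fmt(src)})")
            continue  # never count an invalid source as a learned station
        macs = seen.setdefault(port, set())
        macs.add(src)
        if len(macs) > max_macs_per_port and port not in flagged:
            flagged.add(port)  # alert once per port
            alerts.append(f"port {port}: more than {max_macs_per_port} source MACs")
    return alerts

def frame(dst, src, etype=0x0806):
    """Build a constructed test frame: 14-byte header plus 46 bytes of padding."""
    return bytes.fromhex(dst) + bytes.fromhex(src) + struct.pack("!H", etype) + bytes(46)

# Constructed sample traffic (not captured from any real network).
SAMPLE = [(1, frame("ffffffffffff", "020000000001")),   # ordinary ARP broadcast
          (7, frame("ffffffffffff", "ffffffffffff")),   # broadcast as source
          (7, frame("020000000001", "01005e000001"))]   # group address as source
SAMPLE += [(9, frame("ffffffffffff", f"0200000009{i:02x}")) for i in range(6)]

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```

The threshold plays the same role as a per-port MAC limit on the switch itself; set it to whatever a residence port is expected to carry.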




