[unisog] Strange things from our residence.
schoenk at utulsa.edu
Wed Oct 23 01:17:17 GMT 2002
Sounds to me like someone trying to poison the arp table. If they
answer to broadcast, then they receive all arp requests. If they learn
the MAC of the router (which is easy), they can report in response to
ARPs that they are the IP and MAC of the router. If all the machines on
the subnet are convinced that the student's machine is the router, then
the student's computer receives all traffic on the subnet, which the
student can then forward to the real router (after inspection of
course). I would be seriously investigating this issue immediately.
Pete Hickey wrote:
>SO we've had a weird problem (on a subnet) in one of our residences.
>It seems like people were gradually loosing connectivity. What was
>happening is that someone was sending out ethernet packets with a
>source MAC address of FFFFFFFFFFFF.. A broadcast as the asource.
>NOw, what the switch was doing (a bug IMO) was noting that this was
>the MAC associated with that port. Then, all broadcasts were directed
>to that port, and not broadcast. Arps would then stop working, new
>connections wouldn't DHCP, etc...
>What I'm wondering, is what was he doing. I want to capture the
>guy and torture him to find out, but I seem to be running into
>Did he just screw up, or is this some kind of (bungled?) way to do
More information about the unisog