[unisog] Strange things from our residence.

Keith Schoenefeld schoenk at utulsa.edu
Wed Oct 23 01:17:17 GMT 2002

Sounds to me like someone trying to poison the ARP table.  If they 
answer to broadcast, then they receive all ARP requests.  If they learn 
the MAC of the router (which is easy), they can report in response to 
ARPs that they are the IP and MAC of the router.  If all the machines on 
the subnet are convinced that the student's machine is the router, then 
the student's computer receives all traffic on the subnet, which the 
student can then forward to the real router (after inspection, of 
course).  I would be seriously investigating this issue immediately.

-- KS

Pete Hickey wrote:

>So we've had a weird problem (on a subnet) in one of our residences.
>It seems like people were gradually losing connectivity.  What was
>happening is that someone was sending out Ethernet packets with a
>source MAC address of FFFFFFFFFFFF.  A broadcast as the source.
>Now, what the switch was doing (a bug IMO) was noting that this was
>the MAC associated with that port.  Then, all broadcasts were directed
>to that port, and not broadcast.  ARPs would then stop working, new
>connections wouldn't DHCP, etc...
>What I'm wondering is what he was doing.  I want to capture the
>guy and torture him to find out, but I seem to be running into
>some resistance.
>Did he just screw up, or is this some kind of (bungled?) way to do
>something nasty?
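
Added example, not part of the original thread: a detection check for the two conditions discussed above, a group (broadcast/multicast) address used as an Ethernet source and an ARP sender claiming the router's IP from a MAC that is not the router's. The gateway IP and MAC, the helper names and the sample frames are assumptions constructed for illustration.

```python
import struct

# Assumed values for this example; neither appears in the thread.
GATEWAY_IP = "192.0.2.1"
GATEWAY_MAC = "00:00:5e:00:53:01"

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def inspect_frame(frame):
    """Return findings for one raw Ethernet II frame (bytes)."""
    if len(frame) < 14:
        return ["truncated frame"]
    findings = []
    src = frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    # Low bit of the first octet marks a group (broadcast/multicast) address,
    # which is never valid as a source.
    if src[0] & 0x01:
        findings.append(f"group address {mac(src)} used as source MAC")
    if ethertype == 0x0806 and len(frame) >= 42:
        htype, ptype, hlen, plen, _oper = struct.unpack("!HHBBH", frame[14:22])
        if (htype, ptype, hlen, plen) == (1, 0x0800, 6, 4):
            sha, spa = frame[22:28], frame[28:32]
            if sha != src:
                findings.append(f"ARP sender MAC {mac(sha)} differs from Ethernet source")
            if ".".join(map(str, spa)) == GATEWAY_IP and mac(sha) != GATEWAY_MAC:
                findings.append(f"{mac(sha)} claims gateway IP {GATEWAY_IP}")
    return findings

def build_arp(eth_src, sha, spa, oper=2):
    """Construct a sample ARP frame as bytes, for offline testing only."""
    h = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: bytes(int(p) for p in a.split("."))
    return (h("ff:ff:ff:ff:ff:ff") + h(eth_src)
            + struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, oper)
            + h(sha) + ip(spa) + bytes(6) + ip("192.0.2.50"))

# Constructed sample frames (documentation address ranges).
HOST = "00:00:5e:00:53:66"
LEGIT = build_arp(GATEWAY_MAC, GATEWAY_MAC, GATEWAY_IP)
SPOOF = build_arp(HOST, HOST, GATEWAY_IP)
BCAST_SRC = build_arp("ff:ff:ff:ff:ff:ff", HOST, "192.0.2.77", oper=1)

if __name__ == "__main__":
    for name, frame in [("legit", LEGIT), ("spoof", SPOOF), ("bcast-src", BCAST_SRC)]:
        print(name, inspect_frame(frame))
```

The gateway MAC used for comparison has to come from the router's own configuration, not from ARP traffic on the subnet being checked.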

