[unisog] Odd MAC addresses on switch

Glenn Forbes Fleming Larratt glratt at io.com
Mon Jul 12 14:00:38 GMT 2004


I've seen two instances of this on our ResNet, with fifteen of the 
sixteen highest-order bits of the MAC address totally in flux (the
only one *not* changing, per the docs at
http://www.mynetwatchman.com/pckidiot/chap04.htm, was the bit that
designates unicast/multicat - they were always unicast addresses),
for a total number of MAC address approaching 32K.
 
We turned off the user's port and requested that the user use a
different NIC in each case, as that one was either broken (most
likely) or so poorly designed it was causing brownouts of service in
that corner of ResNet. 

	-g

On Mon, 12 Jul 2004, Alan Moen wrote:

> On our residential network we've got a student who stands out because of his
> repeated viral infections and stubborn denials of having done nothing wrong.
> 
> 
> Today, one of our network security folks took a look at his port on the
> switch and came up with a very large number of MAC addresses associated with
> it - 271 addresses. The odd part is that all but the last address (which was
> the MAC on the machine we found when we went to investigate) had the form
> xx-xx-61-21-18-9f where the first two bytes changed but the last four
> remained the same. No one here has seen anything like this, so we're not
> sure if this guy was running an application to change his MAC or had some
> other device connected earlier in the day - he wasn't home when we went
> there.
> 
> Does anyone have an idea what he may have been doing there?
> 
> Thanks for your time,
> Alan
-- 
Glenn Forbes Fleming Larratt         The Lab Ratt (not briggs :-) 
glratt at io.com                        http://www.io.com/~glratt  
There are imaginary bugs to chase in heaven.




More information about the unisog mailing list