[unisog] Odd MAC addresses on switch

Glenn Forbes Fleming Larratt glratt at io.com
Mon Jul 12 14:00:38 GMT 2004

I've seen two instances of this on our ResNet, with fifteen of the 
sixteen highest-order bits of the MAC address totally in flux (the
only one *not* changing, per the docs at
http://www.mynetwatchman.com/pckidiot/chap04.htm, was the bit that
designates unicast/multicast - they were always unicast addresses),
for a total number of MAC addresses approaching 32K.
We turned off the user's port and requested that the user use a
different NIC in each case, as that one was either broken (most
likely) or so poorly designed it was causing brownouts of service in
that corner of ResNet. 


On Mon, 12 Jul 2004, Alan Moen wrote:

> On our residential network we've got a student who stands out because of his
> repeated viral infections and stubborn denials of having done nothing wrong.
> Today, one of our network security folks took a look at his port on the
> switch and came up with a very large number of MAC addresses associated with
> it - 271 addresses. The odd part is that all but the last address (which was
> the MAC on the machine we found when we went to investigate) had the form
> xx-xx-61-21-18-9f where the first two bytes changed but the last four
> remained the same. No one here has seen anything like this, so we're not
> sure if this guy was running an application to change his MAC or had some
> other device connected earlier in the day - he wasn't home when we went
> there.
> Does anyone have an idea what he may have been doing there?
> Thanks for your time,
> Alan
Glenn Forbes Fleming Larratt         The Lab Ratt (not briggs :-) 
glratt at io.com                        http://www.io.com/~glratt  
There are imaginary bugs to chase in heaven.
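
Added example (not part of either message above): a Python sketch of the check both posts describe. It groups the MAC addresses learned on one switch port by their low four bytes and reports which of the sixteen high-order bits vary, and whether the unicast/multicast bit stays fixed. The function names, the min_group threshold and the sample addresses are assumptions; only the 61-21-18-9f suffix comes from the thread.

```python
from collections import defaultdict

IG_BIT = 0x0100  # unicast/multicast bit: lowest bit of the first octet


def parse_mac(text):
    """Return the 6 bytes of a MAC written with '-', ':' or '.' separators."""
    digits = "".join(c for c in text if c not in "-:.")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(digits)


def churn_report(macs, min_group=3):
    """Group MACs by low four bytes; describe how the top 16 bits vary."""
    groups = defaultdict(set)
    for text in macs:
        mac = parse_mac(text)
        groups[mac[2:]].add(int.from_bytes(mac[:2], "big"))
    report = []
    for suffix, prefixes in groups.items():
        if len(prefixes) < min_group:  # a single stable NIC is not churn
            continue
        base = next(iter(prefixes))
        varying = 0
        for p in prefixes:  # a bit is set if any prefix differs there
            varying |= p ^ base
        report.append({
            "suffix": suffix.hex("-"),
            "count": len(prefixes),
            "varying_mask": varying,
            "varying_bits": bin(varying).count("1"),
            "ig_bit_constant": not (varying & IG_BIT),
            "all_unicast": all(not (p & IG_BIT) for p in prefixes),
        })
    return sorted(report, key=lambda r: -r["count"])


# Constructed sample of addresses learned on one port (not real data).
SAMPLE = [
    "02-1c-61-21-18-9f", "a4-7e-61-21-18-9f", "5e-03-61-21-18-9f",
    "f0-b9-61-21-18-9f", "00-11-22-33-44-55",
]

if __name__ == "__main__":
    for row in churn_report(SAMPLE):
        print(row)
```
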
