[unisog] Odd MAC addresses on switch

Frank Sweetser fs at WPI.EDU
Mon Jul 12 14:10:52 GMT 2004

On Mon, Jul 12, 2004 at 08:21:22AM -0400, Alan Moen wrote:
> Today, one of our network security folks took a look at his port on the
> switch and came up with a very large number of MAC addresses associated with
> it - 271 addresses. The odd part is that all but the last address (which was
> the MAC on the machine we found when we went to investigate) had the form
> xx-xx-61-21-18-9f where the first two bytes changed but the last four
> remained the same. No one here has seen anything like this, so we're not
> sure if this guy was running an application to change his MAC or had some
> other device connected earlier in the day - he wasn't home when we went
> there.

My first thought, is that the machine was trying to fill up the forwarding
database on the switch by flooding it with as many source mac addresses as
possible.  By populating the FDB with bogus addresses, the attacker can try
and force legitimate entries out and keep them from being relearned.  This
means that all traffic destined to the legitimate machines will be flooded out
all ports, making it possible to sniff their traffic without being inline.

Frank Sweetser fs at wpi.edu
WPI Network Engineer
GPG fingerprint = 6174 1257 129E 0D21 D8D4  E8A3 8E39 29E3 E2E8 8CEC
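The reply above describes the forwarding-database (FDB) flooding technique. What a network engineer investigating a port like the one described wants is a quick way to tell a flooded port from a busy but legitimate one (an uplink, say). Two signals from the same FDB dump do that: the raw count of addresses on an access port, and the structural pattern Alan noticed, where the last four bytes stay fixed while the first two change, which is what a counter-driven address generator produces rather than real hardware from many vendors. The script below is an added example written for this page, not code from the original thread; the sample FDB dump it analyzes is constructed inline, the port names are invented, and the thresholds (`max_macs`, `min_shared_suffix`) are assumptions to tune for the site. Where the switch supports a per-port MAC limit (port security), that stops the table from filling in the first place; this check is the detection side for when it is not enabled.

```python
from collections import defaultdict


def _build_sample():
    """Constructed 'port mac' lines imitating the dump described in the post."""
    lines = []
    # Access port under suspicion: first two bytes vary, last four bytes fixed
    for i in range(30):
        lines.append(f"Gi1/0/5 {(i * 7) % 256:02x}-{(i * 13 + 5) % 256:02x}-61-21-18-9f")
    lines.append("Gi1/0/5 00-0c-29-aa-bb-cc")  # the host actually found on the port
    # Ordinary access port with a couple of real addresses
    lines.append("Gi1/0/6 00-50-56-11-22-33")
    lines.append("Gi1/0/6 00-50-56-44-55-66")
    # Uplink port: many addresses, but structurally diverse (hypothetical OUI 00-1b-xx)
    for i in range(40):
        lines.append(f"Gi1/0/7 00-1b-{i:02x}-{(i * 3) % 256:02x}-{i:02x}-{255 - i:02x}")
    return lines


SAMPLE_FDB = _build_sample()


def parse_fdb(lines):
    """Return {port: [mac, ...]} from 'port mac' lines, MACs normalised to aa-bb-cc-dd-ee-ff."""
    table = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 2:
            continue  # skip headers or malformed lines
        port, mac = parts
        table[port].append(mac.lower().replace(":", "-"))
    return dict(table)


def analyze_port(macs, max_macs=8, min_shared_suffix=10):
    """Score one port's MAC list.

    over_limit:        more addresses than an access port should ever carry.
    generated_pattern: many addresses share the last four bytes and differ only
                       in the first two, the shape of a counter-based generator.
    """
    suffix_groups = defaultdict(set)  # last four bytes -> set of first-two-byte prefixes
    for mac in macs:
        octets = mac.split("-")
        if len(octets) != 6:
            continue
        suffix_groups["-".join(octets[2:])].add("-".join(octets[:2]))
    largest = max((len(prefixes) for prefixes in suffix_groups.values()), default=0)
    return {
        "mac_count": len(macs),
        "over_limit": len(macs) > max_macs,
        "largest_shared_suffix_group": largest,
        "generated_pattern": largest >= min_shared_suffix,
    }


def flag_ports(lines, **thresholds):
    """Analyze every port in an FDB dump; callers filter on the two boolean signals."""
    return {port: analyze_port(macs, **thresholds) for port, macs in parse_fdb(lines).items()}


if __name__ == "__main__":
    for port, result in sorted(flag_ports(SAMPLE_FDB).items()):
        print(port, result)
```

On the constructed sample the suspicious port trips both signals, the uplink trips only the count (40 addresses, but no shared suffix), and the ordinary access port trips neither. Treating a port as flooded only when both signals fire keeps uplinks and hub-attached rooms out of the alert, which is the false positive an engineer would otherwise chase first.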
