[unisog] Odd MAC addresses on switch

Bob Johnson bob88 at eng.ufl.edu
Mon Jul 12 14:20:08 GMT 2004

Alan Moen wrote:
> On our residential network we've got a student who stands out because of his
> repeated viral infections and stubborn denials of having done nothing wrong.
> Today, one of our network security folks took a look at his port on the
> switch and came up with a very large number of MAC addresses associated with
> it - 271 addresses. The odd part is that all but the last address (which was
> the MAC on the machine we found when we went to investigate) had the form
> xx-xx-61-21-18-9f where the first two bytes changed but the last four
> remained the same. No one here has seen anything like this, so we're not
> sure if this guy was running an application to change his MAC or had some
> other device connected earlier in the day - he wasn't home when we went
> there.
> Does anyone have an idea what he may have been doing there?

Most (?) switches fail over to acting like broadcast hubs when their 
address tables overflow, so one method of sniffing traffic on a switched 
network is to feed the switch enough bogus MAC addresses to overflow the 
address tables.

If that is what is going on, it could be a trojan on his system 
attempting to sniff your network under remote control, or he could be 
doing it intentionally.  Or it could be something else entirely, so 
don't be too quick to accuse him.

On the other hand, I would contend that if he is repeatedly getting 
virus infections, he is doing something wrong, whether he knows it or not.

- Bob

> Thanks for your time,
> Alan
> --
> Alan K. Moen
> Lead Business Systems Analyst
> Business and Auxiliary Operations
> Wayne State University
> 313.577.4763


   Bob Johnson            Senior Systems Programmer
   bob88 at eng.ufl.edu      College of Engineering
                          340-A Weil Hall
   352-392-9217 Office    University of Florida
   352-392-7063 Fax       Gainesville, FL  32611
"Security isn't a tangible thing, it is applied psychology."
                                                         - Alec Muffett
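
An added example, not part of the original messages: one way to spot the pattern described in this thread (hundreds of learned addresses on a single port, nearly all sharing the last four bytes) from an exported address table. The (port, MAC) input format, the port names, the thresholds and the sample table are assumptions constructed for illustration; only the 61-21-18-9f suffix and the count of 271 come from the thread.

```python
from collections import Counter, defaultdict

def normalize(mac):
    """Return a MAC as a tuple of six lowercase hex octets, or None if malformed."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        return None
    return tuple(digits[i:i + 2] for i in range(0, 12, 2))

def suspicious_ports(entries, min_macs=50, suffix_octets=4, min_share=0.9):
    """Flag ports that learned at least min_macs distinct addresses of which
    at least min_share end in the same suffix_octets bytes.
    entries is an iterable of (port, mac) pairs; thresholds are assumptions."""
    per_port = defaultdict(set)
    for port, mac in entries:
        octets = normalize(mac)
        if octets is not None:
            per_port[port].add(octets)
    findings = {}
    for port, macs in per_port.items():
        if len(macs) < min_macs:
            continue  # an ordinary access port learns only a handful of addresses
        suffix, hits = Counter(m[-suffix_octets:] for m in macs).most_common(1)[0]
        if hits / len(macs) >= min_share:
            findings[port] = {"macs": len(macs),
                              "suffix": "-".join(suffix),
                              "matching": hits}
    return findings

def sample_table():
    """Constructed data: 270 addresses of the form xx-xx-61-21-18-9f plus one
    ordinary address on port-07, and two quiet ports for contrast."""
    rows = []
    for i in range(270):
        hi, lo = divmod(i * 241, 256)  # distinct first-two-byte pairs
        rows.append(("port-07", "%02x-%02x-61-21-18-9f" % (hi, lo)))
    rows.append(("port-07", "00-11-22-33-44-55"))   # constructed "real" NIC
    rows.append(("port-08", "00:11:22:33:44:66"))   # colon notation also parses
    rows.append(("port-09", "0011.2233.4477"))      # dotted notation also parses
    rows.append(("port-09", "not-a-mac"))           # malformed rows are skipped
    return rows

if __name__ == "__main__":
    for port, info in suspicious_ports(sample_table()).items():
        print(port, info)
```

Comparing the shared suffix against the address of the machine actually found on the port helps separate a downstream device from software that is rewriting the source address.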
