
Re: help: duplicate MAC address



On Thu, Oct 19, 2006 at 11:01:39AM +0800, Lestat V wrote:
> On 10/19/06, Lestat V <dreameration@gmail.com> wrote:
> >On 10/19/06, Javier Fernández-Sanguino Peña <jfs@computer.org> wrote:
> >> On Wed, Oct 18, 2006 at 11:09:35AM +0800, Lestat V wrote:
> 
> I tried "/usr/sbin/tcpdump -ei eth0 arp" for a while and got results
> as excerpted as follows: (10.100.105.105 is me)
(...)

> 10:19:53.811841 00:e0:4c:8c:a2:d1 (oui Unknown) > 00:11:2f:57:9b:6f
> (oui Unknown), ethertype ARP (0x0806), length 60: arp reply
> 10.100.105.13 is-at 00:e0:4c:8c:a2:d1 (oui Unknown)
> ^^^^^^^^^^^^^^^^^ got two MAC's for .13

Can you 'arping' 00:e0:4c:8c:a2:d1 ?

> 10:28:24.678589 00:11:2f:57:9b:6f (oui Unknown) > Broadcast, ethertype
> ARP (0x0806), length 42: arp who-has 10.100.105.99 tell 10.100.105.105
> 10:28:24.678930 00:11:2f:7c:e6:83 (oui Unknown) > 00:11:2f:57:9b:6f
> (oui Unknown), ethertype ARP (0x0806), length 60: arp reply
> 10.100.105.99 is-at 00:11:2f:7c:e6:83 (oui Unknown)
> 10:28:24.679134 00:07:84:52:55:3c (oui Unknown) > 00:11:2f:57:9b:6f
> (oui Unknown), ethertype ARP (0x0806), length 60: arp reply
> 10.100.105.99 is-at 00:00:0c:07:ac:00 (oui Cisco)
> ^^^^^^^^^^^^^^^^^two MAC for .99

Can you 'arping' 00:07:84:52:55:3c ?

> From above can we deduce that .251 .252 are gateway, and .99 and .13
> reside in the same subnet as .105, while .14 and .88 reside outside?

We can deduce that you are being ARP poisoned by 00:00:0c:07:ac:00 for only
a given set of MAC addresses (which do not include your gateway). The fact
that you get only an ARP packet for .14 might be because collisions in the
switch made it drop the ARP reply for the *legitimate* .14.

Have you tried to use 'arptables' to filter out 00:00:0c:07:ac:00 so that
you don't listen to its ARP replies? Also, did you try any of the tools to
*detect* arp poisoning I pointed out in my first e-mail?

BTW, that MAC address seems to be a multicast address used by HSRP routers.
Do you have any Cisco HSRP routers in your network?

Regards

Javier
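
Added example (not part of the original message): a small Python check over `tcpdump -e arp` output that reports the two patterns visible in the capture quoted above, an IP address claimed by more than one MAC and an ARP reply whose Ethernet source differs from the MAC it advertises. The function name and the one-packet-per-line sample layout are assumptions; the sample lines are the ones quoted in this message, unwrapped.

```python
import re
from collections import defaultdict

# Sample input: packets quoted in the message above, one per line as
# tcpdump prints them (the archive wrapped each one over three lines).
SAMPLE = """\
10:19:53.811841 00:e0:4c:8c:a2:d1 (oui Unknown) > 00:11:2f:57:9b:6f (oui Unknown), ethertype ARP (0x0806), length 60: arp reply 10.100.105.13 is-at 00:e0:4c:8c:a2:d1 (oui Unknown)
10:28:24.678589 00:11:2f:57:9b:6f (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 42: arp who-has 10.100.105.99 tell 10.100.105.105
10:28:24.678930 00:11:2f:7c:e6:83 (oui Unknown) > 00:11:2f:57:9b:6f (oui Unknown), ethertype ARP (0x0806), length 60: arp reply 10.100.105.99 is-at 00:11:2f:7c:e6:83 (oui Unknown)
10:28:24.679134 00:07:84:52:55:3c (oui Unknown) > 00:11:2f:57:9b:6f (oui Unknown), ethertype ARP (0x0806), length 60: arp reply 10.100.105.99 is-at 00:00:0c:07:ac:00 (oui Cisco)
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
# Ethernet source MAC (printed by -e) and the IP/MAC pair carried in the ARP reply.
REPLY = re.compile(
    rf"^\S+ (?P<src>{MAC}) .*? arp reply "
    rf"(?P<ip>\d+(?:\.\d+){{3}}) is-at (?P<claimed>{MAC})",
    re.IGNORECASE,
)


def analyse_arp_replies(capture):
    """Return (conflicts, mismatches) for the ARP replies in a tcpdump -e capture.

    conflicts:  {ip: [mac, ...]} for every IP advertised with more than one MAC
    mismatches: [(ip, ethernet_source, advertised_mac)] where the frame's
                source MAC is not the MAC the reply advertises
    """
    claims = defaultdict(set)
    mismatches = []
    for line in capture.splitlines():
        m = REPLY.match(line)
        if not m:
            continue  # requests (who-has) and non-ARP lines are ignored
        src, ip, claimed = m["src"].lower(), m["ip"], m["claimed"].lower()
        claims[ip].add(claimed)
        if src != claimed:
            mismatches.append((ip, src, claimed))
    conflicts = {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}
    return conflicts, mismatches


if __name__ == "__main__":
    conflicts, mismatches = analyse_arp_replies(SAMPLE)
    for ip, macs in conflicts.items():
        print(f"{ip} claimed by {', '.join(macs)}")
    for ip, src, claimed in mismatches:
        print(f"{ip}: frame from {src} advertises {claimed}")
```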
