Educause Security Discussion mailing list archives
Re: SECURITY Digest - 8 Sep 2008 to 9 Sep 2008 (#2008-173)
From: "Erwin L. Carrow" <erwin.carrow () USG EDU>
Date: Wed, 10 Sep 2008 08:28:36 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

"Two-Bits" of possibility: Some IP spoofing tactics employ creation of bogus MACs - per MAC standards those listed should not violate / step-on others in your network and can therefore be used to build the logical IP layer on top of them, e.g., do Vlan ACL (VACLs) and forget about them.

- --
Erwin (Chris) Louis Carrow, CISSP, INFOSEC, CSSP, CCNP, OCM
IT Auditor II
Board of Regents, University System of Georgia
270 Washington Street S.W., Ste. 7087
Atlanta, GA 30334
(404)657-9890 Office, (678)644-3526 Cell
Email: erwin.carrow () usg edu

------------------------------

Date: Tue, 9 Sep 2008 09:50:03 -0400
From: Peter Charbonneau <Peter.Charbonneau () WILLIAMS EDU>
Subject: Mac addresses

I am seeing "sequential" MAC addresses on my network in the form of:

02-00-00-00-00-01 02-00-00-00-00-02 02-00-00-00-00-03 02-00-00-00-00-04 02-00-00-00-00-05
02-00-00-00-00-06 02-00-00-00-00-07 02-00-00-00-00-08 02-00-00-00-00-09 02-00-00-00-00-10
02-00-00-00-00-11 02-00-00-00-00-12 02-00-00-00-00-13 02-00-00-00-00-14 02-00-00-00-00-15
02-00-00-00-00-16 02-00-00-00-00-17 02-00-00-00-00-18 02-00-00-00-00-19 02-00-00-00-00-20

These are only a few ... I have about 100 of them. They only exist in my "BlachHole" VLAN -- no connectivity to anything else, no routers no nothing.

I can't find any documentation on what these MAC addresses are. I am guessing that they are some sort of LLDP MAC address, but it seems weird that I don't get any search engine hits about them.

This is not one machine spewing out multiple bogus addresses, but many machines .... one to one? Not sure.

Ideas?

PeteC

Peter Charbonneau
Sr. Network and Systems Administrator
Williams College
(413) 597-3408 (office)
(413) 822-2922 (cell)

------------------------------

Date: Tue, 9 Sep 2008 10:00:43 -0400
From: "Di Fabio, Andrea" <adifabio () NSU EDU>
Subject: Re: Mac addresses

I would start with finding what switchport they are coming from and then pay a visit to that machine if it is just one machine or one switchport. Could be a CAM flood attack or a bad NIC or hub attached to the port.

Did you take a packet capture to see what's on layer 3-7?
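
Added example, not part of the original thread: the addresses in the question all start with octet 02, which has the locally administered (U/L) bit set, and the first reply suggests tracing them to a switchport. The sketch below groups such addresses by VLAN and shared five-octet prefix and lists the ports they were learned on; the three-column table format, the port names and the sample rows are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of a switch MAC address table: VLAN, MAC, port.
SAMPLE_TABLE = """\
999  02-00-00-00-00-01  Gi1/0/3
999  02-00-00-00-00-02  Gi1/0/7
999  02-00-00-00-00-03  Gi1/0/7
999  02-00-00-00-00-04  Gi1/0/12
999  00-1B-21-3C-9A-10  Gi1/0/3
10   00-1E-C9-55-02-7F  Gi1/0/20
"""

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([-:][0-9A-Fa-f]{2}){5}$")

def parse_mac(text):
    """Return the 6 raw octets of a MAC written with '-' or ':' separators."""
    if not MAC_RE.match(text):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(re.sub(r"[-:]", "", text))

def is_locally_administered(mac):
    # U/L bit: second-least-significant bit of the first octet (0x02).
    return bool(mac[0] & 0x02)

def is_multicast(mac):
    # I/G bit: least-significant bit of the first octet (0x01).
    return bool(mac[0] & 0x01)

def local_mac_clusters(table_text, min_size=3):
    """Group locally administered unicast MACs by (VLAN, first five octets)."""
    clusters = defaultdict(lambda: {"macs": set(), "ports": set()})
    for line in table_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip headers or malformed rows
        vlan, mac_text, port = fields
        mac = parse_mac(mac_text)
        if is_locally_administered(mac) and not is_multicast(mac):
            key = (vlan, mac[:5].hex("-"))
            clusters[key]["macs"].add(mac)
            clusters[key]["ports"].add(port)
    # Report only prefixes shared by at least min_size distinct addresses.
    return {k: {"count": len(v["macs"]), "ports": sorted(v["ports"])}
            for k, v in clusters.items() if len(v["macs"]) >= min_size}

if __name__ == "__main__":
    for (vlan, prefix), info in local_mac_clusters(SAMPLE_TABLE).items():
        print(f"VLAN {vlan} prefix {prefix}: {info['count']} MACs on {info['ports']}")
```

A cluster that maps to a single port points at one device or a hub behind it; a cluster spread over many ports matches the "many machines" case described in the question.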