Security Incidents mailing list archives

ANOTHER DNS MAC ADDRESS Change w/h Unix Log File


From: mikeyv1970 () SNSWORLD NET (Michael Vaughan)
Date: Wed, 19 Jan 2000 14:32:36 -0500


Hello all,

Below is the log file from a Unix server that appears
to have logged the fact that an NT 4.0 DNS server's MAC
address decided to change.
This is the second time this has happened within a
month. The first involved a change for six minutes
(around midnight...no one on campus). This time...0-1
second. This is what I am initially recommending...

1) A scan of EVERY device connected to the network to
determine MAC addresses. This would be done more than
once of course.
Compare to see if any match the detected address.
2) Use a 'sniffer' to monitor the network for this MAC
address (if not initially found) henceforth...and to
monitor for any 'suspicious' activity.

What I am attempting to do is determine if this is
simply a node MAC address conflict (possible) or a
spoofing attack.

Any suggestions for determining the cause?

<log>
Jan 14 19:14:25 druid /kernel: arp: 10.1.11.32 moved
from 00:30:80:1f:60:5f to 00:50:04:6b:ff:bf on x10
Jan 14 19:14:25 druid /kernel: arp: 10.1.11.32 moved
from 00:50:04:6b:ff:bf to 00:30:80:1f:60:5f on x10
</log>

Thanks in advance for any help!!

Respectfully,
-Michael Vaughan
Microsoft Certified Systems Engineer
Web Site: http://www.nku.edu/~vaughan
Mail: vaughan () nku edu
ICQ: 20031116

-"Sic pas pacem, para bellum"
-If you desire peace, prepare for war
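The checks Michael proposes (watch for the ARP "moved" events and compare every MAC seen against a scan inventory) can be scripted over the kernel log. The following is an added example, not code from the original post: it parses BSD-style `arp: <ip> moved from <mac> to <mac> on <iface>` lines as shown in the log above, flags an IP whose MAC changes and reverts within a window (a single move is a NIC swap or DHCP reassignment; a rapid flip-flop means two hosts are answering for the same IP, whether by conflict or spoofing), and lists MACs that no inventoried device claims. The year (2000, from the post's date), the extra sample lines and the inventory table are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple

# Format of the lines quoted in the post (the mail wrapped each entry over two
# lines; here each entry is rejoined onto one line as syslog writes it).
ARP_MOVE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) /kernel: arp: "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) moved from (?P<old>[0-9a-fA-F:]{17}) "
    r"to (?P<new>[0-9a-fA-F:]{17}) on (?P<iface>\S+)$"
)


class ArpMove(NamedTuple):
    when: datetime
    host: str
    ip: str
    old_mac: str
    new_mac: str
    iface: str


def parse_arp_moves(lines: List[str], year: int = 2000) -> List[ArpMove]:
    """Return one ArpMove per matching line; other log lines are ignored.
    syslog timestamps carry no year, so one is supplied (assumed: the post's year)."""
    events = []
    for line in lines:
        m = ARP_MOVE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append(ArpMove(when, m["host"], m["ip"],
                              m["old"].lower(), m["new"].lower(), m["iface"]))
    return events


def find_flipflops(events: List[ArpMove], window_seconds: int = 60) -> List[dict]:
    """Flag an IP whose MAC moves A -> B and back B -> A within window_seconds.
    The MAC the IP returns to is reported as the stable one, the other as intruding."""
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.when):  # stable sort keeps log order on ties
        by_ip[ev.ip].append(ev)
    findings = []
    for ip, moves in by_ip.items():
        for a, b in zip(moves, moves[1:]):
            gap = (b.when - a.when).total_seconds()
            if b.old_mac == a.new_mac and b.new_mac == a.old_mac and gap <= window_seconds:
                findings.append({"ip": ip, "stable_mac": a.old_mac,
                                 "intruding_mac": a.new_mac, "seconds": gap,
                                 "iface": a.iface, "first_seen": a.when.isoformat()})
    return findings


def unexpected_macs(events: List[ArpMove], inventory: Dict[str, str]) -> List[str]:
    """Step 1 of the post: compare every MAC seen in ARP moves with a scan
    inventory (MAC -> device). Returns the MACs no inventoried device claims."""
    seen = {mac for ev in events for mac in (ev.old_mac, ev.new_mac)}
    return sorted(seen - {mac.lower() for mac in inventory})


# Constructed sample: the two entries from the post, plus an assumed earlier
# six-minute incident (the "first time" described), a plain NIC replacement
# on another host, and an unrelated line that must be ignored.
SAMPLE_LOG = """\
Jan 13 23:58:10 druid /kernel: arp: 10.1.11.32 moved from 00:30:80:1f:60:5f to 00:50:04:6b:ff:bf on x10
Jan 14 00:04:10 druid /kernel: arp: 10.1.11.32 moved from 00:50:04:6b:ff:bf to 00:30:80:1f:60:5f on x10
Jan 14 19:14:25 druid /kernel: arp: 10.1.11.32 moved from 00:30:80:1f:60:5f to 00:50:04:6b:ff:bf on x10
Jan 14 19:14:25 druid /kernel: arp: 10.1.11.32 moved from 00:50:04:6b:ff:bf to 00:30:80:1f:60:5f on x10
Jan 14 19:20:03 druid /kernel: arp: 10.1.11.7 moved from 00:a0:c9:12:34:56 to 00:a0:c9:ab:cd:ef on x10
Jan 14 19:20:04 druid sshd[123]: connection from 10.1.11.9
"""

# Constructed inventory standing in for the results of the campus-wide MAC scan.
KNOWN_DEVICES = {
    "00:30:80:1f:60:5f": "NT 4.0 DNS server (10.1.11.32)",
    "00:a0:c9:12:34:56": "lab workstation, old NIC",
    "00:a0:c9:ab:cd:ef": "lab workstation, replacement NIC",
}

if __name__ == "__main__":
    evs = parse_arp_moves(SAMPLE_LOG.splitlines())
    for finding in find_flipflops(evs, window_seconds=600):
        print("flip-flop:", finding)
    print("MACs not in inventory:", unexpected_macs(evs, KNOWN_DEVICES))
```

With a 60-second window only the one-second event on Jan 14 is flagged; widening it to 600 seconds also catches the six-minute incident, while the single move on 10.1.11.7 is never reported. The MAC left over after the inventory comparison is the one to hunt for with the sniffer.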
