I've been tightening up my ipf.rules recently and AFAIK the messages have
only just started appearing. Should I be suspicious? What else can I do to
get more info on this bicycle seat sniffer - if it is one.
Oliver
----- Original Message -----
From: "Dimitry Andric" <d...@xs4all.nl>
To: "Oliver Bode" <oli...@optushome.com.au>
Cc: <mi...@openbsd.org>
Sent: Friday, December 07, 2001 1:46 AM
Subject: Re: arp info overwritten
> On 2001-12-06 at 15:03:42 Oliver Bode wrote:
>
> OB> Dec 6 05:31:47 firewall /bsd: arp info overwritten for
> OB> xxx.xxx.xxx.xxx by 00:30:80:6e:88:8c on ne3
>
> Usually this is caused by two machines having the same IP address,
> either erroneously or maliciously. :)
>
>
> OB> I think xxx.xxx.xxx.xxx is the address of the default gateway.
>
> If it really is your default gateway (not hard to check, just see
> netstat -rn), then it could be that somebody is trying to spoof it.
> That is a common trick to be able to sniff all outgoing traffic.
>
> If these messages continue, contact your ISP's abuse department, while
> keeping your log files handy. They'll need the ethernet address of the
> offender. :)
>
> Cheers,
> --
> Dimitry Andric <d...@xs4all.nl>
> PGP Key: http://www.xs4all.nl/~dim/dim.asc
> Fingerprint: 7AB462D2CE35FC6D42394FCDB05EA30A2E2096A3
> Lbh ner abj va ivbyngvba bs gur QZPN
Can't it just be somebody replacing ethernet cards?
( ISPs also burn out hardware, no? )
Regards,
Stoyan Genov
Dimitry Andric wrote about Re: arp info overwritten:
someguy with a computer
----- Original Message -----
From: "Oliver Bode" <oli...@optushome.com.au>
To: <mi...@openbsd.org>
Sent: Thursday, December 06, 2001 9:03 AM
Subject: arp info overwritten
> My ISP has been having a few problems over the past few days and I'm
> noticing these messages. I am trying to understand what they mean.
>
> Dec 6 05:31:47 firewall /bsd: arp info overwritten for xxx.xxx.xxx.xxx by
> 00:30:80:6e:88:8c on ne3
> Dec 6 06:03:34 firewall /bsd: arp info overwritten for xxx.xxx.xxx.xxx by
> 00:30:80:6e:88:a8 on ne3
> Dec 6 07:09:31 firewall /bsd: arp info overwritten for xxx.xxx.xxx.xxx by
> 00:30:80:6e:88:a8 on ne3
>
> I think xxx.xxx.xxx.xxx is the address of the default gateway. I am on cable
> modem and have a dynamic IP address that has remained static for months,
> until yesterday when it changed, it has since changed back to the original
> address.
>
> Any suggestions on what could be going on?
00:30:80:... ethernet addresses are assigned to cisco, so either your
provider is running some load-balancing or failover scheme that uses
the HW ethernet addresses, or whoever's intercepting traffic for the
gateway actually bothered to use a cisco HW address.
Most probably it's a failover scheme called "manual intervention";
that is, they replaced a broken cisco router with a working one to
repair things; then they switched back.
--
Arvid
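A small log check that applies the reasoning in Dimitry's and Arvid's replies (an added example, not code from anyone in the thread): it parses the "arp info overwritten" lines, counts which MACs have claimed the gateway address, and reports whether the flapping MACs share one vendor OUI (equipment swap or failover, as Arvid suggests) or not (worth a call to the ISP's abuse desk with the log, as Dimitry suggests). The sample log, the placeholder gateway address 192.0.2.1, the one-entry OUI table and the function names are all assumptions made for this example.

```python
import re
from collections import Counter, defaultdict

# Regex for the OpenBSD kernel message quoted in the thread.
ARP_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) /bsd: "
    r"arp info overwritten for (?P<ip>\S+) by (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) on (?P<ifname>\S+)$",
    re.IGNORECASE,
)

# Constructed sample log: MACs and interface are the ones posted, 192.0.2.1 stands in
# for the masked gateway address, and the last line is unrelated noise to be skipped.
SAMPLE_LOG = """\
Dec 6 05:31:47 firewall /bsd: arp info overwritten for 192.0.2.1 by 00:30:80:6e:88:8c on ne3
Dec 6 06:03:34 firewall /bsd: arp info overwritten for 192.0.2.1 by 00:30:80:6e:88:a8 on ne3
Dec 6 07:09:31 firewall /bsd: arp info overwritten for 192.0.2.1 by 00:30:80:6e:88:a8 on ne3
Dec 6 07:10:02 firewall sshd[123]: Accepted publickey for user from 192.0.2.5
"""

# Assumed OUI table holding only the prefix Arvid names; a real check would use the IEEE list.
OUI_VENDOR = {"00:30:80": "Cisco"}

def parse_arp_events(log_text):
    """Return one dict per 'arp info overwritten' line; other lines are skipped."""
    return [m.groupdict() for m in map(ARP_RE.match, log_text.splitlines()) if m]

def vendor_of(mac):
    return OUI_VENDOR.get(mac.lower()[:8], "unknown")

def assess(events, gateway_ip):
    """Count the MACs that claimed each IP and classify the gateway's history.

    Verdicts: one MAC only -> single overwrite; several MACs with one known vendor
    -> likely hardware swap/failover; otherwise -> treat as possible spoofing.
    """
    counts = defaultdict(Counter)
    for e in events:
        counts[e["ip"]][e["mac"].lower()] += 1
    gw = counts.get(gateway_ip, Counter())
    if not gw:
        return counts, "no-gateway-overwrites"
    if len(gw) == 1:
        return counts, "single-mac"
    vendors = {vendor_of(m) for m in gw}
    if len(vendors) == 1 and "unknown" not in vendors:
        return counts, "same-vendor-flap"
    return counts, "mixed-vendor-flap"
```

Run it against /var/log/messages with the real gateway address from `netstat -rn`; the per-IP MAC counts are what the abuse desk will ask for.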