OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: spoofing the ethernet address
From: James A. Robbins (robbins.7OSU.EDU)
Date: Wed Mar 15 2000 - 08:54:42 CST

At 11:15 AM 3/14/00 -0500, Arnold, Jamie wrote:
>I have a question that one/some of you may be able to help with. We have a
>user in one of our dorms (DHCP) that is reporting his MAC address as
>changing about every 10 minutes. When he first powers-on his system, the
>MAC is correct and DHCP renews his lease. After a while, the master switch
>shows his IP having about 10 different MAC addresses, all variations of the
>first where the first 4 digits remain constant, the second 4 go to the last
>position and the middle 4 change randomly. Has anyone seen this, or have
>any idea what's going on. My theory is a cheap NIC with bad firmware. We
>have seen an influx of inexpensive cards coming into campus that have had
>duplicate MACs or no MACs (000000000000) at all.

Arnold, we see this all the time. It usually means that a NIC is going
bad. Another symptom is when the IP addresses get all shuffled
around:

From: 128.146.20.14 To: 128.146.20.254

becomes

From: xxx.xxx.128.146 To: 20.14.xxx.xxx

Also, we see all zeros in MAC addresses all the time, especially on
Mac PowerPCs. It usually happens during large file transfers. 

--
James A. Robbins
Senior Design Engineer, Network Engineer
The Ohio State University
Chemistry Department