  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 4552
  • Last Modified:

MAC Spoofing Question

nbtstat -a 10.0.1.82

Local Area Connection:
Node IpAddress: [10.0.1.76] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    MARIA-PC       <00>  UNIQUE      Registered
    MARIA-PC       <20>  UNIQUE      Registered
    ARC            <00>  GROUP       Registered
    ARC            <1E>  GROUP       Registered

    MAC Address = 00-1D-09-87-2B-71


Right away the address in the request changes to 76. Why is that?


Symantec Endpoint Protection gives this:



Event Description: Unsolicited incoming ARP reply detected, this is a kind of MAC spoofing that may consequently do harm to your computer. Packet data is shown in the right window.
Attack Type: MAC Spoofing
Event Time: 10/13/2008 10:43:10
Remote Host IP: 10.0.1.100
Occurrence: 1
Alert: 1
Begin Time: 10/12/2008 22:42:58
End Time: 10/12/2008 22:42:58
Domain Name: Default
Site Name: Site server2
Server Name: server2
Group Name: My Company\team ARC
Computer Name  
Current: maria-pc
When event occurred: maria-pc
 
IP Address  
Current: 10.0.1.82

 
Operating system name: Windows XP Professional
Location Name: Default
User Name: maria
Severity: Minor
Local MAC: 001D09872B71
Remote MAC: 001D092868F4
Hardware Key: F99127C11A4FC6F9A870D8029F5CD7E7
Network Protocol: Other
Traffic Direction: Inbound
Send SNMP trap: 1
Remote Host Name:  
Hack Type: 0
Application Name:


About 20 of those messages came up before the PC got disconnected from the network by the firewall.


There is a thread on symantec forums here:
https://forums.symantec.com/syment/board/message?board.id=endpoint_protection11&message.id=17717&query.id=324180#M17717

But what I really need is a way to get to the bottom of this and see what's causing it on my network.

Being new to dealing with MAC addresses, I tried things like looking both of them up in the vendor DB, which came up as Dell for both addresses.

I only have 1 network adapter on that PC.

Points are 250.

Asked by: Anti-Mhz

1 Solution
Tolomir (Administrator) commented:
Could you post an

arp -a

result here too please.

And what is your setup? Are you on a bigger network, or connected to the Internet by cable / DSL / modem?

Anti-Mhz (Author) commented:
Interface: 10.0.1.82 --- 0x2
  Internet Address      Physical Address      Type
  10.0.1.1              00-0c-86-3d-4a-b0     dynamic
  10.0.1.100            00-1d-09-28-68-f4     dynamic
  10.0.1.129            00-0f-1f-f8-78-ec     dynamic
  10.0.1.150            00-0d-56-6f-b7-b3     dynamic


.1 - gateway
 .100, .129, .150 - 3 servers

all of these connections should be allowed.

I'm on a network with 3 servers all running Windows 2003 flavors (2 Standard and 1 SBS) with 15 workstations.

Tolomir (Administrator) commented:
OK, so basically Symantec found a computer using IP 10.0.1.76 and you wonder how it got into your network, right?

Is there anything WLAN related around?

How big is the network (in physical terms)? Is it permanently installed with wall plugs, or are all computers connected to a single switch?




Anti-Mhz (Author) commented:
Actually, I misled you. 76 is the PC I'm running nbtstat -a from. My mistake. What doesn't change is that

there is a workstation on the network under class D IP of 82 which has SED screaming that there is MAC spoofing going on. You can see the log in my first post.

This is a small network with 1 switch, 3 servers (1 DC), about 15 workstations.


Tolomir (Administrator) commented:
OK, it could be the case that there is a server with 2 network cards for load balancing with one IP.

Thus having 2 network cards with different MACs and one "shared" IP could result in Symantec shouting crime and murder.

Tolomir


Tolomir (Administrator) commented:
Attack Type: MAC Spoofing
Event Time: 10/13/2008 10:43:10
Remote Host IP: 10.0.1.100

---

.100, .129, .150 - 3 servers

Please check if server .100 is connected with 2 network cards to the switch.
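To make the cross-check Tolomir is asking for concrete, here is an added example (my own code, not from the thread or from Symantec) that parses the SEP event and the `arp -a` output posted above, compares the "Remote MAC" in the unsolicited reply with the MAC the workstation already had cached for "Remote Host IP", and then scans a list of (IP, MAC) observations for any IP answering from more than one hardware address, which is the two-NIC / one-IP situation Tolomir describes. The function names are mine; the event and ARP text are copied from the posts, and the extra observation for 10.0.1.100 is a constructed, hypothetical second adapter, not something seen on this network.

```python
"""Cross-check a Symantec Endpoint Protection "MAC Spoofing" event against the
local ARP cache. Added example using the data posted in this thread; helper
names are my own, not Symantec's.
"""
import re
from collections import defaultdict

# Copied from the first post (only the fields this check needs).
SEP_EVENT = """\
Event Description: Unsolicited incoming ARP reply detected, this is a kind of MAC spoofing that may consequently do harm to your computer.
Attack Type: MAC Spoofing
Event Time: 10/13/2008 10:43:10
Remote Host IP: 10.0.1.100
IP Address
Current: 10.0.1.82
Local MAC: 001D09872B71
Remote MAC: 001D092868F4
Traffic Direction: Inbound
"""

# Copied from the author's `arp -a` post.
ARP_A = """\
Interface: 10.0.1.82 --- 0x2
  Internet Address      Physical Address      Type
  10.0.1.1              00-0c-86-3d-4a-b0     dynamic
  10.0.1.100            00-1d-09-28-68-f4     dynamic
  10.0.1.129            00-0f-1f-f8-78-ec     dynamic
  10.0.1.150            00-0d-56-6f-b7-b3     dynamic
"""


def norm_mac(mac):
    """Canonical form: 12 lowercase hex digits with separators stripped,
    so SEP's 001D092868F4 and Windows' 00-1d-09-28-68-f4 compare equal."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return digits


def parse_sep_event(text):
    """Pull the 'Key: value' fields we need out of a SEP event dump."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return {
        "remote_ip": fields["Remote Host IP"],
        "remote_mac": norm_mac(fields["Remote MAC"]),
        "local_mac": norm_mac(fields["Local MAC"]),
    }


# One data row of Windows `arp -a`: IP, dashed MAC, entry type.
ARP_LINE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F-]{17})\s+(\w+)")


def parse_arp_a(text):
    """Parse Windows `arp -a` output into {ip: normalised mac}."""
    cache = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            cache[m.group(1)] = norm_mac(m.group(2))
    return cache


def assess(event, cache):
    """Compare the MAC in the unsolicited reply with the cached MAC for that IP.
    'consistent': the reply came from the address the host already trusted.
    'conflict':   a second adapter or a second machine is answering for the IP.
    'unknown-ip': nothing cached to compare against."""
    cached = cache.get(event["remote_ip"])
    if cached is None:
        return "unknown-ip"
    return "consistent" if cached == event["remote_mac"] else "conflict"


def ips_with_multiple_macs(observations):
    """Given (ip, mac) pairs gathered over time (repeated `arp -a` runs, or a
    capture), return {ip: sorted MAC list} for every IP seen with >1 MAC."""
    seen = defaultdict(set)
    for ip, mac in observations:
        seen[ip].add(norm_mac(mac))
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}


# Constructed observations (not from the thread): the real cache plus one
# hypothetical second adapter for .100, i.e. the two-NIC / one-IP case.
SAMPLE_OBSERVATIONS = list(parse_arp_a(ARP_A).items()) + [
    ("10.0.1.100", "00-1d-09-aa-bb-cc"),  # hypothetical second NIC
]

if __name__ == "__main__":
    ev = parse_sep_event(SEP_EVENT)
    print("SEP event vs ARP cache:", assess(ev, parse_arp_a(ARP_A)))
    print("IPs answering from more than one MAC:",
          ips_with_multiple_macs(SAMPLE_OBSERVATIONS))
```

On the posted data the event's Remote MAC matches the cache entry for 10.0.1.100, so the workstation already knew that address for the server; what SEP objected to was that the reply arrived without a request. Feeding it a series of observations rather than one snapshot is what exposes a second MAC for the same IP.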