Re: Strange pings from 127.0.0.1

From: Ranjeet Shetye (ranjeet.shetye2_at_zultys.com)
Date: 06/25/04

  • Next message: Alexandre Zglav: "Re: Personal firewall for lambda users"
    Date: Fri, 25 Jun 2004 12:19:39 -0700
    To: security-basics@securityfocus.com
    
    

    * Steven Trewick (STrewick@joplings.co.uk) wrote:
    >
    > >Next, (assuming non-promiscuous mode of operation by the NIC) I fail to
    > >understand how the author of this attack intends to reach his/her targets,
    > >if the dest MAC addresses are fake! I might be missing something obvious,
    > >so if someone can point it out to me, that would be great. thanks.
    >
    > The OP doesn't say what the SRC and DEST MAC are, (which would be helpful),
    > but its entirely possible that they are multicast MAC addresses, which
    > would be broadcast to every switch port.
    >
    > This is not always obvious if you don't know what to look for,
    > multicast MAC addresses are identifiable by the low order bit of
    > their first byte, if this is set to 1, (eg the byte is odd) the frame
    > is multicast.
    >
    > To take an example, if the destination MAC address is 01:xx:xx:xx:xx:xx
    > then it is a multicast address, same for 03:xx:xx:xx:xx:xx, but not
    > for 02::xx:xx:xx:xx:xx
    >
    > See http://www.iana.org/assignments/ethernet-numbers for a discussion
    > of MAC addressing in general, and an explanation (?) of MAC multicast
    >
    > While I doubt this is related to the OP's problem, I hope it will
    > prove useful.

    You are right, I made a bad assumption that if the MAC addresses were not
    unicast (i.e. they were multicast or broadcast) the OP would have made
    a specific mention of it.

    -- 
    Ranjeet Shetye
    Senior Software Engineer
    Zultys Technologies
    Ranjeet dot Shetye at Zultys dot com
    http://www.zultys.com/
     
    The views, opinions, and judgements expressed in this message are solely those of
    the author. The message contents have not been reviewed or approved by Zultys.
    ---------------------------------------------------------------------------
    Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
    any course! All of our class sizes are guaranteed to be 10 students or less 
    to facilitate one-on-one interaction with one of our expert instructors. 
    Attend a course taught by an expert instructor with years of in-the-field 
    pen testing experience in our state of the art hacking lab. Master the skills 
    of an Ethical Hacker to better assess the security of your organization. 
    Visit us at: 
    http://www.infosecinstitute.com/courses/ethical_hacking_training.html
    ----------------------------------------------------------------------------
    

  • Next message: Alexandre Zglav: "Re: Personal firewall for lambda users"