Re: Strange pings from 127.0.0.1

From: Ranjeet Shetye (ranjeet.shetye2_at_zultys.com)
Date: 06/25/04

  • Next message: Alexandre Zglav: "Re: Personal firewall for lambda users"
    Date: Fri, 25 Jun 2004 12:19:39 -0700
    To: security-basics@securityfocus.com
    
    

    * Steven Trewick (STrewick@joplings.co.uk) wrote:
    >
    > >Next, (assuming non-promiscuous mode of operation by the NIC) I fail to
    > >understand how the author of this attack intends to reach his/her targets,
    > >if the dest MAC addresses are fake! I might be missing something obvious,
    > >so if someone can point it out to me, that would be great. thanks.
    >
    > The OP doesn't say what the SRC and DEST MAC are, (which would be helpful),
    > but its entirely possible that they are multicast MAC addresses, which
    > would be broadcast to every switch port.
    >
    > This is not always obvious if you don't know what to look for,
    > multicast MAC addresses are identifiable by the low order bit of
    > their first byte, if this is set to 1, (eg the byte is odd) the frame
    > is multicast.
    >
    > To take an example, if the destination MAC address is 01:xx:xx:xx:xx:xx
    > then it is a multicast address, same for 03:xx:xx:xx:xx:xx, but not
    > for 02::xx:xx:xx:xx:xx
    >
    > See http://www.iana.org/assignments/ethernet-numbers for a discussion
    > of MAC addressing in general, and an explanation (?) of MAC multicast
    >
    > While I doubt this is related to the OP's problem, I hope it will
    > prove useful.

    You are right, I made a bad assumption that if the MAC addresses were not
    unicast (i.e. they were multicast or broadcast) the OP would have made
    a specific mention of it.

    -- 
    Ranjeet Shetye
    Senior Software Engineer
    Zultys Technologies
    Ranjeet dot Shetye at Zultys dot com
    http://www.zultys.com/
     
    The views, opinions, and judgements expressed in this message are solely those of
    the author. The message contents have not been reviewed or approved by Zultys.
    ---------------------------------------------------------------------------
    Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
    any course! All of our class sizes are guaranteed to be 10 students or less 
    to facilitate one-on-one interaction with one of our expert instructors. 
    Attend a course taught by an expert instructor with years of in-the-field 
    pen testing experience in our state of the art hacking lab. Master the skills 
    of an Ethical Hacker to better assess the security of your organization. 
    Visit us at: 
    http://www.infosecinstitute.com/courses/ethical_hacking_training.html
    ----------------------------------------------------------------------------
    

  • Next message: Alexandre Zglav: "Re: Personal firewall for lambda users"

    Relevant Pages

    • Re: understand multicasting from the client/host perspective .
      ... multicast group. ... If the multicast mac is ... separate ARP mapping for each host involved. ... And you can't have an ARP ...
      (comp.dcom.sys.cisco)
    • Re: understand multicasting from the client/host perspective .
      ... multicast group, my teacher told me that ... ... The multicast MAC part is where I have difficulty to understand well .. ... who lives there - he just delivers a mail. ... which MAC address available thriugh which port. ...
      (comp.dcom.sys.cisco)
    • RE: Strange pings from 127.0.0.1
      ... The OP doesn't say what the SRC and DEST MAC are,, ... but its entirely possible that they are multicast MAC addresses, ... to facilitate one-on-one interaction with one of our expert instructors. ...
      (Security-Basics)
    • Re: Spoof ethernet MAC address
      ... mac addresses are multicast addresses (there are more than just the ... If you are referring to the multicast and locally administered ... were not issuing address ranges consecutively, ... OUIs used for the classic 3C509 NIC. ...
      (comp.unix.bsd.openbsd.misc)
    • Re: Network Security
      ... prg wrote: ... _unless_ it is multicast -- I think I read that in one of the IEEE ... > to outfox the cable modems that expect to see one, and only one MAC ... that the "standard" for serial link transmission is LSB first. ...
      (linux.redhat)