Topic: Strange Ip + Mac Address  (Read 2150 times)
« on: April 14, 2007, 11:31:36 »
cybernetamd *
Posts: 5

In the last few days, I think my M0n0Wall has been breached, or I'm just overly paranoid for some reason. In my ARP table, I have a strange IP address in there; my IP range only goes to 192.168.5.1-192.168.5.20. The IP address found in the ARP table was 192.168.5.255: MAC address FF:FF:FF:FF:FF:FF. I have all my ports closed off and no network device in my network would have that IP. Has my network been breached through M0n0wall? Or is it just a misconfiguration that would lead to this little error?

Cybernetamd
« Reply #1 on: April 14, 2007, 14:19:36 »
wallacebw *
Posts: 5

If you are using a 24-bit subnet mask, i.e. 255.255.255.0, then the address that you are seeing (192.168.5.255: MAC address FF:FF:FF:FF:FF:FF) is the broadcast address of your subnet and can safely be ignored (this is the address used when a machine wants every other machine on the subnet to receive a packet 'message').


Some of the descriptions above are 'over-simplified' but suffice to answer the question.

Brian
« Reply #2 on: April 14, 2007, 23:03:35 »
cmb *****
Posts: 851

As wallacebw said, that's normal. That's the broadcast address and broadcast MAC.
« Reply #3 on: April 15, 2007, 19:25:43 »
cybernetamd *
Posts: 5

Thank you for replying, guys. Just to add onto that, there was one PC that I had on my network for some time but was unplugged completely from the network itself. The network cable, the power plug, all of it wasn't even in the tower, and I even tried to do a factory default restart on M0n0 wall itself; the computer that has been unplugged kept coming back over and over in the ARP table and then it tried to attack my other machines that were on the network. I think I have been spoofed, even though there is nothing open on my router at all. What do you think I can do to prevent myself from being breached, if I haven't already? Thanks again, guys.

« Reply #4 on: April 15, 2007, 21:49:36 »
cmb *****
Posts: 851

Unless someone is physically plugged into the LAN side of your network (or on wireless if you have an AP on your LAN), there's no way they're spoofing ARP unless they compromised a PC on your internal network. ARP is layer 2 (L2), and to do anything at L2 you have to be on the same broadcast domain, which means nobody from the Internet can do that.

This MAC and IP that keeps showing up in your ARP table, what is it? Does the MAC match up to any of your other machines? What vendor is associated with that MAC?

By "and then it tried to attack my other machines", what are you talking about? What makes you think that?
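
Added example, not part of the original thread: a small Python triage of an ARP table along the lines the replies describe (recognise the subnet broadcast entry, then compare every other entry against your own machines). The /24 subnet follows the assumption in Reply #1; the BSD-style `arp -an` sample lines, the inventory and all MAC addresses are constructed for illustration.

```python
import ipaddress
import re

# BSD-style `arp -an` line: "? (ip) at mac on iface ..."
ARP_LINE = re.compile(
    r"\((?P<ip>[\d.]+)\) at (?P<mac>(?:[0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2})\b")
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

def norm_mac(mac):
    # Lower-case and zero-pad each octet so "0:D:B9:..." compares equal.
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))

def classify_arp(lines, subnet, known):
    """Return {ip: [findings]}; known is an {ip: mac} inventory of your hosts."""
    net = ipaddress.ip_network(subnet)
    known = {ip: norm_mac(mac) for ip, mac in known.items()}
    first_ip_for_mac, report = {}, {}
    for line in lines:
        m = ARP_LINE.search(line)
        if not m:
            continue  # "(incomplete)" entries carry no MAC
        ip, mac = m["ip"], norm_mac(m["mac"])
        addr = ipaddress.ip_address(ip)
        if addr == net.broadcast_address and mac == BROADCAST_MAC:
            notes = ["subnet broadcast (normal)"]
        elif addr not in net:
            notes = ["outside LAN subnet"]
        elif ip not in known:
            notes = ["not in inventory"]
        elif known[ip] != mac:
            notes = ["MAC differs from inventory"]
        else:
            notes = ["known host"]
        if mac != BROADCAST_MAC:
            if int(mac[:2], 16) & 0x02:  # locally-administered bit
                notes.append("locally administered MAC (no vendor OUI)")
            if mac in first_ip_for_mac:
                notes.append(f"MAC also claims {first_ip_for_mac[mac]}")
            first_ip_for_mac.setdefault(mac, ip)
        report[ip] = notes
    return report

# Constructed sample data, not output from the poster's firewall.
SAMPLE = [
    "? (192.168.5.1) at 00:00:5e:00:53:01 on sis0 permanent [ethernet]",
    "? (192.168.5.7) at (incomplete) on sis0 [ethernet]",
    "? (192.168.5.10) at 0:0:5e:0:53:a on sis0 [ethernet]",
    "? (192.168.5.12) at 00:00:5E:00:53:0A on sis0 [ethernet]",
    "? (192.168.5.15) at 02:00:5e:00:53:99 on sis0 [ethernet]",
    "? (192.168.5.255) at ff:ff:ff:ff:ff:ff on sis0 permanent [ethernet]",
]
KNOWN = {"192.168.5.1": "00:00:5e:00:53:01", "192.168.5.10": "00:00:5e:00:53:0a"}
for ip, notes in classify_arp(SAMPLE, "192.168.5.0/24", KNOWN).items():
    print(f"{ip:15} {'; '.join(notes)}")
```

Entries flagged "not in inventory" or sharing a MAC with another IP are the ones worth tracing to a physical port or wireless client, since ARP entries can only come from the local broadcast domain.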
 