Re: [Full-Disclosure] SQL-worm 1 IP multiple MAC???
- To: Ariesto <skivebug2@xxxxxxxxxxxx>
- Subject: Re: [Full-Disclosure] SQL-worm 1 IP multiple MAC???
- From: Christopher Carey <security@xxxxxxxxxxxxxx>
- Date: Tue, 02 Mar 2004 19:40:19 -0700
Possibly: This MAC Flooding is an ARP Cache Poisoning technique aimed at
network switches. When certain switches are overloaded they often drop
into a "hub" mode. In "hub" mode, the switch is too busy to enforce its
port security features and just broadcasts all network traffic to every
computer in your network.
Chris Carey
On Tue, 2004-03-02 at 17:31, Ariesto wrote:
> Hi all,
>
> I've just found the old SQL-slammer again in my customer network and
> noticed something that I've never noticed before:
>
> The worm sends UDP packets using 1 static spoofed source IP and 1 static
> spoofed dest IP, but the MAC address changes in every packet (mostly the
> source mac). What is happening here?? Has anybody noticed this
> before??
>
> Cheers,
>
> -A
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
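
Added example, not part of the original messages: one way to check a capture for the pattern reported in this thread, a single source IP appearing with many source MAC addresses. The frames are constructed sample data, and the function names and the threshold of 3 are assumptions.

```python
import struct
from collections import defaultdict

def parse_frame(frame: bytes):
    """Return (src_mac, src_ip) for an untagged Ethernet II / IPv4 frame, else None."""
    if len(frame) < 34:                                   # 14-byte Ethernet + 20-byte IPv4 header
        return None
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:    # EtherType must be IPv4
        return None
    if frame[14] >> 4 != 4:                               # IP version nibble
        return None
    src_mac = frame[6:12].hex(":")
    src_ip = ".".join(str(b) for b in frame[26:30])       # IPv4 source address field
    return src_mac, src_ip

def macs_per_ip(frames):
    """Map each source IP to the set of source MACs it was seen with."""
    seen = defaultdict(set)
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed:
            mac, ip = parsed
            seen[ip].add(mac)
    return seen

def flag_suspects(frames, threshold=3):
    """Source IPs seen with at least `threshold` distinct source MACs (threshold is an assumption)."""
    return {ip: sorted(macs) for ip, macs in macs_per_ip(frames).items()
            if len(macs) >= threshold}

def build_frame(src_mac, src_ip, dst_ip="192.0.2.20", ethertype=0x0800):
    """Constructed sample frame: Ethernet II header plus a bare IPv4 header (protocol 17, UDP)."""
    eth = bytes.fromhex("0200000000ff") + bytes.fromhex(src_mac.replace(":", ""))
    eth += struct.pack("!H", ethertype)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip

# Constructed sample capture (documentation addresses, locally administered MACs).
SAMPLE_FRAMES = (
    [build_frame(f"02:00:00:00:01:{i:02x}", "198.51.100.7") for i in range(5)]  # one IP, five MACs
    + [build_frame("02:00:00:00:02:01", "192.0.2.10")] * 2                      # stable host
    + [build_frame("02:00:00:00:03:01", "192.0.2.11", ethertype=0x0806)]        # non-IPv4, ignored
)

if __name__ == "__main__":
    for ip, macs in flag_suspects(SAMPLE_FRAMES).items():
        print(f"{ip}: {len(macs)} source MACs -> {macs}")
```

The opposite relation, many IPs behind one MAC, is normal for routed traffic, so only the one-IP-to-many-MACs direction is flagged.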