Arpwatch positive question.
-
Arpwatch is detecting MAC changes to an IP address on random intervals. There is no manufacturer management software on this server. Has anyone seen positives like this?
May 1 10:11:54 kernel: arp: 10.10.1.12 moved from XX:XX:XX:XX:XX:0c to XX:XX:XX:XX:XX:08 on bge0
May 1 10:10:46 kernel: arp: 10.10.1.12 moved from XX:XX:XX:XX:XX:08 to XX:XX:XX:XX:XX:0c on bge0
May 1 07:35:54 kernel: arp: 10.10.1.12 moved from XX:XX:XX:XX:XX:0c to XX:XX:XX:XX:XX:08 on bge0
May 1 07:30:11 kernel: arp: 10.10.1.12 moved from XX:XX:XX:XX:XX:08 to XX:XX:XX:XX:XX:0c on bge0

This repeats all day long, never closer than 1hr15min intervals, and at most double that.
-
Why are you obfuscating the MAC addresses O_o
But the message is pretty much self-explanatory.
Check your network for the devices with these MAC addresses and debug why they have the same IP address.
-
Obfuscation: You only needed to see that the last part is the one changing.
And the only devices on the network with MACs that have those matching parts are in the same box, and each NIC is on a different network.
-
There's really no point in obfuscating MAC addresses because they are only visible in your local network. No attack surface to be gained here.
On the other side it helps someone analysing your problem. I could have seen if they are from the same manufacturer (same device?), or if the locally administered bit is set, which would be an indication of virtual MACs (e.g. CARP).

Please provide a network diagram of how your stuff is set up.
Obviously somewhere traffic is leaking between your networks.

In the diagram please don't obfuscate your internal network addresses.
It does not help your security and makes it harder to wrap one's mind around your setup.
Also don't leave out "non-critical devices".
You may think they have no impact, but maybe they do.
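Added example, not code from this thread: a small Python parser for the kernel "arp: ... moved from ... to" lines the first post shows. Per IP it lists the MACs the entry flips between, checks whether they share a vendor OUI and whether the locally administered bit (the CARP/virtual-MAC hint from the reply above) is set, and computes the gap in minutes between consecutive moves. The log lines and MAC addresses inside it are constructed, not the poster's real ones.

```python
import re
from datetime import datetime

# Constructed sample in the same shape as the kernel/arpwatch lines in the thread (MACs made up).
SAMPLE_LOG = """\
May 1 07:30:11 kernel: arp: 10.10.1.12 moved from 00:11:22:33:44:08 to 00:11:22:33:44:0c on bge0
May 1 07:35:54 kernel: arp: 10.10.1.12 moved from 00:11:22:33:44:0c to 00:11:22:33:44:08 on bge0
May 1 10:10:46 kernel: arp: 10.10.1.12 moved from 00:11:22:33:44:08 to 00:11:22:33:44:0c on bge0
May 1 10:11:54 kernel: arp: 10.10.1.12 moved from 00:11:22:33:44:0c to 00:11:22:33:44:08 on bge0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) kernel: arp: (?P<ip>[\d.]+) moved from "
    r"(?P<old>[0-9a-f:]{17}) to (?P<new>[0-9a-f:]{17}) on (?P<ifname>\S+)$", re.I)

def parse_moves(text, year=2000):
    """Parse 'moved from A to B' lines; syslog omits the year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an ARP move line, skip it
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "ip": m["ip"], "old": m["old"].lower(),
                       "new": m["new"].lower(), "ifname": m["ifname"]})
    return events

def is_locally_administered(mac):
    """Bit 1 of the first octet set => locally administered MAC (typical of CARP/VRRP virtual MACs)."""
    return bool(int(mac.split(":")[0], 16) & 0x02)

def same_oui(a, b):
    """Same first three octets => same vendor OUI, so possibly NICs in the same box."""
    return a.split(":")[:3] == b.split(":")[:3]

def summarize(events):
    """Per IP: MACs it moves between, OUI/local-bit checks, and minutes between consecutive moves.
    Two globally unique MACs with the same OUI ping-ponging is a duplicate-IP symptom, not CARP."""
    out = {}
    for ip in {e["ip"] for e in events}:
        evs = sorted((e for e in events if e["ip"] == ip), key=lambda e: e["ts"])
        macs = sorted({e["old"] for e in evs} | {e["new"] for e in evs})
        gaps = [round((b["ts"] - a["ts"]).total_seconds() / 60, 1) for a, b in zip(evs, evs[1:])]
        out[ip] = {"macs": macs, "gaps_min": gaps,
                   "flipflop": len(macs) == 2 and len(evs) >= 2,
                   "same_oui": all(same_oui(macs[0], m) for m in macs),
                   "locally_administered": [m for m in macs if is_locally_administered(m)]}
    return out
```

Feed it the real lines from /var/log/messages (or the arpwatch flip flop mails) and look at whether the two MACs share an OUI and whether the gaps line up with a DHCP lease or a failover timer.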