[nsp] Duplicate MAC Addresses (1605)

From: Brian (signal@shreve.net)
Date: Fri Oct 27 2000 - 13:53:09 EDT


This is a weird one. I noticed we were being used to wage a DoS attack on
some people's networks. I also noticed I was getting emails from amplifier
scanners that one of our customers' subnets was a potential amplifier.

The customer has a 1605 running 12.0.4T. It has "no ip
directed-broadcast" setup in its config for both interfaces as well. I
did some tests and noticed multiple stations responding to pings and the
like. Then I noticed in the arp tables, two totally different customers
with the same MAC address (next hop).

So I go into each router, and this is what I find:

Customer1:

aoandg-gw#show int eth1
Ethernet1 is up, line protocol is up
  Hardware is QUICC Ethernet, address is 0050.730d.724e (bia 0050.730d.724d)

aoandg-gw#sh ver
Cisco Internetwork Operating System Software
IOS (tm) 1600 Software (C1600-Y-M), Version 12.0(4)T, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-1999 by cisco Systems, Inc.
Compiled Wed 28-Apr-99 16:50 by kpma
Image text-base: 0x02005000, data-base: 0x024E895C

Customer2:

atco-gw#show int eth1
Ethernet1 is up, line protocol is up
  Hardware is QUICC Ethernet, address is 0050.730d.724e (bia 0050.730d.724d)

atco-gw#sh ver
Cisco Internetwork Operating System Software
IOS (tm) 1600 Software (C1600-Y-M), Version 12.0(4)T, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-1999 by cisco Systems, Inc.
Compiled Wed 28-Apr-99 16:50 by kpma
Image text-base: 0x02005000, data-base: 0x024E895C

Is this weird or what? I call TAC to open a ticket, they tell me "This is
impossible.", but I stood by what I am seeing and they are having some
hardware people call me. I am thinking that the above two customers'
routers were probably purchased at the same time and came from the same
"batch" and that some PROM burner at Cisco was on the fritz burning
duplicate MAC addresses. Yes I know I could override the BIA address, but
would just like the anomaly to be gone.

What's also interesting is that neither is using the BIA address, even
though they match. Does the IOS detect a duplicate address, and then move
to an alternate address? If so, the algorithm it uses to calculate the
LAA, or the pool it gets it from must be identical on each router as well
(probably comes from the PROM and since they are the same.....)

I just wanted to see if others have seen anything like this. I have lots
of other 1605's but they are on 11.3 and don't have this problem. I
wondered if it may have been a problem with the IOS 12.0.4T reading the
addresses wrong or something like that......if someone has a 1605 on
12.0.4T and could verify their eth1 address to make sure it doesn't match
mine.

Brian

-----------------------------------------------
Brian Feeny, CCNP, CCDP signal@shreve.net
Network Administrator
ShreveNet Inc. (ASN 11881)
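
An added example, not part of the original post: a Python script that audits saved "show interface" captures from several routers for the two conditions described above, the same active or burned-in (bia) address on more than one router, and an active address that differs from the bia. The first two captures are the ones quoted in the post; the third router (lab-gw) and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

PROMPT_RE = re.compile(r"^([\w.-]+)#")  # e.g. "aoandg-gw#show int eth1"
IFACE_RE = re.compile(r"^(\S+) is (?:administratively )?(?:up|down), line protocol")
HW_RE = re.compile(r"address is ([0-9a-f.]{14}) \(bia ([0-9a-f.]{14})\)", re.I)

# Captures 1 and 2 are quoted from the post; lab-gw is constructed and uses
# a documentation-range MAC so the audit has a non-colliding entry.
SAMPLE = """\
aoandg-gw#show int eth1
Ethernet1 is up, line protocol is up
  Hardware is QUICC Ethernet, address is 0050.730d.724e (bia 0050.730d.724d)
atco-gw#show int eth1
Ethernet1 is up, line protocol is up
  Hardware is QUICC Ethernet, address is 0050.730d.724e (bia 0050.730d.724d)
lab-gw#show int eth1
Ethernet1 is up, line protocol is up
  Hardware is QUICC Ethernet, address is 0000.5e00.5301 (bia 0000.5e00.5301)
"""

def parse_captures(text):
    """Return (host, interface, active_mac, bia) for each hardware line."""
    rows, host, iface = [], None, None
    for line in text.splitlines():
        if m := PROMPT_RE.match(line):
            host = m.group(1)          # hostname taken from the CLI prompt
        elif m := IFACE_RE.match(line):
            iface = m.group(1)         # interface status line
        elif m := HW_RE.search(line):
            rows.append((host, iface, m.group(1).lower(), m.group(2).lower()))
    return rows

def audit(rows):
    """Flag addresses seen on more than one router, and active != bia."""
    by_active, by_bia = defaultdict(set), defaultdict(set)
    for host, iface, active, bia in rows:
        by_active[active].add((host, iface))
        by_bia[bia].add((host, iface))
    dup = lambda d: {mac: sorted(o) for mac, o in d.items() if len(o) > 1}
    return {
        "duplicate_active": dup(by_active),
        "duplicate_bia": dup(by_bia),
        "active_differs_from_bia": sorted((h, i) for h, i, a, b in rows if a != b),
    }

if __name__ == "__main__":
    for finding, detail in audit(parse_captures(SAMPLE)).items():
        print(finding, detail)
```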


