[90792] in North American Network Operators' Group
Re: Interesting new spam technique - getting a lot more popular.
daemon@ATHENA.MIT.EDU (Florian Weimer)
Wed Jun 14 12:45:03 2006
From: Florian Weimer <fw@deneb.enyo.de>
To: "Christopher L. Morrow" <christopher.morrow@verizonbusiness.com>
Cc: Suresh Ramasubramanian <ops.lists@gmail.com>,
NANOG <nanog@merit.edu>
Date: Wed, 14 Jun 2006 17:49:15 +0200
In-Reply-To: <Pine.GSO.4.58.0606140410060.19686@marvin.argfrp.us.uu.net>
(Christopher L. Morrow's message of "Wed, 14 Jun 2006 04:10:51 +0000
(GMT)")
Errors-To: owner-nanog@merit.edu
* Christopher L. Morrow:
> On Wed, 14 Jun 2006, Suresh Ramasubramanian wrote:
>>
>> http://thespamdiaries.blogspot.com/2006/02/new-host-cloaking-technique-used-by.html
>>
>> * Monitor your local network for interfaces transmitting ARP
>> responses they shouldn't be.
>
> how about just mac security on switch ports? limit the number of mac's at
> each port to 1 or some number 'valid' ?
The attack is not visible at layer 2, so this won't help. You need
static ARP tables on relevant hosts, but even that is only a stopgag
measure. Better invest into one (virtual) router port per customer
host. 8-/
