I'm more interested to know about the endpoint that was responding to all IPs.
Also, minor nitpick:
> Without that we would have been reduced to tracing through switch ARP tables (for switches smart enough to report that)
You'd only need your switch to have a viewable mac address table rather than an ARP table.
no_carrier
I accidentally took down our corporate network multiple times ~20 years ago, because I was setting up virtual networks with Linux machines acting as l2 bridges, and with proxy_arp to on. The DHCP server only checked for an arp reply, and I caused our server to run out of IPs. It had a cache and nobody knew how to clear it, so we just had to wait it out.
sargun
Isn’t that a DoS vulnerability?
drdexebtjl
Oh wow, that's a fun one. It sounds like the network card was in promiscuous mode.
>As promiscuous mode can be used in a malicious way to capture private data in transit on a network, computer security professionals might be interested in detecting network devices that are in promiscuous mode. In promiscuous mode, some software might send responses to frames even though they were addressed to another machine.
comments (5)
Also, minor nitpick:
> Without that we would have been reduced to tracing through switch ARP tables (for switches smart enough to report that)
You'd only need your switch to have a viewable mac address table rather than an ARP table.
no_carrier
sargun
drdexebtjl
The wikipedia page even has a bit about this.
https://en.wikipedia.org/wiki/Promiscuous_mode
>As promiscuous mode can be used in a malicious way to capture private data in transit on a network, computer security professionals might be interested in detecting network devices that are in promiscuous mode. In promiscuous mode, some software might send responses to frames even though they were addressed to another machine.
pixl97
ram_rattle