MAC spoofing?

rk77

Occasional Visitor
Hi

In the last couple of weeks I have seen this entry in the syslog once every 3-4 days:
kernel: eth1: received packet with own address as source address

Nothing has been changed for several months:
Same firmware.
Exactly the same config and hardware.
Same clients connecting to the router.
All MAC-addresses are unique.

The setup:
Broadband switch -> RT-N66U (patch cable cat6) -> Synology nas (patch cable cat6)
All clients connecting through WiFi, DHCP (2.4 GHz or 5 GHz)

So obviously nothing in my network that can cause this.

I have searched the Internet but haven’t found anything useful!
 
At one time I was seeing the same thing. Could not find the cause.

Currently not seeing the issue.
 
Hi

Some more info:

Now I see this much more frequently:
Apr 9 21:57:29 kernel: eth1: received packet with own address as source address
Apr 9 22:56:24 kernel: eth1: received packet with own address as source address
Apr 9 23:03:37 kernel: eth1: received packet with own address as source address
Apr 9 23:21:38 kernel: eth1: received packet with own address as source address
Apr 9 23:21:39 kernel: eth1: received packet with own address as source address

Apr 10 04:44:11 kernel: eth1: received packet with own address as source address
Apr 10 04:44:12 kernel: eth1: received packet with own address as source address
Apr 10 04:44:12 kernel: eth1: received packet with own address as source address
Apr 10 04:44:13 kernel: eth1: received packet with own address as source address
Apr 10 04:44:14 kernel: eth1: received packet with own address as source address

Apr 10 08:22:45 kernel: eth1: received packet with own address as source address
Apr 10 08:34:40 kernel: eth1: received packet with own address as source address
Apr 10 08:34:41 kernel: eth1: received packet with own address as source address
Apr 10 08:48:07 kernel: eth1: received packet with own address as source address

I ran KisMac yesterday for about 5 min to see if I could identify another nearby device using the same address, but nothing!

Something is wrong.
 
Do you have two access points or use both 2.4 and 5 GHz?

From what I understand the message is often caused by a WiFi-connected unit getting connected to another access point (so the ARP lists are not correct for a few packets).
 
Nerre: Thanks for your reply!

Hi

After some more research I found this:

Linux/net/bridge/br_fdb.c

void br_fdb_update(struct net_bridge *br, struct net_bridge_port *source,
		   const unsigned char *addr)
{
	struct hlist_head *head = &br->hash[br_mac_hash(addr)];
	struct net_bridge_fdb_entry *fdb;

	/* some users want to always flood. */
	if (hold_time(br) == 0)
		return;

	fdb = fdb_find(head, addr);
	if (likely(fdb)) {
		/* attempt to update an entry for a local interface */
		if (unlikely(fdb->is_local)) {
			if (net_ratelimit())
				printk(KERN_WARNING "%s: received packet with "
				       " own address as source address\n",
				       source->dev->name);
		} else {
			/* fastpath: update of existing entry */
			fdb->dst = source;
			fdb->ageing_timer = jiffies;
		}
	} else {
		spin_lock(&br->hash_lock);
		if (!fdb_find(head, addr))
			fdb_create(head, source, addr, 0);
		/* else we lose race and someone else inserts
		 * it first, don't bother updating
		 */
		spin_unlock(&br->hash_lock);
	}
}



What I don’t understand is that this is bridge related, I only use 1 router??
 
The router bridges the switch, 2.4 GHz and 5 GHz wifi together, as br0.
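
Added example (not part of the original posts and not kernel code): a userspace C model of the decision br_fdb_update() makes for each received frame. It shows that the warning path is taken only when the source MAC matches an entry the bridge has marked as its own, while an ordinary station seen on a new port is simply re-learned. The table size, port numbers, MAC addresses and all names except fdb_find are constructed.

```c
/* Added example: userspace model of br_fdb_update()'s decision; names, ports and MACs are constructed. */
#include <stdio.h>
#include <string.h>

enum fdb_result { FDB_LEARNED, FDB_UPDATED, FDB_OWN_ADDRESS, FDB_FULL };
struct fdb_entry { unsigned char addr[6]; int port; int is_local; };

static struct fdb_entry fdb[16];
static int fdb_count;

static struct fdb_entry *fdb_find(const unsigned char *addr)
{
    for (int i = 0; i < fdb_count; i++)
        if (memcmp(fdb[i].addr, addr, 6) == 0)
            return &fdb[i];
    return NULL;
}

/* Add an entry; is_local marks a MAC that belongs to one of the bridge's own ports. */
int fdb_insert(const unsigned char *addr, int port, int is_local)
{
    if (fdb_count == 16)
        return -1;
    struct fdb_entry *e = &fdb[fdb_count++];
    memcpy(e->addr, addr, 6);
    e->port = port;
    e->is_local = is_local;
    return 0;
}

/* Called with the source MAC of every frame received on a bridge port. */
enum fdb_result fdb_learn(const unsigned char *src, int port)
{
    struct fdb_entry *e = fdb_find(src);
    if (!e)
        return fdb_insert(src, port, 0) ? FDB_FULL : FDB_LEARNED;
    if (e->is_local)
        return FDB_OWN_ADDRESS;  /* kernel logs the warning; entry is left unchanged */
    e->port = port;              /* ordinary station, possibly on a new port */
    return FDB_UPDATED;
}

int main(void)
{
    const unsigned char own[6] = {0x02, 0, 0, 0, 0, 0x01};  /* constructed bridge-port MAC */
    const unsigned char sta[6] = {0x02, 0, 0, 0, 0, 0x99};  /* constructed station MAC */
    fdb_insert(own, 1, 1);
    int a = fdb_learn(sta, 2), b = fdb_learn(sta, 0), c = fdb_learn(own, 1);
    printf("new station: %d, station on new port: %d, own MAC received: %d\n", a, b, c);
    return 0;
}
```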
 
Another thing is that I see the log entry in the middle of the night when there is no activity on the network (all my clients off).
 
Some updates:
I have contacted Asus support (via mail) and have received several mails asking the obvious:

Latest FW, check unique addresses, disconnect clients, restart, reset…

And I have done everything, even resetting and reflashing, but nothing helps.
I have even disconnected the router from the fiber/broadband switch with none of my clients connected to it, and it still happens.

Can this be external dhcp request packages (a neighbour with the same MAC address trying to connect to my router) on the 2.4 GHz band??

Perhaps the router is broken after 6 months?

I appreciate any help and idea!
 
It COULD be someone trying to use your router externally by spoofing one of your own MAC addresses; this would mean they have actually managed to connect to your wifi network.

Have you enabled per-item logging to an external USB device in Merlin's and looked to see what's connected to your wifi?

Or change your wifi passwords and see if it still happens.

Reported common issues that see this message are when devices switch between two or more access points, but that doesn't seem to apply to you.

Or when multiple eth ports are all bonded br0.


Clutching at straws here a little 8)
 
Linkmaster: thanks for the tip.

If someone has managed to connect to my router, shouldn’t I see that client (with the cloned address) at some point in the general log, perhaps as a DHCP request? The log entry appears in the middle of the night with no DHCP events pre or post it.

But another interesting thing is:
http://forums.smallnetbuilder.com/showthread.php?t=10863

I have seen (for quite a while) this in the wireless log:

00:20:00:91:69B associated

This is NOT one of my clients, a search on the net shows that this is a Lexmark MAC.
Normally when my clients connect I see:

[MAC-address] associated authorized

What I understand from the 802.11 standard is that a client can be associated AFTER successfully authenticated???

So is this client connected to my router in any way?



I have done some changes and will report back with the result.
 
RMerlin:
Can this be related to my issue?

3.0.0.4.270.25 changelog
- FIXED: No longer forward packets with a LAN IP as destination
(Asus bug, fixed CDRouter test firewall_2)

Currently I'm running .220
 
Probably unrelated. That issue was a minor and hard-to-exploit potential security issue.

I do get the same error message once in a while as well, mostly when my laptop has just connected to the wifi network. I simply ignore it.
 
RMerlin: Thank you for taking the time to answer my question!
> I do get the same error message once in a while as well, mostly when my laptop has just connected to the wifi network. I simply ignore it.

Perhaps I should too, just curious about what is causing it!
 
If you have a way to accurately reproduce it, you would need to do some traffic sniffing using a tool such as Wireshark to determine the actual source of it.
 
Hi

The problem is that it happens so randomly, often with no clients (and no traffic) connected to the router.
I’m running out of ideas here.

But I know for sure that no one has connected to the router, as I changed the SSID, key and admin password Sunday afternoon.
 
We have been seeing this issue. Traced it to a reproducible client behavior. One user was saturating our 5G with a large download. Second user would disconnect from 5G by turning off the wireless card in Windows and plug directly into the switch on the router.

Every few seconds we would get the
Mar 20 11:56:11 kernel: br0: received packet on eth1 with own address as source address

This is using the ASUS firmware. 3.0.0.4.374_205. Router is in AP mode.

As soon as he unplugged from wired or flushed arp cache the error message would stop. Clue was earlier in the thread that 2.4G and router on the same MAC and 5g is on a different MAC.

Sorry for posting on an old thread, but seemed to be most relevant.
 