Book now with code EOY2025
JohnnyBiggles wrote: » So I DL'd that program and I'm seeing a public address that registers somewhere in Japan with an IP lookup, but when I check my firewall I don't see any traffic traversing through it with that address and don't understand how an external IP could be used as an internal DHCP. How can I track this down? It seems to be live because every few minutes it appears and the offered address has changed. I can't ping it either, obviously. Any suggestions?
it_consultant wrote: » A possible way to address this is to write an ACL blocking all access to that IP and apply it on the ingress and egress of all the switchports in that VLAN.
PurpleIT wrote: » Don't get thrown off by the IP of the rogue device, it really isn't a factor. I can stick any IP I want on a device and since DHCP is listening for the broadcasts it doesn't have to be on the same subnet as the rest of the VLAN, as a matter of fact, if I were trying to hide it that's exactly what I would do. I would start hunting for it by MAC; I haven't used the tool it_consultant mentioned in a long time, so I can't guarantee this would work, but it should... You should be able to look at your ARP table to get the MAC of this rogue DHCP server. Look at your MAC tables on your switches and you can trace it back to the correct switch and then finally the exact port it is connected to. Disabling that port should stop the problem, but I would prefer to have physical possession of whatever is attached to that port so I can see if this was malicious or perhaps just someone putting a home router on the network so they can get WiFi for their cell phone.
phoeneous wrote: » C'mon now, a ccnp should know this!
JohnnyBiggles wrote: » Ok, so what I did was, I ran Wireshark on the PC that was running that DHCP program. When I refreshed it (the DHCP app), the same info came up with that 220.x.x.x address as the DHCP server which was offering an address we have defined in our scope... let's say it's 192.168.100.x. At the same time, I monitored wireshark, and as expected, a Discover packet went out sourced from this machine and an Offer packet came back from 2 of our DHCP servers. I checked the data for both lines that popped up (I have the filter set to "bootp.option.type == 53" to view DHCP traffic only) and neither of the MAC addresses that were reporting IP conflicts or the 220.x.x.x IP were displayed, only the DHCP server on our network. I did this on another suubnet we have that gets DHCP relayed from that same server, and got the same, but the program is NOT showing that 220.x.x.x address, only our DHCP server on 192.168.100.x. So, there IS a difference between the subnets but I can't figure out where this address is coming from and arp checks don't show anything for it either. Now the hard part of all this, is that all this strange activity is on a network that is using "dumb" (unmanaged) Dell switches, so I can't really even log in to check MAC tables and such and, for now, am limited to the devices connected to them. I'm still working on this but if you have any other insight on this that would be great.
I know, I know but this is easier said than done. First off, I just got it a few months ago and while I have it, that is Cisco and almost our entire network is Dell equipment (actually not far from it config-wise, but still)... and as mentioned above, these are dumb switches which predate my role here. Also, we had some other issues occur at the same time so trying to pinpoint things which may or may not be related while trying to tackle basic operations/functionality/availability has been a challenge.
PurpleIT wrote: » OK, first things first - you got TWO offer packets? Since I don't want to assume anything, have you checked that the scopes don't overlap? They might not have overlapped a few days ago, but obviously something changed...
PurpleIT wrote: » It's not exactly a high-tech way of doing things, but IF you could ping the address you could essentially ping-flood it and look for the constantly blinking light on the switches. Of course that depends on your network traffic, access to switches, etc. You could also start disconnecting switches so you can isolate which switch the rogue is connected to and then start checking the ports one at a time. Obviously, this would be best done after hours or during a maintenance window, but I am just brain-storming here.
it_consultant wrote: » You can also trace each cable. You know whatever device is the problem is plugged into your stack somewhere. Identify where each port goes and verify they are legitimate. I realize that is an awful lot of work but if you bring a labeler, you will be better off for it in the long run.
apr911 wrote: » Hi Johnny, Admittedly, I havent read through the entire posting here so I dont know what all you have or have not done or found so far but I wanted to point out that it is possible that the MAC address flood may cause erroneous reports of duplicate IPs. Windows uses ARP to determine if an IP is in use. If an ARP request receives a positive response or the address already exists in the local ARP cache, windows will flag that IP as in use elsewhere on the network and not allow it to be used on that machine. I believe Linux does the same thing. So yes, a mac address flood can result in the appearance of duplicate IP addresses even when they dont really exist.
it_consultant wrote: » I would have to see this in a lab in order to believe it. The affect of a flood would be much different than the OP describes, machines would be going offline with NO error or duplicate IPs regularly. As he describes, the go offline AND they alert for a duplicate IP. In the case of a MAC flood attack we would see things go offline in mass quantities without the correlation of the error message in Windows.
Use code EOY2025 to receive $250 off your 2025 certification boot camp!
