Security Basics mailing list archives
Re: mac address issue
From: "Jude Naidoo" <jude007 () jnaidoo fsnet co uk>
Date: Tue, 2 Sep 2003 19:52:47 +0100
Hi Brian I'm running MetaIP and have had similar problems. The solution usually was changing the way the client requested a lease or a mac address that was different in some way that just resulted in the DHCP server getting its knickers in a twist. What do your logs say ? Sounds like the client is sent our a DHCP request, your DHCP server is replying with an offer, but the client is sending back an acknowledgement, but not using the ip address. The DHCP server, though, has now reserved this ip address with a limited lease time. The client then send out another DHCP discover and your DHCP server send out an offer. This sometimes causes the DHCP server to hand out loads of addresses, until it runs out. The safest thing to do is give that client a static if you don't have the energy or time to find out why it's behaving the way it is... I hope this helps. Jude ----- Original Message ----- From: "Brian Whitehead" <brian () whiteheadconsulting com> To: "Jude Naidoo" <jude007 () jnaidoo fsnet co uk> Sent: Tuesday, September 02, 2003 6:26 PM Subject: Re: mac address issue
Everything has been flushed, several times in fact. The DHCP server is running on a Netware 6 box. -- Brian Jude Naidoo said:Hi Brian Have you tried flushing the arp cache on your switch ? What DHCP server are you using ? Jude ----- Original Message ----- From: "Brian Whitehead" <brian () whiteheadconsulting com> To: <security-basics () securityfocus com> Sent: Tuesday, September 02, 2003 5:19 PM Subject: mac address issue I was wondering if anyone could point me in the right direction. Lately we have been having problems with IP duplication. Looking at the arp cache and dhcp logs it looks like either a mac address spoofing issue or maybe just a hardware problem. I'm seeing two different mac addresses that appear to take over 20-30 different IP's all at one time causing an IP conflict and then they are immediately released. I haven't been able to find these mac addresses on any device in the building. The switches don't seem to agree either. One port on the core switch may have it in it's arp cache, but the switch plugged into that port doesn't. Nothing
is
making a lot of sense. This has happened once or twice a day for the
last
4-5 days. If anyone has an idea of what to look at I would appreciate
it.
-- Brian--------------------------------------------------------------------------
-
Attend Black Hat Briefings & Training Federal, September 29-30
(Training),
October 1-2 (Briefings) in Tysons Corner, VA; the world's premier technical IT security event. Modeled after the famous Black Hat event
in
Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors. Symantec is the Diamond sponsor. Early-bird registration ends September 6.Visit us: www.blackhat.com--------------------------------------------------------------------------
--
--------------------------------------------------------------------------- Attend Black Hat Briefings & Training Federal, September 29-30 (Training), October 1-2 (Briefings) in Tysons Corner, VA; the world's premier technical IT security event. Modeled after the famous Black Hat event in Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors. Symantec is the Diamond sponsor. Early-bird registration ends September 6.Visit us: www.blackhat.com ----------------------------------------------------------------------------
Current thread:
- mac address issue Brian Whitehead (Sep 02)
- Re: mac address issue Jude Naidoo (Sep 02)
- Message not available
- Re: mac address issue Jude Naidoo (Sep 02)
- Message not available
- Re: mac address issue Jude Naidoo (Sep 02)