Date: Mon, 23 Jun 1997 06:40:22 +0800
From: chas <sweeting@tm.net.my>
To: freebsd-isp@freebsd.org
Subject: duplicate IP = security problem ?
Message-ID: <3.0.32.19970623063113.00941100@mail.tm.net.my>
Please excuse this slightly long description but I'm perturbed about possible security problems :

----------------------------------------------------

10:00 pm - collect mail fine from our FreeBSD-based mailhub.

10:30 pm - a couple of users informed me that they were being refused connection to the mailserver. I tried to download and send mail ... and sure enough, no reply.

So, I went to the console and found this error message appear whenever someone tried to collect mail :

  "/kernel duplicate IP address 202.184.153.15! sent from ethernet address 00:a0:40:29:e8:08"

(This also occurred if I tried to ping any other machine on our network from the mailserver)

My initial thought was that the NIC was going schizo... it's a dodgy 3Com job. But then ifconfig for the mailserver produced :

  lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
  ep0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
          inet 202.184.153.15 netmask 0xffffff00 broadcast 202.184.153.255
          ether 00:c0:4f:db:17:29
  lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
          inet 127.0.0.1 netmask 0xff000000
  sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
  tun0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500

which means that the duplicate IP was out on another machine. To make sure, I disconnected the mailserver from the network and, sure enough, was still able to ping the IP (that belongs to the mailserver) from one of our webservers.

The following is a session on the DEC webserver :

( note : mail.heaven.com.my = 202.184.153.15 = the mailserver. This machine was disconnected from the network during this session !
  love.com.my = 202.184.153.17 is just another machine on our network, shown here for a comparison of traceroute output)

  # ping mail.heaven.com.my
  PING mail.heaven.com.my (202.184.153.15): 56 data bytes
  64 bytes from 202.184.153.15: icmp_seq=0 ttl=255 time=5 ms
  64 bytes from 202.184.153.15: icmp_seq=1 ttl=255 time=1 ms

  ----mail.heaven.com.my PING Statistics----
  2 packets transmitted, 2 packets received, 0% packet loss
  round-trip (ms) min/avg/max = 1/3/5 ms

i.e. I could ping a machine that was supposedly offline.

  # traceroute mail.heaven.com.my
  traceroute to mail.heaven.com.my (202.184.153.15), 30 hops max, 40 byte packets
   1 * * *
   2 *

weird traceroute results ! compare with :

  # traceroute love.com.my
  traceroute to love.com.my (202.184.153.17), 30 hops max, 40 byte packets
   1 lovebox (202.184.153.17) 0 ms 0 ms 1 ms

and then suddenly :

  # ping mail.heaven.com.my
  PING peace.com.my (202.184.153.15): 56 data bytes

  ----peace.com.my PING Statistics----
  5 packets transmitted, 0 packets received, 100% packet loss

it had disappeared !

---------------------------------------------------------------

So, my questions are :

1) Could it be possible for someone to be using our IP ? And hence be on our network ?
2) What could I do if this happens again to gain control of the IP again ?
3) Any other explanations or advice ?

Thank you very much.

chas
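The kernel message quoted in the post is the one piece of evidence a defender can act on: it names the IP being claimed and the hardware address of the card that claimed it, which can then be compared with the MAC shown by ifconfig on the legitimate host. The following is an added example, not part of the post or of FreeBSD, that parses such lines out of a syslog-style log, discards reports that merely echo the host's own MAC, and tallies how often each foreign MAC claimed each of our addresses. The sample log lines are constructed (the IP and the two MACs are the ones quoted in the post; timestamps, hostname and the unrelated sendmail line are made up), and the `/kernel:` syslog prefix and the exact message wording are assumed to match what the post shows.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the post): syslog-style lines modelled on the
# kernel message quoted above. The IP and the two MAC addresses are the ones in the
# post; the timestamps, hostname and the unrelated sendmail line are made up.
SAMPLE_LOG = """\
Jun 22 22:31:05 mailhub /kernel: duplicate IP address 202.184.153.15! sent from ethernet address 00:a0:40:29:e8:08
Jun 22 22:31:09 mailhub /kernel: duplicate IP address 202.184.153.15! sent from ethernet address 00:a0:40:29:e8:08
Jun 22 22:32:00 mailhub sendmail[123]: unrelated line that must be ignored
Jun 22 22:35:41 mailhub /kernel: duplicate IP address 202.184.153.15! sent from ethernet address 00:C0:4F:DB:17:29
"""

# Addresses this host legitimately owns, taken from the ifconfig output in the post
# (ep0: inet 202.184.153.15, ether 00:c0:4f:db:17:29). In practice, build this
# table from ifconfig on the machine that writes the log.
OWN_ADDRESSES = {"202.184.153.15": "00:c0:4f:db:17:29"}

# Matches the kernel's "duplicate IP address <ip>! sent from ethernet address <mac>"
# message (wording assumed from the post); IP and MAC are captured as named groups.
DUP_RE = re.compile(
    r"duplicate IP address (?P<ip>\d{1,3}(?:\.\d{1,3}){3})! "
    r"sent from ethernet address (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
)


def parse_duplicate_events(log_text):
    """Return a list of (ip, mac) tuples, one per duplicate-IP kernel message.

    MACs are normalised to lower case so the same card is counted once
    regardless of how the log writer cased the hex digits.
    """
    events = []
    for line in log_text.splitlines():
        m = DUP_RE.search(line)
        if m:
            events.append((m.group("ip"), m.group("mac").lower()))
    return events


def summarize_conflicts(events, own_addresses):
    """Count, per claimed IP, how often each foreign MAC claimed it.

    A report naming our own MAC is not another host. The kernel normally ignores
    ARP that carries its own hardware address, but the filter is kept here in
    case the log is fed from a sniffer or from a second machine.
    """
    conflicts = defaultdict(lambda: defaultdict(int))
    for ip, mac in events:
        own_mac = own_addresses.get(ip)
        if own_mac is not None and mac == own_mac.lower():
            continue
        conflicts[ip][mac] += 1
    # Plain dicts so callers can compare the result by equality.
    return {ip: dict(macs) for ip, macs in conflicts.items()}


def format_report(conflicts, own_addresses):
    """Render one line per (ip, foreign mac) pair, showing the legitimate MAC for contrast."""
    lines = []
    for ip in sorted(conflicts):
        for mac, count in sorted(conflicts[ip].items()):
            lines.append(
                f"{ip}: claimed {count}x by {mac} (our MAC is {own_addresses.get(ip, 'unknown')})"
            )
    return lines


if __name__ == "__main__":
    events = parse_duplicate_events(SAMPLE_LOG)
    for line in format_report(summarize_conflicts(events, OWN_ADDRESSES), OWN_ADDRESSES):
        print(line)
```

On a FreeBSD host the lines would normally be read from the syslog file the kernel facility is written to rather than from the embedded sample. The foreign MAC in the report is the thing to chase: if it belongs to one of your own machines' interfaces, the conflict is a misconfiguration; if it belongs to nothing you own, it is the evidence that answers the poster's first question.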