Date: Sun, 22 Jun 1997 20:48:34 +0000 (GMT)
From: spork <spork@super-g.com>
To: chas <sweeting@tm.net.my>
Cc: freebsd-isp@FreeBSD.ORG
Subject: Re: duplicate IP = security problem ?
Message-ID: <Pine.BSF.3.95q.970622202913.12939B-100000@super-g.inch.com>
In-Reply-To: <3.0.32.19970623063113.00941100@mail.tm.net.my>
Hi,

The part that confuses me here is that this is coming from a machine on your
local ethernet... Do you share an ethernet resource with others? It's a good
thing to avoid if you're concerned about security, as anyone with access to
the wire can trash and replace any of your machines (DOS it to death and then
configure their machine to answer requests as if it were yours, logging
passwords the whole time). Also, if you're not on a switched ethernet
segment, others on the ethernet can sniff any and all packets, even with
simple DOS-based programs. If you must share ethernet, consider setting up a
router (or better yet a FBSD box with 2 eth cards doing routing; I believe it
can handle wire speed) to give yourself a little bit of privacy.

It's also possible someone has broken into one of your machines and either
mistakenly brought it up with the wrong IP after doing some kernel mods to
sniff packets, or it could even be a dumb Win95 user misconfiguring their
box...

I don't know of any way to track down what machine it is however...

Charles

On Mon, 23 Jun 1997, chas wrote:

> Please excuse this slightly long description but I'm
> perturbed about possible security problems :
> ----------------------------------------------------
>
> 10:00 pm - collect mail fine from our FreeBSD-based mailhub.
>
> 10:30 pm - a couple of users informed me that they were being
> refused connection to the mailserver.
> I tried to download and send mail ... and sure enough,
> no reply.
>
> So, I went to the console and found this error message
> appear whenever someone tried to collect mail :
>
> "/kernel duplicate IP address 202.184.153.15! sent from ethernet
> address 00:a0:40:29:e8:08"
>
> (This also occurred if I tried to ping any other
> machine on our network from the mailserver)
>
> My initial thought was that the NIC was going schizo...
> it's a dodgy 3Com job.
>
> But then ifconfig for the mailserver produced :
>
> lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
> ep0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         inet 202.184.153.15 netmask 0xffffff00 broadcast 202.184.153.255
>         ether 00:c0:4f:db:17:29
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
>         inet 127.0.0.1 netmask 0xff000000
> sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
> tun0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
>
> which means that the duplicate IP was out on another machine.
>
> To make sure, I disconnected the mailserver from the network
> and, sure enough, was still able to ping the IP (that
> belongs to the mailserver) from one of our webservers.
>
> The following is a session on the DEC webserver :
> ( note : mail.heaven.com.my = 202.184.153.15 = the mailserver.
>          This machine was disconnected from the network
>          during this session !
>          love.com.my = 202.184.153.17 is just another machine
>          on our network, shown here for a comparison of traceroute
>          output)
>
> # ping mail.heaven.com.my
> PING mail.heaven.com.my (202.184.153.15): 56 data bytes
> 64 bytes from 202.184.153.15: icmp_seq=0 ttl=255 time=5 ms
> 64 bytes from 202.184.153.15: icmp_seq=1 ttl=255 time=1 ms
>
> ----mail.heaven.com.my PING Statistics----
> 2 packets transmitted, 2 packets received, 0% packet loss
> round-trip (ms) min/avg/max = 1/3/5 ms
>
> ie. I could ping a machine that was supposedly offline.
>
> # traceroute mail.heaven.com.my
> traceroute to mail.heaven.com.my (202.184.153.15), 30 hops max, 40 byte
> packets
>  1  * * *
>  2  *
>
> weird traceroute results ! compare with :
>
> # traceroute love.com.my
> traceroute to love.com.my (202.184.153.17), 30 hops max, 40 byte packets
>  1  lovebox (202.184.153.17)  0 ms  0 ms  1 ms
>
> and then suddenly :
>
> # ping mail.heaven.com.my
> PING peace.com.my (202.184.153.15): 56 data bytes
>
> ----peace.com.my PING Statistics----
> 5 packets transmitted, 0 packets received, 100% packet loss
>
>
> it had disappeared !
>
>
> ---------------------------------------------------------------
>
> So, my questions are :
>
> 1) Could it be possible for someone to be using our IP ?
>    And hence be on our network ?
> 2) What could I do if this happens again to gain control
>    of the IP again ?
> 3) Any other explanations or advice ?
>
> Thank you very much.
>
> chas
>
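An added example, not code from either poster: a small Python script that parses the "duplicate IP address ... sent from ethernet address ..." kernel messages quoted above together with the mailserver's ifconfig output, so that the MAC claiming the address is pulled out of the log, compared against the interface's own MAC (our own MAC echoed back points at a loop or bridge rather than a second host), and counted per sender. The syslog lines and the ifconfig text are constructed sample data modelled on what chas quoted.

```python
import re
from collections import Counter
# Shape of the FreeBSD kernel message chas saw, as it lands in syslog:
#   /kernel: duplicate IP address 202.184.153.15! sent from ethernet address 00:a0:40:29:e8:08
DUP_RE = re.compile(r"duplicate IP address (?P<ip>\d{1,3}(?:\.\d{1,3}){3})!\s*"
                    r"sent from ethernet address (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)
IFACE_RE = re.compile(r"^\S+:\s*flags=")                 # first line of an ifconfig stanza
INET_RE = re.compile(r"^\s*inet\s+(\d{1,3}(?:\.\d{1,3}){3})\b", re.M)
ETHER_RE = re.compile(r"^\s*ether\s+((?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.M | re.I)

def local_addrs(ifconfig_text):
    """Map each IPv4 address in ifconfig output to its interface MAC (None if no ether line)."""
    addrs, block = {}, ""
    for line in ifconfig_text.splitlines() + ["end: flags="]:  # sentinel flushes the last stanza
        if IFACE_RE.match(line) and block:
            mac = ETHER_RE.search(block)
            for ip in INET_RE.findall(block):
                addrs[ip] = mac.group(1).lower() if mac else None
            block = ""
        block += line + "\n"
    return addrs

def find_conflicts(log_lines, ifconfig_text):
    """One record per (IP, sending MAC) seen in duplicate-IP messages; 'self' marks
    our own MAC echoed back (a loop or bridge, not a second host)."""
    own = local_addrs(ifconfig_text)
    seen = Counter()
    for line in log_lines:
        m = DUP_RE.search(line)
        if m:
            seen[(m.group("ip"), m.group("mac").lower())] += 1
    return [{"ip": ip, "mac": mac, "count": n, "own_mac": own.get(ip),
             "local_ip": ip in own, "self": own.get(ip) == mac}
            for (ip, mac), n in sorted(seen.items())]

# Constructed sample: the mailserver's ifconfig as quoted in the thread, plus syslog
# lines in the same format (the last one echoes our own MAC, a different failure mode).
SAMPLE_IFCONFIG = """\
ep0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 202.184.153.15 netmask 0xffffff00 broadcast 202.184.153.255
        ether 00:c0:4f:db:17:29
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
"""
SAMPLE_LOG = [
    "Jun 22 22:31:02 mail /kernel: duplicate IP address 202.184.153.15! sent from ethernet address 00:a0:40:29:e8:08",
    "Jun 22 22:31:09 mail /kernel: duplicate IP address 202.184.153.15! sent from ethernet address 00:a0:40:29:e8:08",
    "Jun 22 22:31:10 mail popper[211]: connection from 202.184.153.40",
    "Jun 22 22:32:41 mail /kernel: duplicate IP address 202.184.153.15! sent from ethernet address 00:C0:4F:DB:17:29",
]
```

Run `find_conflicts(SAMPLE_LOG, SAMPLE_IFCONFIG)` to get one record for the foreign MAC 00:a0:40:29:e8:08 (count 2) and one self-echo record; the foreign MAC is the value to look up in your switch's forwarding table or your own inventory of NICs.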
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.95q.970622202913.12939B-100000>