Hello,
We have a server, we'll call it Steve. Steve was happily purring along,
handling network requests, etc. Suddenly a user, who is on the same subnet
as Steve, booted up a machine (a Mac) with Steve's IP address. When Steve
detected this, he logged a message that said:

    Apr 20 08:39:35 steve vmunix: arp: local IP address 111.222.xxx.xxx in use by hardware address 00-05-02-xx-xx-xx

Steve then stopped responding to the network, couldn't even ping his own
gateway, etc., even though the offending machine had been removed. Upon
reboot, Steve was once again happy.

Questions:

Is there a way to configure Steve to be more contentious when it detects
that his IP address had been stolen, and to continue to attempt to hold it?
Luckily, this is the only server we have that is on the same subnet as any
of our users, but it seems like an awfully easy way to shut down a server.

Was there a simpler solution than rebooting Steve? (Taking the ethernet
interface tu0 down and then back up, for example?)

The user claimed that she had used Steve's IP only briefly and only once,
approx. 12 hours before Steve detected the dup IP and shut down his
connection. Is this likely?

Happily, I found some information in the archives that enabled me to dump
the arp cache to associate the MAC address with the current IP, confirming
who the offender was.

Thanks for any info, I'll summarize
--
Keith Piepho kap_at_uakron.edu
Technical Services (330) 972-6130
The University of Akron
Received on Tue Apr 20 1999 - 15:42:19 NZST
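
An added example, not part of the original post: a small Python script that finds the duplicate-IP kernel message quoted above in syslog lines and then looks up which IP the ARP cache currently maps to the reported hardware address. The sample log and ARP lines are constructed (documentation addresses, made-up MACs), and the BSD-style `arp -a` line format is an assumption; the function names are hypothetical.

```python
import re

# One 48-bit MAC, written with '-' or ':' and optional leading zeros.
MAC = r"(?:[0-9A-Fa-f]{1,2}[-:]){5}[0-9A-Fa-f]{1,2}"
# Kernel message format as quoted in the post (IP and MAC are redacted there).
DUP_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+(?P<host>\S+)\s+vmunix:\s+arp:\s+"
    r"local IP address\s+(?P<ip>\S+)\s+in use\s+by hardware address\s+"
    r"(?P<mac>" + MAC + r")")
# Assumed BSD-style `arp -a` line: "name (ip) at mac ..."
ARP_RE = re.compile(r"\((?P<ip>[\d.]+)\)\s+at\s+(?P<mac>" + MAC + r")")

def norm_mac(mac):
    """Canonical aa:bb:cc:dd:ee:ff so log and ARP-cache spellings compare equal."""
    parts = re.split(r"[-:]", mac.strip())
    if len(parts) != 6:
        raise ValueError("not a 48-bit MAC: %r" % mac)
    return ":".join("%02x" % int(p, 16) for p in parts)

def find_conflicts(syslog_lines):
    """Return (timestamp, host, claimed_ip, mac) for each duplicate-IP report."""
    found = []
    for line in syslog_lines:
        m = DUP_RE.search(line)
        if m:
            found.append((m["ts"], m["host"], m["ip"], norm_mac(m["mac"])))
    return found

def current_ips(mac, arp_lines):
    """IPs the ARP cache maps to `mac` now; empty if the entry has aged out."""
    want = norm_mac(mac)
    hits = []
    for line in arp_lines:
        m = ARP_RE.search(line)  # "(incomplete)" entries do not match
        if m and norm_mac(m["mac"]) == want:
            hits.append(m["ip"])
    return hits

# Constructed sample data (not taken from the post).
SAMPLE_SYSLOG = [
    "Apr 20 08:39:35 steve vmunix: arp: local IP address 192.0.2.10 in use "
    "by hardware address 00-05-02-AA-BB-CC",
    "Apr 20 08:40:01 steve vmunix: unrelated kernel message",
]
SAMPLE_ARP = [
    "gw.example.edu (192.0.2.1) at 00-00-0c-11-22-33",
    "? (192.0.2.57) at 0:5:2:aa:bb:cc",
    "? (192.0.2.58) at (incomplete)",
]

if __name__ == "__main__":
    for ts, host, ip, mac in find_conflicts(SAMPLE_SYSLOG):
        print(ts, host, ip, mac, "now at", current_ips(mac, SAMPLE_ARP))
```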