Original message:
Hello,
We have a server, we'll call it Steve. Steve was happily purring along,
handling network requests, etc. Suddenly a user, who is on the same subnet
as Steve, booted up a machine (a Mac) with Steve's IP address. When Steve
detected this, he logged a message that said:
Apr 20 08:39:35 steve vmunix: arp: local IP address 111.222.xxx.xxx in use
by hardware address 00-05-02-xx-xx-xx
Steve then stopped responding to the network, couldn't even ping his own
gateway, etc., even though the offending machine had been removed. Upon
reboot, Steve was once again happy.
Questions:
Is there a way to configure Steve to be more contentious when it detects
that his IP address had been stolen, and to continue to attempt to hold it?
Luckily, this is the only server we have that is on the same subnet as any
of our users, but it seems like an awfully easy way to shut down a server.
Was there a simpler solution that rebooting Steve? (Taking the ethernet
interface tu0 down and then back up, for example?)
The user claimed that she had used Steve's IP only briefly and only once,
approx. 12 hours before Steve detected the dup IP and shut down his
connection. Is this likely?
Happily, I found some information in the archives that enabled me to dump
the arp cache to associate the MAC address with the current IP, confirming
who the offender was.
-- - thanks for any info, I'll summarize
---------------------------------------------------------
Several good responses, reproduced after my summary.
To restart the network interface, run netsetup, then exit, and it'll ask
you if you want to reset the interface. Alternatively, you could just do a
'/usr/sbin/rcinet startup' (which, I'm fairly sure, is how netsetup resets
the interface).
This may have solved the problem, or perhaps I would also have needed to
remove the offender's entry in Steve's ARP cache (using the 'arp' command).
This may also not have solved the problem, as other network devices
(especially Steve's switch) may have 'learned' the offender's MAC address
as being correct for Steve's IP. We'd just have to wait for this learned
misinfomation to decay. Luckily, all the clients that Steve served were on
a different subnet, so they hadn't learned the wrong MAC address. I'm not
sure if Steve's switch did either, since everthing worked after reboot.
Oh, and finally: yes DHCP is a better way to manage IPs. In fact, DHCP is
what the offender SHOULD have been using, instead of picking random IPs,
but "It was late, and I couldn't get DHCP working, and I just thought...".
Sigh...
Thanks for all the help!
On to the responses:
From: Burch Seymour
------------------------------------------------------------
Hmm, I'd use arp -a to dump the current arp cache on steve, then delete
the entries for the IP address in question. You can restart the
networking stuff by just running netsetup and exiting immediately. It
will ask you if you want to restart networking. There are probably
other ways but that one is easy.
You could have problems with other things on the network caching the
wrong MAC address for the troubles IP address. I'm not sure how to,
or even if you can, send a command to everything on the net to
flush an old arp entry. I guess eventually things will time out and
go away on their own.
Sorry if this is all obvious stuff, but it's all I can think of at the
moment.
------------------------------------------------------------
From: Leonard, Roger
------------------------------------------------------------
going into netsetup and then exiting and answering yes to the restart
network question will reset your interfaces. this should clear your
problems.
------------------------------------------------------------
From:
------------------------------------------------------------
> Is there a way to configure Steve to be more contentious when it detects
> that his IP address had been stolen, and to continue to attempt to hold it?
It is not quite up to Steve: each time any of the hosts on the same subnet
want to talk to Steve's IP, they'll broadcast an ARP address query. If
Steve is the first to answer it, it will get the traffic. If it isn't,
it wont. If only relatively a few (unix) hosts want to communicate with
Steve, you can establish a static ARP entry for Steve's IP on all hosts
(see man arp).
> Was there a simpler solution that rebooting Steve? (Taking the ethernet
> interface tu0 down and then back up, for example?)
This is not very likely to help. You'll have to purge ARP caches on all
hosts on the same subnet wishing to communicate with Steve using
"arp -d steve's_ip". With properly implemented ARP caches, the learned
MAC addresses will decay after some time, but....
> The user claimed that she had used Steve's IP only briefly and only once,
> approx. 12 hours before Steve detected the dup IP and shut down his
> connection. Is this likely?
Unless you have a switch with security mode and learned MAC locking enabled,
not very much.
------------------------------------------------------------
From: Wendy Fong
------------------------------------------------------------
Sorry to tell you this, but wild users grabbing IP addresses at will and
disabling servers is a fact of life. The only thing that might help is a
Bay router. I am told that it shuts down the port being used when it
detects duplicate IPs. Cisco and 3Com will give random effects, and won't
take preventive action. I guess they figure you know what you are doing
and that the users are under control? Ha!
------------------------------------------------------------
From: Alan Angulo
------------------------------------------------------------
Have you considered using DHCP to assign ips? This way you will avoid
problems like the one you are having.
------------------------------------------------------------
--
Keith Piepho kap_at_uakron.edu
Technical Services (330) 972-6130
The University of Akron
Received on Tue Apr 20 1999 - 21:25:04 NZST