[783] in resnet
Re: Rerouting of ResNet traffic
daemon@ATHENA.MIT.EDU (Eric Rosenberry)
Thu Feb 7 00:57:26 2002
Message-ID: <006f01c1af99$afbfe350$6701a8c0@ericrmobl>
Date: Wed, 6 Feb 2002 21:38:34 -0800
Reply-To: Resnet Forum <RESNET-L@listserv.nd.edu>
From: Eric Rosenberry <eric@ROSENBERRY.ORG>
To: RESNET-L@listserv.nd.edu
In-Reply-To: <NDBBIGEEGLOCOICPMEGIAEKJCHAA.randallw@hawaii.edu>
Are your clients getting assigned an IP address from a different subnet
than you normally use (i.e. 192.168.x.x)?

I am guessing that it might not be intentional. I first thought that
this user might be running RIP or something and that the other users'
machines were somehow getting routes to use his machine as the gateway.
After thinking about that one for a minute I doubt it is the case.

A better guess would be that his machine is responding to ARP requests
for the router's IP address for some reason. I have seen a 98 machine
before that was responding to ALL ARP requests (and causing IP conflicts
with all 1024 machines in the subnet).

The following is useful information: (I am not sure if all the commands
are the same on 98, these are what I do on Windows NT, 2k, and XP)

Do an "ipconfig /all"
Do a ping to some IP address not on your subnet. (to get the router's MAC
address in the ARP cache)
Do an "arp -a"
Do a "route print"

What is the offending user's MAC address?
What is your router interface's MAC address?

-Eric

-----Original Message-----
From: Resnet Forum [mailto:RESNET-L@listserv.nd.edu] On Behalf Of
Randall Watanabe
Sent: Wednesday, February 06, 2002 7:26 PM
To: RESNET-L@listserv.nd.edu
Subject: Rerouting of ResNet traffic
Ran into a strange problem yesterday and I am appealing to this group for
some help...

Long story short, basically one of the residents on our network appears to
have had all of our traffic getting routed to him before passing along to
our "real" router. We noticed this when tracerts from several ResNet
computers were getting routed to one of our DHCP assigned addresses before
hitting the router. Occasionally, the tracert would show it passing through
the real router's IP address twice before moving along.

When we disconnected the port we tracked the problem to, we lost all
connectivity for a short period then everything went back to normal. I'm
thinking that somehow the resident had set up a router with the IP of our
real router, but my big question is if it was an intentional malicious act
(perhaps to sniff packets) or if it could have conceivably been an
accident.

If anyone has had any kind of experiences like this or may know of how it
happened, I'd really appreciate it. For the sake of brevity I omitted a lot
of details but can provide them if they are relevant. Thanks!

Randall Watanabe
Resnet Computer Specialist
UH Student Housing Services
randallw@hawaii.edu
___________________________________________________
You are subscribed to the ResNet-L mailing list.
To subscribe, unsubscribe or search the archives,
go to http://LISTSERV.ND.EDU/archives/resnet-l.html
___________________________________________________
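
The comparison requested in the reply above (the router's MAC address against what an affected client holds in its ARP cache) can be scripted. The following is an added example, not part of the original thread: it parses saved Windows "arp -a" output and flags a gateway entry whose MAC differs from the known router MAC, as well as any MAC answering for several IP addresses. The sample output, the addresses and the function names are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of Windows "arp -a" output; all addresses are made up.
SAMPLE_ARP = """\
Interface: 10.20.0.57 --- 0x2
  Internet Address      Physical Address      Type
  10.20.0.1             02-00-5e-10-00-99     dynamic
  10.20.0.14            02-00-5e-10-00-99     dynamic
  10.20.0.23            02-00-5e-10-00-99     dynamic
  10.20.0.88            02-00-5e-10-00-42     dynamic
  10.20.3.255           ff-ff-ff-ff-ff-ff     static
"""

ENTRY = re.compile(
    r"^[ \t]*(\d{1,3}(?:\.\d{1,3}){3})[ \t]+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})[ \t]+(\w+)",
    re.IGNORECASE | re.MULTILINE,
)

def norm(mac):
    """Lower-case a MAC and use '-' separators so formats compare equal."""
    return mac.lower().replace(":", "-")

def parse_arp(text):
    """Return (ip, mac) for dynamic entries; static rows are skipped."""
    return [(ip, norm(mac)) for ip, mac, kind in ENTRY.findall(text)
            if kind.lower() == "dynamic"]

def audit(text, gateway_ip, router_mac, max_ips_per_mac=1):
    """Flag a gateway entry with the wrong MAC and MACs answering for many IPs."""
    findings = []
    by_mac = defaultdict(list)
    for ip, mac in parse_arp(text):
        by_mac[mac].append(ip)
        if ip == gateway_ip and mac != norm(router_mac):
            findings.append(("gateway-mismatch", mac, [ip]))
    for mac, ips in by_mac.items():
        if len(ips) > max_ips_per_mac:
            findings.append(("mac-claims-many-ips", mac, sorted(ips)))
    return findings

if __name__ == "__main__":
    # Assumed values: gateway 10.20.0.1, router interface MAC 02-00-5e-10-00-01.
    for finding in audit(SAMPLE_ARP, "10.20.0.1", "02:00:5E:10:00:01"):
        print(finding)
```

A MAC that legitimately answers for several addresses (a router doing proxy ARP, for instance) will also be reported, so raise max_ips_per_mac or exclude known devices where that applies.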