Denial of Service- what could cause this?

[fenstrat]

We have been experiencing problems on our student network where 2 mac addresses (one wireless, one cat5) are telling the rest of the computers on the network that they have the IP address used by the other computers. Every computer on the network gets the following errors:

The wireless Mac shows up more frequently, but they are each present in all attacks. The attacks would last for only about 10 minutes at a time then the computer went offline, making it difficult to trace the mac to a switchport. I finally did trace it back and disabled the port. Does anyone know what kind of attack this is, what causes it, programs that can do this, and possible ways to avoid it in the future?

Thanks

Event Type: Error
Event Source: Tcpip
Event Category: None
Event ID: 4199
Date: 11/12/2004
Time: 3:40:42 PM
User: N/A
Computer: PUCK
Description:
The system detected an address conflict for IP address 172.25.10.10 with the system having network hardware address 00:04:23:5C:2E:70. Network operations on this system may be disrupted as a result.


0000: 00 00 00 00 03 00 50 00 ......P.
0008: 00 00 00 00 67 10 00 c0 ....g..À
0010: 00 00 00 00 00 00 00 00 ........
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........

And :

Event Type: Error
Event Source: Tcpip
Event Category: None
Event ID: 4199
Date: 11/12/2004
Time: 3:38:21 PM
User: N/A
Computer: PUCK
Description:
The system detected an address conflict for IP address 172.25.10.10 with the system having network hardware address 00:02:3F:63:C4:43. Network operations on this system may be disrupted as a result.


0000: 00 00 00 00 03 00 50 00 ......P.
0008: 00 00 00 00 67 10 00 c0 ....g..À
0010: 00 00 00 00 00 00 00 00 ........
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........

 

[MichealC4]

Very interesting. I haven't seen that before. Do you have an IDS on your network? If not, I highly recommend you get one. Snort is a good one. I'll do some looking around. Do your switches have any logs that would be of help? Does your network have DHCP, or are static IP addresses assigned?

----------------------------
"Security is like an onion" - Unknown

 

[fenstrat]

We are currently not running snort, possibly in the future but we don't have the resources to manage it right now. We use NetReg DHCP but the client causing the problem did not register. The only thing I was using on the switch was the mac-address-table which doesn't last very long so a few minutes after he shut down his computer the evidence was gone.

 

[MichealC4]

http://www.networkpenetration.com/dhcp_flaws.html

That's the only thing I can find at the moment. I think once you can get snort or tcpdump up, and logging packets during the attack, that will help significantly in tracking this down.

----------------------------
"Security is like an onion" - Unknown

 

[casalicious]

Possible use of Ettercap? Defo get your tcpdump on the go and also use Ethereal to filter traffic specifically for the source etc.

 

[fenstrat]

Found the problem:

A student had a laptop with both a wireless and ethernet card and network bridging setup between them. The problem was happening when both cards were connected to the network. I have seen articles that many schools have seen the same problem and that enabling port fast and bdpu guard on the ports can help prevent this.

Thanks

 

[Decryptk33p3r]

It sounds to me like you have the same user doing wireless & connecting to the LAN wired, if this is the case then what you have now is a bridged loop in the network & that can storm your network to a crawl, just like a DOS attack.

 

[fenstrat]

Correct, I set up bdpu guard to err disable the port for 6 minutes in the future. Seems to be working good.

 

[Decryptk33p3r]

Sorry I was a little late. Glad you resolved the problem.