IP address conflicts

Tim Aslat tim at spyderweb.com.au
Mon Sep 27 21:40:42 PDT 2004

In the immortal words of "Ted Mittelstaedt" <tedm at toybox.placo.com>...
> And, let me guess, most switches purchased at different times,
> different models, different number of ports, etc.

Very much so.

> And all of them on a single network, not broken up into small subnets
> - that is the first mistake.

Again, this is a legacy network that I am trying (within budgetary
constraints) to make a little more functional.

> Probably many of the predecessors didn't understand you can use cheap
> servers as routers.

I'm about the 4th or 5th successor to this network.  At least I've
managed to get rid of the last of the 10 base 2 stuff.

> What a nightmare.

You said it.

> Well, as these things go when you do finally catch one it's going to
> be the slowest and stupidest one of the lot.  When he gets expelled
> the rest of them are going to call an all-out war and get a lot more
> sophisticated a lot faster.

That's what I'm afraid of.

> It's not the number of switches that matter it's the number of active
> ports.  50 what, 8 port switches?  or 24 port switches?

Approximately 30 24 port switches, and a mix 'n' match of 8 - 48 port
units.  Being a legacy network, it's not what you would call

> Of course, there are some other ways of handling this too.  "Oppps,
> looks like another switch died, we are just having a rash of these
> failures lately!
> Must be bad power.  And amazing - it's the switch that the head of the
> Engineering department and his staff are using!  Guess they will just
> have to go without since we don't have the money for new switches" 
> It's amazing how money will appear out of thin air if certain oxen get
> gored.

I'm tempted to try it.  However, the bureaucracy in this place is
incredible.  They would rather cannibalise a smaller part of the network
than just buy a new router/switch/whatever.

> If you do go this route then screw the desktop switches, get yourself
> some decent slotted hubs.  You want a much higher port density than
> the crummy 24 in a typical rack mounted switch.  Besides that, the
> switch vendor is gonna want to use your school as an example of how to
> do things right. Remember, if you're going to go begging then you need
> to beg for the best stuff they have.

Anything in particular that you would recommend?

> You need to replace every single switch.  When one of these bozos
> assumes a server IP number, he's going to most likely use a different
> MAC address. You need to be able to query the mac table in the switch
> to see what port that address is coming in from.

There are some parts of the network that are completely under my control
(staff areas and such) so I could probably get away without changing
those ones for the time being and get the managed switches for the
areas that it's more likely to come from.

> Later on, when you have expelled a few of them, they are going to cop
> wise and start using the SAME mac address of your server, either with
> the same IP number or a different IP number.  At that point, you're
> going to need to use the filters provided in good switches so that the
> switches will only allow the MAC addresses of your servers to come in
> to the physical port that is plugged into those servers.  (or the
> physical port that is plugged into the uplink port)

Looks like I'm going to be caught between a rock and a hard place for a
while til I can swing the budget in my favour.  Maybe I can blame
someone else for it and get some cash shuffled back to IT where it

> If the logon server is being interfered with by the kiddies, then
> nobody can logon and get the settings.

Good point.

> And, until you get the decent switches online, as soon as the kiddies
> realize you are on to them, they are going to start coming all over
> themselves with excitement to play the "Let's see if I'm smarter than
> the admin" game.

I'll just have to be smarter than them, or faster.  That's why I'm
asking for help here.  At least I'm finally moving away from the NT
servers that were here, and replacing them with FreeBSD.  Only 2 more to
go and I'm MS Free, at least as far as the servers are concerned, which
should make my job a bit easier.

> It's like the original Star Wars movie.  They had to break the tractor
> beam at its source, not at the central computer where someone could
> just lock it back on.

Very good point.

> You can maybe distribute the initial batch file with the static arp in
> it one time - that of course will let the kiddies know that
> something's up. They won't give you a second chance so you better have
> a whole collection of arp entries in that batch file.

True, however it's only 1% or less of the kids I have to watch out for,
the rest haven't got enough clue to be a real problem.

> Eventually you're going to be forced into getting more intelligent
> switches. What you're going to have to do is put 1 of them at each
> uplink point - such as at the entry point of each building, if that is
> how you're laid out - and then put MAC filters into them.

None of this network is standardised, some buildings switches are in a
central location, others are in the building itself, some are even daisy
chained through different buildings.  It's a nightmare.

> When that is done at least you can contain it - if the kiddie is doing
> a MAC spoof then he's going to be isolated to the building that all
> the dumb hubs and switches are on that he is in and all the users in
> that building will be trashed - but at least the rest of the school
> won't be.

This might be a good stopgap measure in this case, definitely better
than setting up the arp tables manually.

> Right now you have it at the early stages.  The people you're battling
> are probably so stupid they are using Windows boxes and just changing
> the IP, and don't know the difference between a MAC spoof and a horse
> hoof.

Thankfully, I think you are right.  I just want to be a step or three
ahead of these people.

> But once you realize this is a layer-2 battle, and start fighting them
> effectively on the MAC front, they are going to learn quick.  You're a
> lot more vulnerable than you realize.  There's quite a lot that a
> knowledgeable network cracker can do to tear apart a network held
> together with bandaids and baling wire.  You need to start banging
> the drum now for an immediate cash infusion, because a year from now
> when the network is offline for long periods and people are desperate,
> you won't have any credibility unless you have been predicting doom
> for a long enough time that their brains remember you have been doing
> it.

Should I get a sandwich board made up with "The End of the World is
NIGH" written on it?   It might work, it's a private/catholic school.  
Perhaps predictions of Armageddon would be better...... I might even be
able to dig up a few horsemen :)

Thanks for the suggestions, I'm sure I can implement most of them fairly
quickly, the rest might have to wait for next year's budget.



Tim Aslat <tim at spyderweb.com.au>
Spyderweb Consulting
Phone: +61 0401088479
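
Added example, not part of the original message: the thread's point that someone who assumes a server IP will most likely show a different MAC, and may later reuse the server's MAC, can be checked from any host by comparing `arp -an` output with a pinned IP-to-MAC list. The addresses, the interface name and the `check_arp` function are constructed for illustration; the sample lines follow FreeBSD's `arp -an` output format.

```shell
#!/bin/sh
# Added example (not from the original thread): compare the ARP cache with
# a pinned IP-to-MAC list for the servers. All addresses are constructed.

# Pinned table, one "IP MAC" pair per line.
PINNED='192.0.2.10 00:00:5e:00:53:0a
192.0.2.11 00:00:5e:00:53:0b'

# Constructed sample in FreeBSD `arp -an` output format.
SAMPLE_ARP='? (192.0.2.10) at 00:00:5e:00:53:0a on em0 permanent [ethernet]
? (192.0.2.11) at 00:00:5e:00:53:99 on em0 expires in 1187 seconds [ethernet]
? (192.0.2.50) at 00:00:5e:00:53:0a on em0 expires in 900 seconds [ethernet]
? (192.0.2.60) at (incomplete) on em0 expired [ethernet]'

# check_arp PINNED_TABLE < arp-output
# Prints IP_CONFLICT when a pinned IP answers with another MAC, and
# MAC_REUSE when a pinned MAC shows up behind an IP that is not pinned.
check_arp() {
    { printf '%s\n--\n' "$1"; cat; } | awk '
    $0 == "--" && !in_arp { in_arp = 1; next }   # end of pinned table
    !in_arp {
        if (NF == 2) { want[$1] = tolower($2); owner[tolower($2)] = $1 }
        next
    }
    $3 == "at" {
        ip = $2; gsub(/[()]/, "", ip)
        mac = tolower($4)
        if (mac !~ /^[0-9a-f:]+$/) next          # skip "(incomplete)" entries
        if (ip in want) {
            if (want[ip] != mac)
                printf "IP_CONFLICT %s expected=%s seen=%s\n", ip, want[ip], mac
        } else if (mac in owner)
            printf "MAC_REUSE %s mac=%s belongs_to=%s\n", ip, mac, owner[mac]
    }'
}

# Demo on the sample; on a live host use: arp -an | check_arp "$PINNED"
printf '%s\n' "$SAMPLE_ARP" | check_arp "$PINNED"
```

This only sees what the checking host has in its own ARP cache, so it complements rather than replaces querying the MAC table on a managed switch to find the offending port.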
