
Re: colliding ip detection!

To: Greg Simpson <gws@xxxxxxxxxxxxxxxxxxx>
Subject: Re: colliding ip detection!
From: "Michael H. Warfield" <mhw@xxxxxxxxxxxx>
Date: Fri, 10 Nov 2000 14:54:14 -0500
Cc: netdev@xxxxxxxxxxx
In-reply-to: <Pine.LNX.4.10.10011101305010.28069-100000@xxxxxxxxxxxxxxxxxxx>; from gws@xxxxxxxxxxxxxxxxxxx on Fri, Nov 10, 2000 at 01:17:21PM -0500
Mail-followup-to: Greg Simpson <gws@xxxxxxxxxxxxxxxxxxx>, netdev@xxxxxxxxxxx
References: <3A0C2838.99F67A2E@xxxxxxxxxxxxxxxxx> <Pine.LNX.4.10.10011101305010.28069-100000@xxxxxxxxxxxxxxxxxxx>
Sender: owner-netdev@xxxxxxxxxxx
User-agent: Mutt/1.3.2i
On Fri, Nov 10, 2000 at 01:17:21PM -0500, Greg Simpson wrote:

> One of my friends was just complaining to me about how his inetd was
> acting up.. '2.2.16 #97 Fri Jun 16 19:45:30 PDT 2000 i486 unknown'.

> (#97? I don't have any idea why.. :)

> Of course, when he took it offline and noticed that it was still returning
> pings, he realized that he was using the same ip address as another
> machine outside of his group. This reminded me that on other networks I
> have been on, I have found someone else using the same ip address.

> M$-windows of course pops up a friendly dialog box, indicating that the ip
> has been detected in use by someone else, and courteously disables that
> ethernet interface for you :) :)

        M$ farts out prodigious numbers of broadcast packets and expects
to see prodigious numbers of broadcast packets.  It spots the fact that
someone else sends out a packet with your IP address in the src address.
(at least that's one way they detect it).  Amusing random acts of terrorism
can result including some spectacular denial of service attacks (think
about it for a second).

> The question:

> linux does not seem to indicate if anyone else answers arp requests for
> its own ip's (correct me if i am wrong); how does one tell if the ip is in
> use [short of unplugging the box or querying someone else's arp tables :)
> :)]?

        Detecting the arp replies would not work on a switched network.
You generally need to see another system (one with a MAC address you
don't own) claiming to be an IP address which you claim.  On a switched
network, this generally must be a broadcast packet and you examine the
source IP and source MAC (consider the case where YOU have two network
cards on the same cable - this can be a non-trivial exercise with
unexpected surprises).

        Keying off of arp replies or broadcast packet source addresses
opens up some nasty DoS attacks.  I could just flood the network with
fake packets claiming to be different MAC addresses and IP addresses of
systems I want to shut down.  Do it with Windows named datagrams (UDP port
137) and older windows systems just fall over very nicely and hit the floor.
It's tougher to do with newer Windows systems and there are much more fun
games you can play with the name caches instead.

> I would think a syslog entry would be most helpful to a lot of people on
> dhcp-run networks!

        Dhcpd (at least the ISC one) attempts to ping the address before
assigning a lease.  If it gets a ping response, the address is flagged
as "abandoned" in the leases file.  Hijacked addresses are thus avoided
and not leased out.  Then, when you find your leases file full of abandoned
entries, you get to track down the guilty parties and deliver a rubber hose
IP release datagram to them.  Repeatedly.  :-)

> -g

        Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw@xxxxxxxxxxxx
  (The Mad Wizard)      |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
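The detection rule Mike describes (a frame whose sender IP is one of ours but whose sender MAC is not one of ours, with every MAC of this host whitelisted so two NICs on the same cable do not alarm on each other) and the DoS caveat in the following paragraph, worked through as an added example; this is not code from the thread or from any Linux component. It parses raw Ethernet/ARP frames constructed inline, reports each conflicting (IP, MAC) pair once in a syslog-style line, and, where an implausible number of distinct MACs claim the same address, labels the condition as a probable ARP flood instead of a real conflict, so a consumer that reacts (the Windows-style "disable the interface" behaviour) is not handed a trivial way to be shut down. The IPs (192.0.2.0/24) and locally-administered MACs (02:...) are constructed sample values; the flood threshold of 8 is an assumed tuning knob.

```python
import struct
from dataclasses import dataclass

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ETH_BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_to_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


@dataclass
class ArpFrame:
    eth_src: str
    eth_dst: str
    opcode: int
    sender_mac: str
    sender_ip: str
    target_ip: str


def parse_arp_frame(frame: bytes):
    """Decode Ethernet II + IPv4-over-Ethernet ARP; None for anything else,
    so a capture loop can push every frame through without pre-filtering."""
    if len(frame) < 42:                       # 14-byte Ethernet + 28-byte ARP
        return None
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return ArpFrame(mac_to_str(src), mac_to_str(dst), op,
                    mac_to_str(sha), ip_to_str(spa), ip_to_str(tpa))


def build_arp_frame(eth_src, opcode, sender_mac, sender_ip, target_ip,
                    eth_dst=ETH_BROADCAST, target_mac="00:00:00:00:00:00"):
    """Build a frame from constructed sample values (not captured traffic)."""
    def mac(s): return bytes.fromhex(s.replace(":", ""))
    def ip(s): return bytes(int(o) for o in s.split("."))
    eth = struct.pack("!6s6sH", mac(eth_dst), mac(eth_src), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, opcode,
                      mac(sender_mac), ip(sender_ip), mac(target_mac), ip(target_ip))
    return eth + arp


class ConflictDetector:
    """Flag ARP sender fields claiming one of our IPs from a MAC we don't own.
    own_macs holds every MAC of this host, so a second NIC on the same cable
    is recognised as us rather than as a colliding station."""

    def __init__(self, own_ips, own_macs, flood_threshold=8):   # threshold: assumed value
        self.own_ips = set(own_ips)
        self.own_macs = {m.lower() for m in own_macs}
        self.flood_threshold = flood_threshold
        self.claimants = {}          # our IP -> set of foreign MACs seen claiming it
        self.reported = set()        # (ip, mac) pairs already logged once

    def observe(self, frame: bytes):
        arp = parse_arp_frame(frame)
        if arp is None or arp.sender_ip not in self.own_ips:
            return None
        if arp.sender_mac in self.own_macs and arp.eth_src in self.own_macs:
            return None                          # one of our own interfaces talking
        foreign = self.claimants.setdefault(arp.sender_ip, set())
        foreign.add(arp.sender_mac)
        if len(foreign) >= self.flood_threshold:
            # Many different MACs for one address is spoofing, not a real collision.
            return {"kind": "flood", "ip": arp.sender_ip, "claimants": len(foreign)}
        key = (arp.sender_ip, arp.sender_mac)
        if key in self.reported:
            return None                          # one log line per conflict, not per packet
        self.reported.add(key)
        return {"kind": "conflict", "ip": arp.sender_ip, "mac": arp.sender_mac,
                "opcode": arp.opcode}


def syslog_line(event) -> str:
    """Render an event as the syslog entry the thread asks for."""
    if event["kind"] == "conflict":
        return (f"ip-conflict: {event['ip']} also claimed by {event['mac']} "
                f"(arp opcode {event['opcode']})")
    return (f"ip-conflict: {event['ip']} claimed by {event['claimants']} distinct MACs; "
            "treating as ARP flood/spoofing, not a real conflict")


if __name__ == "__main__":
    det = ConflictDetector(["192.0.2.10"], ["02:00:00:00:00:01", "02:00:00:00:00:02"])
    frames = [
        build_arp_frame("02:00:00:00:00:02", ARP_REPLY, "02:00:00:00:00:02", "192.0.2.10", "192.0.2.1"),
        build_arp_frame("02:00:00:00:00:aa", ARP_REQUEST, "02:00:00:00:00:aa", "192.0.2.10", "192.0.2.10"),
    ]
    for ev in filter(None, (det.observe(f) for f in frames)):
        print(syslog_line(ev))
```

Feeding this from a live interface needs only a raw-socket or pcap loop handing each frame to `observe()`; the rule deliberately inspects the ARP sender fields rather than waiting for replies to our own requests, which, as the mail notes, a switch would never show us.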

