I know this is a serious long shot, but here we go.
In the past week or so, users connected to a particular switch in our network (there are four dumb switches all connected, and it only affects SOME, not all, users on the one switch) have been getting DHCP addresses from a rogue DHCP server.
I have physically checked every cable plugged into the switch in question to make sure that none of them have a router or wifi point attached to it. I know the IP of the DHCP server, but I cannot ping it, and it does not have a web interface.
Does anyone have any suggestions on what I can do to locate it or shut it down? Unfortunately all the switches are unmanaged, and as mentioned, there's no physical device (that I can find) plugged in to anything.
It's getting critical, because it's screwing up the PXE boot of a whole bunch of thin clients.
Try to nmap it using -O to detect the operating system; that may give you a better idea of what server it is. Also, running a standard port scan might help figure out what it is.
Farseeker: The only port open is 67 (or responding at least) :( I hadn't thought of nmap -O though! I'll give it a go.
Farseeker: Ahah! It was a Virtual Machine someone was running on their development machine. nmap had the info I needed in seconds. Brilliant!
Satanicpuppy: Wow, how fricking annoying is that. Completely unfindable.
Nick Kavadias: Looking at the MAC address to figure out the vendor would also have been a good way of knowing it was a virtual machine. Glad you got to the bottom of it :D
From Nick Kavadias
Well, you can always try to ping the crap out of it and check the blinky lights on the routers. =P
Does traceroute show you anything?
Farseeker: Hey, there's another idea I hadn't thought of. This is why I love ServerFault. Nothing in traceroute, as it's all on the one switched network.
From Satanicpuppy
The fact that you can't ping it isn't a problem.
(This procedure is mostly for managed switches, in the case of your dumb switches, it isn't as helpful, since you can't inspect the cam table... but anyway.)
- run ipconfig /all (or look at syslog), note the IP address listed for "DHCP Server". Generally this is the same as the default gateway.
- attempt to ping this ip address, ignore the result.
- run arp -a. The mac address listed for the IP is your rogue DHCP server.
So, in your case, you can't follow this up with locating the switchport and disabling it, but you could have at least looked up the mac address vendor and would have found that the vendor was something like vmware or virtualbox.
If you have a box lying around, you can install https://roguedetect.bountysource.com/ on it, which will notify you if a problem like this occurs in the future.
Farseeker: Interesting tool. We've got a VMware ESXi blade centre so I can deploy it on there with little system cost, which would certainly catch this in future. Thanks. (P.S. that site's certificate is expired.)
From Justin
Run Wireshark to get the MAC address of the server. It should at least tell you the manufacturer (MAC addresses are centrally allocated and each manufacturer is allocated a set of addresses).
From niXar -
I know this has already been solved but another means, when you really can't find the machine (knowing it's a VM doesn't tell you what host it's on) is to keep sending it DHCP requests and unplug each cable in turn till it shuts up. Sometimes you just have to get back to crude basics.
From John Gardeniers
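Justin's ipconfig / ping / arp procedure and John Gardeniers' "keep sending it DHCP requests" trick can be put into one script. The following is an added example written for this thread, not code from any of the answerers: it builds a DHCPDISCOVER, decodes every DHCPOFFER that comes back, flags any server identifier (option 54) that is not on your allowlist, and maps a MAC address (which you still get from `arp -a` / `ip neigh` / Wireshark, since a UDP socket never sees layer 2) to the well-known OUIs of virtual NICs. The sample OFFER (server 192.168.1.254 handing out 192.168.1.77) is constructed for the example and was not captured on the poster's network; the authorized-server list and the probe MAC are placeholders.

```python
"""Rogue DHCP probe: broadcast a DISCOVER, decode every OFFER, flag unknown servers.
Added example for this thread; not the posters' code. Run as root/admin with the
IP(s) of your legitimate DHCP server(s) as arguments, e.g.  python rogue_dhcp.py 10.0.0.1"""
import os
import random
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"                 # RFC 2131 options magic
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER = 1, 2                             # DHCP message types (option 53)
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_PARAM_REQ, OPT_END = 0, 53, 54, 55, 255

# Well-known OUIs (first three octets) of virtual NICs. A DHCP server whose MAC,
# as shown by `arp -a` or Wireshark, starts with one of these is almost certainly a VM.
VIRTUAL_OUIS = {
    "00:50:56": "VMware", "00:0c:29": "VMware", "00:05:69": "VMware", "00:1c:14": "VMware",
    "08:00:27": "VirtualBox", "00:15:5d": "Hyper-V", "52:54:00": "QEMU/KVM",
}


def build_message(op, xid, chaddr, options, yiaddr=b"\0\0\0\0", flags=0x8000):
    """Pack a BOOTP/DHCP frame: 236-byte fixed header, magic cookie, TLV options, END."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         op, 1, 6, 0, xid, 0, flags,             # htype=Ethernet, hlen=6
                         b"\0" * 4, yiaddr, b"\0" * 4, b"\0" * 4,  # ciaddr yiaddr siaddr giaddr
                         chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return header + MAGIC_COOKIE + body + bytes([OPT_END])


def build_discover(client_mac, xid):
    """DHCPDISCOVER with the broadcast flag set, requesting mask, router and DNS (1, 3, 6)."""
    return build_message(BOOTREQUEST, xid, client_mac,
                         [(OPT_MSG_TYPE, bytes([DISCOVER])), (OPT_PARAM_REQ, bytes([1, 3, 6]))])


def parse_options(data):
    """Walk the TLV option area into {code: value}; PAD is skipped, END stops the walk."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def parse_reply(data):
    """Decode the fields a rogue-server hunt needs: who answered and what it offered."""
    if len(data) < 240 or data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", data[:12])
    opts = parse_options(data[240:])
    server_id = opts.get(OPT_SERVER_ID)
    return {
        "op": op,
        "xid": xid,
        "msg_type": opts.get(OPT_MSG_TYPE, b"\0")[0],
        "offered_ip": socket.inet_ntoa(data[16:20]),                      # yiaddr
        "client_mac": ":".join(f"{b:02x}" for b in data[28:28 + hlen]),  # chaddr
        "server_id": socket.inet_ntoa(server_id) if server_id else None,  # option 54
    }


def classify(reply, authorized_servers):
    """'authorized' or 'ROGUE' for an OFFER; 'ignore' for anything else (incl. our own DISCOVER)."""
    if reply["op"] != BOOTREPLY or reply["msg_type"] != OFFER:
        return "ignore"
    return "authorized" if reply["server_id"] in authorized_servers else "ROGUE"


def mac_vendor(mac):
    """Map the OUI of a MAC string (arp -a prints 00-0c-29-..., Wireshark 00:0c:29:...)."""
    oui = mac.lower().replace("-", ":")[:8]
    return VIRTUAL_OUIS.get(oui, "unknown / physical vendor (check an OUI database)")


def sample_rogue_offer(xid=0x3903F326):
    """Constructed DHCPOFFER for the example (not a real capture): a server identifying
    itself as 192.168.1.254 offers 192.168.1.77 to client 00:11:22:33:44:55."""
    return build_message(BOOTREPLY, xid, bytes.fromhex("001122334455"),
                         [(OPT_MSG_TYPE, bytes([OFFER])),
                          (OPT_SERVER_ID, socket.inet_aton("192.168.1.254")),
                          (1, socket.inet_aton("255.255.255.0"))],
                         yiaddr=socket.inet_aton("192.168.1.77"))


def probe(authorized_servers, timeout=3.0):
    """Broadcast one DISCOVER and collect every OFFER that answers it within `timeout`.
    Binding UDP/68 needs root/admin and may clash with the host's own DHCP client."""
    xid = random.getrandbits(32)
    mac = b"\x02\x00" + os.urandom(4)      # locally administered, random probe MAC
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("", 68))
    s.settimeout(timeout)
    s.sendto(build_discover(mac, xid), ("255.255.255.255", 67))
    seen = []
    try:
        while True:
            data, (src_ip, _port) = s.recvfrom(2048)
            try:
                reply = parse_reply(data)
            except ValueError:
                continue
            if reply["xid"] == xid:            # only answers to our probe
                seen.append((src_ip, reply, classify(reply, authorized_servers)))
    except socket.timeout:
        pass
    finally:
        s.close()
    return seen


if __name__ == "__main__":
    import sys
    authorized = set(sys.argv[1:])   # placeholder: your real DHCP server IP(s)
    while True:                      # keep probing while someone unplugs cables one by one
        for src_ip, reply, verdict in probe(authorized):
            print(f"{verdict:10} server_id={reply['server_id']} src={src_ip} "
                  f"offered={reply['offered_ip']}")
            if verdict == "ROGUE":
                print("   -> look that IP up with `arp -a` / `ip neigh`, then mac_vendor(<mac>)")
```

Every OFFER answers our own transaction ID, so the loop keeps reporting the rogue for as long as it is still reachable; when the line goes quiet after a cable is pulled, you have found the port. The MAC lookup is deliberately separate: the DHCP payload only carries the client's hardware address, so the server's MAC has to come from the ARP cache or a capture, exactly as the answers above describe.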