LinuxQuestions.org
Old 11-05-2003, 12:28 AM   #1
J_Szucs
Non-existing IP addresses making connections?


I ran 'netstat -r' on one of our internal LAN gateways in the night (after several idle hours of our LAN), and it gave an unexpected result:
192.168.1.2 pollux UGHD 0 6 rl0
(the above line repeated with 12 different IP addresses in the 192.168.1.1/24 range)

I wonder how these IP addresses can make connections, since these IP addresses are valid, but unused on our LAN, i.e. they are not assigned to any machines!

We use static IP addresses, but only in the IP address range 192.168.0.1/24.
IP address range 192.168.1.1/24 belongs to a non-existing subnet routed through an idle internal gateway server, named pollux.
That subnet actually does not exist, as there is nothing connected to the second interface of pollux.
Pollux itself should not make any connections, either, since it was only built for test purposes, and it should be idle since its last reboot. (There are services like sendmail, samba, pop3, ssh installed on pollux for test purposes, but they are not used by anyone since even the existence of this server is not known to any users on our LAN.)

I do not think that pollux would be corrupted, since it is inside our LAN; it should be efficiently separated from the internet by our internet firewall, especially as it never makes connections to the internet.
Besides, pollux, through which the 192.168.1.1/24 subnet is routed, does not seem to know about these connections, or at least 'netstat -r' does not list them there.

Could you give me an idea what is happening there? How can I trace down the source of these connections?

P.S.
I have just noticed that one user left his machine on for the night. It is a WinXP.
Can it make connections using IPs other than its own static IP?

Last edited by J_Szucs; 11-05-2003 at 01:04 AM.
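One way to triage entries like the ones quoted above, as an added example that is not from the thread: FreeBSD's netstat(1) marks a route created dynamically by an ICMP redirect with the D flag, so a small parser can pick out such host routes, where they point, and whether they carried traffic. The sample table is constructed from the lines quoted in the thread, and the "expected" prefixes are the two the poster names; both are assumptions.

```python
import ipaddress

# Constructed sample (not a real capture), BSD column order
# Destination Gateway Flags Refs Use Netif; flag letters per FreeBSD
# netstat(1): U up, G gateway, H host, S static, D created by redirect, C/c cloning
SAMPLE = """\
Destination     Gateway   Flags Refs Use Netif
default         dmx       UGSc  0    0   rl0
localhost       localhost UH    0    0   lo0
192.168.1.2     pollux    UGHD  0    6   rl0
192.168.1.7     pollux    UGHD  0    3   rl0
192.168.226/29  link#1    UC    0    0   rl0
"""

def parse_routes(text):
    """One dict per data line; the header line is skipped."""
    routes = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 6:
            continue
        dest, gw, flags, _refs, use, netif = parts[:6]
        routes.append({"dest": dest, "gateway": gw, "flags": set(flags),
                       "use": int(use), "netif": netif})
    return routes

def to_network(dest):
    """Expand BSD's abbreviated destinations ('192.168.1' -> 192.168.1.0/24,
    '192.168.226/29' -> 192.168.226.0/29); names like 'default' give None."""
    addr, _, plen = dest.partition("/")
    octets = addr.split(".")
    if not all(o.isdigit() for o in octets):
        return None
    if not plen:
        plen = "32" if len(octets) == 4 else str(8 * len(octets))
    addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{addr}/{plen}", strict=False)

def redirect_routes(routes, expected_prefixes):
    """Routes carrying the D flag whose destination lies outside every prefix
    the LAN is expected to use; a non-zero 'use' means packets actually went there."""
    expected = [ipaddress.ip_network(p) for p in expected_prefixes]
    flagged = []
    for r in routes:
        net = to_network(r["dest"])
        if "D" in r["flags"] and net is not None \
                and not any(net.subnet_of(e) for e in expected):
            flagged.append(r)
    return flagged
```

Run it against the real output of netstat -r on the gateway and compare the gateway column of the flagged routes with the default router's static routes; a redirect-created route always names the router that the default router pointed the host at.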
 
Old 11-05-2003, 02:06 AM   #2
DavidPhillips
Strange, but it does not sound like connections. It sounds like a routing table. Why it is incrementing the destination is a mystery.

The only thing that comes to mind is that a daemon such as gated or routed may be destroying the route due to inactivity and creating a new one.

If that's it maybe you can tag the route as passive.


Other than that I don't have a clue.

Last edited by DavidPhillips; 11-05-2003 at 02:09 AM.
 
Old 11-05-2003, 03:19 AM   #3
Thewyzewun
A second possibility is that the address is being spoofed, with a tool such as dsniff (assuming it is a switched LAN).
 
Old 11-05-2003, 03:24 AM   #4
DavidPhillips
netstat -r shows the routing table, not connections.
 
Old 11-05-2003, 03:28 AM   #5
Thewyzewun
Oh right, hehe - classic mistake of a native Windows user.
 
Old 11-05-2003, 04:03 AM   #6
peter_robb
Do you have anything like arpwatch running on the LAN gateway?

Samba on Pollux has to do the broadcast thing every 12 mins and it's quite possible to detect what it is offering on the unused interface if it is up.
Something like arpwatch would detect that and add it to its cache.
Type arp on the LAN gateway to see who it knows.

And if Pollux is up all the time, it would become the Master Browser by default...
 
Old 11-05-2003, 09:25 AM   #7
carstenson
You might want to check the routing table on pollux. Sounds like it is transmitting this (using rip, ospf, etc.) and your gateway is receiving it.
 
Old 11-05-2003, 09:38 AM   #8
CEdstrom
Scan your windoze machines for viruses. An incrementing IP scan is a signature of recent viruses released over the past couple of months.

Otherwise, how is this machine connected to the internet? My cable provider uses 10.x.x.x for internal use and that conflicted with my network so I had to change to 192.168.x.x. Since installing a router those addresses are blocked.
 
Old 11-05-2003, 10:35 AM   #9
J_Szucs
I checked the routing table of pollux (netstat -r):

default dmx UGSc 0 0 dc0
localhost localhost UH 0 0 lo0
192.168.1 link#2 UC 0 0 ed0 =>
192.168.226/29 link#1 UC 0 0 dc0 =>

This morning (8 hours ago) I restarted pollux, I do not know if this made any changes to its routing tables...
Anyway, the routes on castor (those mentioned in my first post) to the IP address range 192.168.1/24 remained untouched.

You may have noticed that pollux has no static routes to other servers (gateways) on our LAN, only to the default router. There are no static routes to pollux on other servers, either. It is because I did (do) not know how to add those routes 'on the fly' and I did not want to restart all servers just to add the routes.
Anyway, the default router has the static route to pollux, so all should be fine.
Strangely enough, the default router (and internet gateway) dmx does not have the separate routes to the IP addresses in the 192.168.1/24 subnet, either; it only has the static route to 192.168.1/32.

Now I think that you are right, and this thing may be due to samba, which does broadcasts even if a server is idle. (Both pollux and castor run samba.)

I have, however, another question, not closely related to the original question.
I suspect that the servernet connecting all of our servers together, is not correctly configured, as one of the servers is configured to see a different netmask:
dmx 192.168.226.1/27 (this is the internet gateway and default router on our LAN)
castor 192.168.226.2/29
pollux 192.168.226.5/29
all other servers: 192.168.226.x/29
As a result, I think dmx uses a different broadcast address than the other servers on the servernet.
Does this result in any problems?

(The network was setup by someone else who was regarded as a network guru, and I - the noob - did not dare to touch it so far)

As for our network connection: it is an mdsl connection. We have a firewall which does NAT, and I also provided it with rules against IP spoofing (e.g. incoming and outgoing private network IPs are denied, together with the oip/onetmask in via iif).

Last edited by J_Szucs; 11-05-2003 at 02:25 PM.
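The netmask question can be checked numerically; this is an added example, not from the thread, built only from the three interfaces the post lists. A host accepts as broadcast only its own subnet's directed broadcast (and 255.255.255.255), and it ARPs directly only for addresses inside its own prefix, so the script reports where the hosts disagree on both counts.

```python
import ipaddress
from itertools import permutations

# Constructed from the interface list given in the post (names and
# prefixes as quoted; no other hosts assumed)
SERVERNET = {
    "dmx": "192.168.226.1/27",
    "castor": "192.168.226.2/29",
    "pollux": "192.168.226.5/29",
}

def broadcast_of(cidr):
    """Subnet-directed broadcast address an interface with this prefix uses."""
    return str(ipaddress.ip_interface(cidr).network.broadcast_address)

def broadcast_groups(hosts):
    """Which hosts share a broadcast address; more than one group means a
    broadcast from one group looks like plain unicast to the others."""
    groups = {}
    for name, cidr in hosts.items():
        groups.setdefault(broadcast_of(cidr), []).append(name)
    return groups

def unrecognized_broadcasts(hosts):
    """(sender, receiver, address) where the receiver's own broadcast address
    differs, so it will not accept the sender's broadcast as its own."""
    return [(a, b, broadcast_of(hosts[a])) for a, b in permutations(hosts, 2)
            if broadcast_of(hosts[a]) != broadcast_of(hosts[b])]

def onlink_disagreements(hosts):
    """Addresses that only some hosts treat as directly reachable; the rest
    would hand packets for them to their default gateway instead of ARPing."""
    nets = {n: ipaddress.ip_interface(c).network for n, c in hosts.items()}
    candidates = set()
    for net in nets.values():
        candidates.update(net.hosts())
    result = {}
    for addr in sorted(candidates):
        onlink = sorted(n for n, net in nets.items() if addr in net)
        if len(onlink) != len(nets):
            result[str(addr)] = onlink
    return result
```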
 
Old 11-05-2003, 10:44 AM   #10
carstenson
You certainly want to be cautious about any changes on a network, especially if you didn't originally set it up.

I can't see any reason that there should be a different netmask. I don't want to question a "guru", but I would have kept the netmask at /24 just to make subnetting easier. There are enough 192.168. addresses to handle this.

I would think that different broadcast addresses could certainly cause some strangeness like you are reporting. HTH.