LinuxQuestions.org > Linux - Networking > Non-existing IP addresses making connections?
(https://www.linuxquestions.org/questions/linux-networking-3/non-existing-ip-addresses-making-connections-112517/)

J_Szucs 11-04-2003 11:28 PM

Non-existing IP addresses making connections?
 
I ran a 'netstat -r' on one of our internal LAN gateways at night (after several idle hours on our LAN), and it gave an unexpected result:
192.168.1.2 pollux UGHD 0 6 rl0
(the above line repeated with 12 different IP addresses in the 192.168.1.1/24 range)

I wonder how these IP addresses can make connections, since these IP addresses are valid, but unused on our LAN, i.e. they are not assigned to any machines!

We use static IP addresses, but only in the IP address range 192.168.0.1/24.
IP address range 192.168.1.1/24 belongs to a non-existing subnet routed through an idle internal gateway server, named pollux.
That subnet actually does not exist, as there is nothing connected to the second interface of pollux.
Pollux itself should not make any connections, either, since it was only built for test purposes, and it should be idle since its last reboot. (There are services like sendmail, samba, pop3, ssh installed on pollux for test purposes, but they are not used by anyone since even the existence of this server is not known to any users on our LAN.)

I do not think that pollux would be corrupted, since it is inside our LAN; it should be efficiently separated from the internet by our internet firewall, especially since it never makes connections to the internet.
Besides, pollux, through which the 192.168.1.1/24 subnet is routed, does not seem to know about these connections, or at least 'netstat -r' does not list them there.

Could you give me an idea of what is happening there? How can I trace down the source of these connections?

P.S.
I have just noticed that one user left his machine on for the night. It is a WinXP.
Can it make connections using IPs other than its own static IP?

DavidPhillips 11-05-2003 01:06 AM

Strange, but it does not sound like connections. It sounds like a routing table. Why it is incrementing the destination is a mystery.

The only thing that comes to mind is that a daemon such as gated or routed may be destroying the route due to inactivity and creating a new one.

If that's it maybe you can tag the route as passive.


Other than that I don't have a clue.

Thewyzewun 11-05-2003 02:19 AM

A second possibility is that the address is being spoofed, with a tool such as dsniff (assuming it is a switched LAN).

DavidPhillips 11-05-2003 02:24 AM

netstat -r shows the routing table, not connections.
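The distinction above matters for the output quoted in the first post, so here is an added example (not part of the thread, and not the poster's code) that parses BSD-style 'netstat -r' lines and decodes the flag letters using FreeBSD's netstat(1) flag key. The two tables embedded in it are constructed from what the thread quotes: castor's repeated 'UGHD' host routes (only one line was pasted, so the extra lines are made-up repeats of the same form) and pollux's table from a later post. Per netstat(1), 'D' means the kernel installed the route itself on receipt of an ICMP redirect, and 'Use' counts packets sent via the route, so a 'UGHD' line with Use=6 records that castor itself sent six packets to that address and was redirected to pollux; it is not an inbound connection from that address.

```python
"""Decode BSD-style `netstat -r` output and separate routes the kernel installed
on its own (ICMP redirect) from configured ones.

Added example. The flag letters follow FreeBSD's netstat(1) flag key; the two
sample tables are constructed from the lines quoted in the thread."""
import re
from dataclasses import dataclass

# FreeBSD netstat(1) route flag key (the subset that appears in the thread).
FLAG_KEY = {
    "U": "up",
    "G": "gateway (next hop is another host)",
    "H": "host route (single address, not a network)",
    "D": "dynamically created by an ICMP redirect",
    "S": "static (added manually or by configuration)",
    "C": "cloning (generates host routes on use)",
    "c": "protocol-specified cloning",
    "M": "modified dynamically by an ICMP redirect",
    "L": "link-level address translation valid",
}

@dataclass
class Route:
    destination: str
    gateway: str
    flags: str
    refs: int
    use: int      # packets sent via this route (netstat 'Use' column)
    iface: str

    def describe(self):
        return [FLAG_KEY.get(f, f"unknown flag {f!r}") for f in self.flags]

    @property
    def installed_by_redirect(self):
        # D = created by redirect, M = modified by redirect: neither was configured.
        return "D" in self.flags or "M" in self.flags

# Destination Gateway Flags Refs Use Netif [Expire]; a trailing '=>' is netstat's
# continuation marker on network routes and is ignored here.
ROUTE_RE = re.compile(
    r"^(?P<dest>\S+)\s+(?P<gw>\S+)\s+(?P<flags>[UGHDSCcML]+)\s+"
    r"(?P<refs>\d+)\s+(?P<use>\d+)\s+(?P<iface>\w+)(\s+=>)?(\s+\d+)?\s*$"
)

def parse_netstat_r(text):
    """Parse route lines; header and blank lines do not match and are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append(Route(m["dest"], m["gw"], m["flags"],
                                int(m["refs"]), int(m["use"]), m["iface"]))
    return routes

def redirect_routes(text):
    """Routes the kernel installed itself, i.e. the ones an admin did not add and
    should ask 'which router sent this redirect, and why did we send there?' about."""
    return [r for r in parse_netstat_r(text) if r.installed_by_redirect]

# Constructed sample: castor's table. The 192.168.1.2 line is the one quoted in
# the first post; the two below it are made-up repeats of the same form.
CASTOR = """\
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            dmx                UGSc        0        0    rl0
192.168.1.2        pollux             UGHD        0        6    rl0
192.168.1.3        pollux             UGHD        0        4    rl0
192.168.1.4        pollux             UGHD        0        6    rl0
"""

# Constructed sample: pollux's table as quoted later in the thread.
POLLUX = """\
default            dmx                UGSc        0        0    dc0
localhost          localhost          UH          0        0    lo0
192.168.1          link#2             UC          0        0    ed0 =>
192.168.226/29     link#1             UC          0        0    dc0 =>
"""

if __name__ == "__main__":
    for name, table in (("castor", CASTOR), ("pollux", POLLUX)):
        print(f"== {name}")
        for r in parse_netstat_r(table):
            tag = "REDIRECT" if r.installed_by_redirect else "        "
            print(f"{tag} {r.destination:16} via {r.gateway:10} {r.flags:5} "
                  f"use={r.use:<3} {'; '.join(r.describe())}")
```

On castor this flags the three 192.168.1.x entries as redirect-installed host routes and leaves pollux's own table (only static and cloning routes) clean, which is consistent with pollux not "knowing" about them. To see live connections rather than routes, the command is 'netstat -an' (or 'netstat -f inet -an' on BSD); to catch the redirects themselves, watch the segment with tcpdump for 'icmp[0] = 5' while the idle machines are up.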

Thewyzewun 11-05-2003 02:28 AM

Oh right, hehe - classic mistake of a native Windows user.

peter_robb 11-05-2003 03:03 AM

Do you have anything like arpwatch running on the LAN gateway?

Samba on Pollux has to do the broadcast thing every 12 mins, and it's quite possible to detect what it is offering on the unused interface if it is up.
Something like arpwatch would detect that and add it to its cache.
Type 'arp' on the LAN gateway to see who it knows..

And if Pollux is up all the time, it would become the Master Browser by default...

carstenson 11-05-2003 08:25 AM

You might want to check the routing table on pollux. Sounds like it is transmitting this (using rip, ospf, etc.) and your gateway is receiving it.

CEdstrom 11-05-2003 08:38 AM

Scan your windoze machines for viruses. An incrementing IP scan is a signature of recent viruses released over the past couple of months.

Otherwise, how is this machine connected to the internet? My cable provider uses 10.x.x.x for internal use and that conflicted with my network so I had to change to 192.168.x.x. Since installing a router those addresses are blocked.

J_Szucs 11-05-2003 09:35 AM

I checked the routing table of pollux (netstat -r):

default dmx UGSc 0 0 dc0
localhost localhost UH 0 0 lo0
192.168.1 link#2 UC 0 0 ed0 =>
192.168.226/29 link#1 UC 0 0 dc0 =>

This morning (8 hours ago) I restarted pollux; I do not know if this made any changes to its routing tables...
Anyway, the routes on castor (those mentioned in my first post) to the IP address range 192.168.1/24 remained untouched.

You may have noticed that pollux has no static routes to other servers (gateways) on our LAN, only to the default router. There are no static routes to pollux on other servers, either. It is because I did (do) not know how to add those routes 'on the fly' and I did not want to restart all servers just to add the routes.
Anyway, the default router has the static route to pollux, so all should be fine.
Strangely enough, the default router (and internet gateway) dmx does not have the separate routes to the IP addresses in the 192.168.1/24 subnet, either; it only has the static route to 192.168.1/32.

Now I think that you are right, and this thing may be due to samba, which does broadcasts even if a server is idle. (Both pollux and castor do the samba.)

I have, however, another question, not closely related to the original question.
I suspect that the servernet connecting all of our servers together is not correctly configured, as one of the servers is configured to see a different netmask:
dmx 192.168.226.1/27 (this is the internet gateway and default router on our LAN)
castor 192.168.226.2/29
pollux 192.168.226.5/29
all other servers: 192.168.226.x/29
As a result, I think dmx uses a different broadcast address than the other servers on the servernet.
Does this result in any problems?

(The network was setup by someone else who was regarded as a network guru, and I - the noob - did not dare to touch it so far)

As for our network connection: it is an MDSL connection. We have a firewall which does NAT, and I also provided it with rules against IP spoofing (e.g. incoming and outgoing private network IPs are denied, together with the oip/onetmask in via iif).
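The netmask question can be settled by arithmetic. The following is an added example (not from the thread) that takes the three servernet addresses exactly as J_Szucs listed them, computes each host's network and directed broadcast address with Python's ipaddress module, and reports which pairs disagree; the 'fixed()' helper and the idea of re-addressing everything with one prefix length are the example's own assumptions, not something the thread proposes.

```python
"""Check whether hosts that share a wire agree on the subnet and on the
directed broadcast address.

Added example. SERVERNET holds the addresses listed in the thread; the
re-addressing helper at the end is a hypothetical remedy, not the thread's."""
from ipaddress import ip_interface
from itertools import combinations

# Servernet as listed in the thread (host -> address/prefix).
SERVERNET = {
    "dmx": "192.168.226.1/27",     # internet gateway and default router
    "castor": "192.168.226.2/29",
    "pollux": "192.168.226.5/29",
}

def network_of(cidr):
    return ip_interface(cidr).network

def broadcast_of(cidr):
    """Directed broadcast address this host sends to and accepts as broadcast."""
    return ip_interface(cidr).network.broadcast_address

def mismatches(hosts):
    """(a, b, reason) for every pair that computes a different network or a
    different broadcast address for the same wire."""
    out = []
    for a, b in combinations(sorted(hosts), 2):
        na, nb = network_of(hosts[a]), network_of(hosts[b])
        ba, bb = broadcast_of(hosts[a]), broadcast_of(hosts[b])
        if na != nb:
            out.append((a, b, f"network {na} vs {nb}"))
        if ba != bb:
            out.append((a, b, f"broadcast {ba} vs {bb}"))
    return out

def hears_broadcast(receiver_cidr, sender_cidr):
    """True when the sender's directed broadcast is also the receiver's own; a
    broadcast to any other address reaches the receiver's NIC (broadcast MAC)
    but its IP stack sees a unicast for some other host, not a broadcast."""
    return broadcast_of(sender_cidr) == broadcast_of(receiver_cidr)

def fixed(hosts, prefix):
    """Hypothetical remedy: the same hosts re-addressed with one prefix length."""
    return {h: f"{ip_interface(c).ip}/{prefix}" for h, c in hosts.items()}

if __name__ == "__main__":
    for h, c in SERVERNET.items():
        print(f"{h:7} {c:19} network={network_of(c)}  broadcast={broadcast_of(c)}")
    for a, b, why in mismatches(SERVERNET):
        print(f"MISMATCH {a} <-> {b}: {why}")
    print("castor's NetBIOS broadcasts reach dmx as broadcasts:",
          hears_broadcast(SERVERNET["dmx"], SERVERNET["castor"]))
    print("after /29 everywhere:", mismatches(fixed(SERVERNET, 29)) or "consistent")
```

With the thread's numbers, dmx believes the wire is 192.168.226.0/27 with broadcast .31, while castor and pollux believe it is 192.168.226.0/29 with broadcast .7; each side's broadcasts (Samba's NetBIOS announcements among them) are therefore not broadcasts from the other side's point of view, and because .7 is an ordinary host address inside dmx's /27, a router like dmx may even try to forward them. Either prefix length removes every mismatch as long as all three hosts use the same one.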

carstenson 11-05-2003 09:44 AM

You certainly want to be cautious about any changes on a network, especially if you didn't originally set it up.

I can't see any reason that there should be a different netmask. I don't want to question a "guru", but I would have kept the netmask at /24 just to make subnetting easier. There are enough of the 192.168. addresses to handle this.

I would think that different broadcast addresses could certainly cause some strangeness like you are reporting. HTH.
