
Macs blocked from network
phenotype
Fresh-Faced Recruit
Join Date: May 2012
May 25, 2012, 09:04 AM
 
Hello all,

I run a small network for an arts location, around 30ish machines, mostly Macs, iPhones, pads, etc. but also a few Windows and Linux machines here and there. I'm not an expert in network stuff by any means but have been doing this for a few years and never had any problems researching and finding a fix for things before. Now I seem to have a problem that I can't get my head around or find anything online about. Maybe someone can help?

I have one computer owned by a visiting artist, Windows XP, which when it joins the wireless network blocks all the Macs, laptops, iPhones and iPads from joining the wireless network at all. Each time one of the Macs tries to get a DHCP lease it returns with an IP conflict, which I am sure it is not because I can check the DHCP lease table and see that there are no conflicts. It does the same whether I use static or DHCP. But only for the Macs! All the Windows, Android and Ubuntu devices with wifi continue to work fine. When I disconnect the rogue laptop everything else comes back online straight away.

Totally weird huh? I'm not sure where to start...

Anyone with any thoughts about what this may be would be greatly appreciated.

Thanks : )
     
Waragainstsleep
Posting Junkie
Join Date: Mar 2004
Location: UK
May 25, 2012, 09:47 AM
 
This sounds like a cracking little mystery.

Does anything interesting happen if the offending PC connects via ethernet?
Tried deleting the network interface on WinXP and creating a new one?
I have plenty of more important things to do, if only I could bring myself to do them....
     
phenotype  (op)
Fresh-Faced Recruit
Join Date: May 2012
May 25, 2012, 10:24 AM
 
Hi, thanks for the reply.

Yes, mysterious indeed : )

It seems to be fine when plugged in through Ethernet. Unfortunately the office he is in doesn't have a wired connection yet and I have run out of long cables; my first thought was to just hook this up for an easy fix but I went to the cupboard and the cupboard was bare!

I haven't tried deleting the network interface on the machine. I will try that next. I'm not as familiar with Windows as I am with OS X and Linux, also his machine is in a language I don't speak, so lots of fun tracking around with a second laptop trying to find the right options : )

I have a funny feeling I will need to put Wireshark on and have a look at the packet data from the machine, only I need to build a temp test network so it doesn't interfere with everyone else working. Still, will try and create a new network interface first and see if that fixes it!

Thanks again
     
BLAZE_MkIV
Professional Poster
Join Date: Feb 2000
Location: Nashua NH, USA
May 25, 2012, 10:39 AM
 
I wouldn't be surprised if he was infected with something that's attempting to grab data from the wireless sessions.
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
May 25, 2012, 10:58 AM
 
Perhaps that PC is starting its own rogue DHCP server? I'd see if that PC is running anything on UDP port 67.
     
phenotype  (op)
Fresh-Faced Recruit
Join Date: May 2012
May 25, 2012, 11:10 AM
 
@ BLAZE_MkIV

Yep, this was the thought I arrived at, some kind of zombie action ; ) I hope that I could tell this from the Wireshark analysis but, typical artist, he disappeared to the bar while I was in my office getting the stuff together to test it! Oh well, I will check it when he returns. Funny that it's only affecting the Macs though, right?

@ besson3c

Nope, that's happened before so was one of the first things I checked : )

If anyone has experience in identifying a compromised machine from Wireshark analysis, or a good link to read what I should be looking for, I would be very grateful.

Thanks

Pheno
     
mduell
Posting Junkie
Join Date: Oct 2005
Location: Houston, TX
May 25, 2012, 11:10 AM
 
What IP does the Windows machine claim to have?

What IP do the Macs have when they have a conflict?
     
phenotype  (op)
Fresh-Faced Recruit
Join Date: May 2012
May 25, 2012, 11:29 AM
 
@ mduell

Well, the router is at 192.168.2.1 and the DHCP is set to give addresses between 192.168.2.100 - 254. He's not online now and I didn't write it down when I got here; I just arrived at the office and everyone was in a panic mode so I went straight there before grabbing my tools, so as I remember, his was assigned a "normal" single IP in the range. Then when I tried to put one of the laptops in the office on the network, by going into the network panel in sysprefs and hitting renew DHCP, it came back with the IP conflict. So I used a working Windows machine in the office, connected with Ethernet, to log into the router and check the DHCP tables; it only had the one recent machine under that IP, but as inactive. So I think, that's weird, OK, I'll try and give it a manual address that I know is free, and get the same result back, conflicting IP. At which point everyone is tripping out because all the iPhones, iPads and MacBooks are doing the same thing. I ask if there are any new devices on the network, which leads me to the rogue machine from the visitor. I check that to see if it's trying to issue any DHCP, nope, so I disconnect it and everything comes back up. Reconnect it, everything goes down...

That's about as far as I got, sorry I can't be specific, will make logs when he gets back and I can look from my machine with the proper tools.

Thanks again : )

P
     
phenotype  (op)
Fresh-Faced Recruit
Join Date: May 2012
May 25, 2012, 12:04 PM
 
A few further thoughts as people seem interested : )

Whilst shopping for food I tried to pull back all the little details I might have missed in my haste earlier. I'm sure you know what I mean, walking into an office problem and just switching into auto pilot : ) Anyway, I remember a few more details now. The first thing that was funny is my iPhone was working to begin with. No one else's was. Now this is weird but has happened before; as an artist / sysadmin I like to believe that it's because the kit genuinely cares for me and thinks I'm special : ) I'm willing to accept the possibility that there is a technical explanation for this but usually the problem resolves itself before I go looking for any answers!

So, my iPhone is working and I pull up the Fing app, nice network scanner but I haven't used it much so I don't know the features, just want to get a reading on what's there. People are talking IP conflicts and I'm already thinking rogue DHCP server somewhere...

So, Fing lists multiple devices, iPhones and iPads, as having too many of the same IP address? Which is already something I'm not sure how is possible. Maybe I got the Fing thing wrong, so I try and switch my wifi off and on on the iPhone, and I'm locked out.

Next, I tried to use one of the MacBooks to test, as I wrote in the above post. Only now I remember that eventually it did accept the manual address and I could ping the router from Terminal but still no web.

All the time though, the non mac devices are able to log on and off the network without problems....

Weird.

So I'm off to BBQ some meat in my garden and chat to some people more skilled than I am, but thanks for the replies. I promise to check back and try to conclude my posts : )

(I don't often post on msg boards because I like to dig for answers and they are mostly already there ; )

Phenotype.
     
reader50
Administrator
Join Date: Jun 2000
Location: California
May 25, 2012, 02:02 PM
 
It sounds like the Win machine is grabbing all available DHCP addresses. Your iPhone stayed connected because it already had one in use. Once you cycled it, the Win machine grabbed that free address too.

I'd suggest logging into your router via ethernet, and check the wireless DHCP table. See if the one machine has taken all available addresses.
     
BLAZE_MkIV
Professional Poster
Join Date: Feb 2000
Location: Nashua NH, USA
May 25, 2012, 04:01 PM
 
There are a number of network level attacks using a rogue DHCP server.


[Note: there are dns poisoning attacks as well as dhcp ones]
( Last edited by BLAZE_MkIV; May 25, 2012 at 06:04 PM. Reason: oops)
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
May 25, 2012, 04:08 PM
 
Phenotype: what was your methodology for assessing whether there was a rogue DHCP server on the network?

Blaze_MkIV: do you mean DHCP or DNS? I'm not sure how a DNS server can alter IP assignments.
     
phenotype  (op)
Fresh-Faced Recruit
Join Date: May 2012
May 25, 2012, 05:50 PM
 
@ reader50

Yes, this is what I thought, with regard to the Windows box grabbing up the IPs, but there was no sign of that on the router's DHCP lease table. Also, with my iPhone, I came to the office after the machine was on the network; although I supposed the router could have still had the IP in its state table from yesterday, I would have thought it had cleared that when the office people tried to reset the router (their only fixing method until I get there).


@ besson3c

Well, my experience with rogue DHCP servers is mostly when someone brings in an old wifi box from home and tries to plug it into a switch somewhere, knocking everyone off. But when this happens it's pretty easy to spot because the box that supplied the address is not the same as my setup. This was stranger because it wasn't giving the Macs any type of correct or incorrect address and they would revert back to a self-assigned IP after the IP conflict dialog box. So if it was trying to be a DHCP server, it wasn't doing a very good job : )

To check I really just looked at the DHCP lease page, which didn't seem to show that one MAC address had any more than one IP, with a bunch of the machines that I was trying to get on the network with one inactive entry in the table. This, plus they were not getting a lease from any other device, led me to believe it wasn't the problem. I have to admit that I don't know that much about the possibilities for this type of behavior from Windows machines, so I may well have missed something there.

But then the really odd bit is that I had two people there with a Windows 7 netbook and an Ubuntu netbook, one of which had never been on our network before, and they both worked absolutely fine. Could turn off the wifi, turn it on, get an address and then browse the web without problem. This really throws me...

So, next time the machine is back I'll put it on its own VLAN and run Wireshark on the interface. I am interested to see what it's doing : )

Thanks all, have a good weekend!
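
The rogue-DHCP check discussed in this thread (is anything other than the real server answering from UDP port 67?), as an added example that is not from any poster. It assumes DHCP replies have already been pulled out of a capture as (source IP, UDP payload) pairs and that the only authorized server is the router at 192.168.2.1; the 192.168.2.137 responder and the MAC address are constructed sample values.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the DHCP options field
OFFER, ACK = 2, 5                     # option 53 values that only a server sends

def parse_dhcp(payload):
    """Return key fields of a BOOTP/DHCP UDP payload, or None if it is not DHCP."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    msg = {"op": payload[0], "yiaddr": socket.inet_ntoa(payload[16:20]), "msg_type": None,
           "chaddr": ":".join(f"{b:02x}" for b in payload[28:34]), "server_id": None}
    i = 240
    while i < len(payload) and payload[i] != 255:       # 255 = end option
        if payload[i] == 0:                             # 0 = pad, has no length byte
            i += 1
            continue
        if len(payload) < i + 2 or len(payload) < i + 2 + payload[i + 1]:
            break                                       # truncated option, stop parsing
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == 53 and length == 1:                  # DHCP message type
            msg["msg_type"] = value[0]
        elif code == 54 and length == 4:                # server identifier
            msg["server_id"] = socket.inet_ntoa(value)
        i += 2 + length
    return msg

def find_rogue_servers(packets, authorized):  # packets: (source IP, UDP payload) pairs
    findings = []
    for src_ip, payload in packets:
        msg = parse_dhcp(payload)
        if not msg or msg["op"] != 2 or msg["msg_type"] not in (OFFER, ACK):
            continue                                    # not a server reply
        server = msg["server_id"] or src_ip
        if src_ip not in authorized or server not in authorized:
            findings.append((src_ip, server, msg["yiaddr"], msg["chaddr"]))
    return findings

def build_reply(msg_type, yiaddr, server_id, mac):  # constructed packet, not captured traffic
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0,
                      b"", socket.inet_aton(yiaddr), b"", b"", mac, b"", b"")
    opts = bytes([53, 1, msg_type, 54, 4]) + socket.inet_aton(server_id) + b"\xff"
    return hdr + MAGIC_COOKIE + opts

MAC = bytes.fromhex("001122334455")                     # constructed client MAC
SAMPLE = [("192.168.2.1", build_reply(OFFER, "192.168.2.101", "192.168.2.1", MAC)),
          ("192.168.2.137", build_reply(OFFER, "192.168.2.150", "192.168.2.137", MAC)),
          ("192.168.2.1", b"not dhcp")]
```

Calling `find_rogue_servers(SAMPLE, {"192.168.2.1"})` reports only the reply from 192.168.2.137; an empty result on real traffic means no second DHCP server answered during the capture, which does not rule out other causes of the conflict dialog.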
     
   