From owner-freebsd-questions Fri Nov 12 12:28:46 1999
Delivered-To: freebsd-questions@freebsd.org
Received: from rucus.ru.ac.za (rucus.ru.ac.za [146.231.29.2])
	by hub.freebsd.org (Postfix) with SMTP id 8EEF914D47
	for ; Fri, 12 Nov 1999 12:28:39 -0800 (PST)
	(envelope-from bvi@rucus.ru.ac.za)
Received: (qmail 7989 invoked by uid 374); 12 Nov 1999 20:28:37 -0000
Date: Fri, 12 Nov 1999 22:28:37 +0200
From: Barry Irwin
To: os2_daemon@altavista.net
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: FreeBSD security on TCP/IP question.
Message-ID: <19991112222836.M57266@rucus.ru.ac.za>
References: <9911120731257C.11943@weba4.iname.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <9911120731257C.11943@weba4.iname.net>; from os2_daemon@altavista.net on Fri, Nov 12, 1999 at 07:31:25AM -0500
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Fri 1999-11-12 (07:31), os2_daemon@altavista.net wrote:
> Hello, I've just run into trouble for mucking around with ifconfig and
> conflicting IP addresses. I'm just an ordinary user without any deep
> TCP/IP knowledge.
>
> It all started when curiously, I tried to put 172.16.1.1 which is an NT
> server into ifconfig. Ifconfig said some error messages that the IP
> address has been taken by another machine. Who cares ...

The rest of the users trying to access this machine.

> Next day, the sysadmin came to me and accused me of trying to hijack the
> system. He told me that apparently I crashed his NT by doing so. This
> brought me a very big question. Was he just bluffing, or the NT seriously
> cannot defend against this?

Quite right he should be miffed!

> Could anyone please explain what had happened
> in detail? I've heard of something called "IP spoofing", is this one of
> them? I also wonder what will happen to a FreeBSD box if some other
> computer claims the same IP address. Thank You.

Just finished dealing with this exact thing yesterday.
We had our FreeBSD server mysteriously disappearing off the network at odd times of the day, usually only for a couple of minutes, after which time it would reappear, but usually having shed its active network connections. Investigation of the logs on the BSD machine showed that some other Ethernet card on the subnet was grabbing our IP, and hence receiving all our traffic. After much hunting around the department, and comparing the MAC addresses concerned with the last few months of ARPwatch logs, it was determined that this was being caused by an NT machine in the one postgrad research area, which had been misconfigured. The result was that the NT server kept dying at boot time, and we were effectively DoS'd.

A temporary solution we came up with was to ping the broadcast address a couple of times every minute.

Anyway, moral of the story: having duplicate IP addresses breaks a hell of a lot of stuff, and makes people a little antisocial!

Barry

--
--------------------------------------------------------------------------
Barry Irwin                      IRC: balin@zanet (#linux)
bvi@moria.org                    http://rucus.ru.ac.za/~bvi
Whois BI414 - PMPN8EZ - http://moria.org
--------------------------------------------------------------------------
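
Added example, not part of the original message: a sketch of the MAC-against-history comparison the reply describes, flagging any IP address that has been claimed by more than one Ethernet address. The "epoch ip mac" input format, the sample addresses and the function names are constructed assumptions; treating the earliest-seen MAC as the rightful owner is a heuristic, not something arpwatch itself decides.

```python
from collections import defaultdict

# Constructed sample sightings ("epoch ip mac"); not arpwatch's own log format.
SAMPLE = """\
942400000 10.0.0.5 00:a0:c9:11:22:33
942403600 10.0.0.9 00:60:08:aa:bb:cc
942407200 10.0.0.5 00:A0:C9:11:22:33
942410800 10.0.0.5 0:10:4b:de:ad:1
942410920 10.0.0.5 00:a0:c9:11:22:33
942497200 10.0.0.5 00:10:4b:de:ad:01
"""

def norm_mac(mac):
    """Lower-case and zero-pad each octet (BSD tools print 0:10:4b:...)."""
    octets = mac.split(":")
    if len(octets) != 6:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(f"{int(o, 16):02x}" for o in octets)

def parse(text):
    """Yield (epoch, ip, mac) tuples from the constructed text format."""
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            ts, ip, mac = line.split()
            yield int(ts), ip, norm_mac(mac)

def find_conflicts(sightings):
    """Report every IP seen with more than one MAC address."""
    history = defaultdict(list)
    for ts, ip, mac in sorted(sightings):
        history[ip].append((ts, mac))
    report = {}
    for ip, events in history.items():
        macs, flips = {}, 0
        for i, (ts, mac) in enumerate(events):
            first, _, count = macs.get(mac, (ts, ts, 0))
            macs[mac] = (first, ts, count + 1)
            if i and events[i - 1][1] != mac:
                flips += 1  # the IP moved to a different MAC
        if len(macs) > 1:
            owner = events[0][1]  # assumption: earliest sighting is the owner
            claimants = {m: v for m, v in macs.items() if m != owner}
            report[ip] = {"owner": owner, "flips": flips, "claimants": claimants}
    return report

if __name__ == "__main__":
    for ip, info in find_conflicts(parse(SAMPLE)).items():
        print(ip, info)
```

A single flip is what a replaced network card looks like; repeated flips between the same two addresses point to two live machines contending for the IP.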