Hi Managers,
I am trying to investigate a strange problem that happened on our 
LAN yesterday. While I have been looking into this I have uncovered 
another error which may or may not be related.
Our network has 2 Tru64 servers (one 4.1D, the other 5.1). The first is 
an old DEC which is the primary DNS for our domain. The 2nd is a slave. 
Both run samba. All the clients run Win9* with static IPs. There is 
also an NT box that is set as a PDC but we do not use MS domains.
When I got in on Monday all the clients were having trouble 
connecting. I noticed that the NT box was crashed and thought this 
was the cause as this would be the master browser for the NetBios 
clients. I rebooted the NT box but the problem persisted. Some 
clients were reporting errors that stated duplicate IP addresses. A 
quick look at the arp table on some machines showed multiple MAC 
addresses having different IPs. I rebooted the 2 Tru64 servers and 
noticed they had the same error as they came up: "arp: local IP 
address 194.*.*.* in use by hardware address 00-50-22-87-1D-8F". 
This MAC address was propagating itself across the network; not all, 
but a lot of the clients had this address and hence the interface was 
disabled. 
In the end I powered down everything that had an IP and brought 
the network up. Everything seemed to be working normally and has 
been since. I found the client whose MAC address is 
00-50-22-87-1D-8F; it was configured correctly. The only other error I 
found was in the daemon.log. Over the weekend and indeed before that 
there are hundreds of DNS errors, although the hints file is in the 
correct place:

Nov 28 00:40:38 server named[252]: sysquery: no addrs found for NS (H.ROOT-SERVERS.NET)
Nov 28 00:40:38 server named[252]: sysquery: no addrs found for NS (I.ROOT-SERVERS.NET)

I should point out we are using an old (4.9.3) version of BIND and I 
will be updating it soon.
I am not sure if the DNS is related to the MAC errors but the whole 
thing seems suspicious. I was wondering if anyone has seen 
anything similar or if this looks like an attack. I can't confidently say 
why this happened and so can't take any measures to ensure it 
doesn't happen again. Any ideas would be appreciated.
Thanx.
Dp.
~~
Dermot Paikkos * dermot_at_sciencephoto.com
Network Administrator _at_ Science Photo Library
Phone: 0207 432 1100 * Fax: 0207 286 8668
Received on Tue Dec 03 2002 - 09:57:10 NZDT
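
Added example, not part of the original post: a small Python script that scans collected syslog text for the "arp: local IP address ... in use by hardware address ..." message quoted above and reports any hardware address that is seen claiming more than one local IP, which is the pattern the post describes. The log lines, host names, the `vmunix:` prefix and the IP addresses in `SAMPLE_LOG` are constructed for illustration; only the message wording and the MAC 00-50-22-87-1D-8F come from the post.

```python
import re
from collections import defaultdict

# Message wording as quoted in the post; accepts '-' or ':' separated MACs.
CONFLICT_RE = re.compile(
    r"arp: local IP address (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"in use by hardware address (?P<mac>[0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})"
)

# Constructed sample: three servers logging conflicts for their own addresses.
SAMPLE_LOG = """\
Dec  2 08:01:12 server1 vmunix: arp: local IP address 192.0.2.10 in use by hardware address 00-50-22-87-1D-8F
Dec  2 08:01:40 server2 vmunix: arp: local IP address 192.0.2.11 in use by hardware address 00:50:22:87:1d:8f
Dec  2 08:02:05 server1 vmunix: arp: local IP address 192.0.2.10 in use by hardware address 00-50-22-87-1D-8F
Dec  2 08:03:00 server3 vmunix: arp: local IP address 192.0.2.12 in use by hardware address 00-A0-C9-11-22-33
"""


def normalize_mac(mac):
    """Fold separator and case so the same adapter is counted once."""
    return mac.replace(":", "-").upper()


def claims_by_mac(log_text):
    """Map each conflicting hardware address to the set of local IPs it claimed."""
    claims = defaultdict(set)
    for line in log_text.splitlines():
        match = CONFLICT_RE.search(line)
        if match:
            claims[normalize_mac(match["mac"])].add(match["ip"])
    return claims


def suspects(log_text, threshold=2):
    """Hardware addresses reported for at least `threshold` distinct local IPs."""
    return {
        mac: sorted(ips)
        for mac, ips in claims_by_mac(log_text).items()
        if len(ips) >= threshold
    }


if __name__ == "__main__":
    for mac, ips in suspects(SAMPLE_LOG).items():
        print(f"{mac} claimed {len(ips)} addresses: {', '.join(ips)}")
```

A single conflict for one address usually points to a mistyped static IP; one hardware address reported against many different local IPs is the case worth tracing to a switch port.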