Okay, here's a GOOD one!

From: <yawles@luther.edu>
Date: 01/17/06
Message-ID: <1488.12.214.10.160.1137544140.squirrel@12.214.10.160>

We're a 2,700 student college. Since Christmas we've been battling
intermittent network outages, somewhat resembling DoS attacks. About the
time we thought we'd have the source isolated, the network would return to
normal.

We finally found what we believe is a potential source of problems. We
found four, count 'em FOUR separate computers on our network which have
multiple MAC addresses associated with their port on the switch they're
connected to. In fact, one student's computer had 3,905 MAC addresses
alone! The other three computers had fewer MACs - like 600+ on one
system and 300+ on another. One lowly CPU had only 67 MACs.

The digit '7' figures predominantly in the MAC addresses - which for the
most part don't have a valid Manufacturer portion (the first six
alpha-numerics) of the MAC.

The computers on our Residential (ResNet) part of our network must have a
"registered MAC" before they can get into a routable vLan. However, at
least one of the computers was on our CampusNet - with the faculty, staff
and about half the classrooms. We think that unit was the bane of our
sanity.

Has anyone experienced such a phenomenon? Aside from poking into each
individual switch on TrafficServer, looking at the IP and/or MAC addresses
associated with a port (which is how we found the multi-MAC-personality
computers), is there any type of report which can be used to find such
IP-criminals?

With over 230 switches and wireless APs, it takes a TON of time to hunt
and peck for them.

Never seen such a thing before, hope we can get this critter lasso'd.

Les Yaw
Luther College
Decorah, IA
Received on Tue Jan 17 16:36:09 2006
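A report of the kind the post asks for, added here as an example (it is not part of the original message): it aggregates `show mac address-table`-style output per switch port and flags ports that have learned many addresses, counting how many of those lack a valid manufacturer OUI. The table text, the OUI allow-list and the threshold are constructed samples.

```python
"""Flag switch ports that have learned many MAC addresses, and count how
many of them lack a valid manufacturer OUI ('show mac address-table' input)."""
import re
from collections import defaultdict

# Constructed sample output in Cisco dotted format: Fa0/1 and Fa0/2 are
# ordinary hosts, Fa0/7 is a port learning made-up addresses full of 7s.
SAMPLE_TABLE = """\
Vlan  Mac Address     Type     Ports
----  -----------     ----     -----
10    0011.2233.4455  DYNAMIC  Fa0/1
10    00e0.4c11.2233  DYNAMIC  Fa0/2
10    7777.1234.5677  DYNAMIC  Fa0/7
10    7a77.7777.0001  DYNAMIC  Fa0/7
10    0777.7777.0002  DYNAMIC  Fa0/7
10    7474.7777.0003  DYNAMIC  Fa0/7
"""
# Constructed sample OUI allow-list (first three bytes); load the IEEE
# registry for real use.
KNOWN_OUIS = {"001122", "00e04c"}
LINE_RE = re.compile(r"^\s*\d+\s+([0-9a-fA-F.:-]+)\s+\S+\s+(\S+)\s*$")

def normalize(mac):
    """Return the MAC as 12 lowercase hex digits, or None if malformed."""
    digits = re.sub(r"[.:-]", "", mac).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def oui_is_suspect(mac12):
    """True if the address cannot be a vendor-assigned unicast MAC: the
    I/G (multicast, bit 0) or U/L (locally administered, bit 1) flag of the
    first byte is set, or the OUI is not a known manufacturer prefix."""
    first = int(mac12[:2], 16)
    return bool(first & 0x03) or mac12[:6] not in KNOWN_OUIS

def parse_table(text):
    """Map each port to the set of normalized MACs learned on it."""
    by_port = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line)          # header/separator lines don't match
        if m and (mac12 := normalize(m.group(1))):
            by_port[m.group(2)].add(mac12)
    return by_port

def flag_ports(by_port, max_macs=3):
    """Return {port: (mac_count, suspect_count)} for ports learning more than
    max_macs addresses; a high suspect share separates fabricated addresses
    from a merely busy port (e.g. a hub or AP with real clients behind it)."""
    return {port: (len(macs), sum(map(oui_is_suspect, macs)))
            for port, macs in by_port.items() if len(macs) > max_macs}
```

Run against the MAC tables pulled from each switch, the same output becomes a single list of ports worth walking to, instead of a manual hunt through 230 devices.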
