We have an OP who hasn't fully described the problem in a coherent way and a bunch of people who are trying to help arguing about why each other's guesses aren't valid. I would suggest setting up ARPwatch on a computer and see how the reports look over a few days. We won't know shit until Hypoluxa shows up again, though. But unless they bought something like this, it won't magically show up. That is the only device I have ever seen that could do something like this. In reality, half the time it responded before the real device on the network, which made it a real expensive piece of crap. If there was a device, it should respond first and populate the requestor's ARP table, otherwise this device would do it. It did this by responding to all ARP requests 5 seconds after it saw them.
I cannot remember the name, but there was a product a few years ago that was supposed to be a captive portal for hotel wifi that would ensure that whatever the customer's local settings, it would work. I think this must be something broken or misconfigured at Layer 3, or the machine is hacked.īasically, everyone seems to be focused on layers 1 and 2, and I'm just having a hard time imagining how those layers would be generating spurious IP addresses. If it were garbled ARP replies, you'd think the IPs would be random crap, but he hasn't mentioned seeing IPs that look weird. Doing that, it would be invisible from the control panel, and from light-duty snoop tools.īasically, everyone seems to be focused on layers 1 and 2, and I'm just having a hard time imagining how those layers would be generating spurious IP addresses. Hell, it could be sending raw packets out the interface, in effect creating those phantom IPs itself, using a custom TCP/IP stack. But if that machine is the one that's actually hacked, it could be talking with the mothership, or scanning/attacking the local network. for one of those, I'd expect the wrong MAC for the good IP address, not a flood of spurious IPs with that MAC. And ARP entries should time out after, what, ten minutes on most machines? So that means that MAC has been ARPed as having those IP addresses very recently, so it's an ongoing network problem of some kind. From what the OP is saying, it's supposed to have just one, and he's seeing a bunch. It's okay to have multiple IPs on a MAC, but only if it's been deliberately configured that way. How would that cause multiple IPs for the same MAC, though?
0 kommentar(er)
