```
lease 172.16.0.174 {
  starts 2 2011/11/22 10:23:11;
  ends 3 2011/11/23 10:23:11;
  binding state active;
  next binding state free;
  hardware ethernet 6c:50:4d:0e:c8:c0;
  uid "\000cisco-6c50.4d0e.c8c0-Vl1";
  client-hostname "Switch";
}
```

```
cat /var/lib/dhcpd/dhcpd.leases | grep cisco -A 3 -B 6 | grep lease | wc
   1190    3570   24990
```
Found some very strange entries in our dhcpd.leases file. All from the same MAC address. It queries for all available IPs. It will get a new lease every second. It has now done the same thing 4 times on the network. As you can see from the cat entry, that is 1190 entries all linked to the same MAC address, all since 9:30am this morning.
I expect our network is being scanned for available IPs.
- What can I do to find out where this device is and what it is doing?
- Does anybody know of some vulnerability scanners that would do this?
- Does anybody know of a way to track this device?
- To see traffic coming to or from that device.
- A way to block that MAC address on our network.
I cleaned out the lease file and restarted the dhcpd server; within 20 minutes we had another 120 entries.
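A small detection script to quantify the pattern from the question (an added example, not part of the original post or of ISC dhcpd): it parses dhcpd.leases and lists MAC addresses holding far more distinct leases than a single host should. The sample lease text below is constructed; only the first MAC and hostname are taken from the entry above.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the dhcpd.leases entry in the question.
# The second MAC (aa:bb:cc:dd:ee:ff) is illustrative, not a real indicator.
SAMPLE_LEASES = """
lease 172.16.0.174 {
  starts 2 2011/11/22 10:23:11;
  ends 3 2011/11/23 10:23:11;
  binding state active;
  hardware ethernet 6c:50:4d:0e:c8:c0;
  client-hostname "Switch";
}
lease 172.16.0.175 {
  starts 2 2011/11/22 10:23:12;
  hardware ethernet 6c:50:4d:0e:c8:c0;
}
lease 172.16.0.20 {
  starts 2 2011/11/22 09:00:00;
  hardware ethernet aa:bb:cc:dd:ee:ff;
  client-hostname "laptop-1";
}
"""

# One "lease <ip> { ... }" block at a time; bodies contain no nested braces.
LEASE_RE = re.compile(r'lease\s+(\S+)\s*\{(.*?)\}', re.S)
MAC_RE = re.compile(r'hardware ethernet\s+([0-9a-f:]{17})', re.I)

def leases_per_mac(text):
    """Map each MAC address to the set of IPs it holds leases for."""
    per_mac = defaultdict(set)
    for m in LEASE_RE.finditer(text):
        ip, body = m.group(1), m.group(2)
        mac = MAC_RE.search(body)
        if mac:
            per_mac[mac.group(1).lower()].add(ip)
    return per_mac

def suspicious_macs(text, threshold=2):
    """Return (mac, lease_count) for MACs holding more than `threshold`
    distinct IPs, largest first. One interface normally holds one lease;
    hundreds is the lease-hoarding pattern described in the question."""
    counts = {mac: len(ips) for mac, ips in leases_per_mac(text).items()}
    return sorted(((mac, n) for mac, n in counts.items() if n > threshold),
                  key=lambda t: -t[1])

if __name__ == "__main__":
    for mac, n in suspicious_macs(SAMPLE_LEASES, threshold=1):
        print(f"{mac} holds {n} leases")
```

Run it against the real file with `suspicious_macs(open("/var/lib/dhcpd/dhcpd.leases").read())` to get the per-MAC counts the grep pipeline above only approximates.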
Block/blacklist the MAC and see who complains? BOFH! ;) – HaydnWVN – 2011-11-22T12:04:37.220
@haydnwvn I am more worried that this is some malicious activity. I would like to do more than just close the door after it has opened. I want to stop the door from being opened. http://superuser.com/q/360238/67952 – nelaaro – 2011-11-22T12:11:29.080
That is a Cisco vendor id, maybe a rogue switch? – charlesbridge – 2011-11-22T12:24:44.033
@nelaar wouldn't 'blacklisting' the MAC address accomplish that? – HaydnWVN – 2011-11-22T12:35:34.420
@HaydnWVN, if someone is maliciously probing the network, they can just switch to another MAC address if that one is blacklisted. – a CVn – 2011-11-22T13:15:59.380
True, but you won't know for sure until you try it, if it's just a device causing it then you'll have 'fixed' the problem (although not actually 'solved' it) ;) – HaydnWVN – 2011-11-22T14:09:49.207