IP conflicts

Discussion in 'Networking' started by tzar, Sep 13, 2004.

Thread Status:
Not open for further replies.
  1. tzar

    tzar Thread Starter

    Joined:
    Mar 11, 2004
    Messages:
    47
    Here's an interesting networking question that will raise the eyebrows of most network enthusiasts.

    I have a LAN with a Windows NT Server 4.0 and a mixture of Win98, Win2K and Win XP clients. Also, I have a wireless Access Point for those with laptops. Over the last weekend (I don't know how significant this is, but just thought I'd include it) we had a power trip in the office. No one was around (weekend) so all machines went down, then came up again when power was restored.

    Then came Monday. All was well in the morning when SUDDENLY, one by one, all the PCs in the LAN got a "Windows System Error - The system has detected a conflict for IP address <the PC's IP address> with the system having the hardware address <someone's mac address>".
    Almost immediately, the whole LAN was down.

    Funnily, the MAC addresses shown in all the error msgs point to either of only two MAC addresses. This led me to think that these two MAC addresses are trying to act as DHCP Servers. But(!) I ran through my list of PCs and found that none of them matched the MAC addresses in the error msgs. This then led me to think that it could be the work of a virus spoofing MAC addresses. But a search on viruses found no such behaviour. Plus, my AV was well updated and scans are run every other day.

    Then I logged into my Wireless Access Point (AP) and found under the "Wireless Station List" two MAC addresses, one of which is the one that always appears in the error msgs!
    I restarted the AP and the "dirty" MAC address was gone (don't know where it had gone to), only one "clean" one was left. Then I deleted every lease I had in the DHCP Manager, then rebooted each PC one at a time, just to allow them to grab new IPs. No "IP conflict error message" appeared on any of the PCs this time.
    However, in the Event Viewer on the NT Server, there are a lot of entries saying "The DHCP service issued a NACK to the client <computer name> for the address <address>", and in the newly-created DHCP lease list I get a lot of BAD_ADDRESSES.

    Questions:
    1) Why did I get "IP conflict" error msgs when the only DHCP server that was issuing IPs was my Windows NT Server? Could there be another DHCP server that I didn't know of?
    2) What could have been the role of the Wireless AP in all of this? Could the power trip have somehow corrupted its configuration and made it a DHCP server? (Oh, and I went inside the configuration of the AP and found nothing that would allow it to become a DHCP server)
    3) Where did the "bad" MAC address listed in the Wireless Station List in the AP disappear to?
    4) What is causing the DHCP server to issue NACKs to the clients, and why the BAD_ADDRESSES?
    5) Any advice to prevent the whole situation from repeating itself?

    I appreciate any feedback anyone has to offer.
    Thank you.
     
  2. 5mi11er

    5mi11er

    Joined:
    Aug 11, 2004
    Messages:
    521
    Well, the first questions that pop into my mind are: Are you running WEP or WPA for the wireless network? If not, it's going to be wide open, and anyone near your location would have the ability to create another DHCP server, assign a duplicate address to a laptop etc. Even if you're using WEP, this type of activity COULD still happen if someone was determined to do so. Using WPA would make it nearly impossible for it to be an attack.

    Power glitches can wreak havoc on systems. It could easily scramble systems to not work correctly, but the chances of spontaneously creating a new DHCP server are pretty remote (this could be considered for the "understatement of the week" award).

    The bad addresses could be indications that other machines are already using those addresses. I can't think of another reason for those messages. It could be the DHCP database is scrambled. You could try deleting the entire scope, rebooting, then re-creating it.

    -Scott
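
Added example, not part of the thread: one way to check the "is there another DHCP server I don't know of?" question is to parse DHCP replies captured on the LAN (UDP ports 67/68) and list every server identifier (option 54) that is not the authorized server. The addresses, the `make_reply` helper and the `SAMPLE` messages are constructed placeholders for the demo, not data from this network.

```python
import socket

MAGIC_COOKIE = b"\x63\x82\x53\x63"              # marks the start of DHCP options (RFC 2131)
SERVER_MSGS = {2: "OFFER", 5: "ACK", 6: "NAK"}  # option 53 values only a server sends

def parse_dhcp(payload):
    """Return message type, server identifier, offered IP and client MAC from a DHCP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    hlen = min(payload[2], 16)                  # hardware address length, 6 for Ethernet
    info = {"yiaddr": socket.inet_ntoa(payload[16:20]), "msg_type": None, "server_id": None,
            "client_mac": ":".join(f"{b:02x}" for b in payload[28:28 + hlen])}
    i = 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                          # 0 = pad option, has no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == 53 and length == 1:               # DHCP message type
            info["msg_type"] = value[0]
        elif code == 54 and length == 4:             # server identifier (the server's IP)
            info["server_id"] = socket.inet_ntoa(value)
        i += 2 + length
    return info

def unexpected_servers(payloads, authorized):
    """Map each server identifier outside `authorized` to the reply types it sent."""
    seen = {}
    for p in payloads:
        m = parse_dhcp(p)
        if m["msg_type"] in SERVER_MSGS and m["server_id"] not in authorized:
            seen.setdefault(m["server_id"], set()).add(SERVER_MSGS[m["msg_type"]])
    return seen

def make_reply(msg_type, server_ip, yiaddr, mac):
    """Build a constructed DHCP server reply for the demo (hypothetical helper, not captured traffic)."""
    hdr = bytes([2, 1, 6, 0]) + bytes(12) + socket.inet_aton(yiaddr) + bytes(8)
    hdr += bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0") + bytes(192)
    opts = bytes([53, 1, msg_type, 54, 4]) + socket.inet_aton(server_ip) + b"\xff"
    return hdr + MAGIC_COOKIE + opts

SAMPLE = [  # constructed traffic; 192.168.1.10 stands in for the authorized server
    make_reply(2, "192.168.1.10", "192.168.1.101", "00:11:22:33:44:55"),
    make_reply(2, "192.168.1.254", "192.168.1.101", "00:11:22:33:44:55"),
    make_reply(6, "192.168.1.254", "0.0.0.0", "00:11:22:33:44:66"),
]
```

Calling `unexpected_servers(SAMPLE, {"192.168.1.10"})` reports `192.168.1.254` as having sent an OFFER and a NAK; an empty result means every reply seen came from the authorized server.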
     
Short URL to this thread: https://techguy.org/273531