Node stealing gateway IP. The only nodes that are affected are the ones that have been rebooted.

anitahummer

Apr 26, 2015
This may seem like a beginner question, and for that I apologize.

If a network is set up that has, say, 150 desktops and one of the desktops "borrows" / "steals" the gateway IP address, why would only the desktops that have been rebooted become affected by the IP thief? The nodes that were rebooted could ping and reach other nodes within that VLAN and address range, but could not reach the "world" or resolve DNS. Meanwhile the ones that had not been rebooted, that were in that same VLAN and within that same range, were fine.

I do know there are ways to prevent this from happening, but it seems others don't want to make this a reality. It took me a bit to figure out what the issue was, as I did not have access to certain nodes that would have helped me figure the issue out quicker. All I had was a few boxes that had been rebooted and were no longer able to reach the world. I booted one into Linux recovery, ran a tcpdump and some arpings, thinking maybe someone had stolen some other nodes' IPs; unfortunately that was not the case. And I didn't really think about the gateway IP being assigned to one of the nodes due to the amount of users that were not complaining. Then I thought, what if someone was deliberately stealing the gateway to try to receive traffic destined for certain IPs within that range? That's when I thought about the gateway IP being "borrowed". The thief was found and the issue was resolved.

What would cause the ones not rebooted to not exhibit the same issue? I would think that once someone in the VLAN assigned the gateway to their machine everyone would be affected, as this is the case when someone "borrows" / "steals" another already assigned IP address.

ARP caching. Ethernet finds destinations by MAC code, not by IP address. Once they have cached the MAC code for the router they will be able to communicate with it whatever IP address conflicts there may be.

Your real problem here is that users are allowed to assign IP addresses. This is a recipe for disaster.
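The following is an added example, not code from either poster: it models the ARP-cache behaviour the answer describes (hosts that keep a cached router MAC are unaffected, rebooted hosts re-ARP and get the first reply) and shows the check a defender would run over captured ARP replies to spot a gateway IP answering from more than one MAC. Host names, MACs and the reply trace are constructed.

```python
# Added example: ARP-cache simulation plus a duplicate-gateway check.
# All hosts, MACs and the ARP reply trace are constructed, not from the thread.
from dataclasses import dataclass, field

GATEWAY_IP = "10.0.0.1"
ROUTER_MAC = "aa:aa:aa:aa:aa:01"
ROGUE_MAC = "bb:bb:bb:bb:bb:99"  # desktop that configured the gateway IP on itself


@dataclass
class Host:
    name: str
    arp_cache: dict = field(default_factory=dict)  # ip -> mac, as the OS keeps it

    def reboot(self):
        self.arp_cache.clear()  # a reboot discards the cached router MAC

    def resolve(self, ip, answers):
        """MAC this host will use for ip: a cached entry wins; otherwise the
        host broadcasts an ARP request and takes the first reply it gets."""
        if ip not in self.arp_cache:
            self.arp_cache[ip] = answers[ip][0]
        return self.arp_cache[ip]


def simulate():
    # Before the conflict every host learned the real router MAC.
    before = {GATEWAY_IP: [ROUTER_MAC]}
    hosts = [Host(f"pc{i}") for i in range(4)]
    for h in hosts:
        h.resolve(GATEWAY_IP, before)
    # Now the rogue desktop answers first; only pc0 and pc1 get rebooted.
    after = {GATEWAY_IP: [ROGUE_MAC, ROUTER_MAC]}
    for h in hosts[:2]:
        h.reboot()
    return {h.name: h.resolve(GATEWAY_IP, after) for h in hosts}


# Detection side: ARP replies as (sender_ip, sender_mac) tuples, the kind of
# data a tcpdump or arpwatch-style capture yields. Constructed sample trace.
ARP_REPLIES = [
    ("10.0.0.1", ROUTER_MAC),
    ("10.0.0.37", "cc:cc:cc:cc:cc:37"),
    ("10.0.0.1", ROGUE_MAC),
    ("10.0.0.1", ROUTER_MAC),
]


def find_claimants(replies, watch_ip=GATEWAY_IP):
    """Set of MACs claiming watch_ip; more than one means a conflict."""
    return {mac for ip, mac in replies if ip == watch_ip}
```

Only the rebooted hosts end up sending gateway traffic to the rogue MAC, which is exactly the partial outage the question describes; a persistent ARP monitor on the segment catches the second MAC as soon as it answers for the gateway.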