My DHCP table has begun receiving numerous entries that start with android-2222533a32d23.domain. We don't have any Androids in our environment. How can I stop these entries?

Posted on 2014-10-01
Last Modified: 2014-10-20
My DHCP table has begun receiving numerous entries that start with android-2222533a32d23.domain. We don't have any Androids in our environment. How can I stop these entries? These entries are beginning to use up all of my DHCP addresses.

Event Viewer has a Warning that reads: Scope, 10.xx.xx.0, is 82 percent full with only 64 IP addresses remaining.
Question by: Nellie Epps
34 Comments
LVL 32

Expert Comment

by:it_saige
ID: 40355729
Check to see if you have an open/unsecured Wireless Access Point.

-saige-

Author Comment

by:Nellie Epps
ID: 40355733
I have already checked and we don't.  That is why this is so puzzling.
LVL 32

Expert Comment

by:it_saige
ID: 40355744
Check your Wireless Access Point's client table (if it has one). See if you find any entries in there for Androids.

-saige-

Author Comment

by:Nellie Epps
ID: 40355753
Our wireless router uses 192.x.x.x addresses; these are 10.x.x.x addresses. The router doesn't have a client table.
LVL 27

Expert Comment

by:davorin
ID: 40355763
It has happened many times that people buy devices by themselves and connect them to the company network without any permission.
Try to scan for wireless networks with software like inSSIDer.
Well, actually you can just use a laptop and check for wireless networks that should not exist in your company.
LVL 23

Expert Comment

by:Dr. Klahn
ID: 40356041
Download a copy of Angry IP Scanner and scan both the 192 and 10 Class A blocks.  Check the device names against what is expected.

I think you'll find that davorin is right and somebody has installed a wireless device on your network without permission, and (knowing it's against company policy and a termination offense) hidden it so that you can't find it.


Author Comment

by:Nellie Epps
ID: 40356885
Okay. I ran Angry IP Scanner. Would 10.xx.xx.xxx 0.in-addr-arpa be the culprit? I am not sure what to look for.

Author Comment

by:Nellie Epps
ID: 40356901
I found another that could be suspect: 192.168.xx.xxx, hostname )^SU
LVL 23

Expert Comment

by:Dr. Klahn
ID: 40356905
If you can post a screenshot it will be helpful as then we will be getting the information direct.  Anything ".in-addr.arpa" should not be showing up in the host name column; this is how IP addresses are backwards resolved.

Author Comment

by:Nellie Epps
ID: 40356929
Please see the attached unusual results from Angry IP Scanner.
LVL 23

Expert Comment

by:Dr. Klahn
ID: 40356932
Sorry to say that the document does not appear to have attached properly.

Author Comment

by:Nellie Epps
ID: 40356939
Sorry, I didn't click "upload file".
Angry-IP-Scanner-Results.docx
LVL 23

Expert Comment

by:Dr. Klahn
ID: 40356956
Perhaps one of the other experts can comment on that.  (I still use Word 97 and there is no import for the later DOCX file format into Word 97.)  Or alternatively, if you can post the screenshot as a JPEG.
LVL 32

Expert Comment

by:it_saige
ID: 40356962
@DrKlahn - Here are the snippets she made.
Capture.JPG

-saige-

Author Comment

by:Nellie Epps
ID: 40356965
I have now saved it as a Word 97 doc.  You should be able to open it now.
Angry-IP-Scanner-Results2.doc

Author Comment

by:Nellie Epps
ID: 40356994
As you can see by the attached, the Androids are basically taking over my DHCP table. However, when I do an nslookup many of them are legitimate workstations or laptops. The ones that I don't receive a response from, I delete, but then they begin to return almost immediately.
androids.doc
LVL 23

Accepted Solution

by: Dr. Klahn (earned 500 total points)
ID: 40358870
Thanks, it_saige.

Nellie, it looks to me that you are providing free wireless to anybody in the area with an Android device.  It is interesting that only Android devices are showing up and nothing else.

Here are my speculations ...

Someone may have established an illegal VPN on their workstation and the 10-block traffic results from a VPN tunnel into your site, with a WAP at the other end of the VPN tunnel.  Check all workstations for VPN software and run ipconfig /all on each to see if there are any active tunnels.  Perhaps one of the other experts can speak to this issue.  It will be difficult to find if this results from a virus such as Caphaw; run the Microsoft Malicious Software Removal Tool on all workstations.

Bring in a laptop or a wireless network sniffer.  See if there is an open network in the area.  If there is, and you can connect to it, and the connecting device reports an IP address in the 10 block, and the laptop then shows up in your DHCP table, this confirms an unauthorized wireless access point on your network.

If the primary network is wireless, change the WPA key on the WAP and on all workstations.  Keep the new key a secret to yourself.  See if the problem goes away.

I have to say the device at 192.168.1.110 looks suspicious.  Normally a device seen by Angry IP Scanner comes back with a name of either (nothing at all), or a Windows name.  This looks like a deliberately chosen random name.  I'd chase that one down and find out what it is just on general principles.

The other device at 10.(can't read the rest) is definitely suspicious.  My guess is that this is the bootleg wireless router.  If it is on the other end of a VPN you won't be able to find it.  If it is on your premises, chasing it down may be a chore on a large network unless you have hardware that can identify what segment of the network it is on.  On a small network you can do a physical premises inspection.  If your primary network is wireless and not wired, you'll have to conduct a physical search of the entire premises to find out where the unauthorized device is.

Before going to those lengths, you might try this:  Make a site-wide announcement to all users that there is an unauthorized wireless router on the premises, and that when you find it, there will be consequences for whoever attached it to the network without permission.  Then wait two days and see if it disappears from the network.

By the way, I don't think we are going to find out anything to penetrate your network from the Angry IP Scanner screenshots, so there's no need to scribble out the IP addresses.  The device names in the scan results are partially readable through the scribbling, and even those do not suggest anything to me about your network or where you are located.  You can sure scribble all you want to, though, if it makes your boss feel better.
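Added example, not from the thread or any of its participants: a PowerShell triage pass over the android-* leases discussed above, run against the Windows DHCP server that owns the filling scope. It assumes the DhcpServer and ActiveDirectory RSAT modules are installed; the server name and scope ID are placeholders.

```powershell
# Example code (not from the thread). Triage android-* leases on a Windows DHCP server:
# measure scope usage, list matching leases, test each against reverse DNS and AD, and
# preview (WhatIf only) a MAC deny filter for the ones nothing can vouch for.
Import-Module DhcpServer
Import-Module ActiveDirectory

$DhcpServer = 'dhcp01.example.local'   # placeholder: your DHCP server
$ScopeId    = '10.0.0.0'               # placeholder for the 10.xx.xx.0 scope in the question

# 1. Scope utilisation (the Event Viewer warning in the question reported 82 percent).
$stats = Get-DhcpServerv4ScopeStatistics -ComputerName $DhcpServer -ScopeId $ScopeId
'{0}: {1} in use, {2} free ({3:N1} percent used)' -f $ScopeId, $stats.InUse, $stats.Free, $stats.PercentageInUse

# 2. Leases whose hostname follows the default Android pattern android-<hex id>.
$androidLeases = Get-DhcpServerv4Lease -ComputerName $DhcpServer -ScopeId $ScopeId |
    Where-Object { $_.HostName -match '^android-[0-9a-f]{6,}' }

# 3. For each lease: reverse DNS (the poster's nslookup check) and whether AD knows the host.
$report = foreach ($lease in $androidLeases) {
    $ptr = try { [System.Net.Dns]::GetHostEntry($lease.IPAddress.ToString()).HostName } catch { $null }
    $known = $false
    if ($ptr) {
        $known = [bool](Get-ADComputer -Filter "DNSHostName -eq '$ptr'" -ErrorAction SilentlyContinue)
    }
    [pscustomobject]@{
        IPAddress  = $lease.IPAddress
        MacAddress = $lease.ClientId        # DHCP client ID; normally the client's MAC
        HostName   = $lease.HostName
        ReverseDns = $ptr
        KnownInAD  = $known
        State      = $lease.AddressState
        Expires    = $lease.LeaseExpiryTime
    }
}
$report | Sort-Object Expires | Format-Table -AutoSize

# 4. Containment preview: deny the MACs that neither resolve nor exist in AD.
#    -WhatIf only prints what would happen; drop it after reviewing the list above.
$report | Where-Object { -not $_.ReverseDns -and -not $_.KnownInAD } | ForEach-Object {
    Add-DhcpServerv4Filter -ComputerName $DhcpServer -List Deny -MacAddress $_.MacAddress `
        -Description "unverified android-* lease $($_.HostName)" -WhatIf
}
# The deny list is only enforced once it is switched on:
# Set-DhcpServerv4FilterList -ComputerName $DhcpServer -Deny $true
```

Leases that resolve to a known AD computer but still carry an android-* name point at a stale or spoofed hostname rather than a new device, which is worth noting when the poster reports that many entries turn out to be legitimate workstations.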
LVL 23

Expert Comment

by:Dr. Klahn
ID: 40360490
After sleeping on the problem, another thing that you might be able to try:

Assuming that your legitimate network is on 192.168.1, your legal DHCP server should not be handing out addresses on 10.0.0 at all.  That would imply a bootleg DHCP server on the network.  If this is the case:

Start up a browser and enter http://10.0.0.1 into the address bar.  That should take you to the web management pages for the bootleg router.  You may not be able to get in but there will be enough information there to deduce the manufacturer and possibly the model.

Author Comment

by:Nellie Epps
ID: 40365870
Will not display page.  See attached.
Page-Can-t-be-displayed.doc

Author Comment

by:Nellie Epps
ID: 40365885
So far everything that I have traced has turned out to be a legitimate network device (like a server or workstation). Via the switch I traced the IP address, then the MAC address, then the port. Each cable from the port is attached to a legitimate network device.
LVL 23

Expert Comment

by:Dr. Klahn
ID: 40366789
The only thing I can think of at this point is that there is a device creating a VPN into your network and bridging the 10.0 network onto your 192.168 network.

You said that you traced the IP address and MAC address to the switch and then the port.  What is the device connected to that port?

Author Comment

by:Nellie Epps
ID: 40366836
A DC is connected to the 192.xx.xx.xx address.
LVL 23

Expert Comment

by:Dr. Klahn
ID: 40366853
Domain controller?

Author Comment

by:Nellie Epps
ID: 40366930
Yes.
LVL 23

Expert Comment

by:Dr. Klahn
ID: 40366955
Log into the controller in question, bring up a command window, and issue ipconfig /all.  See if it is hosting anything other than the expected network adapter.

Also scan it thoroughly for viruses using at least two scanners, plus the most recent Microsoft Malicious Software Removal Tool.

If this fails to turn up anything, I am about out of ideas except for this one:  There may be an infected system on your network spoofing a MAC address.  It will be a long and tedious journey with running multiple virus scanners on every system to prove or disprove that.
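Added example, not from Dr. Klahn or the thread: a PowerShell equivalent of the ipconfig /all inspection suggested above, run on the host being checked (here, the domain controller). It lists every IP-enabled adapter and flags tunnel or virtual adapters, addresses outside the expected subnets, and leases from a DHCP server that is not on your list; the subnet prefix and DHCP server address are placeholders, and it needs PowerShell 3 or later.

```powershell
# Example code (not from the thread). Run locally on the host under inspection.
$ExpectedDhcpServers = @('192.168.1.10')   # placeholder: your authorised DHCP server(s)
$ExpectedSubnets     = @('192.168.1.')     # placeholder: prefixes this host should live in

$findings = foreach ($cfg in Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE') {
    # The matching Win32_NetworkAdapter record tells us whether this is real hardware or a tunnel.
    $adapter = Get-CimInstance Win32_NetworkAdapter -Filter "Index = $($cfg.Index)"

    foreach ($ip in ($cfg.IPAddress | Where-Object { $_ -notmatch ':' })) {   # IPv4 only
        $reasons = @()

        # A lease from a server you do not run is the bootleg-DHCP symptom discussed in the thread.
        if ($cfg.DHCPEnabled -and $cfg.DHCPServer -and ($cfg.DHCPServer -notin $ExpectedDhcpServers)) {
            $reasons += "leased from unexpected DHCP server $($cfg.DHCPServer)"
        }
        # An address in a block you never assigned (e.g. 10.x.x.x on a 192.168.1 network).
        if (-not ($ExpectedSubnets | Where-Object { $ip.StartsWith($_) })) {
            $reasons += 'address outside expected subnets'
        }
        # VPN and other tunnel adapters are not physical; that is what ipconfig /all would reveal.
        if ($adapter.PhysicalAdapter -ne $true) {
            $reasons += "virtual or tunnel adapter ($($adapter.Name))"
        }

        [pscustomobject]@{
            Adapter    = $cfg.Description
            IPAddress  = $ip
            MacAddress = $cfg.MACAddress
            DhcpServer = $cfg.DHCPServer
            Suspicious = $reasons -join '; '
        }
    }
}

# Anything with a non-empty Suspicious column deserves a closer look.
$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```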

Author Comment

by:Nellie Epps
ID: 40368295
I ran the Microsoft Malicious Software Removal Tool.  Nothing was found.
LVL 23

Expert Comment

by:Dr. Klahn
ID: 40368791
I'm tapped out of ideas.  Hopefully one of the other experts will see your question and have an insight.

Author Comment

by:Nellie Epps
ID: 40368798
I really appreciate your trying to resolve the issue.

Author Comment

by:Nellie Epps
ID: 40377381
Both experts were correct; however, it_saige answered first. I am not sure how this should be handled.
LVL 32

Expert Comment

by:it_saige
ID: 40377501
I think you handled it adequately.  I may have answered first, but DrKlahn did more leg work than I did.  He is deserving of the greater point break.

-saige-

Author Comment

by:Nellie Epps
ID: 40377642
Sorry, I wasn't sure how this worked. I will try to correct my mistake.

Author Comment

by:Nellie Epps
ID: 40377707
I have requested that full credit for the solution be given to davorin.

Author Closing Comment

by:Nellie Epps
ID: 40391902
Great job!