My DHCP table has begun receiving numerous entries that start with android-2222533a32d23.domain. We don't have any Androids in our environment. How can I stop these entries?

My DHCP table has begun receiving numerous entries that start with android-2222533a32d23.domain. We don't have any Androids in our environment. How can I stop these entries? These entries are beginning to use up all of my DHCP addresses.

Event Viewer has a Warning that reads Scope, 10.xx.xx.0, is 82 percent full with only 64 IP addresses remaining.
Nellie Epps (IT Manager) asked:

it_saige (Developer) commented:
Check to see if you have an open/unsecured Wireless Access Point.

-saige-
0
Nellie Epps (IT Manager, Author) commented:
I have already checked and we don't.  That is why this is so puzzling.
0
it_saige (Developer) commented:
Check your Wireless Access Point's client table (if it has one). See if you find any entries in there for Androids.

-saige-
0
Nellie Epps (IT Manager, Author) commented:
Our wireless router uses 192.x.x.x addresses; these are 10.x.x.x addresses. The router doesn't have a client table.
0
davorin commented:
It has happened many times that people buy devices themselves and connect them to the company network without any permission.
Try to scan for wireless networks with software like inSSIDer.
Well, actually you can use just a laptop and check wireless networks that should not exist in your company.
0
Dr. Klahn (Principal Software Engineer) commented:
Download a copy of Angry IP Scanner and scan both the 192 and 10 Class A blocks.  Check the device names against what is expected.

I think you'll find that davorin is right and somebody has installed a wireless device on your network without permission, and (knowing it's against company policy and a termination offense) hidden it so that you can't find it.

Angry IP Scanner
0
Nellie Epps (IT Manager, Author) commented:
Okay.  I ran Angry IP Scanner.  Would 10.xx.xx.xxx             0.in-addr-arpa be the culprit?  I am not sure what to look for.
0
Nellie Epps (IT Manager, Author) commented:
I found another that could be suspect 192.168.xx.xxx   Hostname   )^SU
0
Dr. Klahn (Principal Software Engineer) commented:
If you can post a screenshot it will be helpful as then we will be getting the information direct.  Anything ".in-addr.arpa" should not be showing up in the host name column; this is how IP addresses are backwards resolved.
0
Nellie Epps (IT Manager, Author) commented:
Please see attached unusual results from Angry IP Scanner
0
Dr. Klahn (Principal Software Engineer) commented:
Sorry to say that the document does not appear to have attached properly.
0
Nellie Epps (IT Manager, Author) commented:
Sorry, I didn't click "upload file".
Angry-IP-Scanner-Results.docx
0
Dr. Klahn (Principal Software Engineer) commented:
Perhaps one of the other experts can comment on that.  (I still use Word 97 and there is no import for the later DOCX file format into Word 97.)  Or alternatively, if you can post the screenshot as a JPEG.
0
it_saige (Developer) commented:
@DrKlahn - Here are the snippets she made.
Capture.JPG

-saige-
0
Nellie Epps (IT Manager, Author) commented:
I have now saved it as a Word 97 doc.  You should be able to open it now.
Angry-IP-Scanner-Results2.doc
0
Nellie Epps (IT Manager, Author) commented:
As you can see by the attached, the Androids are basically taking over my DHCP table. However, when I do an nslookup, many of them are legitimate workstations or laptops. The ones that I don't receive a response from, I delete, but then they begin to return almost immediately.
androids.doc
0
Dr. Klahn (Principal Software Engineer) commented:
Thanks, it_saige.

Nellie, it looks to me that you are providing free wireless to anybody in the area with an Android device.  It is interesting that only Android devices are showing up and nothing else.

Here are my speculations ...

Someone may have established an illegal VPN on their workstation and the 10-block traffic results from a VPN tunnel into your site, with a WAP at the other end of the VPN tunnel.  Check all workstations for VPN software and run ipconfig /all on each to see if there are any active tunnels.  Perhaps one of the other experts can speak to this issue.  It will be difficult to find if this results from a virus such as Caphaw; run the Microsoft Malicious Software Tool on all workstations.

Bring in a laptop or a wireless network sniffer.  See if there is an open network in the area.  If there is, and you can connect to it, and the connecting device reports an IP address in the 10 block, and the laptop then shows up in your DHCP table, this confirms an unauthorized wireless access point on your network.

If the primary network is wireless, change the WPA key on the WAP and on all workstations.  Keep the new key a secret to yourself.  See if the problem goes away.

I have to say the device at 192.168.1.110 looks suspicious.  Normally a device seen by Angry IP Scanner comes back with a name of either (nothing at all), or a Windows name.  This looks like a deliberately chosen random name.  I'd chase that one down and find out what it is just on general principles.

The other device at 10.(can't read the rest) is definitely suspicious.  My guess is that this is the bootleg wireless router.  If it is on the other end of a VPN you won't be able to find it.  If it is on your premises, chasing it down may be a chore on a large network unless you have hardware that can identify what segment of the network it is on.  On a small network you can do a physical premises inspection.  If your primary network is wireless and not wired, you'll have to conduct a physical search of the entire premises to find out where the unauthorized device is.

Before going to those lengths, you might try this:  Make a site-wide announcement to all users that there is an unauthorized wireless router on the premises, and that when you find it, there will be consequences for whoever attached it to the network without permission.  Then wait two days and see if it disappears from the network.

By the way, I don't think we are going to find out anything to penetrate your network from the Angry IP Scanner screenshots, so there's no need to scribble out the IP addresses.  The device names in the scan results are partially readable through the scribbling, and even those do not suggest anything to me about your network or where you are located.  You can sure scribble all you want to, though, if it makes your boss feel better.
0
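The checks the experts describe above (android-* hostnames, ".in-addr.arpa" names that should never appear in a hostname column, unprintable names like the one seen at 192.168.x, a shared MAC vendor prefix among the suspects, and the "scope is N percent full" warning) collected into one triage script. This is an added example, not code from the thread; the lease lines are constructed, and the three-column layout is an assumption, since a real export from the Windows DHCP console has its own format.

```python
import re
from collections import Counter

# Constructed sample lease export (IP, MAC, hostname); not taken from the thread.
SAMPLE_LEASES = """\
10.10.5.21  a4-50-46-11-22-33  android-2222533a32d23.domain
10.10.5.22  a4-50-46-11-22-34  android-3f9e1c0b7a6d5e4f.domain
10.10.5.23  00-1a-2b-3c-4d-5e  WS-ACCOUNTING01.domain
10.10.5.24  b8-27-eb-99-88-77  0.in-addr.arpa
10.10.5.25  00-1a-2b-3c-4d-5f  DC01.domain
10.10.5.26  a4-50-46-aa-bb-cc  )^SU
"""

# Android devices register as android-<hex>; anything else is judged by shape.
ANDROID_RE = re.compile(r"^android-[0-9a-f]+(\.|$)", re.IGNORECASE)
PRINTABLE_HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.\-]*$")

def parse_leases(text):
    """Return (ip, mac, hostname) tuples from whitespace-separated lease lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            rows.append((parts[0], parts[1].lower(), parts[2]))
    return rows

def classify(hostname):
    """Label a lease hostname: 'android', 'reverse-dns', 'garbage' or 'ok'."""
    if ANDROID_RE.match(hostname):
        return "android"
    if hostname.lower().endswith(".in-addr.arpa"):
        return "reverse-dns"
    if not PRINTABLE_HOST_RE.match(hostname):
        return "garbage"
    return "ok"

def triage(text, oui_len=8):
    """List suspicious leases and count MAC vendor prefixes (OUI) among them.
    A single dominant OUI hints that the suspects share one path onto the LAN."""
    rows = [(ip, mac, host, classify(host)) for ip, mac, host in parse_leases(text)]
    suspects = [row for row in rows if row[3] != "ok"]
    oui_counts = Counter(mac[:oui_len] for _, mac, _, _ in suspects)
    return suspects, oui_counts

def scope_status(total, leased, warn_pct=80):
    """Reproduce the event-log 'scope is N percent full' check: (pct, remaining, warn)."""
    pct = round(100 * leased / total)
    return pct, total - leased, pct >= warn_pct
```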

Dr. Klahn (Principal Software Engineer) commented:
After sleeping on the problem, another thing that you might be able to try:

Assuming that your legitimate network is on 192.168.1, your legal DHCP server should not be handing out addresses on 10.0.0 at all.  That would imply a bootleg DHCP server on the network.  If this is the case:

Start up a browser and enter http://10.0.0.1 into the address bar.  That should take you to the web management pages for the bootleg router.  You may not be able to get in but there will be enough information there to deduce the manufacturer and possibly the model.
0
Nellie Epps (IT Manager, Author) commented:
Will not display page.  See attached.
Page-Can-t-be-displayed.doc
0
Nellie Epps (IT Manager, Author) commented:
So far everything that I have traced has turned out to be a legitimate network device (like a server or workstation). Via the switch I traced the IP address, then the MAC address, then the port. Each cable from the port is attached to a legitimate network device.
0
Dr. Klahn (Principal Software Engineer) commented:
The only thing I can think of at this point is that there is a device creating a VPN into your network and bridging the 10.0 network onto your 192.168 network.

You said that you traced the IP address and MAC address to the switch and then the port.  What is the device connected to that port?
0
Nellie Epps (IT Manager, Author) commented:
A DC is connected to the 192.xx.xx.xx address.
0
Dr. Klahn (Principal Software Engineer) commented:
Domain controller?
0
Nellie Epps (IT Manager, Author) commented:
Yes.
0
Dr. Klahn (Principal Software Engineer) commented:
Log into the controller in question, bring up a command window, and issue ipconfig /all.  See if it is hosting anything other than the expected network adapter.

Also scan it thoroughly for viruses using at least two scanners, plus the most recent Microsoft Malicious Software Removal Tool.

If this fails to turn up anything, I am about out of ideas except for this one:  There may be an infected system on your network spoofing a MAC address.  It will be a long and tedious journey with running multiple virus scanners on every system to prove or disprove that.
0
Nellie Epps (IT Manager, Author) commented:
I ran the Microsoft Malicious Software Removal Tool.  Nothing was found.
0
Dr. Klahn (Principal Software Engineer) commented:
I'm tapped out of ideas.  Hopefully one of the other experts will see your question and have an insight.
0
Nellie Epps (IT Manager, Author) commented:
I really appreciate your trying to resolve the issue.
0
Nellie Epps (IT Manager, Author) commented:
Both experts were correct; however, it_saige answered first. I am not sure how this should be handled.
0
it_saige (Developer) commented:
I think you handled it adequately.  I may have answered first, but DrKlahn did more leg work than I did.  He is deserving of the greater point break.

-saige-
0
Nellie Epps (IT Manager, Author) commented:
Sorry, I wasn't sure how this worked. I will try to correct my mistake.
0
Nellie Epps (IT Manager, Author) commented:
I have requested that full credit for the solution be given to davorin.
0
Nellie Epps (IT Manager, Author) commented:
Great job!
0