Network administration
Dmitry Treiserov, 2019-03-12 06:59:14

An IP "floats" in the domain network (without Internet access). How to catch and remove it?

Good day.
There is a WinServ2012 AD DC. DHCP is set up on it and Kaspersky is installed. The network has an IP address with no Internet access, but with access to the local network (it is the only one). It gets assigned automatically to anyone, and it does not care whether a static address is set on the network card, in a reservation, in the pool, or all at once. It is assigned to any machine. Rebooting the computer or phone helps. Please advise where to catch this muck. I tried to put it into the firewall on the MikroTik, but what's the point? I tried to assign it through a reservation to a bogus MAC address; it did not save. Reserving all the machines did not help either. I think that some piece of equipment is "shitting"; the question is, how much is this one IP? Basically, I don't know what to do. HELP!!!

4 answer(s)
Dmitry, 2019-03-12
@hempy80

DHCP snooping must be configured on the switch(es), if that is possible. If it is not possible, find the culprit and flog him in public.

Keffer, 2019-03-12
@Keffer

Most likely another rogue DHCP server has turned up on the network.

Sergey, 2019-03-12
@edinorog

MikroTik does not know how to catch and ban rogue DHCP servers. Look up the MAC of the rogue server, check the manufacturer of the hardware, and find it visually.

Dmitry Treiserov, 2019-03-12
@Tracerov

I am waiting for the problem IP to appear) and I will look as Sergei @edinorog suggested. I did not wait for my problem IP.
I logged into the DHCP Server on the MikroTik and set an Alert; it immediately caught several MAC addresses, and blocked them for 31 days. I went into the MikroTik log and saw that the first MAC was giving out DHCP to the 1.1 subnet, the second one in my subnet. Here it is, the miracle with the great address. I went into Wireshark (I still only rummage in it a little, but I try to learn everything), scanned/filtered/read/found:
Dynamic Host Configuration Protocol (Offer)
...
Your (client) IP address: 192.168.(problem IP address)
...
I closed it off in the firewall from everyone. I don't want to run around looking all over the place. It will announce itself)
13.03.19 morning.
Today I was assigned this problem IP. In general, Wireshark does not see this DHCP server, or this IP at all.
Google says that this is a Chinese IP in general. There is no ping on it. Well, not surprising. But the network robs most likely because of DNS. THE BIGGEST ODDITY: my computer was not turned off at night! And the reservation is in place. How it gets through I don't know.
03/14/19
I'm still struggling with the problem.
I don't even know where to start. I came in the morning, and I had not turned off the computer for the night. The same IP was assigned again.
I don't remember where I stopped yesterday)
Today and yesterday, I remember exactly, 113.0.168.1 did not respond to anything.
I poked around at everything for a long time; as a result, I restarted the network, and my IP was assigned according to the reservation.
113.0.168.1 does not respond to ping, but the trace gives out at the 12-14th step, in my opinion.
And then I got lucky, as a ping appeared on this IP. I immediately checked the ARP table; it was not there yet, so I got into Wireshark and started pinging it. I noticed in the packet that the MAC of this IP is the same as on my MikroTik. I don't know, maybe I have already gone cuckoo, but as I understand it, they have the same MAC addresses. And after some time, the same anomaly appeared in the ARP table. How they are connected I have no idea. I know that this IP replaces my broadcast. I'll try to show everything right now.
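
The check discussed in this thread (find the DHCP Offer in a capture, read which server sent it, and note the MAC it came from) can be automated. The following is an added example, not code from any poster: it parses raw DHCP payloads and reports Offers whose server identifier (option 54) is not on an allowlist. The allowlisted server 192.168.0.1, the MAC addresses and the two sample frames are constructed assumptions.

```python
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"  # cookie that precedes the DHCP options (RFC 2131)
OFFER = 2                    # option 53 value for a DHCP Offer

def parse_dhcp(payload):
    """Return message type, server id (option 54) and yiaddr, or None if not DHCP."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    yiaddr = str(ipaddress.IPv4Address(payload[16:20]))  # "Your (client) IP address"
    info = {"type": None, "server_id": None, "yiaddr": yiaddr}
    i = 240
    while i < len(payload) and payload[i] != 255:  # 255 = End option
        if payload[i] == 0:                        # 0 = Pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            break                                  # truncated option, stop parsing
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == 53 and length == 1:
            info["type"] = value[0]
        elif code == 54 and length == 4:
            info["server_id"] = str(ipaddress.IPv4Address(value))
        i += 2 + length
    return info

def rogue_offers(frames, allowed_servers):
    """frames: (source MAC, UDP payload) pairs. Return Offers from servers not allowed."""
    hits = []
    for src_mac, payload in frames:
        info = parse_dhcp(payload)
        if info and info["type"] == OFFER and info["server_id"] not in allowed_servers:
            hits.append((src_mac, info["server_id"], info["yiaddr"]))
    return hits

def build_offer(server_ip, your_ip):
    """Constructed sample Offer (not a real capture) used for the demo."""
    srv, you = (ipaddress.IPv4Address(a).packed for a in (server_ip, your_ip))
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s192x", 2, 1, 6, 0, 0x1234, 0, 0,
                      bytes(4), you, srv, bytes(4), bytes.fromhex("020000000099"))
    return hdr + MAGIC + bytes([53, 1, OFFER, 54, 4]) + srv + b"\xff"

SAMPLE = [("02:00:00:00:00:01", build_offer("192.168.0.1", "192.168.0.50")),
          ("02:00:00:00:00:02", build_offer("192.168.1.1", "192.168.1.50"))]

if __name__ == "__main__":
    for mac, server, offered in rogue_offers(SAMPLE, {"192.168.0.1"}):
        print(f"rogue DHCP Offer: server {server} (MAC {mac}) offered {offered}")
```

An Offer with no option 54 at all is also reported, since its server identifier cannot be matched against the allowlist.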