System administration
Dmitry, 2020-02-29 09:20:03

Unknown device clogs DHCP channel, how to find it?

Good day!

The situation is this: about once every three months an apocalypse occurs on our corporate network. An unknown device starts flooding connections over Wi-Fi, and in the logs the device's MAC looks like this: 0.0.0.0.0. It floods to the point that all IP addresses are taken, and colleagues have no choice but to wait until an IP is released, and even then only if the device does not grab it again. We use UniFi, and one access point serves guest and work Wi-Fi with different passwords on 2.5GHz and 5GHz. After cleaning up and changing the password, the problem goes away for a while. Maybe someone has some thoughts?


4 answer(s)
Ruslan Fedoseev, 2020-02-29
@martin74ua

Move the Wi-Fi to a separate segment to begin with? Change authorization to RADIUS?

Alexander, 2020-02-29
@NeiroNx

You need a whitelist of MAC addresses. Plus L2 switches that can show the list of MAC addresses on a port.
You set up the whitelist and compile a register of connected equipment. You track down the culprit and draw up a report of interference in the corporate network. And put it on the desk of the head of the information security service.
You need to approach this in terms of "information security": perhaps it happened more than once a month, but at the time of a major transaction, the filing of tender applications, and other important company events. The network failure was caused intentionally, since spamming DHCP requests is not possible with standard software. Perhaps somewhere in your network there is an "implant" that intruders activate to bring your network down. You need to examine what the employees were doing when this happened.
Perhaps the guest Wi-Fi was hacked because it is not fully isolated from the main network.

xjam, 2020-02-29
@xjam

Yes, the wireless network must be separated from the wired network; there are no other options. Also, try to either block the MAC or bind it to a specific IP. You can also reduce the lease time for IP addresses.

3a4yI7aTiY, 2020-02-29
@3a4yI7aTiY

Lease time 02:00:00
In DHCP, enable the "Add ARP for leases" checkbox,
Guest Wi-Fi in a separate VLAN
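
One way to find the device from the DHCP server side, as an added example that is not part of any post above: it scans lease grants for the all-zero MAC the question describes, for any MAC taking many addresses, and for an interface handing leases to an abnormal number of MACs. The log format (ISC dhcpd style), thresholds, interface names and sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in ISC dhcpd syslog style (assumed format; adapt ACK_RE to your server).
SAMPLE_LOG = """\
2020-02-29T09:00:01 dhcpd: DHCPACK on 10.0.20.11 to 3c:22:fb:10:20:30 (laptop-1) via vlan20
2020-02-29T09:00:04 dhcpd: DHCPACK on 10.0.30.50 to 00:00:00:00:00:00 via vlan30
2020-02-29T09:00:05 dhcpd: DHCPACK on 10.0.30.51 to 00:00:00:00:00:00 via vlan30
2020-02-29T09:00:06 dhcpd: DHCPACK on 10.0.30.52 to 00:00:00:00:00:00 via vlan30
2020-02-29T09:00:07 dhcpd: DHCPACK on 10.0.30.53 to 00:00:00:00:00:00 via vlan30
2020-02-29T09:30:00 dhcpd: DHCPACK on 10.0.20.11 to 3c:22:fb:10:20:30 (laptop-1) via vlan20
"""
ACK_RE = re.compile(r"^(\S+) dhcpd: DHCPACK on (\S+) to ([0-9a-f:]{17})(?: \([^)]*\))? via (\S+)$", re.I)
NULL_MAC = "00:00:00:00:00:00"

def _peak(events, window):
    """Largest set of distinct values inside any window that starts at an event."""
    best = set()
    for i, (start, _) in enumerate(events):
        seen = {value for ts, value in events[i:] if ts - start < window}
        best = seen if len(seen) > len(best) else best
    return best

def find_lease_hogs(log_text, window=timedelta(minutes=10), max_ips=3, max_macs=20):
    """Return (hog_macs, noisy_ifaces) computed from DHCPACK lines.
    hog_macs: MAC -> sorted IPs, for the all-zero MAC or any MAC granted more
    than max_ips distinct addresses within `window`.
    noisy_ifaces: interface -> distinct MAC count, where more than max_macs
    clients got leases within `window` (exhaustion with changing MACs)."""
    by_mac, by_iface = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        m = ACK_RE.match(line.strip())
        if not m:
            continue  # not a lease grant
        ts, ip, mac, iface = datetime.fromisoformat(m[1]), m[2], m[3].lower(), m[4]
        by_mac[mac].append((ts, ip))
        by_iface[iface].append((ts, mac))
    hogs, noisy = {}, {}
    for mac, events in by_mac.items():
        ips = _peak(sorted(events), window)
        if mac == NULL_MAC or len(ips) > max_ips:
            hogs[mac] = sorted(ips)
    for iface, events in by_iface.items():
        macs = _peak(sorted(events), window)
        if len(macs) > max_macs:
            noisy[iface] = len(macs)
    return hogs, noisy
```

The interface (or relay) named in a flagged entry tells you which segment or SSID to look at; the per-port MAC tables on the L2 switches then narrow it down to a physical port or access point.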
