I was installing the new Flow Analytics beta on a customer’s machine the other day and we started to see odd results.

For those of you who do not know about the Flow Analytics module for Scrutinizer, it’s a behavioral analysis engine that listens to the network traffic that you are already collecting with Scrutinizer. It’s searching for patterns or “chatter” that resembles negative network behavior.

Initially everything was working fine, but within a short period of time, we started to see SYN violations. We opened up the SYN Violations alarm message from Flow Analytics and clicked on the “Possible Worm Attack” link. Clicking on this link provided us with all the raw flow data that showed signs of SYN Violations.

To our surprise, we were seeing the IP address 169.254.18.31, which is the self-assigned address that Windows falls back to when it can’t get one from DHCP. I had never seen this reported before, and in reality we shouldn’t be seeing that IP address at all, because a machine without a real address should not have access to the network.

A bit concerned, I decided to search for the 169.254.18.31 address across all of the routers. I figured that this might give me a clue as to what was happening or at least tell me who this IP address was talking to. The result only showed one router. Now I was starting to get excited! I clicked the destination router and could see all of the conversations. BANG! We found the smoking gun.
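The detective work above (find which routers ever saw the link-local address, then look at its conversations and whether they were SYN-only) is easy to reproduce over exported flow records. The following is an added example, not code from the original post or from Scrutinizer; the flow tuple shape, the exporter names and the sample records are constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import NamedTuple

# RFC 3927 link-local range; Windows self-assigns from it (APIPA) when DHCP fails.
LINK_LOCAL = ip_network("169.254.0.0/16")


class Flow(NamedTuple):
    exporter: str    # router that exported the record (assumed field)
    src: str
    dst: str
    proto: int       # 6 = TCP, 17 = UDP
    flags: str       # cumulative TCP flags seen on the flow, e.g. "S", "SA", "SPA"
    packets: int


# Constructed sample records in the shape of summarized NetFlow data.
# Only router-b sees the link-local source, mirroring the post's findings.
SAMPLE_FLOWS = [
    Flow("router-a", "10.1.1.25", "10.2.0.10", 6, "SA", 42),
    Flow("router-a", "10.1.1.26", "10.2.0.53", 17, "", 3),
    Flow("router-b", "169.254.18.31", "10.2.0.10", 6, "S", 1),
    Flow("router-b", "169.254.18.31", "10.2.0.11", 6, "S", 1),
    Flow("router-b", "169.254.18.31", "10.2.0.12", 6, "S", 1),
    Flow("router-b", "10.1.2.7", "10.2.0.10", 6, "SPA", 120),
    Flow("router-c", "10.1.3.9", "10.2.0.10", 6, "SA", 8),
]


def is_link_local(addr: str) -> bool:
    """True for 169.254.x.x addresses, which should never appear as routed sources."""
    return ip_address(addr) in LINK_LOCAL


def is_syn_only(flags: str) -> bool:
    """A SYN with no ACK ever seen on the flow: the handshake never completed."""
    return "S" in flags and "A" not in flags


def exporters_seeing(flows, addr: str):
    """The 'search across all routers' step: which exporters saw addr at all."""
    return sorted({f.exporter for f in flows if addr in (f.src, f.dst)})


def link_local_report(flows):
    """Per exporter: link-local sources, the peers they talked to, and how many flows were SYN-only."""
    report = defaultdict(lambda: {"sources": set(), "peers": set(), "flows": 0, "syn_only": 0})
    for f in flows:
        if f.proto != 6 or not is_link_local(f.src):
            continue
        entry = report[f.exporter]
        entry["sources"].add(f.src)
        entry["peers"].add(f.dst)
        entry["flows"] += 1
        if is_syn_only(f.flags):
            entry["syn_only"] += 1
    return dict(report)


if __name__ == "__main__":
    print("routers seeing 169.254.18.31:", exporters_seeing(SAMPLE_FLOWS, "169.254.18.31"))
    for exporter, entry in link_local_report(SAMPLE_FLOWS).items():
        print(exporter, entry)
```

Run against real exports, the single exporter returned by `exporters_seeing` is the router to look at first, and a high `syn_only` count from a link-local source is the pattern that triggered the alarm in this case.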

This unique behavior turned out to be caused by the IP HELPER function on the customer’s router. He explained to me how this function helps orphaned IPs find their way to the internet, making sure that everyone ends up with some sort of network connection.

“Ahhh, that makes sense. People are unplugging their laptops, but Wi-Fi is still active. The Wi-Fi is not getting an IP, so IP HELPER steps in,” he said.

We were both impressed. With one central application and a little detective work, we were able to resolve this issue quickly. Mystery solved!

The following is a clip from an article published by Cisco regarding the IP HELPER function:

“Here is some brief information about the ip helper-address command. If your DHCP server is located remotely, your local DHCP client might not get an IP address, because broadcast traffic is blocked by the router.

By default, routers drop all broadcast packets sent through them. Because DHCP clients use BOOTP packets, which are broadcast to all hosts (255.255.255.255), they will be dropped by the router. The “ip helper-address” command enables the router to forward these BOOTP broadcast packets to a specific host, as specified by the address following the “ip helper-address” command. Note that this command must be placed on the router’s interface that is receiving the broadcast packets from the hosts, which is the Ethernet (FastEthernet or GigabitEthernet) interface of the router.”
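To make the quoted behavior concrete, here is an added model of the relay decision a router makes for a broadcast received on an interface, and of how the DHCP server on the other end uses the relay-agent (giaddr) field to choose a scope. It is illustrative code written for this page, not Cisco’s implementation or the post’s own; the interface names, addresses and scope names are constructed, and the default list of forwarded UDP ports is an assumption stated in the code.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional

LIMITED_BROADCAST = IPv4Address("255.255.255.255")
UNSPECIFIED = IPv4Address("0.0.0.0")
BOOTP_SERVER_PORT = 67
# Assumption: UDP ports a router forwards by default once a helper address is set
# (Time, TACACS, DNS, BOOTP/DHCP server and client, TFTP, NetBIOS name/datagram).
DEFAULT_FORWARD_PORTS = {37, 49, 53, 67, 68, 69, 137, 138}


@dataclass
class Interface:
    name: str
    address: IPv4Address
    helper_addresses: List[IPv4Address] = field(default_factory=list)  # 'ip helper-address' targets


@dataclass
class Datagram:
    src: IPv4Address
    dst: IPv4Address
    dst_port: int
    giaddr: IPv4Address = UNSPECIFIED  # BOOTP "gateway" field, zero when sent by the client


def relay(pkt: Datagram, iface: Interface) -> List[Datagram]:
    """Simplified model of what the router emits for pkt received on iface."""
    if pkt.dst != LIMITED_BROADCAST:
        return [pkt]                       # ordinary unicast is routed unchanged
    if not iface.helper_addresses or pkt.dst_port not in DEFAULT_FORWARD_PORTS:
        return []                          # default behavior: the broadcast stops here
    out = []
    for helper in iface.helper_addresses:
        giaddr = pkt.giaddr
        if pkt.dst_port == BOOTP_SERVER_PORT and giaddr == UNSPECIFIED:
            giaddr = iface.address         # first relay stamps the receiving interface address
        # The broadcast becomes a unicast to the helper, sourced from the receiving interface.
        out.append(Datagram(src=iface.address, dst=helper, dst_port=pkt.dst_port, giaddr=giaddr))
    return out


def select_scope(giaddr: IPv4Address, scopes: Dict[IPv4Network, str]) -> Optional[str]:
    """A DHCP server picks the pool whose subnet contains giaddr; None if no scope matches."""
    for net, name in scopes.items():
        if giaddr in net:
            return name
    return None


# Constructed topology: clients on 10.1.2.0/24 behind Gi0/1, DHCP server at 10.2.0.5.
GI0_1 = Interface("GigabitEthernet0/1", IPv4Address("10.1.2.1"), [IPv4Address("10.2.0.5")])
GI0_2 = Interface("GigabitEthernet0/2", IPv4Address("10.1.3.1"))          # no helper configured
SCOPES = {IPv4Network("10.1.2.0/24"): "clients-gi0-1", IPv4Network("10.2.0.0/24"): "servers"}
DISCOVER = Datagram(UNSPECIFIED, LIMITED_BROADCAST, BOOTP_SERVER_PORT)   # client's DHCPDISCOVER


if __name__ == "__main__":
    for iface in (GI0_1, GI0_2):
        forwarded = relay(DISCOVER, iface)
        print(iface.name, "->", [(str(d.dst), str(d.giaddr)) for d in forwarded])
        if forwarded:
            print("  server would answer from scope:", select_scope(forwarded[0].giaddr, SCOPES))
```

The point the model makes is the one the quoted text implies: without a helper on the receiving interface the discover goes nowhere, and with one the server sees a unicast whose giaddr tells it which subnet the client is on. That is also why a client that has already fallen back to a 169.254 address can still end up talking through the router once its interface is reachable again.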


James Dougherty

I have worn many hats in my professional life. Support engineer, developer, network admin and manager are all points on my resume, but the one common thread with all of these jobs is that I enjoy working with people; that is what I do here at Plixer. I make sure that everyone understands our product and can get the most out of it. It's just simple 'no bull' support!

Let me know if you have any questions, I would be happy to help.

- Jimmy D
