I was installing the new Flow Analytics beta on a customer’s machine the other day and we started to see odd results.
For those of you who do not know about the Flow Analytics module for Scrutinizer, it’s a behavioral analysis engine that listens to the network traffic that you are already collecting with Scrutinizer. It’s searching for patterns or “chatter” that resembles negative network behavior.
Initially everything was working fine, but within a short period of time, we started to see SYN violations. We opened up the SYN Violations alarms message from Flow Analytics and clicked on the “Possible Worm Attack” link. Clicking on this link provided us with all the raw data that showed signs of SYN Violations.
To our surprise, we were seeing the IP address 169.254.18.31, which is the dummy address that Microsoft assigns to you if it can’t grab one from DHCP. I had never seen this reported before, and in reality we shouldn’t even see that IP address, because the machine should not have access to the network.
A bit concerned, I decided to search for the 169.254.18.31 address across all of the routers. I figured that this might give me a clue as to what was happening or at least tell me who this IP address was talking to. The result only showed one router. Now I was starting to get excited! I clicked the destination router and could see all of the conversations. BANG! We found the smoking gun.
This unique behavior was due to the IP HELPER function of his router. He explained to me how this function helps orphaned IP’s find their way to the internet, and in the end making sure that everyone has some sort of network connection.
“Ahhh, that makes sense. People are unplugging their laptops, but WI-FI is still active. The WI-FI is not getting an IP, so IP HELPER steps in,” he said.
We were both impressed. With one central application and a little detective work, we were able to resolve this issue quickly. Mystery solved!
The following is a clip from an article published by CISCO regarding the IP HELPER function:
“Here is brief information about ip-helper address. If your DHCP server is located remotely, your local DHCP client might not get IP address due to broadcasting traffic is blocked by router.
By default, routers drop all broadcast packets sent through them. Because DHCP clients use BOOTP packets, which are broadcasted to all hosts (255.255.255.255), they will be dropped by router. The “ip helper-address” command enables the router to forward these BOOTP broadcast packets to a specific host, as specified by the address following the “ip helper-address” command. Note that this command must be placed on the router’s interface that is receiving the broadcast packets from the hosts, which is Ethernet(FastEthernet or GigabitEthernet Interface) of the router.”