
Thread: Loss of network connectivity.

  1. #11
    THE Bastard Sys***** dinowuff's Avatar
    Join Date
    Jun 2003
    Location
    Third planet from the Sun
    Posts
    1,253
    So you can ping the billing and surfing pc's and they can ping others on the network but not access the Internet?
    09:F9:11:02:9D:74:E3:5B8:41:56:C5:63:56:88:C0

  2. #12
    Senior Member Spyrus's Avatar
    Join Date
    Oct 2002
    Posts
    741
    When you say you can ping the website are you talking about external webpages?

    If so, what I am to understand is only the billing PCs (which have DHCP reserved IP addresses) can't access the Internet but can view the Intranet with no problems?

    Have there been any new GPOs released? Are there any screwy stipulations set up on the DHCP server? Reservations that are odd or anything? Any new updates or patches in the environment that would lead to these issues?
    Duct tape.....A whole lot of Duct Tape
    Spyware/Adaware problem click
    here

  3. #13
    Okay now this problem isn't reserved to billing machines.. I just got a call informing me that machines used by the customer are also affected..

    There have been no new GPOs except one change that I've included for WSUS.. In the last one week all machines have been patched up to current levels.. Currently 70%. Machines are at 100% patch level, others are following quickly because I've put deadlines on all patches.. Except this, no change in the domain has been done.. DHCP servers haven't been touched, there is no IP conflict detected either.. We use SEP on our machines and I've seen machines with SEP installed and updated showing a green dot indicating the machine is protected but the machine in reality is infected.. I've even checked these machines for infection or rootkit but I've found nothing.. We are losing more machines by the hour now and it's really scary now.. Sigh..

    Thank you very much to everyone who has replied..
    Last edited by ByTeWrangler; April 8th, 2009 at 08:20 PM.
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  4. #14
    THE Bastard Sys***** dinowuff's Avatar
    Join Date
    Jun 2003
    Location
    Third planet from the Sun
    Posts
    1,253
    At this point (and I'm still not sure I understand the problem) I would say you are in a DoS situation and most likely it's a bad switch or router.

    Check the ARP tables of an affected machine and then the arp table on the first switch it's attached to.

    Do you have SNMP Traps set on all your routers and switches? Do any mac filtering?

    I've seen switches just dump and rebuild the spanning tree for no apparent reason every few seconds never completely rebuilding.

    Really I would focus (again if I understand your situation) on layer 2 and 3.

    Hope this helps
    09:F9:11:02:9D:74:E3:5B8:41:56:C5:63:56:88:C0

  5. #15
    THE Bastard Sys***** dinowuff's Avatar
    Join Date
    Jun 2003
    Location
    Third planet from the Sun
    Posts
    1,253
    Just a quick thought: are all the PCs affected at 100% patch level and none of the PCs affected at 70%?

    Or vice-versa?

    When did you put the deadline on all patches? Before this mess started or after?
    09:F9:11:02:9D:74:E3:5B8:41:56:C5:63:56:88:C0

  6. #16
    Affected machines also include completely patched machines.

    "Check the ARP tables of an affected machine and then the arp table on the first switch it's attached to."
    I have checked the ARP tables of a few machines, but of these (about 8) only one had a malicious entry pointing to another infected machine in the same VLAN. Others have only one entry pointing to the local gateway (switch).

    "Do you have SNMP Traps set on all your routers and switches? Do any mac filtering?"
    Nopes

    "I've seen switches just dump and rebuild the spanning tree for no apparent reason every few seconds never completely rebuilding."
    Umm, I didn’t see any of the switches do that except one that sent a lot of ARP traffic then just stopped.

    "Really I would focus (again if I understand your situation) on layer 2 and 3."
    I am focusing on an intrusion because these branches are spread all across the country. Every branch has 2 switches (overall 250+ branches and about 20 of them are having this issue). I really don’t think so many switches at the same time would start acting crazy, especially without ANY change being implemented.
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.
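
An added example, not part of the original thread: one way to run the ARP-table comparison discussed in posts #14 and #16 across many machines at once. It parses Windows `arp -a` output and flags a gateway IP that resolves to an unexpected MAC, and a single MAC claiming several IPs. Host names, addresses and captures are constructed, and the known-good gateway MAC is assumed to have been read from the switch itself.

```python
import re
from collections import defaultdict

# Constructed `arp -a` captures (Windows layout) from two hypothetical hosts.
SAMPLES = {
    "billing-01": """
Interface: 10.20.30.11 --- 0x2
  Internet Address      Physical Address      Type
  10.20.30.1            00-1b-54-aa-bb-01     dynamic
""",
    "billing-02": """
Interface: 10.20.30.12 --- 0x2
  Internet Address      Physical Address      Type
  10.20.30.1            00-0c-29-de-ad-22     dynamic
  10.20.30.14           00-0c-29-de-ad-22     dynamic
""",
}

# One table row: IPv4 address, dash-separated MAC, entry type.
ROW = re.compile(
    r"^[ \t]*(\d{1,3}(?:\.\d{1,3}){3})[ \t]+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})[ \t]+(\w+)",
    re.I | re.M,
)
BROADCAST = "ff-ff-ff-ff-ff-ff"  # legitimately shared by broadcast addresses


def parse_arp(text):
    """Return (ip, mac, type) tuples; header and 'Interface:' lines do not match."""
    return [(ip, mac.lower(), kind.lower()) for ip, mac, kind in ROW.findall(text)]


def audit(captures, gateway_ip, gateway_mac):
    """Flag per-host ARP entries that disagree with the known-good gateway MAC."""
    findings = []
    gateway_mac = gateway_mac.lower()
    for host, text in sorted(captures.items()):
        by_mac = defaultdict(set)
        for ip, mac, _ in parse_arp(text):
            by_mac[mac].add(ip)
            if ip == gateway_ip and mac != gateway_mac:
                findings.append((host, "gateway-mismatch", ip, mac))
        for mac, ips in sorted(by_mac.items()):
            if len(ips) > 1 and mac != BROADCAST:
                findings.append((host, "shared-mac", ",".join(sorted(ips)), mac))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLES, "10.20.30.1", "00-1B-54-AA-BB-01"):
        print(*finding)
```

A `shared-mac` finding names the second IP using the same MAC, which is the machine to pull off the VLAN and examine first.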

  7. #17
    Senior Member Spyrus's Avatar
    Join Date
    Oct 2002
    Posts
    741
    This is a long shot, but there isn't some form of replication happening between all these affected machines, is there? I have seen this happen when DFS or something similar was activated and someone accidentally dropped a 1 GB file into the shared folder...

    Have you had a chance to pull anything new from any of your logs since your original posts?
    Duct tape.....A whole lot of Duct Tape
    Spyware/Adaware problem click
    here

  8. #18
    No no.. no replication at all.. None of the machines communicate with each other for anything..

    I've not found anything new post beginning of this activity.. If you want me to run a sniffer again or collect some data please let me know

    Thank you.
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  9. #19
    AO Guinness Monster MURACU's Avatar
    Join Date
    Jan 2004
    Location
    paris
    Posts
    1,003
    Hello Bytewrangler,
    Haven't been around in a while, but another thing you can check, if you haven't already, is to do a traceroute towards your web server with both a machine that works and a machine which doesn't. This will allow you to check if they follow the same path. Another thing, I didn't see it mentioned, but you don't have a WINS server on your network, do you? I have seen some strange problems coming from WINS but it would be unlikely to affect your network switches.
    I would also check the web servers to see if there is a firewall or filtering on that side if you can.
    "America is the only country that went from barbarism to decadence without civilization in between."
    "The reason we are so pleased to find other people's secrets is that it distracts public attention from our own."
    Oscar Wilde(1854-1900)

  10. #20
    Senior Member Spyrus's Avatar
    Join Date
    Oct 2002
    Posts
    741
    What has me confused is you stated that when you change the IP addresses of the machines (still within the same VLAN) but outside the DHCP reservation the issues go away?

    Do the issues stay away or do they replicate again after X amount of time?

    If they don't, is there any chance you somehow have any ACLs that got set up on your switches or elsewhere that could be affecting them?
    Duct tape.....A whole lot of Duct Tape
    Spyware/Adaware problem click
    here
