Getting firewall hits from an APIPA IP address on my LAN - how to locate the culprit?
-
Hello,
I've been seeing a lot of messages like these lately:
It looks like a machine somewhere on my LAN didn't get assigned an IP address by DHCP and is constantly hitting my router's DNS.
My question is: how can I get that machine's MAC ID? It would help narrow which type of device needs attention. I.e. knowing if it's a Raspberry Pi or a cable box or a Dell laptop would help me zero in on the device.
Thanks!
-
@Wasabi6962
Sniff the traffic on the LAN with full level output, filtering for the IP in question.
-
@Wasabi6962 Yeah, sniffing will show you its MAC.
Seems like really bad software to me... Let's say OK, you hard-coded the IP of your DNS. That is great, but why would the client even think it could talk to this DNS server from an APIPA address? And even if it did, what good would it do?
-
Get the mac address.
Search the switch forwarding table to figure out the port the MAC lives on. Profit.
-
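The two-step procedure the replies above describe (sniff with link-layer output to get the MAC, then chase the MAC to a switch port), as an added example that is not from anyone in this thread. The tcpdump lines it parses are constructed, the MAC addresses in them are made up, and the vendor table is a hand-written stub; the live commands are shown in comments.

```shell
# Added example, not part of the thread. Pulls the source MAC of the APIPA
# talker out of tcpdump output and turns it into a vendor hint.
# Live capture on a host attached to the same LAN segment as the router:
#   sudo tcpdump -e -n -i eth0 'src net 169.254.0.0/16 and udp port 53'
# -e prints the Ethernet header, so each line begins with "srcmac > dstmac".

# Constructed sample of `tcpdump -e -n` output (not a real capture; MACs are made up).
SAMPLE='21:10:02.592148 b8:27:eb:12:34:56 > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 82: 169.254.71.22.61774 > 192.168.0.1.53: 7277+ A? master3.teamviewer.com. (40)
21:10:02.600311 02:42:ac:11:00:02 > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 74: 192.168.0.20.51000 > 192.168.0.1.53: 1+ A? example.com. (32)
21:10:03.596669 b8:27:eb:12:34:56 > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 82: 169.254.71.22.61774 > 192.168.0.1.53: 7277+ A? master3.teamviewer.com. (40)'

# mac_for_ip IP: read tcpdump -e lines on stdin, print each distinct source
# MAC that sent from IP. The " IP." match keeps the trailing dot (the port
# follows it) so 169.254.71.22 does not also match 169.254.71.220.
mac_for_ip() {
    awk -v ip="$1" 'index($0, " " ip ".") > 0 { print $2 }' | sort -u
}

# oui_of MAC: the first three octets, upper-cased, as the IEEE registry lists them.
oui_of() {
    printf '%s\n' "$1" | cut -d: -f1-3 | tr 'a-f' 'A-F'
}

# vendor_hint OUI: hand-written stub with one entry. For real lookups fetch
# the IEEE registry and grep it (it uses dashes, e.g. B8-27-EB):
#   curl -sO https://standards-oui.ieee.org/oui/oui.txt
#   grep -i "$(oui_of "$mac" | tr : -)" oui.txt
vendor_hint() {
    case "$1" in
        B8:27:EB) echo "Raspberry Pi Foundation" ;;
        *)        echo "unknown (look up in oui.txt)" ;;
    esac
}

# Run it over the sample.
for mac in $(printf '%s\n' "$SAMPLE" | mac_for_ip 169.254.71.22); do
    echo "$mac  OUI=$(oui_of "$mac")  vendor: $(vendor_hint "$(oui_of "$mac")")"
    # Next, find the port the MAC lives on. Linux bridge (e.g. an OpenWrt router):
    #   bridge fdb show | grep -i "$mac"
    # Cisco IOS (MAC written as xxxx.xxxx.xxxx):
    #   show mac address-table address <mac>
done
```

Filtering on `src net 169.254.0.0/16` rather than the single address catches the case where the stray host re-randomises its link-local address after a reboot; the MAC stays the same, so the OUI hint still applies.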
Thanks for the tips... it looks like it was a combination of things on an old Windows 10 Dell laptop that I had left running unattended for a couple weeks. Somehow something had crashed so hard I had to force a power cycle. I think the crash was triggered by a Windows update - when I restarted it went through the usual "please wait while we finish updating your machine because we don't know how to actually install software properly" reboot cycle.
The clue was that something was trying to contact Teamviewer and I remembered I had that installed on that machine from an old job. More recently I installed Tailscale as an overlay network, and apparently it defaults to an APIPA address when it's not connected.
21:10:02.592148 IP 169.254.71.22.61774 > 192.168.0.1.53: 7277+ A? master3.teamviewer.com. (40)
21:10:03.596669 IP 169.254.71.22.61774 > 192.168.0.1.53: 7277+ A? master3.teamviewer.com. (40)
21:10:05.610651 IP 169.254.71.22.61774 > 192.168.0.1.53: 7277+ A? master3.teamviewer.com. (40)
Thanks again!