Occasionally someone asks me if I have advice about how to deal with people stealing IP addresses. If someone steals the IP address of another machine, that machine becomes disabled.

Phase 1: Detection

The first problem is detecting such a problem. Most operating systems will print out some kind of warning. However, if they don't, or if those warnings go to a log that you aren't looking at, there is another way to detect this situation: machines will work for 300 seconds, then stop working for 300 seconds, and repeat. Why? Because ARP caches expire entries in 300 seconds. If someone has stolen the IP address of the router, you'll find that all machines work on and off for 300 seconds. You can amaze your users by asking if things work/don't work for 300 seconds (5 minutes) at a time. If they say "yes", immediately look for this problem. They'll think you are a wizard.
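
The following added example, which is not from the original post, flags any IP address that shows up with more than one MAC address across periodic ARP-table snapshots, which is what the on/off pattern described above looks like in the data. The three-column input format (seconds, IP, MAC) and the sample rows are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: (seconds, IP, MAC) rows as a poller might record from
# periodic ARP-table snapshots on one host. Not real data.
SAMPLE = """\
0    10.0.0.1   00:00:5e:00:53:01
0    10.0.0.20  00:00:5e:00:53:20
300  10.0.0.1   00:00:5e:00:53:99
300  10.0.0.20  00:00:5e:00:53:20
600  10.0.0.1   00:00:5e:00:53:01
900  10.0.0.1   00:00:5e:00:53:99
900  10.0.0.20  00:00:5e:00:53:20
"""

def parse(text):
    """Yield (timestamp, ip, mac) from whitespace-separated lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip blank or malformed rows
        yield int(fields[0]), fields[1], fields[2].lower()

def find_conflicts(observations):
    """Return a report for every IP that was seen with more than one MAC."""
    history = defaultdict(list)
    for ts, ip, mac in sorted(observations):
        history[ip].append((ts, mac))
    report = {}
    for ip, seen in history.items():
        macs = sorted({mac for _, mac in seen})
        if len(macs) < 2:
            continue  # one owner only: no conflict
        # Times at which the MAC answering for this IP changed.
        flips = [ts for (_, prev), (ts, cur) in zip(seen, seen[1:]) if prev != cur]
        report[ip] = {"macs": macs, "flips": len(flips), "flip_times": flips}
    return report

if __name__ == "__main__":
    for ip, info in find_conflicts(parse(SAMPLE)).items():
        print(f"{ip}: claimed by {', '.join(info['macs'])}; "
              f"changed owner at t={info['flip_times']}")
```

The MAC addresses in the report are the starting point for tracing which switch port each claimant is plugged into.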

Phase 2: Customer education

The second part is to convince your customers (the users of the network) to stop stealing IP addresses. Ralph Laura first wrote this email, which I have revised and sent out myself. We sent this email out when we had this problem once. It went a long way towards fixing the problem. We haven't had to repeat the letter in the same network (so far!). I really like how the letter is structured.

Feel free to re-use the letter.

--tal

P.S. Remember: you can't solve social problems using technology!


Subject: Network theft problem
To: (appropriate users)
From: (someone in management)

This is a quick note to enlist your support on a serious issue that
involves all of us.

We are seeing an increasing rate of theft on our network.  At least
once a week the computer support team is diverted for an hour or two to
track a case of network theft.

In all cases we have identified the person who perpetrated the theft,
and shockingly enough, in each case it has been one of our colleagues
within our division!  What is even more shocking is that once
confronted the researcher often shows no remorse and has little concern
for the impact their actions have had on other users.

What am I talking about?

It has become a common practice for people to steal an IP address
without registering it.  They install a PC, workstation or printer and
simply use an address they 'think' is not used.  Later on, when we are
allocating addresses for a new device we discover a conflicting IP
address already in use on the network.

This creates hours of wasted time each week for computing support and
impacts users due to systems being down.  We have had cases recently
where people have used addresses already in use by file servers,
printers, other users' PCs and the like.  When that happens the file
server, printer, etc. becomes unusable by everyone.  When this
happens to a router, the entire network is zapped!

This is the same effect as if someone walked up to another user's PC
when no one was around and pulled the network connection out of the back
of it.  The user is impacted.  The computing staff loses hours tracking
the culprit and REAL work is not done.

Please obtain an IP address from the computing team BEFORE installing
any new device on the network.  Use DHCP whenever possible.  If you
worry that the DHCP server isn't reliable, bring those concerns to us,
don't take matters into your own hands.  Your co-workers will thank
you.

Thanks,
(signed by manager)