Occasionally someone asks me if I have advice about how to deal with people stealing IP addresses. If someone steals the IP address of another machine, that machine becomes disabled.
Phase 1: Detection The first problem is detecting such a problem. Most operating systems will print out some kind of warning. However, if they don't, or if those warnings go to a log that you aren't looking at there is another way to detect this situation: Machines will work for 300 seconds, then stop working for 300 seconds, repeat. Why? Because ARP caches expire entries in 300 seconds. If someone has stolen the IP address of the router, you'll find that all machines work on and off for 300 seconds. You can amaze you users by asking if things work/don't work for 300 seconds (5 minutes) at a time. If they say "yes", immediately look for this problem. They'll think you are a wizard.
Phase 2: Customer education The second part is to convince your customers (the users of the network) to stop stealing IP addresses. Ralph Laura first wrote this email, which I have revised and sent out myself. We sent this email out when we had this problem once. It went a long way towards fixing the problem. We haven't had to repeat the letter in the same network (so far!). I really like how the letter is structured.
Feel free to re-use the letter.
P.S. Remember: you can't solve social problems using technology!
Subject: Network theft problem To: (appropriate users) From: (someone in management) This is a quick note to enlist your support on a serious issue that involves all of us. We are seeing an increasing rate of theft on our network. At least once a week the computer support team is diverted for an hour or two to track a case of network theft. In all cases we have identified the person who perpetrated the theft, and shockingly enough, in each case it has been one of our colleagues within our division! What is even more shocking is that once confronted the researcher often shows no remorse and has little concern for the impact their actions have had on other users. What am I talking about? It has become a common practice for people to steal an IP address without registering it. They install a PC, workstation or printer and simply use an address they 'think' is not used. Later on, when we are allocating addressed for a new device we discover a conflicting IP address already in use on the network. This creates hours of wasted time each week for computing support and impacts users due to systems being down. We have had cases recently where people have used addresses already in use by file servers, printers, other user's PCs and the like. When that happens the file server, printer, or etc. becomes unusable by everyone. When this happens to a router, the entire network is zapped! This is the same effect as if someone walked up to another users PC when noone was around and pulled the network connection out of the back of it. The user is impacted. The computing staff loses hours tracking the culprit and REAL work is not done. Please obtain an IP address from the computing team BEFORE installing any new device on the network. Use DHCP whenever possible. If you worry that the DHCP server isn't reliable, bring those concerns to us, don't take matters into your own hands. Your co-workers will thank you. Thanks, (signed by manager)