[unisog] Mac OS X 10.6 workstation stole the IP address of another device, Apple Time Capsules too

Irwin Tillman irwin at princeton.edu
Fri Sep 11 21:29:31 GMT 2009


During the past week at Princeton I've seen one Mac OS X 10.6 workstation
and three Apple Time Capsules steal IP addresses leased to other devices.
The victims have all been Macintosh workstations.

As I suspect this is a new problem associated in some way with the release of Mac OS X 10.6,
I thought I'd post the details for you.  If you monitor your network closely enough
to reconcile actual IP address usage (e.g., based on IP ARP cache data) against IP address assignments
(perhaps based on DHCP server logs), you may see this too.

I've reported the Mac OS X 10.6 workstation incident to Apple as a bug, because in that case
we were fortunate to have a system.log file from the "thief".
I've mentioned to them the Apple Time Capsule incidents too, although I have not been able
to file bug reports for them as I lack relevant log information from the Time Capsules at this time.

Irwin Tillman
OIT Network Systems / Princeton University

--

Technical Details:

(IP addresses, MAC addresses, and computer names have been anonymized.)

The "thief" is a Mac OS X 10.6 workstation.
The "thief" has Ethernet hardware address 00:11:11:11:11:11 and Wireless hardware address 00:22:22:22:22:22.
On September 10 it was connected via its wireless interface to our wireless network.
The wireless access point via which it connected operates as a bridge.
The thief's wireless interface used DHCP to obtain a lease on IP address 192.168.2.1.

The "victim" is a Mac workstation, operating system version unknown.
The "victim" has Ethernet hardware address 00:01:02:03:04:05 and Wireless hardware address 00:01:02:03:04:06.
On September 10 it was connected via its wireless interface to our wireless network.
The wireless access point via which it connected operates as a bridge.
It was not the same wireless access point used by the thief.
The thief's wireless interface used DHCP to obtain a lease on IP address 192.168.5.1.

Both the thief and victim's wireless interfaces were on the same IP network.

Although the thief used its assigned IP address 192.168.2.1,
during approximately 1820-1910 September 10, it *also* stole 
IP address 192.168.5.1.  (Times are approximate to within ten minutes.)

We were aware of the incident because every ten minutes we take a snapshot of the IP ARP cache from 
the IP router.  After the day is over, we compare that to that day's log from the DHCP servers.
This showed that the thief was using an IP address that had not been assigned to it by the DHCP servers.

Our logs show that the thief had not previously been assigned (e.g. via DHCP)
the IP address it stole.

I note that the thief's system.log file
makes a number of references to stolen IP address 192.168.5.1;
whatever the thief thought he was doing with that IP address, he certainly knew about it:

Sep 10 14:52:15 dynamic-oit-vapornet-e-1 mDNSResponder[29]: SendARP: No interface with InterfaceID 101024E00 found   15 1.5.168.192.in-addr.arpa. PTR mycomputer.local.
Sep 10 14:52:17 jdoes-MacBook-Pro mDNSResponder[29]: SendARP: No interface with InterfaceID 101024E00 found   15 1.5.168.192.in-addr.arpa. PTR mycomputer.local.
Sep 10 14:52:17 jdoes-MacBook-Pro mDNSResponder[29]: SendResponses: No active interface to send: 10    4 mycomputer.local. Addr 192.168.5.1
Sep 10 14:52:18 dynamic-oit-vapornet-e-1 mDNSResponder[29]: SendARP: No interface with InterfaceID 101024E00 found   15 1.5.168.192.in-addr.arpa. PTR mycomputer.local.
Sep 10 14:52:19 dynamic-oit-vapornet-e-1 mDNSResponder[29]: SendARP: No interface with InterfaceID 101024E00 found   15 1.5.168.192.in-addr.arpa. PTR mycomputer.local.
Sep 10 14:52:19 dynamic-oit-vapornet-e-1 mDNSResponder[29]: SendResponses: No active interface to send: 10    4 mycomputer.local. Addr 192.168.5.1
Sep 10 14:52:20 dynamic-oit-vapornet-e-1 mDNSResponder[29]: SendARP: No interface with InterfaceID 101024E00 found   15 1.5.168.192.in-addr.arpa. PTR mycomputer.local.
Sep 10 14:52:22 dynamic-oit-vapornet-e-1 mDNSResponder[29]: SendARP: No interface with InterfaceID 101024E00 found   15 1.5.168.192.in-addr.arpa. PTR mycomputer.local.
Sep 10 14:52:23 dynamic-oit-vapornet-e-1 mDNSResponder[29]: SendResponses: No active interface to send: 10    4 mycomputer.local. Addr 192.168.5.1
Sep 10 14:52:27 dynamic-oit-vapornet-e-1 mDNSResponder[29]: SendARP: No interface with InterfaceID 101024E00 found   15 1.5.168.192.in-addr.arpa. PTR mycomputer.local.
Sep 10 14:52:31 dynamic-oit-vapornet-e-1 mDNSResponder[29]: SendResponses: No active interface to send: 10    4 mycomputer.local. Addr 192.168.5.1
Sep 10 14:52:35 dynamic-oit-vapornet-e-1 mDNSResponder[29]: SendARP: No interface with InterfaceID 101024E00 found   15 1.5.168.192.in-addr.arpa. PTR mycomputer.local.
Sep 10 14:52:48 dynamic-oit-vapornet-e-1 mDNSResponder[29]: SendResponses: No active interface to send: 10    4 mycomputer.local. Addr 192.168.5.1
Sep 10 14:52:51 dynamic-oit-vapornet-e-1 mDNSResponder[29]: SendARP: No interface with InterfaceID 101024E00 found   15 1.5.168.192.in-addr.arpa. PTR mycomputer.local.
Sep 10 14:53:20 dynamic-oit-vapornet-e-1 mDNSResponder[29]: SendResponses: No active interface to send: 10    4 mycomputer.local. Addr 192.168.5.1
Sep 10 14:53:23 dynamic-oit-vapornet-e-1 mDNSResponder[29]: SendARP: No interface with InterfaceID 101024E00 found   15 1.5.168.192.in-addr.arpa. PTR mycomputer.local.
Sep 10 14:54:24 dynamic-oit-vapornet-e-1 mDNSResponder[29]: SendResponses: No active interface to send: 10    4 mycomputer.local. Addr 192.168.5.1
Sep 10 14:54:27 dynamic-oit-vapornet-e-1 mDNSResponder[29]: SendARP: No interface with InterfaceID 101024E00 found   15 1.5.168.192.in-addr.arpa. PTR mycomputer.local.
Sep 10 15:08:04 dynamic-oit-vapornet-e-1 mDNSResponder[29]: SendARP: No interface with InterfaceID 101024E00 found   15 1.5.168.192.in-addr.arpa. PTR mycomputer.local.
Sep 10 15:08:07 jdoes-MacBook-Pro mDNSResponder[29]: SendARP: No interface with InterfaceID 101024E00 found   15 1.5.168.192.in-addr.arpa. PTR mycomputer.local.
Sep 10 15:08:08 dynamic-oit-vapornet-e-1 mDNSResponder[29]: SendARP: No interface with InterfaceID 101024E00 found   15 1.5.168.192.in-addr.arpa. PTR mycomputer.local.
Sep 10 18:11:21 jdoes-MacBook-Pro mDNSResponder[29]: SendARP: No interface with InterfaceID 101024E00 found   15 1.5.168.192.in-addr.arpa. PTR mycomputer.local.
Sep 10 18:11:23 jdoes-MacBook-Pro mDNSResponder[29]: SendARP: No interface with InterfaceID 101024E00 found   15 1.5.168.192.in-addr.arpa. PTR mycomputer.local.
Sep 10 18:32:40 dynamic-oit-vapornet-e-1 mDNSResponder[29]: Waking host at en1 192.168.5.1 H-MAC 00:01:02:03:04:05 I-MAC 00:01:02:03:04:06 for   21 mycomputer._ssh._tcp.local. SRV 0 0 22 mycomputer.local.
Sep 10 19:49:57 dynamic-oit-vapornet-e-1 mDNSResponder[29]: SendARP: No interface with InterfaceID 101024E00 found   15 1.5.168.192.in-addr.arpa. PTR mycomputer.local.
Sep 10 19:49:58 dynamic-oit-vapornet-e-1 mDNSResponder[29]: SendARP: No interface with InterfaceID 101024E00 found   15 1.5.168.192.in-addr.arpa. PTR mycomputer.local.
Sep 10 19:49:59 dynamic-oit-vapornet-e-1 mDNSResponder[29]: SendARP: No interface with InterfaceID 101024E00 found   15 1.5.168.192.in-addr.arpa. PTR mycomputer.local.
Sep 10 19:50:01 jdoes-MacBook-Pro mDNSResponder[29]: SendARP: No interface with InterfaceID 101024E00 found   15 1.5.168.192.in-addr.arpa. PTR mycomputer.local.
Sep 10 19:50:01 jdoes-MacBook-Pro mDNSResponder[29]: SendResponses: No active interface to send: 10    4 mycomputer.local. Addr 192.168.5.1
Sep 10 19:50:02 dynamic-oit-vapornet-e-1 mDNSResponder[29]: SendARP: No interface with InterfaceID 101024E00 found   15 1.5.168.192.in-addr.arpa. PTR mycomputer.local.
Sep 10 19:50:05 dynamic-oit-vapornet-e-1 mDNSResponder[29]: SendResponses: No active interface to send: 10    4 mycomputer.local. Addr 192.168.5.1
Sep 10 19:50:08 dynamic-oit-vapornet-e-1 mDNSResponder[29]: SendARP: No interface with InterfaceID 101024E00 found   15 1.5.168.192.in-addr.arpa. PTR mycomputer.local.
Sep 10 19:50:13 dynamic-oit-vapornet-e-1 mDNSResponder[29]: SendResponses: No active interface to send: 10    4 mycomputer.local. Addr 192.168.5.1
Sep 10 19:50:16 dynamic-oit-vapornet-e-1 mDNSResponder[29]: SendARP: No interface with InterfaceID 101024E00 found   15 1.5.168.192.in-addr.arpa. PTR mycomputer.local.
Sep 10 19:50:30 dynamic-oit-vapornet-e-1 mDNSResponder[29]: SendResponses: No active interface to send: 10    4 mycomputer.local. Addr 192.168.5.1
Sep 10 19:50:33 dynamic-oit-vapornet-e-1 mDNSResponder[29]: SendARP: No interface with InterfaceID 101024E00 found   15 1.5.168.192.in-addr.arpa. PTR mycomputer.local.
Sep 10 19:51:02 dynamic-oit-vapornet-e-1 mDNSResponder[29]: SendResponses: No active interface to send: 10    4 mycomputer.local. Addr 192.168.5.1
Sep 10 19:51:05 dynamic-oit-vapornet-e-1 mDNSResponder[29]: SendARP: No interface with InterfaceID 101024E00 found   15 1.5.168.192.in-addr.arpa. PTR mycomputer.local.
Sep 10 19:51:46 dynamic-oit-vapornet-e-1 mDNSResponder[29]: SendResponses: No active interface to send: 10    4 mycomputer.local. Addr 192.168.5.1
Sep 10 19:52:09 dynamic-oit-vapornet-e-1 mDNSResponder[29]: SendARP: No interface with InterfaceID 101024E00 found   15 1.5.168.192.in-addr.arpa. PTR mycomputer.local.



I note that among the messages above is even one (at Sep 10 18:32:40) that specifically cites the Ethernet and Wireless hardware
addresses of the victim:

Sep 10 18:32:40 dynamic-oit-vapornet-e-1 mDNSResponder[29]: Waking host at en1 192.168.5.1 H-MAC 00:01:02:03:04:05 I-MAC 00:01:02:03:04:06 for   21 mycomputer._ssh._tcp.local. SRV 0 0 22 mycomputer.local.

The "Waking host" text makes me wonder if the thief's Mac OS X 10.6 workstation was acting as a Bonjour Sleep Proxy Server.
Apple's currently published documentation indicates that Mac OS X 10.6 workstations are not among the
devices capable of acting as Bonjour Sleep Proxy Servers at this time, so if the Mac OS X 10.6 workstation was acting
as a Bonjour Sleep Proxy Server, it would be unexpected.  If this Mac OS X 10.6 workstation
was indeed acting as a Bonjour Sleep Proxy Server, then did it steal the victim's IP address due to 
a bug in the Bonjour Sleep Proxy Server implementation, or is this the intended behavior of a
Bonjour Sleep Proxy Server?  

(I note that during the past week I've also seen three Apple Time Capsules steal IP addresses in similar
ways to this.  In those cases, I have no logs or other information about the Time Capsules.  But I wonder
if the cause is the Bonjour Sleep Proxy Server running in the Time Capsule, now triggered by the presence
of Mac OS X 10.6 clients on the network.)
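
Added example, not part of the original post and not Princeton's tooling: a sketch of the reconciliation described above, which compares periodic router ARP cache snapshots against DHCP lease records and reports any IP address seen in use by a MAC that held no lease on it. The record layouts, lease times and snapshot data are constructed for illustration, using the post's anonymized addresses.

```python
from datetime import datetime, timedelta

THIEF, VICTIM = "00:22:22:22:22:22", "00:01:02:03:04:06"  # wireless MACs from the post

def ts(hhmm):
    return datetime.strptime("2009-09-10 " + hhmm, "%Y-%m-%d %H:%M")

# Constructed DHCP lease log: (ip, mac, lease start, lease end).
LEASES = [
    ("192.168.2.1", THIEF, ts("08:00"), ts("23:59")),
    ("192.168.5.1", VICTIM, ts("08:00"), ts("23:59")),
]

def build_sample_arp():
    """Constructed router ARP snapshots, one every ten minutes: (time, ip, mac)."""
    rows, t = [], ts("18:10")
    while t <= ts("19:20"):
        rows.append((t, "192.168.2.1", THIEF))
        stolen = ts("18:20") <= t <= ts("19:10")
        rows.append((t, "192.168.5.1", THIEF.upper() if stolen else VICTIM))
        t += timedelta(minutes=10)
    return rows

def leaseholders(ip, when, leases, slack):
    """MACs holding a lease on ip at 'when', widened by the snapshot interval."""
    return {mac.lower() for lip, mac, start, end in leases
            if lip == ip and start - slack <= when <= end + slack}

def reconcile(arp, leases, slack=timedelta(minutes=10)):
    """Return {(ip, mac): (first_seen, last_seen, leaseholders)} for every
    ARP entry whose MAC did not hold a DHCP lease on that IP at that time."""
    findings = {}
    for when, ip, mac in arp:
        mac = mac.lower()  # routers and DHCP servers often differ in MAC case
        owners = leaseholders(ip, when, leases, slack)
        if mac in owners:
            continue
        first, last, _ = findings.get((ip, mac), (when, when, None))
        findings[(ip, mac)] = (min(first, when), max(last, when), sorted(owners))
    return findings

if __name__ == "__main__":
    for (ip, mac), (first, last, owners) in reconcile(build_sample_arp(), LEASES).items():
        print(f"{ip} used by {mac} {first:%H:%M}-{last:%H:%M}; leased to {owners or 'nobody'}")
```

The slack window matches the ten-minute snapshot interval, so an entry still cached just after a lease ends is not reported as a mismatch.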


