Seeing ISP node hostnames on local LAN

VuduBalls · Jul 18, 2018

When I use Advanced IP Scanner from any workstation on the LAN, we're seeing some devices populated with hostnames in the format of 'X-X-X-X-static.midco.net', where the 'X-X-X-X' represents the IP address of the device. The devices that are populated are indeed all devices that are actually on the LAN, the IP that they're getting matches the MAC address that's listed in the IP scan, it's just the hostname that's completely inaccurate. Screenshot of scan results: https://ibb.co/mrwgod

Midco is their ISP and when I conduct a traceroute to their public IP I see that the last few hops are all represented by that same format of hostname, the 'X-X-X-X-static.midco.net', however the IP address represented by the 'X-X-X-X' in this case is much more similar to their public IP address scheme whereas the entries shown in the Advanced IP Scanner are all reflecting their LAN scheme.

My first thought was that somehow there had to be a link between their LAN and WAN that wasn't being blocked by the firewall, and somehow Midco's core/distribution devices were accepting DHCP from their LAN. However that doesn't add up when I consider that IP addresses listed with those wild hostnames are actually connected on their LAN and even the MAC addresses listed for them are accurate to those devices.

Weirdest thing I've ever seen. They're chomping at the bit for an answer, please help!

failboat · Jul 18, 2018

nest a router and see if they go away.

Did you port scan or are you looking at connections? It's normal to use your ISP for DNS. So there might be many connections open for that.
You can see their devices on your DHCP lease?

VuduBalls · Jul 18, 2018

failboat :

How do I nest a router? And what would that mean?

I conducted a port scan from one of the desktop workstations on their LAN. And no, I'm not seeing their devices in the router's DHCP lease table, all appears normal there, those hostnames are only reflected in the IP scanner results.

VuduBalls · Jul 18, 2018

I was hesitant to do it, but here's an uploaded image of the results of the scan:

https://ibb.co/mrwgod

The only thing I've editted out of the image are the MAC addresses (paranoia).

failboat · Jul 18, 2018

If they gave you a modem/router that you think they are compromising then nest them by going LAN->WAN and then move everything you have down to the LAN of the second router.

VuduBalls · Jul 18, 2018

failboat :

That's the way we have it now actually, such that our Cisco RV320 firewall is positioned between their modem and everything that's on the LAN. So I know this doesn't make much sense, the firewall should absolutely be preventing those hostnames from coming through if that's the case. They have their Internet coming into their modem from their ISP, and from there to a small unmanaged network switch, that then feeds their VOIP system and the Cisco RV320's WAN interface, and every one of their network devices are getting a connection from the RV320's LAN interfaces.

failboat · Jul 18, 2018

The names next to the ip are from dns host resolution. those are private ips so im not sure why anything shows there. the scanner might be hitting the isp dns to fill that field. i bet it's something you guys have but aren't sure what it is. try running a service scan and maybe that will help you find the hosts or start checking each hosts ip from the host.

the .1 or .254 is probably your gateway.

Run the scan with the modem not plugged into your router and all the outside dns host resolution names will drop off probably unless they got stored locally somewhere.

Search

Seeing ISP node hostnames on local LAN

VuduBalls

Reputable

failboat

failboat

Splendid

VuduBalls

Reputable

VuduBalls

Reputable

failboat

Splendid

VuduBalls

Reputable

failboat

Splendid

TRENDING THREADS

Latest posts

Moderators online

Share this page