PASSED | network / ipam_conflict_detection

IPAM Conflict Detection — Mass IP Duplication

A rogue DHCP server on the network begins handing out IP addresses that conflict with statically assigned servers and network equipment, causing widespread connectivity issues as ARP tables become poisoned.

Pattern: UNKNOWN
Severity: CRITICAL
Confidence: 95%
Remediation: Remote Hands

Test Results

Metric | Expected | Actual | Result
Pattern Recognition | UNKNOWN | UNKNOWN |
Severity Assessment | CRITICAL | CRITICAL |
Incident Correlation | Yes | 29 linked |
Cascade Escalation | Yes | Yes |
Remediation | Remote Hands — Corax contacts on-site support via call, email, or API

Scenario Conditions

Rogue DHCP server (consumer router plugged in by employee) on VLAN 10. Handing out IPs in 10.10.10.0/24 range. 15 static IP conflicts with servers and switches. DHCP snooping not enabled. ARP tables corrupted across VLAN.

Injected Error Messages (3)

IPAM mass IP conflict detected — Infoblox IPAM reporting 15 IP address conflicts on 10.10.10.0/24, rogue DHCP server detected at MAC 00:1A:2B:3C:4D:5E handing out addresses in static allocation range, IPAM conflict resolution: 15 devices with duplicate IPs, rogue DHCP lease pool overlapping with 10.10.10.10-10.10.10.200 (production static range), DHCP snooping not enabled on VLAN 10
ARP table corruption on VLAN 10 gateway — core router showing oscillating ARP entries for 15 IPs, MAC address flapping between legitimate server NICs and rogue DHCP client devices, ARP cache instability causing intermittent routing failures, VLAN 10 gateway forwarding traffic to wrong MAC addresses for conflicting IPs, rogue DHCP server poisoning ARP resolution for critical servers
application server intermittently unreachable — IP 10.10.10.50 in conflict with rogue DHCP client, legitimate server ARP entry being overwritten by rogue client MAC every 30-60 seconds, 50% packet loss to application server as traffic alternates between correct and incorrect MAC, application connections resetting randomly, rogue DHCP assigned 10.10.10.50 to employee laptop conflicting with production app server

Neural Engine Root Cause Analysis

A rogue DHCP server with MAC address 00:1A:2B:3C:4D:5E has been deployed on VLAN 10 and is issuing IP addresses from the static allocation range (10.10.10.10-10.10.10.200), creating 15 IP conflicts on the 10.10.10.0/24 network. The absence of DHCP snooping on VLAN 10 allowed this unauthorized DHCP server to operate unchecked, causing mass IP conflicts that are impacting the Infoblox IPAM system's ability to manage IP address assignments. The 12 correlated incidents likely represent downstream services affected by these IP conflicts.

Remediation Plan

1. Immediately identify and physically disconnect or disable the rogue DHCP server at MAC 00:1A:2B:3C:4D:5E.
2. Enable DHCP snooping on VLAN 10 and configure trusted ports for legitimate DHCP servers.
3. Clear the rogue DHCP leases from affected clients by forcing DHCP release/renew cycles.
4. Resolve the 15 IP conflicts in Infoblox IPAM by reassigning conflicted addresses to their proper static allocations.
5. Verify IPAM system connectivity and functionality.
6. Monitor for additional rogue DHCP activity and implement port security measures.

Tested: 2026-03-30 | Monitors: 3 | Incidents: 3 | Test ID: cmnckbvgt08bpobqea6h5h667