RE: Rogue IP Address

From: Jimmy Sansi (jsansi_at_ritzfoodservice.com)
Date: 05/03/03

    Date: Fri, 2 May 2003 15:29:19 -0700
    To: "'Alaric Darconville'" <alaric@cowboy.net>, <security-basics@securityfocus.com>

    I am actually surprised that any switch worth its salt doesn't
    have a port to MAC address table at a minimum. From there it's
    a simple case of getting the host's MAC and looking it up in the
    table.

    But I have to agree considering the circumstances that most
    likely whomever has the linux box isn't going to say something
    if they are disconnected.

    -Jimmy

    -----Original Message-----
    From: Alaric Darconville [mailto:alaric@cowboy.net]
    Sent: Friday, May 02, 2003 3:21 PM
    To: security-basics@securityfocus.com
    Subject: Re: Rogue IP Address

    I have seen a few responses to this stating to block that IP address at
    the router, or to reassign that address to another machine, in the hopes
    that someone will holler about his network not working. But someone
    intentionally using an IP address different from what they were assigned
    is probably not going to turn himself in like that. It would be akin to
    driving a stolen police car to the city garage and having the engine
    looked at.

    It might be as simple as someone mis-entering the IP when
    setting up the system, but if it's a Linux machine then it's probably not
    doing the same things the user's ordinary workstation would be doing,
    therefore, he'd have to leave that machine running. On the other hand, he
    may have a dual-boot configuration on his machine, in which case, the IP
    he's usually assigned won't always show up on the network
    (disappearing when he reboots to go to his Linux setup). Perhaps the IP
    he's using is some sort of accidental transposition of characters (171
    instead of 117, for example.) But if no IPs dropped off the face of the
    earth when the new one started showing up, it's definitely "IP
    theft." He's not going to call tech support, he'll just switch to another
    stolen IP. For the most part, you're going to have to assume that he
    knows what he is doing is wrong. Forget trying to get him to call when
    that machine can't connect.

    Looking for extra machines in the area may help track it down. Pinging it
    to get the MAC address from the ARP cache will identify the machine a bit
    further. Trying to telnet to standard ports (25, 110, 23, etc) may reveal
    banners to help identify it. Maybe you'll be lucky and the sendmail
    banner displays "220 masterofpuppets ESMTP Sendmail 8.11.5" etc.... Look
    for the huge Metallica fan in the building :)

    Alaric Darconville

    Andy (dondon@pacbell.net) wrote:
    >Someone on our network assigned an IP address to their own system without
    >my knowledge. Using LANguard network scanner, the best I can tell is
    >that it's a Linux box. The port-to-IP mapping table on our Asante switch
    >doesn't seem to work correctly.
    >
    >Any suggestions on tracing down that system that is associated with the
    >IP is appreciated!

    Andy

    ---------------------------------------------------------------------------
    FastTrain has your solution for a great CISSP Boot Camp. The industry's most
    recognized corporate security certification track, provides a comprehensive
    prospectus based upon the core principle concepts of security. This ALL
    INCLUSIVE curriculum utilizes lectures, case studies and true hands-on
    utilization
    of pertinent security tools. For a limited time you can enter for a chance
    to win one of the latest technological innovations, the SEGWAY HT.
    Log onto http://www.securityfocus.com/FastTrain-security-basics
    ----------------------------------------------------------------------------

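The two-step lookup the thread describes (ping to get the MAC from the ARP cache, then find that MAC in the switch's port table), as an added example that is not part of the original messages. Both sample tables are constructed; the switch table is assumed to have been saved from the switch CLI and normalised to one "MAC PORT" pair per line.

```shell
#!/bin/sh
# Added example (not from the thread). Correlates an IP with its MAC from the
# admin host's ARP/neighbor cache, then with a switch port from a MAC table
# saved from the switch. The two sample tables below are constructed.

# Constructed sample of `ip -4 neigh show` output on the admin workstation.
SAMPLE_NEIGH='10.0.0.117 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
10.0.0.171 dev eth0 lladdr 00:0c:29:ab:cd:ef STALE
10.0.0.5 dev eth0  FAILED'

# Constructed sample of a switch MAC (forwarding) table, one "MAC PORT" per line.
# Real switches print this in vendor-specific layouts; normalise to this form first.
SAMPLE_FDB='00:11:22:33:44:55 Gi0/3
00:0c:29:ab:cd:ef Gi0/12
00:50:56:01:02:03 Gi0/7'

# mac_for_ip IP NEIGH_TEXT: print the MAC (lowercase) for IP; exit 1 if no usable entry.
# A FAILED/INCOMPLETE entry has no lladdr field, so it is skipped.
mac_for_ip() {
    printf '%s\n' "$2" | awk -v ip="$1" \
        '$1 == ip && $4 == "lladdr" { print tolower($5); found = 1 } END { exit !found }'
}

# port_for_mac MAC FDB_TEXT: print the switch port the MAC was learned on; exit 1 if absent.
port_for_mac() {
    printf '%s\n' "$2" | awk -v mac="$(printf '%s' "$1" | tr 'A-F' 'a-f')" \
        'tolower($1) == mac { print $2; found = 1 } END { exit !found }'
}

# correlate IP NEIGH_TEXT FDB_TEXT: print "IP MAC PORT", or a diagnostic with a
# non-zero status saying which of the two lookups failed.
correlate() {
    mac=$(mac_for_ip "$1" "$2") \
        || { echo "no neighbor entry for $1: host is down or not on this segment"; return 1; }
    port=$(port_for_mac "$mac" "$3") \
        || { echo "$1 is $mac, but this switch has not learned it: check uplinks to other switches"; return 2; }
    # The first three octets of the MAC are the NIC vendor's OUI; a hypervisor
    # OUI would point at a VM on someone's workstation rather than a separate box.
    echo "$1 $mac $port"
}

# Live use on a Linux admin host: one ping refreshes the neighbor cache, then
# correlate against a MAC table previously saved from the switch into file $2.
locate_rogue() {
    ping -c 1 -W 1 "$1" >/dev/null 2>&1 || true
    correlate "$1" "$(ip -4 neigh show)" "$(cat "$2")"
}
```

The ping only has to reach the host once; a ping that is blocked by a host firewall still usually leaves an ARP entry, so check the cache even when the ping reports no reply.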

