Re: Identifying a computer

From: Ranjeet Shetye (ranjeet.shetye2_at_zultys.com)
Date: 12/03/03

  • Next message: David Gillett: "RE: Identifying a computer"
    To: Cheetah <cheetahx@online.no>
    Date: Wed, 03 Dec 2003 14:26:16 -0800
    
    

    On Wed, 2003-12-03 at 07:38, Cheetah wrote:
    > Hello.
    >
    > I am helping the sysadmin on my local LAN to manage the network, etc.
    > We have limited internet-bandwidth, and therefore it is necessary to make
    > sure no-one is taking too much of the bandwidth, as others will not be able
    > to use the internet connection.
    >
    > For the last 2 days, a new IP has appeared, and it is constantly using a lot
    > of bandwidth. We have a linux-server running DHCP, DNS and the
    > internet-connection. I have checked the dhcpd.leases file, but the IP isn't
    > there. I have also tried to ping and scan this IP, but the computer is
    > running a strong firewall, shows no open ports and doesn't even respond to
    > pings.
    >
    > Is there any way I can get some information out of this computer without
    > running around and asking everyone what their IP is?
    >
    > Tore

    Stop thinking at the IP level and start thinking at the MAC level. Cos
    the MAC address is the only thing that is attached to the machine. IPs
    can come and go, but MACs are forever.

    So, do an "arp -n -a" and locate the mac address for the IP you want to
    block.

    then run

    iptables -I INPUT -p all -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP

    This will block the mac address so that even if they try another IP, it
    won't work. They'll have to change their physical NIC (or if they are
    savvy, they might change their mac address temporarily,
    http://www.alobbs.com/macchanger - BEWARE: "macchanger eth0" will
    increment eth0 mac address). But you are assured that they have to do
    at least as much work as you have to - and this should make them go away.

    If you want to block only TCP traffic and let their pings work:

    iptables -I INPUT -p tcp -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP

    This will make them scratch their head and wonder what is going on!! :D
    But this does mean that they might still flood ping your server itself.
    Best is to play it safe and use -p all.

    This will only stop the comp from using your gateway to reach the
    Internet.

    Next step is to stop it from using your internal network.
    You need to figure that out on your own.

    Final step is to track down the IP and nail the server.

    Crackers think they can get away with stuff like this because of the
    deluge of packets and bits and bytes. The way to tackle this issue is to
    break the problem down into manageable pieces, literally. Use a
    (managed) switch to break up your network into smaller segments:

    * If you already have managed switches deployed in your network, you
    should look through their mac tables to see which direction the source mac
    address is coming from.

    * If you don't have managed switches, now's the time to go get one. Use
    it to keep on homing in on the source cable. Eventually you WILL get the
    source cable - I can assure you of that.

    When you find the machine and the person involved, I would confiscate
    the machine and fire the person involved. Unless, of course, you end up
    at a wireless access point, which would indicate voluntary or
    involuntary negligence on part of the person who installed it.
    Remove/secure the WAP in that case and have an interview with the person
    who installed it.

    -- 
    Ranjeet Shetye
    Senior Software Engineer
    Zultys Technologies
    Ranjeet dot Shetye2 at Zultys dot com
    http://www.zultys.com/
     
    The views, opinions, and judgements expressed in this message are solely
    those of the author. The message contents have not been reviewed or
    approved by Zultys.
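    The arp lookup and iptables mac match from the reply, put together as a script. This is an added example, not code from the post: it reads a MAC out of `arp -n` output and prints DROP rules for both the INPUT chain (traffic to the gateway box itself) and the FORWARD chain (traffic the gateway routes onward), since a LAN client's Internet traffic passes through FORWARD, not INPUT. The ARP table sample and the IPs and MACs in it are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post. It looks up the MAC address
# behind a LAN IP in the neighbour (ARP) table and prints iptables rules that
# block that MAC on both INPUT (traffic to the gateway itself) and FORWARD
# (traffic the gateway routes onward). Rules are printed, not applied.

# Constructed sample of `arp -n` output so the script can be exercised offline.
SAMPLE_ARP='Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.10             ether   00:11:22:33:44:55   C                     eth0
192.168.1.77             ether   aa:bb:cc:dd:ee:ff   C                     eth0
192.168.1.99                     (incomplete)                              eth0'

# mac_for_ip IP [ARP_OUTPUT]: print the MAC for IP, or fail if there is no
# complete entry. Without ARP_OUTPUT the live table from `arp -n` is used.
mac_for_ip() {
    ip="$1"
    table="${2:-$(arp -n 2>/dev/null)}"
    # A complete entry has a 17-character hex:hex:... address in column 3;
    # "(incomplete)" rows and the header line never match.
    mac=$(printf '%s\n' "$table" | awk -v ip="$ip" '
        $1 == ip && length($3) == 17 && $3 ~ /^[0-9a-fA-F:]*$/ { print tolower($3); exit }')
    [ -n "$mac" ] || return 1
    printf '%s\n' "$mac"
}

# block_rules MAC: emit one DROP rule per chain. The mac match only sees the
# source MAC of frames arriving on an interface, so it applies to INPUT and
# FORWARD (and PREROUTING), not OUTPUT.
block_rules() {
    for chain in INPUT FORWARD; do
        printf 'iptables -I %s -m mac --mac-source %s -j DROP\n' "$chain" "$1"
    done
}

# block_ip_rules IP [ARP_OUTPUT]: resolve the IP now and emit rules for its MAC.
block_ip_rules() {
    mac=$(mac_for_ip "$1" "$2") || { echo "no complete ARP entry for $1" >&2; return 1; }
    block_rules "$mac"
}

block_ip_rules 192.168.1.77 "$SAMPLE_ARP"
```

Run it with a real address and no second argument to read the live table; a machine that is firewalled and ignores pings still answers ARP, so it will appear as long as it has talked to the gateway recently.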
