Security Basics mailing list archives

Re: Identifying a computer


From: Ranjeet Shetye <ranjeet.shetye2 () zultys com>
Date: Wed, 03 Dec 2003 14:26:16 -0800

On Wed, 2003-12-03 at 07:38, Cheetah wrote:
Hello.

I am helping the sysadmin on my local LAN to manage the network, etc. We have limited internet-bandwidth, and therefore it is necessary to make sure no-one is taking too much of the bandwidth, as others will not be able to use the internet connection.

For the last 2 days, a new IP has appeared, and it is constantly using a lot of bandwidth. We have a linux-server running DHCP, DNS and the internet-connection. I have checked the dhcpd.leases file, but the IP isn't there. I have also tried to ping and scan this IP, but the computer is running a strong firewall, shows no open ports and doesn't even respond to pings.

Is there any way I can get some information out of this computer without running around and asking everyone what their IP is?

Tore




Stop thinking at the IP level and start thinking at the MAC level. Cos
the MAC address is the only thing that is attached to the machine. IPs
can come and go, but MACs are forever.

So, do an "arp -n -a" and locate the mac address for the IP you want to
block.

then run

iptables -I INPUT -p all -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP

This will block the mac address so that even if they try another IP, it
won't work. They'll have to change their physical NIC (or if they are
savvy, they might change their mac address temporarily
http://www.alobbs.com/macchanger - BEWARE: "macchanger eth0" will
increment eth0 mac address). But you are assured that they have to do
at least as much work as you have to - and this should make them go away.


If you want to block only TCP traffic and let their pings work:

iptables -I INPUT -p tcp -m mac --mac-source aa:bb:cc:dd:ee:ff -j DROP

This will make them scratch their head and wonder what is going on!! :D
But this does mean that they might still flood ping your server itself.
Best is to play it safe and use -p all.

This will only stop the comp from using your gateway to reach the
Internet.

Next step is to stop it from using your internal network.
You need to figure that out on your own.

Final step is to track down the IP and nail the server.

Crackers think they can get away with stuff like this because of the
deluge of packets and bits and bytes. The way to tackle this issue is to
break the problem down into manageable pieces, literally. Use a
(managed) switch to break up your network into smaller segments:

* If you already have managed switches deployed in your network, you
should look through their mac tables to see which direction the source mac
address is coming from.

* If you don't have managed switches, now's the time to go get one. Use
it to keep on homing in on the source cable. Eventually you WILL get the
source cable - I can assure you of that.

When you find the machine and the person involved, I would confiscate
the machine and fire the person involved. Unless, of course, you end up
at a wireless access point, which would indicate voluntary or
involuntary negligence on part of the person who installed it.
Remove/secure the WAP in that case and have an interview with the person
who installed it.

-- 

Ranjeet Shetye
Senior Software Engineer
Zultys Technologies
Ranjeet dot Shetye2 at Zultys dot com
http://www.zultys.com/
 
The views, opinions, and judgements expressed in this message are solely
those of the author. The message contents have not been reviewed or
approved by Zultys.
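The lookup-then-block procedure from the reply above, as an added example that is not the poster's code: it resolves the IP in a constructed `arp -n` table, warns when one MAC answers for several IPs (a router or NAT box, where a MAC block cuts off everything behind it), and prints the iptables rules. It assumes a Linux gateway with the iptables mac match module.

```shell
#!/bin/sh
# Added example, not code from the original post: resolve an IP to the MAC
# that "arp -n" reports for it and build the iptables MAC-block rules the
# reply describes. ARP_TABLE is constructed sample "arp -n" output so the
# script runs offline; every address in it is made up.
ARP_TABLE='Address          HWtype  HWaddress           Flags Mask  Iface
192.168.1.10     ether   00:11:22:33:44:55   C           eth0
192.168.1.20     ether   00:aa:bb:cc:dd:01   C           eth0
192.168.1.21     ether   00:aa:bb:cc:dd:01   C           eth0
192.168.1.77     ether   aa:bb:cc:dd:ee:ff   C           eth0
192.168.1.99             (incomplete)                    eth0'

# mac_for_ip IP: print the MAC for IP, or nothing if the entry is missing
# or "(incomplete)" (the host never answered ARP on this segment).
mac_for_ip() {
    printf '%s\n' "$ARP_TABLE" | awk -v ip="$1" \
        '$1 == ip && length($3) == 17 && $3 ~ /^[0-9a-fA-F:]+$/ { print tolower($3) }'
}

# ips_for_mac MAC: list every IP the table attributes to MAC. Several IPs
# behind one MAC usually means a router or NAT box, and a MAC block then
# cuts off everything behind it, not one user.
ips_for_mac() {
    printf '%s\n' "$ARP_TABLE" | awk -v mac="$1" \
        'tolower($3) == tolower(mac) { print $1 }'
}

# block_rules MAC: print the rules. The reply uses INPUT (traffic to the
# gateway itself); a FORWARD rule is added because traffic routed through
# the gateway traverses FORWARD (-m mac is valid in INPUT/FORWARD/PREROUTING).
block_rules() {
    printf 'iptables -I INPUT -p all -m mac --mac-source %s -j DROP\n' "$1"
    printf 'iptables -I FORWARD -p all -m mac --mac-source %s -j DROP\n' "$1"
}

# block_ip IP: resolve IP and print its rules; returns 1 if no MAC is known.
block_ip() {
    mac=$(mac_for_ip "$1")
    if [ -z "$mac" ]; then
        echo "$1: no complete ARP entry; not on this segment or never answered ARP" >&2
        return 1
    fi
    n=$(ips_for_mac "$mac" | awk 'END { print NR }')
    if [ "$n" -gt 1 ]; then
        echo "warning: $mac is seen for $n IPs; the rule blocks all of them" >&2
    fi
    block_rules "$mac"
}
block_ip 192.168.1.77
```

On a live gateway, replace the embedded table with the real `arp -n` output and pipe the printed rules to sh once you have checked them.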
