Security Basics mailing list archives
Re: Identifying a computer
From: Peter Wohlers <pedro () whack org>
Date: Fri, 19 Dec 2003 08:58:35 -0800
Get the mac address from the arp table on the router.Go to the switch and then check the cam table for the switchport that is hearing that mac-address, and you will your machine (by either tracing the cable or your fastidious wiring documentation).
Alternately, you could just do traffic-shaping on the router to limit certain ip addresses, lans, or protocols to a certain bandwidth. You can make this guy think a v.90 modem is smokin' fast.
--Peter David Glosser wrote:
Since we've been hit with the latest worms too many times from users bringing in their laptop or consultants, we are giving everybody a reserved DHCP address based on their MAC address. Then we will either limit the non-reserved address pool down to a minimum and monitor it, or eliminate it alltogether. We may also run arpd and or null route the rest of the ip addresses which aren't in use on our local segment. (Of course, a smart enough user can always give themselves a static ip address from someone who isn't in the office that day...) Can you run iptraf or ntop or ngrep, determine their traffic patterns, and block outbound ports and *destination* ip address in addition to source based on Mac? Does HR have a policy against users utilizing bandwidth for non-work purposes? (You may also wish to let HR know what is going on, and perhaps they can broadcast an email reminding everybody of their acceptable-use policy. That may be enugh to scare the user off....... Good luck, and please let us know how you resolved your problem...----- Original Message ----- From: "Cheetah" <cheetahx () online no>To: <security-basics () securityfocus com> Sent: Wednesday, December 03, 2003 3:38 PM Subject: Identifying a computerHello. I am helping the sysadmin on my local LAN to manage the network, etc. We have limited internet-bandwidth, and therefore it is necessary tomakesure no-one is taking to much of the bandwidth, as others will not be able to usetheinternet connection. For the last 2 days, a new IP has appeared, and it is constantly using alotof bandwidth. We have a linux-server running DHCP, DNS and the internet-connection. Ihavechecked the dhcpd.leases file, but the IP isn't there. I have also tried to ping and scan this IP, but the computer is running a strong firewall, shows no open ports and doesn't evenrespondto pings. Is there any way I can get some information out of this computer without running around and asking everyone what their IP is? Tore-------------------------------------------------------------------------- - -------------------------------------------------------------------------- -- ------------------------------------------------------------------------------------------------------------------------------------------------------- --------------------------------------------------------------------------- ----------------------------------------------------------------------------
--------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- Re: Identifying a computer, (continued)
- Re: Identifying a computer Ranjeet Shetye (Dec 03)
- Re: Identifying a computer ~Kevin DavisĀ³ (Dec 04)
- Re: Identifying a computer Ranjeet Shetye (Dec 05)
- RE: Identifying a computer David Gillett (Dec 03)
- Re: Identifying a computer Tim Willard (Dec 03)
- RE: Identifying a computer Jason Balicki (Dec 04)
- Re: Identifying a computer Meritt James (Dec 05)
- RE: Identifying a computer Duston Sickler (Dec 04)
- Re: Identifying a computer Andy Cuff [Talisker] (Dec 04)
- Re: Identifying a computer David Glosser (Dec 19)
- Re: Identifying a computer Peter Wohlers (Dec 19)
- Re: Epithet Jimi Thompson (Dec 08)
- Re: Epithet Meritt James (Dec 08)
- Re: Epithet Jimi Thompson (Dec 11)