Re: Identifying a computer

[Peter Wohlers <pedro () whack org>]

Get the mac address from the arp table on the router.

Go to the switch and then check the cam table for the switchport that is 
hearing that mac-address, and you will your machine (by either tracing 
the cable or your fastidious wiring documentation).

Alternately, you could just do traffic-shaping on the router to limit 
certain ip addresses, lans, or protocols to a certain bandwidth. You can 
make this guy think a v.90 modem is smokin' fast.

--Peter


David Glosser wrote:
> Since we've been hit with the latest worms too many times from users
> bringing in their laptop or consultants,  we are giving everybody a reserved
> DHCP address based on their MAC address.  Then we will either limit the
> non-reserved address pool down to a minimum and monitor it, or eliminate it
> alltogether. We may also run arpd and or null route the rest of the ip
> addresses which aren't in use on our local segment.  (Of course, a smart
> enough user can always give themselves a static ip address from someone who
> isn't in the office that day...)
>
> Can you run iptraf or ntop or ngrep, determine their traffic patterns, and
> block outbound ports and *destination* ip address in addition to source
> based on Mac?
>
> Does HR have a policy against users utilizing bandwidth for non-work
> purposes?  (You may also wish to let HR know what is going on, and perhaps
> they can broadcast an email reminding everybody of their acceptable-use
> policy. That may be enugh to scare the user off.......
>
> Good luck, and please let us know how you resolved your problem...
>
>
>
> > ----- Original Message ----- 
> > From: "Cheetah" <cheetahx () online no>
> > To: <security-basics () securityfocus com>
> > Sent: Wednesday, December 03, 2003 3:38 PM
> > Subject: Identifying a computer
> >
> >
> >
> > > Hello.
> > >
> > > I am helping the sysadmin on my local LAN to manage the network, etc.
> > > We have limited internet-bandwidth, and therefore it is necessary to
>
> make
>
> > > sure no-one
> > > is taking to much of the bandwidth, as others will not be able to use
>
> the
>
> > > internet connection.
> > >
> > > For the last 2 days, a new IP has appeared, and it is constantly using a
> >
> > lot
> >
> > > of bandwidth.
> > > We have a linux-server running DHCP, DNS and the internet-connection. I
> >
> > have
> >
> > > checked the
> > > dhcpd.leases file, but the IP isn't there. I have also tried to ping and
> > > scan this IP, but the computer
> > > is running a strong firewall, shows no open ports and doesn't even
>
> respond
>
> > > to pings.
> > >
> > > Is there any way I can get some information out of this computer without
> > > running around
> > > and asking everyone what their IP is?
> > >
> > > Tore
> >
> > --------------------------------------------------------------------------
> > -
> >
> > --------------------------------------------------------------------------
> > --
> >
> >
> > --------------------------------------------------------------------------
>
> -
>
> > --------------------------------------------------------------------------
>
> --
>
>
> ---------------------------------------------------------------------------
> ----------------------------------------------------------------------------

---------------------------------------------------------------------------
----------------------------------------------------------------------------