Home page logo

basics logo Security Basics mailing list archives

Re: Identifying a computer
From: "David Glosser" <david_glosser-at-yahoo.com () securityfocus com>
Date: Thu, 18 Dec 2003 21:25:18 -0500

Since we've been hit with the latest worms too many times from users
bringing in their laptop or consultants,  we are giving everybody a reserved
DHCP address based on their MAC address.  Then we will either limit the
non-reserved address pool down to a minimum and monitor it, or eliminate it
alltogether. We may also run arpd and or null route the rest of the ip
addresses which aren't in use on our local segment.  (Of course, a smart
enough user can always give themselves a static ip address from someone who
isn't in the office that day...)

Can you run iptraf or ntop or ngrep, determine their traffic patterns, and
block outbound ports and *destination* ip address in addition to source
based on Mac?

Does HR have a policy against users utilizing bandwidth for non-work
purposes?  (You may also wish to let HR know what is going on, and perhaps
they can broadcast an email reminding everybody of their acceptable-use
policy. That may be enugh to scare the user off.......

Good luck, and please let us know how you resolved your problem...

----- Original Message ----- 
From: "Cheetah" <cheetahx () online no>
To: <security-basics () securityfocus com>
Sent: Wednesday, December 03, 2003 3:38 PM
Subject: Identifying a computer


I am helping the sysadmin on my local LAN to manage the network, etc.
We have limited internet-bandwidth, and therefore it is necessary to
sure no-one
is taking to much of the bandwidth, as others will not be able to use
internet connection.

For the last 2 days, a new IP has appeared, and it is constantly using a
of bandwidth.
We have a linux-server running DHCP, DNS and the internet-connection. I
checked the
dhcpd.leases file, but the IP isn't there. I have also tried to ping and
scan this IP, but the computer
is running a strong firewall, shows no open ports and doesn't even
to pings.

Is there any way I can get some information out of this computer without
running around
and asking everyone what their IP is?






  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]