Home page logo
/

basics logo Security Basics mailing list archives

Re: Identifying a computer
From: Peter Wohlers <pedro () whack org>
Date: Fri, 19 Dec 2003 08:58:35 -0800


Get the mac address from the arp table on the router.

Go to the switch and then check the cam table for the switchport that is hearing that mac-address, and you will your machine (by either tracing the cable or your fastidious wiring documentation).

Alternately, you could just do traffic-shaping on the router to limit certain ip addresses, lans, or protocols to a certain bandwidth. You can make this guy think a v.90 modem is smokin' fast.

--Peter


David Glosser wrote:
Since we've been hit with the latest worms too many times from users
bringing in their laptop or consultants,  we are giving everybody a reserved
DHCP address based on their MAC address.  Then we will either limit the
non-reserved address pool down to a minimum and monitor it, or eliminate it
alltogether. We may also run arpd and or null route the rest of the ip
addresses which aren't in use on our local segment.  (Of course, a smart
enough user can always give themselves a static ip address from someone who
isn't in the office that day...)

Can you run iptraf or ntop or ngrep, determine their traffic patterns, and
block outbound ports and *destination* ip address in addition to source
based on Mac?

Does HR have a policy against users utilizing bandwidth for non-work
purposes?  (You may also wish to let HR know what is going on, and perhaps
they can broadcast an email reminding everybody of their acceptable-use
policy. That may be enugh to scare the user off.......

Good luck, and please let us know how you resolved your problem...



----- Original Message ----- From: "Cheetah" <cheetahx () online no>
To: <security-basics () securityfocus com>
Sent: Wednesday, December 03, 2003 3:38 PM
Subject: Identifying a computer



Hello.

I am helping the sysadmin on my local LAN to manage the network, etc.
We have limited internet-bandwidth, and therefore it is necessary to

make

sure no-one
is taking to much of the bandwidth, as others will not be able to use

the

internet connection.

For the last 2 days, a new IP has appeared, and it is constantly using a

lot

of bandwidth.
We have a linux-server running DHCP, DNS and the internet-connection. I

have

checked the
dhcpd.leases file, but the IP isn't there. I have also tried to ping and
scan this IP, but the computer
is running a strong firewall, shows no open ports and doesn't even

respond

to pings.

Is there any way I can get some information out of this computer without
running around
and asking everyone what their IP is?

Tore




--------------------------------------------------------------------------
-

--------------------------------------------------------------------------
--


--------------------------------------------------------------------------

-

--------------------------------------------------------------------------

--


---------------------------------------------------------------------------
----------------------------------------------------------------------------


---------------------------------------------------------------------------
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault