Home page logo
/

basics logo Security Basics mailing list archives

RE: rogue IP address
From: "David Gillett" <gillettdavid () fhda edu>
Date: Thu, 1 May 2003 11:57:11 -0700

  Port-to-IP is nice to have on switches, but not all switches
do it or do it well.
  What they *must* do well, in order to function as switches,
is port-to-MAC address.  So if you ping the target and then
check your local ARP cache ("arp -a" on Windows), you should 
find a MAC address that you can then track in the switch.

Notes:
1.  If they're behind a router or other such device, that's 
where the MAC will lead you -- you may have to repeat the 
search on the other side of the device.

2.  Yeah, the MAC address can be spoofed.  This would generally
cause traffic to go to them that *shouldn't*, rather than throw
your tracking off the scent -- it doesn't matter if you find them
via their "real" MAC address, or one they're impersonating.
Although the latter *would* tend to indicate malicious intent.

3.  There are some weirdnesses with AOL clients that could cause
strange addresses to show up apparently coming from mobile 
machines (i.e., laptops).  Pretty unlikely if Linux is running
on the box, though.

David Gillett


-----Original Message-----
From: dondon () pacbell net [mailto:dondon () pacbell net]
Sent: April 30, 2003 15:40
To: security-basics () securityfocus com
Subject: rogue IP address




Someone on our network assigned an IP address to their own 
system without  my knowledge.  Using LANguard network 
scanner, the best I can tell is that  it's a Linux box.  The 
port-to-IP mapping table on our Asante switch  doesn't see to 
work correctly.  Any suggestions on tracing down that system 
that is associated with the IP  is appreciated!  Andy

--------------------------------------------------------------
-------------
FastTrain has your solution for a great CISSP Boot Camp. The 
industry's most 
recognized corporate security certification track, provides a 
comprehensive 
prospectus based upon the core principle concepts of 
security. This ALL INCLUSIVE curriculum utilizes lectures, 
case studies and true hands-on utilization 
of pertinent security tools. For a limited time you can enter 
for a chance 
to win one of the latest technological innovations, the SEGWAY HT. 
Log onto http://www.securityfocus.com/FastTrain-security-basics 
--------------------------------------------------------------
--------------


---------------------------------------------------------------------------
FastTrain has your solution for a great CISSP Boot Camp. The industry's most 
recognized corporate security certification track, provides a comprehensive 
prospectus based upon the core principle concepts of security. This ALL INCLUSIVE curriculum utilizes lectures, case 
studies and true hands-on utilization 
of pertinent security tools. For a limited time you can enter for a chance 
to win one of the latest technological innovations, the SEGWAY HT. 
Log onto http://www.securityfocus.com/FastTrain-security-basics 
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault