Security Basics mailing list archives

RE: rogue IP address


From: "David Gillett" <gillettdavid () fhda edu>
Date: Thu, 1 May 2003 11:57:11 -0700

  Port-to-IP is nice to have on switches, but not all switches
do it or do it well.
  What they *must* do well, in order to function as switches,
is port-to-MAC address.  So if you ping the target and then
check your local ARP cache ("arp -a" on Windows), you should 
find a MAC address that you can then track in the switch.

Notes:
1.  If they're behind a router or other such device, that's 
where the MAC will lead you -- you may have to repeat the 
search on the other side of the device.

2.  Yeah, the MAC address can be spoofed.  This would generally
cause traffic to go to them that *shouldn't*, rather than throw
your tracking off the scent -- it doesn't matter if you find them
via their "real" MAC address, or one they're impersonating.
Although the latter *would* tend to indicate malicious intent.

3.  There are some weirdnesses with AOL clients that could cause
strange addresses to show up apparently coming from mobile 
machines (i.e., laptops).  Pretty unlikely if Linux is running
on the box, though.

David Gillett


-----Original Message-----
From: dondon () pacbell net [mailto:dondon () pacbell net]
Sent: April 30, 2003 15:40
To: security-basics () securityfocus com
Subject: rogue IP address




Someone on our network assigned an IP address to their own 
system without my knowledge.  Using LANguard network 
scanner, the best I can tell is that it's a Linux box.  The 
port-to-IP mapping table on our Asante switch doesn't seem to 
work correctly.  Any suggestions on tracing down that system 
that is associated with the IP are appreciated!  Andy



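The lookup described in the reply above (ping the target, read the local ARP cache, take the MAC to the switch), as an added example that is not part of the original posts. It parses `arp -a` output in either the Windows or Unix layout and reports the MAC in two common notations; the sample output, its addresses and the function names are constructed for illustration, and the notations are not taken from the Asante switch in question.

```python
import re

# Constructed sample of Windows "arp -a" output (all addresses are made up).
SAMPLE_ARP = """\
Interface: 192.168.1.20 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-a0-c9-14-c8-29     dynamic
  192.168.1.57          00-50-ba-1e-4f-03     dynamic
  192.168.1.99          00-50-ba-1e-4f-03     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

# An IPv4 address followed by a MAC written with '-' (Windows) or ':' (Unix arp).
ENTRY = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})\D+?"
    r"((?:[0-9a-f]{1,2}[-:]){5}[0-9a-f]{1,2})\b", re.I)

def parse_arp(text):
    """Return {ip: mac}, with each MAC normalised to 12 lowercase hex digits."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.search(line)
        if m:
            # Some arp implementations drop leading zeros in an octet ("2:0:de").
            octets = re.split(r"[-:]", m.group(2).lower())
            table[m.group(1)] = "".join(o.zfill(2) for o in octets)
    return table

def trace(text, target_ip):
    """Look up target_ip and return what to search for in the switch's MAC table."""
    table = parse_arp(text)
    mac = table.get(target_ip)
    if mac is None:
        # No entry: the host has not answered ARP from this machine. Ping it first.
        return None
    return {
        "mac": mac,
        "colon": ":".join(mac[i:i + 2] for i in range(0, 12, 2)),
        "dotted": ".".join(mac[i:i + 4] for i in range(0, 12, 4)),
        # Other IPs answering with the same MAC: one device is fronting several
        # addresses, so the search may have to continue behind it (note 1).
        "shares_mac_with": sorted(ip for ip, m in table.items()
                                  if m == mac and ip != target_ip),
        # Locally-administered bit set: the MAC was assigned in software rather
        # than burned in. A hint only; the switch port is found the same way (note 2).
        "locally_administered": bool(int(mac[:2], 16) & 0x02),
    }
```

Calling `trace(SAMPLE_ARP, "192.168.1.99")` returns the MAC to look for on the switch, along with any other IP addresses in the cache that resolve to the same MAC.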

