Security Basics mailing list archives

Re: rogue IP address

From: "Erik !" <viking0069 () hotmail com>
Date: Tue, 06 May 2003 00:00:19 +0000

Yea, if you have the MAC address you're money.

IF you have this, then you can start tracking down what type of NIC yourrogue IP is bound to ... and by deduction MAYBE even the box's hardware.

We used this trick once for a dup IP issue we had on a tier-one ISP's classB network.


Here's how you do it:

1. Use this link to correlate the MAC address with a manufacturer:

http://www.coffer.com/mac_find/

The first three sets of numbers in the MAC address represent the vendorcode. At this site, do your search e.g. 00c095


MAC Address
  prefix         Vendor
  00C095       Zynx Network Appliance box

2. Now match the type of NICs you use to the type of boxes you put them in(this works best if your company hardware is running the rogue IP address).

Zynx is the brand of NICs we used in our Nokia firewalls. So in this case Iknew that issue was limited to a select number of firewall boxes and weeventually fixed the dup IP issue.

You don't always get a cut and dry answer, but it does provide an extra stepyou can use to troubleshoot.

The alternative may be to have your network guys trace the MAC address to a*working* switch port. We know how long of a turnaround time that can be ;)


Of course, you need the MAC address here 8)

Erik

|On Thursday 01 May 2003 00:40, dondon () pacbell net wrote:
|> Someone on our network assigned an IP address to their own system without

|> my knowledge. Using LANguard network scanner, the best I can tell isthat

|> it's a Linux box.  The port-to-IP mapping table on our Asante switch
|> doesn't see to work correctly.
|>

|> Any suggestions on tracing down that system that is associated with theIP

|> is appreciated!
|>
|> Andy


_________________________________________________________________

Protect your PC - get McAfee.com VirusScan Onlinehttp://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963



---------------------------------------------------------------------------

FastTrain has your solution for a great CISSP Boot Camp. The industry's mostrecognized corporate security certification track, provides a comprehensiveprospectus based upon the core principle concepts of security. This ALL INCLUSIVE curriculum utilizes lectures, case studies and true hands-on utilizationof pertinent security tools. For a limited time you can enter for a chanceto win one of the latest technological innovations, the SEGWAY HT.Log onto http://www.securityfocus.com/FastTrain-security-basics----------------------------------------------------------------------------

Current thread:

RE: rogue IP address, (continued)
- RE: rogue IP address Anthony (May 05)
- RE: rogue IP address Wilcox, Stephen (May 02)
- Re: rogue IP address Chris Berry (May 02)
  - RE: rogue IP address Jose Guevarra (May 02)
  - Re: rogue IP address Benjamin A. Okopnik (May 05)
- Re: Rogue IP Address Alaric Darconville (May 02)
  - RE: Rogue IP Address Jimmy Sansi (May 05)
  - RE: Rogue IP Address Jose Guevarra (May 05)
- RE: rogue IP address Fields, James (May 05)
- RE: rogue IP address Chris Berry (May 05)
- Re: rogue IP address Erik ! (May 06)
  - RE: rogue IP address Burton M. Strauss III (May 07)
- RE: rogue IP address Trevor Cushen (May 07)