Snatching IP on LAN, how to DoS/block such machines?

[Niklas <maxxess () gmail com>]

Consider the following scenario:

Your are running a decent network (say a couple of c-net) with a non
anonymous DHCP. It is not possible to have smart switches to each
endpoint. In the last stage the clients are connected to dumb
switches.

Everything is fine until a user shutdown a (DHCP:ed) computer and use
its IP on the private portable that the user just connected to the
same outlet, or on an outlet on the same subnet (user hardcodes IP and
may be located.. anywhere where this subnet is available)

This is noticed pretty quickly since such a computer is bound to show
up in internal systems (inventory can't log on, software can't be
deployed, viruses are reported from this IP, snort finds interesting
traffic etc etc)

The network admin then blocks the users MAC at routerlevel. The user
can have an IP (hardcoded), but won't be able to do external traffic
at all beyond default gateway, this is pretty useless to the hijacking
user.

User then modifies his MAC to match a valid PC's MAC. User is
instantly DHCP:ed/allowed at router level. User still ends up in logs,
but since user has firewall enabled admin can do nothing on the net
against the local machine (at least not automatically) aside from
start blocking valid MACs.


How do you "shut down" such hijackers? Blocking MAC at router level is
not an option since the real machine might be turned on later
(unblocking, as well as blocking, involves net admin, thoose changes
doesn't happen in real time, probably week time :))

The intrusion itself is sooner or later detected by systems
automatically, in most cases almost instantly since we are talking
about P2P-users. There is a possibilty to script stuff on the subnet 
when this happens, but how to proceed?

I'm thinking something like TFN in the good old days (for a short
period of time, until hijacker gives up), or a smart ARP-poisoning. In
other words, how do I DoS "my own" clients? I don't mind bringing a
switch on it knees since this type of incident always occurs after
office hours. I have full control of all of the clients on the subnet
except the hijackers', but no access to the router.

Any suggestions are most welcome -- if your answer considers the above
"It is not possible to have smart switches to each endpoint" :)

/n
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/