Great Circle Associates Firewalls
(December 1996)
 


Subject: RE: IP conflict
From: "M. Christopher Davies" <mcd @ alliedtelecom . com>
Date: Thu, 26 Dec 1996 10:29:58 -0500 (EST)
To: Nick Keenan <nkeenan @ gsionline . com>
Cc: firewalls @ GreatCircle . COM
In-reply-to: <21020791959548 @ gsionline . com>

Some of the LAN Inventory programs allow you to obtain MAC addresses. 
Additionally, you can configure some switches and routers to accept only
certain IP addresses on certain segments, thus taking the scope of the
investigation down as each segment may have its own netmask and workgroup,
and therefore the spoofing computer would also need to exist on the same
segment as the machine it wants to spoof.  Couple that with MAC address
security, and limit only those MAC addresses on the segment, and without
administrative assistance, it would become much more difficult to spoof
for Denial of Service.  Unless a machine was on the same segment as the
machine it's attacking, most attempts would be thwarted. 

Administrative time would be added each time you moved a machine or 
replaced a NIC card, but how much time is spent/wasted tracking down such 
a user?  Also, if you don't have the infrastructure in place with the 
required hardware, the scope of your task would be a bit greater.

----------------------------------------------------------------------
Chris Davies	        Hi-Cap Internet/Intranet  Office: 202-541-9000
Allied Telecom Group	FAX: 202-541-9050    24x7 Direct: 202-541-9006
----------------------------------------------------------------------


On Tue, 24 Dec 1996, Nick Keenan wrote:

> >While we are on the subject of IP conflicts, is there a way for a sysadmin 
> >to track down a rogue user who happens to plug into the LAN and "steal" an 
> >IP address which is already in use (thus disrupting the legal machine's use 
> >of IP)?
> >
> This question comes up fairly often.  There are two schools of thought:
> 
> 1.  Go to the chokepoints of your network (hubs, routers, etc.) and disable
> access for that address.  Wait to see who hollers.  While this method may
> often work, it has some pretty obvious drawbacks.
> 
> 2.  Use some OS-dependent method of asking the machine with the purloined IP
> address who it is.  The problem here is that you have to know or guess what
> kind of OS the machine has, and then know how to identify a machine of that
> type.
> 
> A basic outline might be:  Try to telnet into the machine.  If it accepts a
> telnet, there is a good chance it will tell you a little bit about itself.
> If it does not accept a telnet, odds are it is a Windows-based computer
> (odds may vary in your organization).
> 
> If it's Windows-based, you can do this from another Windows-based computer:
> tracert <ipaddress>  
>         -will tell you the NetBIOS name
> NET SEND <NetBIOS name> "Please call me"  
>         -sends a message to the person 
> 
> If he doesn't call you, you can set up a batch file that floods him with
> messages and makes the machine unusable.
> 
>  
> 
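
An added example, not part of the original message: a Python sketch of the audit that the per-segment IP restriction and MAC address security described above make possible. The segment names, subnets, MAC addresses and observations are constructed for illustration; in practice the observations would come from switch or router ARP tables.

```python
import ipaddress
from collections import defaultdict

# Constructed inventory: each segment's subnet and the IP -> MAC bindings allowed on it.
SEGMENTS = {
    "seg-a": {"subnet": ipaddress.ip_network("192.0.2.0/26"),
              "bindings": {"192.0.2.10": "00:a0:c9:11:22:33",
                           "192.0.2.11": "00:a0:c9:44:55:66"}},
    "seg-b": {"subnet": ipaddress.ip_network("192.0.2.64/26"),
              "bindings": {"192.0.2.70": "00:60:08:aa:bb:cc"}},
}

# Constructed observations: (segment, IP address, MAC address) as seen on the wire.
OBSERVED = [
    ("seg-a", "192.0.2.10", "00:a0:c9:11:22:33"),  # legitimate owner
    ("seg-a", "192.0.2.10", "00:10:4b:de:ad:01"),  # second claimant of the same IP
    ("seg-a", "192.0.2.70", "00:60:08:aa:bb:cc"),  # seg-b address seen on seg-a
    ("seg-b", "192.0.2.70", "00:60:08:aa:bb:cc"),  # legitimate
    ("seg-b", "192.0.2.71", "00:10:4b:de:ad:02"),  # MAC not registered on seg-b
]

def audit(observed, segments):
    """Return findings for observations that violate the segment policy."""
    findings = []
    claims = defaultdict(set)  # (segment, ip) -> MACs seen claiming that IP
    for seg, ip, mac in observed:
        mac = mac.lower()
        cfg = segments[seg]
        claims[(seg, ip)].add(mac)
        if ipaddress.ip_address(ip) not in cfg["subnet"]:
            findings.append(("wrong-segment", seg, ip, mac))
        elif mac not in cfg["bindings"].values():
            findings.append(("unknown-mac", seg, ip, mac))
        elif cfg["bindings"].get(ip) != mac:
            findings.append(("binding-mismatch", seg, ip, mac))
    # An IP claimed by more than one MAC on a segment is the conflict itself.
    for (seg, ip), macs in sorted(claims.items()):
        if len(macs) > 1:
            findings.append(("ip-conflict", seg, ip, tuple(sorted(macs))))
    return findings

if __name__ == "__main__":
    for finding in audit(OBSERVED, SEGMENTS):
        print(finding)
```

The MAC address attached to an "unknown-mac" or "ip-conflict" finding is what a LAN inventory program or a switch port table can then map to a physical machine.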

