Oh, forgot to mention this is a university, open around the clock, with thousands of users with physical access to whatever.
But I thank you kindly, Marc No Mad. You really helped out on the subject. :p

Addon: I don't have access to the DHCP, or any other central services. So we're back to the "how do I DoS my clients" on my subnet, based on IP/MAC? No 802.1x available here .... probably won't be in 2005....

/n

On 7/20/05, Madison, Marc <[EMAIL PROTECTED]> wrote:
> Physical security..... ;)
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Niklas
> Sent: Wednesday, July 20, 2005 2:25 PM
> To: FD-mailing
> Subject: [Full-disclosure] Snatching IP on LAN, how to DoS/block such
> machines?
>
> Consider the following scenario:
>
> You are running a decent network (say a couple of c-nets) with a non-anonymous
> DHCP. It is not possible to have smart switches to each endpoint. In the
> last stage the clients are connected to dumb switches.
>
> Everything is fine until a user shuts down a (DHCP:ed) computer and uses
> its IP on the private portable that the user just connected to the same
> outlet, or on an outlet on the same subnet (user hardcodes IP and may be
> located.. anywhere where this subnet is available).
>
> This is noticed pretty quickly since such a computer is bound to show up
> in internal systems (inventory can't log on, software can't be deployed,
> viruses are reported from this IP, snort finds interesting traffic etc
> etc).
>
> The network admin then blocks the user's MAC at router level. The user can
> have an IP (hardcoded), but won't be able to do external traffic at all
> beyond the default gateway; this is pretty useless to the hijacking user.
>
> User then modifies his MAC to match a valid PC's MAC. User is instantly
> DHCP:ed/allowed at router level. User still ends up in logs, but since
> user has firewall enabled admin can do nothing on the net against the
> local machine (at least not automatically) aside from start blocking
> valid MACs.
>
>
> How do you "shut down" such hijackers? Blocking MAC at router level is
> not an option since the real machine might be turned on later
> (unblocking, as well as blocking, involves net admin, and those changes
> don't happen in real time, probably a week :)).
>
> The intrusion itself is sooner or later detected by systems
> automatically, in most cases almost instantly since we are talking about
> P2P-users. There is a possibility to script stuff on the subnet when this
> happens, but how to proceed?
>
> I'm thinking something like TFN in the good old days (for a short period
> of time, until hijacker gives up), or a smart ARP-poisoning. In other
> words, how do I DoS "my own" clients? I don't mind bringing a switch to
> its knees since this type of incident always occurs after office hours. I
> have full control of all of the clients on the subnet except the
> hijackers', but no access to the router.
>
> Any suggestions are most welcome -- if your answer considers the above
> "It is not possible to have smart switches to each endpoint" :)
>
> /n
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
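A defender-side check for the hijack progression described in the quoted post, added here as an example that is not part of the original thread: it compares a DHCP lease table against ARP bindings observed on the subnet, flags an IP answering from a MAC other than its lease, flags the same IP switching between two MACs within a short window (the conflict that shows up while the real PC and the portable overlap), and derives a block list that never contains a leased MAC. The lease table, timestamps and ARP observations are constructed sample data, and the function names are my own.

```python
from datetime import datetime, timedelta

# Constructed sample data: DHCP leases (ip -> mac), the admin's source of truth.
LEASES = {
    "10.1.20.15": "00:11:22:33:44:55",   # inventory PC on a dumb switch
    "10.1.20.16": "00:11:22:33:44:66",
}

# Constructed ARP observations (time, ip, mac), in the order a sniffer on the
# subnet would see them, following the timeline of the post: the PC is up,
# a portable takes its IP, the portable then clones the PC's MAC, the PC returns.
OBSERVED = [
    ("2005-07-20 18:01:00", "10.1.20.15", "00:11:22:33:44:55"),  # real PC
    ("2005-07-20 18:05:00", "10.1.20.15", "aa:bb:cc:dd:ee:01"),  # portable, hardcoded IP
    ("2005-07-20 18:30:00", "10.1.20.15", "00:11:22:33:44:55"),  # portable, cloned MAC
    ("2005-07-20 18:31:00", "10.1.20.15", "00:11:22:33:44:55"),  # real PC back on
    ("2005-07-20 18:40:00", "10.1.20.16", "00:11:22:33:44:66"),  # normal host
]


def check_arp(leases, observed, flap_window=timedelta(minutes=30)):
    """Return (kind, ip, mac) alerts in observation order.

    lease_mismatch: IP answers from a MAC that is not its DHCP lease.
    unleased_ip:    IP has no lease at all (hardcoded address).
    ip_flap:        IP changed MAC within flap_window (two hosts contending).
    Once the hijacker clones the leased MAC (rows 3 and 4), the binding looks
    valid and this check is blind; only the earlier flap remains as evidence.
    """
    alerts = []
    last_seen = {}  # ip -> (time, mac) of the previous observation
    for ts, ip, mac in observed:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        expected = leases.get(ip)
        if expected is None:
            alerts.append(("unleased_ip", ip, mac))
        elif mac != expected:
            alerts.append(("lease_mismatch", ip, mac))
        prev = last_seen.get(ip)
        if prev and prev[1] != mac and t - prev[0] <= flap_window:
            alerts.append(("ip_flap", ip, mac))
        last_seen[ip] = (t, mac)
    return alerts


def suspect_macs(alerts, leases):
    """MACs worth a router-level block: seen in an alert, never a leased MAC,
    so the real PC is never blocked along with the hijacker."""
    leased = set(leases.values())
    return {mac for kind, _ip, mac in alerts if mac not in leased}
```

Run over the sample, the output names the portable's own MAC once and nothing after the clone, which is exactly the gap the post complains about.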
