RE: IP address conflicts

2004-10-03 Thread Ted Mittelstaedt


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Bart
 Silverstrim
 Sent: Saturday, October 02, 2004 12:37 PM
 To: [EMAIL PROTECTED] [EMAIL PROTECTED]
 Subject: Re: IP address conflicts
 
 
 
 On Oct 2, 2004, at 2:27 PM, Ted Mittelstaedt wrote:
  The problem is that if the attacker has a modicum of intelligence they
  will have done this to someone else's system.
 
 Yet you say this is taking place in colleges... :-)
 

ROTFL

  This is a college.  For example, someone in a dorm room just surfing the web
  gets up to take a piss.  As soon as they walk out the door and go down the
  hall, some joker down the hall runs into their room and in a few seconds
  changes the IP number of their PC to that of the mailserver then runs out.
  Bullshit like this happens all the time.
 
 Funny how just yesterday there was some slash story about users not 
 being careful with security.  My systems this wouldn't be effective.  
 Screen saver is hot cornered and password protected.  In the school 
 office, control-alt-del-k.  When I was in college, there was this 
 thing where your friends would steal your mattress...mattress police. 
   They would hide it somewhere on campus.  Never happened to my roommate 
 and I, because we carried our keys with us and locked the bedroom when 
 we weren't there (or in the living room connected to the hallway); no 
 reason to leave the door open if we weren't there, and our community  
 belongings were already outside of that room for the other roommates 
 and friends to use.
 

Yup.  This is self-defense in any college setting, there's too many
juveniles around.

 We try to have a policy where I work where if your account is used to 
 do something against the rules, like browse porn, you must have given 
 that person your account password or you left your account logged in 
 and walked away.  There's no way to prove who the body was sitting at 
 that console, so it is assumed to be you.  You get in trouble for it.

We try to have a policy where I work of what you call common courtesy.
That is, the stuff on someone's desk is their property and if you have
to touch it, you don't damage it.

Every once in a while we run across someone who doesn't understand this;
they get away with this for a while but sooner or later we reach out and
fire them.  Apparently, they all go to work at your place.
  
 You allowed it, you were irresponsible, and you're going to get hassled 
 for it until you learn to take responsibility for your belongings 
 (including your identity) within reason.  It is not unreasonable to 
 expect people to not give their passwords out and to log off of a 
 console when they're done using it.
 

I think the double negatives there are a bit too much for most people.

It is unreasonable to expect people to have to act like they are in
kindergarten when they are in the middle of a network room that has a
sum total of 20 people who can access it, all of whom are paid more than
50K a year.

Naturally, if you're working with a system in an insecure area, you
follow secure procedures.  For example if you're at a customer site
you assume that their machine is infected with a key logger, and
don't touch anything at the mothership that isn't password-aged
regularly.  Same goes if you're traveling and using something like
an Internet kiosk.

But people should not have to be looking over their shoulders
where they live, eat, sleep.  This is a college, not a kindergarten.

Your logic is of the variety of well, the security scanners at the
airports didn't do what they were supposed to be doing, so we
deserved to have the WTC collapsed.  In other words, it only appears
on the surface to be reasonable, and that is because the problems
don't involve people dying.  But it is fatally flawed.  If the
world really operated like you seem to think, it would be anarchy.

 Your reactions are your policies and your rules; if they work for you, 
 that's all and good.  If students continue to play stupid and allow 
 things like this to happen to their computers, then so be it.  Or you 
 can nail them a couple times and have them wise up for it.

Much, much better to nail up the actual criminals not the victims.

 
  The only solution is to use managed switches with a modicum of intelligence
  to where you can build a MAC filter that disallows packets that originate
  from the end users that have the same MAC as the mailserver, (to block spoofers)
  and that allows you to dump the internal MAC table.
 
 This is a good infrastructure to the network change and it would also 
 solve the problem.  I thought he was having money troubles and needed a 
 quick solution to try solving the problem, while this solution would be 
 done in the future once funds are released and time can be allocated to 
 switch things over.  It sounded like his network was somewhat in 
 shambles at the moment.
 

He is having money troubles.  However, just because he

Re: IP address conflicts

2004-10-03 Thread Martin Paredes
 
  Well, you could move all of the servers onto a separate network to any
  of the individual client machines (and make sure that the server
  network isn't accessible from any of the network ports your clients
  have access to, clearly).  That way, even if one of your pet idiots
  decides to 'borrow' a server IP address, the network routing means
  that all they are going to do is hurt themselves.

 Think of this for a second.  Right now he has maybe 4-5 different servers that
 people are putting the IP numbers on.  Once you move all those servers onto a
 separate subnet, now all the little twits have to do is put the IP number
 of the gateway router onto their systems, then the entire subnet that ALL
 the servers are on becomes inaccessible.


If you have 20 buildings, you must create 20 subnets as a minimum.

Try to isolate the public ports (anyone can connect), like computer lab rooms,
from those used by the people who work in the school (administrative offices).

Also, try to isolate floors or rooms so you can go to that room and review
the PCs that are connected (the subnet may be of 32 or 64 hosts).

Put a special area (on its own subnet) in each building to allow students to
connect their computers.

Request help from the lab administrators and the workers of the school to
watch for people who bring a PC or laptop into the labs (maybe bags must be
searched), and if the problem happens, at least you know some faces.

maps

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: IP address conflicts

2004-10-03 Thread Bart Silverstrim
On Oct 3, 2004, at 2:11 AM, Ted Mittelstaedt wrote:
locking your dorm room
Yup.  This is self-defense in any college setting, there's too many
juveniles around.
Well, that's the point of college today...real life without the real 
life consequences :-)  It's training for taking responsibility, though.

We try to have a policy where I work where if your account is used to
do something against the rules, like browse porn, you must have given
that person your account password or you left your account logged in
and walked away.  There's no way to prove who the body was sitting at
that console, so it is assumed to be you.  You get in trouble for it.
We try to have a policy where I work of what you call common courtesy.
That is, the stuff on someone's desk is their property and if you have
to touch it, you don't damage it.
You'd think this is a simple rule.  Good luck.
Every once in a while we run across someone who doesn't understand this;
they get away with this for a while but sooner or later we reach out and
fire them.  Apparently, they all go to work at your place.
I work in public education.
I think the double negatives there are a bit too much for most people.
It is unreasonable to expect people to have to act like they are in
kindergarten when they are in the middle of a network room that has a
sum total of 20 people who can access it, all of whom are paid more than
50K a year.
You'd THINK so.  Listen, chances are that you can, in rural areas, get 
away with never locking your door.  Nothing happens...no one marches in 
and robs you.  What are the chances an average thief notices your doors 
aren't locked?  Or that someone comes in and assaults you?  Yet you 
still get the person on the news saying we never had to lock our doors 
before...I guess it's just getting too dangerous a world to not do that 
anymore...

I'd rather go through that extra five second hassle and *take my keys 
with me* and *lock the friggin' door*.  Just so I can say I wasn't an 
idiot for inviting the problem in the first place.  Maybe it would 
never happen.  Maybe nothing will, and chances are that if someone 
really wanted to break into my house they're going to find a way.  But 
I don't want them to have it so easy as to just walk through the bloody 
door.

Want my data?  Steal the CPU.  You'll need to get the hard drive out.  
It's always in a state where either I'm at the console or it's asking 
for a password.

Besides, it helps me remember my passwords to be using them all the 
time :-)

You just never know when someone will want to pull a little prank 
that you won't have patience or time for.

But people should not have to be looking over their shoulders
where they live, eat, sleep.  This is a college, not a kindergarten.
True, and all security is a tradeoff.  People should realize that the 
five seconds it takes to lock and unlock a console is not a huge 
detriment to their schedule, and that taking reasonable precautions 
against theft and vandalism will save them time down the road that one 
time that someone decides to do something to them for giggles.

Yes, it's a college.  And like humans everywhere else, they act like 
giant kids.  Hell, they use college as an EXCUSE to act like idiots.  
You know...all that PRESSURE they're under.  The tests.  The essays.  
The reports.  The heavy drinking.  They have to vent SOMEHOW.  Besides, 
how high does a Dell monitor bounce from the third floor dorm window??

Your logic is of the variety of well, the security scanners at the
airports didn't do what they were supposed to be doing, so we
deserved to have the WTC collapsed.  In other words, it only appears
on the surface to be reasonable, and that is because the problems
don't involve people dying.  But it is fatally flawed.  If the
world really operated like you seem to think, it would be anarchy.
What, that people will be people and it's better to take the five 
seconds to take reasonable precautions is out of line? I see it as 
taking responsibility for my belongings (and in college, those of my 
roommate's as well).  My roommate and I got into a habit of carrying 
our keys...it kept us from being locked out of our cars, it kept our 
belongings from disappearing from our college apartment.  Nothing would 
probably have happened if we didn't do this, but it was insurance.  I 
don't *expect* my house to burn down, but I am insured for it.

Your parallel doesn't quite cut it.  Smuggling things onboard a plane 
that is contraband is a little different than playing pranks and using 
your computer in an unauthorized manner.  It crosses many lines.  I am 
taking responsibility for my data when I take a few seconds to lock the 
console.  To search someone for every possible danger they may pose to 
a plane not only crosses into crossing personal space and privacy, but 
is impossible against someone who is *determined* to cause a problem.

Maybe I'm not quite seeing what you are arguing in the comparison...how 
the conclusion 

RE: IP address conflicts

2004-10-03 Thread Ted Mittelstaedt


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Bart
 Silverstrim
 Sent: Sunday, October 03, 2004 12:55 PM
 To: [EMAIL PROTECTED] [EMAIL PROTECTED]
 Subject: Re: IP address conflicts



 On Oct 3, 2004, at 2:11 AM, Ted Mittelstaedt wrote:
 locking your dorm room
  Yup.  This is self-defense in any college setting, there's too many
  juveniles around.
 

 Well, that's the point of college today...real life without the real
 life consequences :-)  It's training for taking responsibility, though.

  We try to have a policy where I work where if your account is used to
  do something against the rules, like browse porn, you must have given
  that person your account password or you left your account logged in
  and walked away.  There's no way to prove who the body was sitting at
  that console, so it is assumed to be you.  You get in trouble for it.
 
  We try to have a policy where I work of what you call common courtesy.
  That is, the stuff on someone's desk is their property and if you have
  to touch it, you don't damage it.

 You'd think this is a simple rule.  Good luck.

  Every once in a while we run across someone who doesn't understand this;
  they get away with this for a while but sooner or later we reach out and
  fire them.  Apparently, they all go to work at your place.

 I work in public education.

  I think the double negatives there are a bit too much for most people.
 
  It is unreasonable to expect people to have to act like they are in
  kindergarten when they are in the middle of a network room that has a
  sum total of 20 people who can access it, all of whom are paid more than
  50K a year.

 You'd THINK so.  Listen, chances are that you can, in rural areas, get
 away with never locking your door.  Nothing happens...no one marches in
 and robs you.  What are the chances an average thief notices your doors
 aren't locked?  Or that someone comes in and assaults you?  Yet you
 still get the person on the news saying we never had to lock our doors
 before...I guess it's just getting too dangerous a world to not do that
 anymore...


Not a correct analogy.

To be correct, you would have to say that I built a tight fence around
me and my 20 rural neighbors, all of us have a key to get through this
fence, and none of us lock the doors of our homes that are -inside- this
fence.

 I'd rather go through that extra five second hassle and *take my keys
 with me* and *lock the friggin' door*.

 You just never know when someone will want to pull a little prank
 that you won't have patience or time for.


I would actually rather have the prank happen - you know why?  Because
if it does, then one of that 20 needs to be fired, simply because they
cannot be trusted.

It is worth it to me to suffer some inconvenience/dataloss/whatever
to discover that one of that 20 is a prankster so we can fire them.

People entrust their precious data with us.  If we cannot even trust
amongst ourselves we certainly don't deserve the trust of our customers.

  But people should not have to be looking over their shoulders
  where they live, eat, sleep.  This is a college, not a kindergarten.

 True, and all security is a tradeoff.  People should realize that the
 five seconds it takes to lock and unlock a console is not a huge
 detriment to their schedule, and that taking reasonable precautions
 against theft and vandalism will save them time down the road that one
 time that someone decides to do something to them for giggles.


Where I work there's no tolerance for even that one time.  You simply do
not damage other people's data, whether they be co-workers or customers
or the general public.  If someone in our group cannot even control themselves
with their co-workers' data, imagine what they are doing with customer data!

 Yes, it's a college.  And like humans everywhere else, they act like
 giant kids.  Hell, they use college as an EXCUSE to act like idiots.
 You know...all that PRESSURE they're under.  The tests.  The essays.
 The reports.  The heavy drinking.  They have to vent SOMEHOW.  Besides,
 how high does a Dell monitor bounce from the third floor dorm window??


Well, college dorms are a different environment than a corporate datacenter.
I certainly expect this, after living in a dorm myself.  If I was in the
OP's position I would ASSUME that students in the dorms would be pulling
this kind of stunt with regularity.  BUT, I would EXPECT that they WOULD
NOT do it.  And I would tell them so.  And when inevitably some of them
figured I was some dumbfuck squarehead and pulled their tricks anyway, I
would see to it that they got expelled, and I would let the rest of them
know that this is the consequence of choosing to pull a trick like this.

I would not, however, punish innocent victims, even if they walked off
and left their systems logged in.  This is counterproductive and just
unites the troublemakers and their victims against you.

I know perfectly well

RE: IP address conflicts

2004-10-02 Thread Ted Mittelstaedt


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Bart
 Silverstrim
 Sent: Monday, September 27, 2004 5:03 AM
 To: Tim Aslat
 Cc: [EMAIL PROTECTED]
 Subject: Re: IP address conflicts



 On Sep 27, 2004, at 12:49 AM, Tim Aslat wrote:

  In the immortal words of Ted Mittelstaedt [EMAIL PROTECTED]...

  Once again, I must assume that these notebooks legitimately owned by
  students and staff are NOT owned by the people that are changing the
  IP numbers.
 
  I actually think it's more than 1 culprit, and I couldn't be 100%
  certain whether they are using their own notebooks or school machines
  until I catch them in the act.

 Do what spammers do...set up all the school machines to act as zombies
 and when you detect the asshats pulling their little trick, flood them
 with connection requests to poof them off the network :-)

  If you have a situation where you KNOW who is doing it, and they are
  getting away with this, with the full knowledge of the Dean and others
  in the college,
  then you may as well just start looking for another job.  If I was in
  your shoes
  I would.
 
  Nobody is actually getting away with it, it's just frustrating not
  knowing who.

 Doesn't arpwatch look for the mac changes on the network, which could
 help you track down the MAC which is pulling the address when it
 shouldn't?  I see messages from arpwatch from some of our servers when
 DHCP leases change.  Will at least help you narrow down the
 suspects...If you get a MAC address, you can run a detailed NMap
 against them to try identifying platform information as well as get the
 make/model of their network card from the MAC.

 That MAC, unless they're spoofing it, will give you evidence to use
 against them.

 There's also Nessus you can use on the system once you narrow it
 down...see what if any vulnerabilities there may be.  Not that *I*
 advocate doing something like this.  I'd *never* advocate breaking into
 another machine just because it was causing problems on your network.

 Once you have their MAC, you could also watch and see what address that
 MAC is magically changed to when the attack stops...then redirect
 their traffic using some ARP redirection (etherpeek? dsniff?) to
 redirect their requests through a local BSD machine acting as a gateway
 (forwarding packets).  Sniff the traffic for awhile until a username
 comes through when looking for POP mail or some other text-based
 requests, then you know who it is (or at least who's at that machine).
 It's your school's network, and usually there's policies in place
 saying that a user does not have guaranteed privacy to information
 going over school or university networks (or business networks, for
 that matter), especially if the hardware is school owned (and you don't
 really have a way of telling this with this attack, unless you have a
 list of MACs owned by the school and know for a fact that the user
 isn't spoofing the MAC).

 Just some ideas I'd consider.



The problem is that if the attacker has a modicum of intelligence they
will have done this to someone else's system.

This is a college.  For example, someone in a dorm room just surfing the web
gets up to take a piss.  As soon as they walk out the door and go down the
hall, some joker down the hall runs into their room and in a few seconds
changes the IP number of their PC to that of the mailserver then runs out.
Bullshit like this happens all the time.

The only solution is to use managed switches with a modicum of intelligence
to where you can build a MAC filter that disallows packets that originate
from the end users that have the same MAC as the mailserver, (to block spoofers)
and that allows you to dump the internal MAC table.

That way when someone pulls their fun you're going to see their MAC in your
routers, and you can then look at the switches and see exactly what port is
being used.

Ted



Re: IP address conflicts

2004-10-02 Thread Bart Silverstrim
On Oct 2, 2004, at 2:27 PM, Ted Mittelstaedt wrote:
The problem is that if the attacker has a modicum of intelligence they
will have done this to someone else's system.
Yet you say this is taking place in colleges... :-)
This is a college.  For example, someone in a dorm room just surfing the web
gets up to take a piss.  As soon as they walk out the door and go down the
hall, some joker down the hall runs into their room and in a few seconds
changes the IP number of their PC to that of the mailserver then runs out.
Bullshit like this happens all the time.
Funny how just yesterday there was some slash story about users not 
being careful with security.  My systems this wouldn't be effective.  
Screen saver is hot cornered and password protected.  In the school 
office, control-alt-del-k.  When I was in college, there was this 
thing where your friends would steal your mattress...mattress police. 
 They would hide it somewhere on campus.  Never happened to my roommate 
and I, because we carried our keys with us and locked the bedroom when 
we weren't there (or in the living room connected to the hallway); no 
reason to leave the door open if we weren't there, and our community  
belongings were already outside of that room for the other roommates 
and friends to use.

We try to have a policy where I work where if your account is used to 
do something against the rules, like browse porn, you must have given 
that person your account password or you left your account logged in 
and walked away.  There's no way to prove who the body was sitting at 
that console, so it is assumed to be you.  You get in trouble for it.  
You allowed it, you were irresponsible, and you're going to get hassled 
for it until you learn to take responsibility for your belongings 
(including your identity) within reason.  It is not unreasonable to 
expect people to not give their passwords out and to log off of a 
console when they're done using it.

Your reactions are your policies and your rules; if they work for you, 
that's all and good.  If students continue to play stupid and allow 
things like this to happen to their computers, then so be it.  Or you 
can nail them a couple times and have them wise up for it.  Honest! I 
didn't put kiddie porn on that computer...my...my roommate did it!  Or 
a computer virus did it!  OH!!! Nevermind then...

The only solution is to use managed switches with a modicum of intelligence
to where you can build a MAC filter that disallows packets that originate
from the end users that have the same MAC as the mailserver, (to block spoofers)
and that allows you to dump the internal MAC table.
This is a good infrastructure to the network change and it would also 
solve the problem.  I thought he was having money troubles and needed a 
quick solution to try solving the problem, while this solution would be 
done in the future once funds are released and time can be allocated to 
switch things over.  It sounded like his network was somewhat in 
shambles at the moment.

That way when someone pulls their fun you're going to see their MAC in your
routers, and you can then look at the switches and see exactly what port is
being used.
Any way to have it send a 50,000 volt spike through that port?
-Bart


Re: IP address conflicts

2004-10-01 Thread Bart Silverstrim
On Sep 27, 2004, at 12:49 AM, Tim Aslat wrote:
In the immortal words of Ted Mittelstaedt [EMAIL PROTECTED]...

Once again, I must assume that these notebooks legitimately owned by
students and staff are NOT owned by the people that are changing the
IP numbers.
I actually think it's more than 1 culprit, and I couldn't be 100%
certain whether they are using their own notebooks or school machines
until I catch them in the act.
Do what spammers do...set up all the school machines to act as zombies 
and when you detect the asshats pulling their little trick, flood them 
with connection requests to poof them off the network :-)

If you have a situation where you KNOW who is doing it, and they are
getting away with this, with the full knowledge of the Dean and others
in the college,
then you may as well just start looking for another job.  If I was in
your shoes
I would.
Nobody is actually getting away with it, it's just frustrating not
knowing who.
Doesn't arpwatch look for the mac changes on the network, which could 
help you track down the MAC which is pulling the address when it 
shouldn't?  I see messages from arpwatch from some of our servers when 
DHCP leases change.  Will at least help you narrow down the 
suspects...If you get a MAC address, you can run a detailed NMap 
against them to try identifying platform information as well as get the 
make/model of their network card from the MAC.

That MAC, unless they're spoofing it, will give you evidence to use 
against them.

There's also Nessus you can use on the system once you narrow it 
down...see what if any vulnerabilities there may be.  Not that *I* 
advocate doing something like this.  I'd *never* advocate breaking into 
another machine just because it was causing problems on your network.

Once you have their MAC, you could also watch and see what address that 
MAC is magically changed to when the attack stops...then redirect 
their traffic using some ARP redirection (etherpeek? dsniff?) to 
redirect their requests through a local BSD machine acting as a gateway 
(forwarding packets).  Sniff the traffic for awhile until a username 
comes through when looking for POP mail or some other text-based 
requests, then you know who it is (or at least who's at that machine).  
It's your school's network, and usually there's policies in place 
saying that a user does not have guaranteed privacy to information 
going over school or university networks (or business networks, for 
that matter), especially if the hardware is school owned (and you don't 
really have a way of telling this with this attack, unless you have a 
list of MACs owned by the school and know for a fact that the user 
isn't spoofing the MAC).

Just some ideas I'd consider.
More than likely.  Unfortunately this is a legacy network held together
with band-aids and fencing wire.  I'm gradually making changes to the
infrastructure, but it all costs money and in this case, it definitely
won't happen overnight, but it is happening.
Thanks for the suggestions.
Can you contact your upstream provider for a couple static IPs or a 
static IP that you could use to subnet and NAT your servers for the 
public off the regular student network?  That way the idiots in your 
own network shouldn't be *able* to affect your web servers, mail 
servers, etc...

Of course, they could continue screwing with your internal servers, but 
at least this would reduce the damage they inflict.



Re: IP address conflicts

2004-09-28 Thread Matthew Seaman
On Mon, Sep 27, 2004 at 08:20:42PM -0700, Ted Mittelstaedt wrote:
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] Behalf Of Matthew Seaman
  Sent: Monday, September 27, 2004 2:22 AM
  To: Tim Aslat
  Cc: [EMAIL PROTECTED]
  Subject: Re: IP address conflicts
 
 
  On Mon, Sep 27, 2004 at 08:51:47AM +0930, Tim Aslat wrote:
 
   I have an annoying situation in a school where I do casual work in their IT
   department.  There are a number of individuals within the system who
   think it's funny to allocate an IP address on a workstation identical to
   the network's proxy/web/mail servers.  What I'd like to know is, would
   there be any way of preventing this short of spending quite a lot of
   money on managed switches and the like?
 
  Well, you could move all of the servers onto a separate network to any
  of the individual client machines (and make sure that the server
  network isn't accessible from any of the network ports your clients
  have access to, clearly).  That way, even if one of your pet idiots
  decides to 'borrow' a server IP address, the network routing means
  that all they are going to do is hurt themselves.
 
 
 You must want to HELP the little shits then.

Please do not ascribe such motives to me in such an insulting manner.
You have a point, but you need to learn how to be less inflammatory in
making it.
 
 Think of this for a second.  Right now he has maybe 4-5 different servers that
 people are putting the IP numbers on.  Once you move all those servers onto a
 separate subnet, now all the little twits have to do is put the IP number of
 the gateway router onto their systems, then the entire subnet that ALL the
 servers are on becomes inaccessible.

Yes, you are quite right.  I missed that.  However the OP is stuck
between a rock and a hard place.  He (or his school) is saying they
can't afford the correct equipment to really solve the problem.  As it
is, he's getting the flak when things aren't working right (what else
is new?)

On consideration, it strikes me that the thing to realise is that this
has gone beyond a technical argument.  This is now also a political
argument and a financial argument.  His bosses do not either see the
justification for investing in equipment to make the network proof
against such attacks, neither do they have the incentive to come down
like a ton of bricks on the malefactors.  It's counter-intuitive I
know, and goes against all of the best instincts of any good systems
administrator, but the OP's arguments would be strengthened if the
problem was or /appeared to be/ *worse* than it is currently.

Machiavellianly,

Matthew


-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
Tel: +44 1628 476614
26 The Paddocks, Savill Way, Marlow, Bucks., SL7 1TH UK




RE: IP address conflicts

2004-09-28 Thread Ted Mittelstaedt


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of russell
 Sent: Monday, September 27, 2004 9:52 PM
 To: Ted Mittelstaedt
 Cc: bsdfsse; [EMAIL PROTECTED]
 Subject: Re: IP address conflicts


 On 28/09/2004, at 1:25 PM, Ted Mittelstaedt wrote:

  or use a tool like arpwatch that is specifically designed to let you
  know when MAC/IP relationships change on your network.
 
  You don't even need to do that - any router on the network is going to log
  the MAC address because they will see the arp change, as will the other
  servers.

 yeah, of course they'll see the change. but what will they do about it?
 update their internal ARP table and that's about it, unless they're
 smart enough (and correctly configured) to do more. arpwatch is simple
 to install and will notify you straight away when things happen that
 might need your attention.


My guess is that the phone calls from the people that suddenly cannot get
mail are as effective as arpwatch would be in this situation.

Even if arpwatch notifies him the instant it happens he's still going to be
screwed without a managed switch where the offender is coming from.

Don't get me wrong I'm not advocating against putting more monitoring
on the network.  It is just with this situation no amount of monitoring
is going to compensate for a bunch of dumb, unmanaged hubs all tied
together.  There's a danger of putting too much energy into software
when what is going to help most is more powerful hardware.

It's actually amazing that he's not already melted down under a host of
broadcast storms and such already.  From the description it sounds like
the Ethernet rules have been broken many times here already.

  you log the MAC addresses of all the fixed workstations in the school,
  then when one of them starts doing the wrong thing you know *exactly*
  where to go to nab the culprit.
 
  How, exactly?  Do you think that he has a list of all MAC addresses on
  the
  network and who is using them?

 the educational institutions I've worked in tend to be pretty anal
 about having a database of what computers they own and where they're
 located - something to do with stopping people from walking off with
 their assets. if your vendor is good they'll provide the machine MAC
 address along with the serial number and amount of installed RAM. if
 not then there's some walking to do. spend half a day and document the
 fixed machines on the network.


He's already said they have over 2K nodes on the
network many of which are student-owned laptops.  You could take a month
on something like this and still not have all of them.  Not to mention
that in a few seconds the owner of the offending system can easily
spoof the mac address to a fake one, or more likely, that of another,
innocent, machine on the network.

  Getting the MAC address is not the problem.  Finding it on what is
  essentially
  a completely flat network is.  You need managed switches for this so
  you can
  see what port the offending MAC address is on.

 now you're assuming that there's documentation as to what ports come
 out at what wall points, and that there's not still a lab full of
 dead-ass old machines sitting on 10Base2.


He already said most of his hubs are non-managed.
To do any kind of tracking down to the port level means these hubs
are going to have to be replaced with managed switches.  When that happens
you would definitely document the wiring if you haven't already.

And as far as thinnet goes, I wouldn't pay a lot of attention to that
because large thinnet segments go down so much already a few more
problems won't even be noticed.  Any of his thinnet chains are going to
have to terminate in a switch eventually, you just make sure that
the port they terminate in is in a managed switch.

  If it's not one of the fixed
  workstations then you've got a bit more work to find the kiddie, but
  it's nothing insurmountable.
 
  Unless of course the kiddies are using made up MAC addresses like
  BADBEEF, DEADBEEF, CO1DCOED, and such.

 I'm assuming here, having worked in uni computer labs and seen this
 sort of crud being done, that what's happening is someone is changing
 the network settings on a PC... I don't recall seeing a text field next
 to the enter your IP address box that says enter your MAC
 address...


That is because it is not in that location.  The MAC address is setup by
the nic device driver, not by the OS.  Most Windows nic device drivers
have a field where a user-defined MAC address can be entered.

For example, on a convenient system here, Win2K on a Taiwanese motherboard
based on the VIA chipset, under the Administrator user you go:

Start -> Settings -> Network and Dial-up Connections -> right-click Local Area
Connection -> Properties -> click the Configure button underneath the VIA
Rhine II Fast Ethernet Adapter -> click the Advanced tab -> click Network
Address and change the radio button from Not Present to Value, then type in
the new MAC address
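
The arpwatch behaviour discussed in this message, as an added example that is
not code from the thread or from arpwatch itself: an IP-to-MAC tracker that
raises the same "new station", "changed ethernet address" and "flip flop"
events over a constructed sample of ARP observations (the 10.0.0.x addresses,
the MACs and the "protected" server list are all made up for the example). It
also lists, per protected IP, every other MAC that has claimed it, which is
the handle you would take to a managed switch. As Ted says, on unmanaged hubs
it still will not tell you the port, and a forged MAC may point at an innocent
machine, so treat the output as a lead, not as proof.

```python
"""
Added example (not code from the thread): an arpwatch-style IP/MAC change
tracker run over a constructed sample of ARP observations. A real deployment
would feed observe() from ARP replies captured on the server segment.
"""
from collections import namedtuple

Event = namedtuple("Event", "kind ts ip mac old_mac severity")

# Constructed sample of (timestamp, ip, mac) as a sniffer on the flat segment
# might see them. 10.0.0.5 plays the mail server, legitimately at
# 00:11:22:33:44:55 (assumed values, not from the thread).
SAMPLE = [
    (1, "10.0.0.5",  "00:11:22:33:44:55"),
    (2, "10.0.0.20", "00:aa:bb:cc:dd:01"),
    (3, "10.0.0.5",  "00:11:22:33:44:55"),   # unchanged, no event
    (4, "10.0.0.5",  "DE:AD:BE:EF:00:01"),   # another station claims the server IP
    (5, "10.0.0.5",  "00:11:22:33:44:55"),   # the real server answers again
    (6, "10.0.0.5",  "DE:AD:BE:EF:00:01"),   # and the conflict flip-flops
    (7, "10.0.0.21", "00:aa:bb:cc:dd:02"),
]

PROTECTED = {"10.0.0.5"}   # assumed: server addresses whose changes page the admin


class ArpTracker:
    """Remember the first, the latest and every MAC ever seen for each IP."""

    def __init__(self, protected=()):
        self.first = {}      # ip -> mac recorded when the ip was first seen
        self.current = {}    # ip -> mac seen most recently
        self.history = {}    # ip -> set of every mac seen for that ip
        self.protected = set(protected)

    def observe(self, ts, ip, mac):
        """Record one ARP observation; return an Event or None if nothing changed."""
        mac = mac.lower()                       # normalise case before comparing
        history = self.history.setdefault(ip, set())
        prev = self.current.get(ip)
        self.current[ip] = mac
        if prev is None:
            self.first[ip] = mac
            history.add(mac)
            return Event("new station", ts, ip, mac, None, "info")
        if prev == mac:
            return None
        # arpwatch's vocabulary: a return to a MAC seen before for this IP is a
        # "flip flop"; a MAC never seen for it is a "changed ethernet address".
        kind = "flip flop" if mac in history else "changed ethernet address"
        history.add(mac)
        severity = "alert" if ip in self.protected else "info"
        return Event(kind, ts, ip, mac, prev, severity)

    def contenders(self, ip):
        """Every MAC that has claimed ip other than the first one recorded for it."""
        return self.history.get(ip, set()) - {self.first.get(ip)}


def run(observations, protected=()):
    """Feed observations in order; return the tracker and the events it raised."""
    tracker = ArpTracker(protected)
    events = [e for e in (tracker.observe(*obs) for obs in observations) if e]
    return tracker, events


if __name__ == "__main__":
    tracker, events = run(SAMPLE, PROTECTED)
    for e in events:
        print(f"{e.severity:5} t={e.ts} {e.kind}: {e.ip} {e.old_mac} -> {e.mac}")
    print("contenders for 10.0.0.5:", tracker.contenders("10.0.0.5"))
```

Run it as a script to see the event stream; the three "alert" events are the
ones that correspond to the phone calls from people who suddenly cannot get
mail, and contenders() is what you would search the switch MAC tables for.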

RE: IP address conflicts

2004-09-28 Thread Ted Mittelstaedt


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Tim Aslat
 Sent: Monday, September 27, 2004 9:39 PM
 To: [EMAIL PROTECTED]
 Subject: Re: IP address conflicts


  It's not the number of switches that matter it's the number of active
  ports.  50 what, 8 port switches?  or 24 port switches?

 Approximately 30 24 port switches, and a mix 'n' match of 8 - 48 port
 units.  Being a legacy network, it's not what you would call
 standardised.

So, about $10K, time, and a lot of judicious purchasing would get you all
used switches that would be managed, same manufacturer.  That's if you buy them
yourself off eBay.  If you get a network vendor like Network Hardware Resale
to put together a package like this you're talking maybe $15-$20K


  Of course, there are some other ways of handling this too.  Oppps,
  looks like another switch died, we are just having a rash of these
  failures lately!
  Must be bad power.  And amazing - it's the switch that the head of the
  Engineering department and his staff are using!  Guess they will just
  have to go without since we don't have the money for new switches
  It's amazing how money will appear out of thin air if certain oxen get
  gored.

 I'm tempted to try it.  However, the bureaucracy in this place is
 incredible.  They would rather cannibalise a smaller part of the network
 than just buy a new router/switch/whatever.


oops, the switch you are suggesting I cannibalise uses the EtherToken
system,
totally incompatible, would have to buy all new adapters for all the PC's

I've played that game too.  What you have to keep in mind is that the people
running things that think they know how stuff works, they really don't know
how it works.  If you dig in your heels, as long as you don't pull the
broken
switch routine too often, they will back down.

When dealing with a bureaucracy I have found the most effective method is
the
vise treatment.  Bureaucracies work to preserve themselves.  Problems are
viewed as threats that can disrupt the stability of the bureaucracy.  If you
have a couple heart-to-heart talks with the top kingpins of the
administration
(who are quite often fighting the bureaucracy themselves) completely off
record
of course, and then make things -very-bad- for the people at the bottom by
simply doing nothing and allowing the bandaids to fall apart, the
bureaucracy
will find itself under pressure from the top and pressure from the bottom,
and
like a stuck turd being freed, money will come spewing out as the
bureaucracy
fights to keep itself preserved.

An axiom you should remember is that no bureaucracy ever spends money unless
it is afraid for its life - and then in a panic it always spends far too much
money on whatever solutions present themselves at the time.

This is why you read stories about the competent network admin being fired
because people were complaining about niggling problems, even though the
admin was doing everything under budget, and an incompetent admin being
hired to replace him who knows nothing whatsoever about anything, spends
money
like water, and rapidly creates so many bigger problems that the users
forget
all about the niggling ones that caused them to complain in the first place.
(then the incompetent admin brings in an outside consulting firm and after
getting it firmly established, quits his post and goes to work for the
consulting firm, bleeding the organization dry.)

But as a competent network admin, it is easy enough to figure all this out
and do exactly what the incompetent admin does - and what that is, is make
people scared that unless they spend a lot of money that they will not
be able to keep their cushy jobs.

  If you do go this route then screw the desktop switches, get yourself
  some decent slotted hubs.  You want a much higher port density than
  the crummy 24 in a typical rack mounted switch.  Besides that, the
  switch vendor is gonna want to use your school as an example of how to
  do things right. Remember,
  if your going to go begging then you need to beg for the best stuff
  they have.

 Anything in particular that you would recommend?


Cisco is the obvious choice here to go beg from.  First they are a rich
company.  Second they are still trying to break out of the we're only a
router manufacturer image and they want people to believe that they
actually
know how to produce switches.  heh.

The top of the line in the business of course is the 3com Switch 7700
series,
but good luck prying them free.  3com is tops, they know they are tops,
everyone thinks they are tops, and everyone wants their stuff.  They don't
need to give away things to get market share.  But, you can always try.

Enterasys is also another good one to go begging to, particularly because
they are still trying to create a name for themselves.  As you may know they
are a spawn of Cabletron.  Cabletron had some very good switching products,
and that technology has transferred over to Enterasys

RE: IP address conflicts

2004-09-28 Thread Ted Mittelstaedt


 -Original Message-
 From: Matthew Seaman [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, September 28, 2004 12:52 AM
 To: Ted Mittelstaedt
 Cc: Tim Aslat; [EMAIL PROTECTED]
 Subject: Re: IP address conflicts


 Please do not ascribe such motives to me in such an insulting manner.
 You have a point, but you need to learn how to be less inflammatory in
 making it.


Alright, alright, I'm sorry now quit taking it personally.  My advice is
worth exactly what you paid for it.  How much was that, again?


 Yes, you are quite right.  I missed that.  However the OP is stuck
 between a rock and a hard place.  He (or his school) is saying they
 can't afford the correct equipment to really solve the problem.

Well, from my viewpoint, HE is saying that his school doesn't have the
money.  I didn't read anywhere that he was actually told flat out that
they didn't have the money.  Fine line there.

My suspicions are that his school has done an excellent job of giving him
the IMPRESSION that they have no money, so don't bother asking for any.
It is an impression that schools carefully cultivate.  I'm so broke, we
are so broke, wahhh wahhh wahhh.  poor us.  Schools cultivate this because
it
gets more alumni donations.

But, if you look under the covers, schools always seem to have plenty
of money to renovate buildings, and as a student, every time you turn
around there's someone from the school with their hand out asking for
another fee to be paid.

For the last 20 years (since I left college) I've heard the same crying
and pissing every fall from them.  But they haven't dried up and blown
away and always seem to have plenty of new programs going on.  So, pardon
me if it gets old after a while.

Now, the elementary and secondary schools, that's an entirely different
matter.


 On consideration, it strikes me that the thing to realise is that this
 has gone beyond a technical argument.  This is now also a political
 argument and a financial argument.

I would say discussion not argument here.  And you're absolutely correct.

 His bosses do not either see the
 justification for investing in equipment to make the network proof
 against such attacks, neither do they have the incentive to come down
 like a ton of bricks on the malefactors.  It's counter-intuitive I
 know, and goes against all of the best instincts of any good systems
 administrator, but the OPs arguments would be strengthened if the
 problem was or /appeared to be/ *worse* than it is currently.


Of course.  But, the only people that do that are grotty old nasty
systems administrators that have a resume that stretches into next
week, and command 6 figure salaries.  The people that run schools are
scared to death of those people and run away from them as fast as
they can, because they know that those folks can topple the system.

Systems aren't toppled by young, green, wet behind
the ears system admins that work for peanuts and are enormously
grateful to their employers for getting the chance to gain work
experience, little realizing that their employers couldn't give a
fig how grateful they are, and only hire them because they work cheap.

Every once in a while you get that rare combination of a young, green
wet behind the ears system admin that works for peanuts and also
knows that peanut jobs are a dime a dozen, and knows his employer
is taking advantage of him, and is clever enough to make it -seem-
like he isn't doing anything to topple the system - yet somehow the
system seems to topple by itself.  Amazing, how that happens. Heh Heh Heh.

Ted

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: IP address conflicts

2004-09-28 Thread Peter Risdon
Ted Mittelstaedt wrote:

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Matthew Seaman
Sent: Monday, September 27, 2004 2:22 AM
To: Tim Aslat
Cc: [EMAIL PROTECTED]
Subject: Re: IP address conflicts
On Mon, Sep 27, 2004 at 08:51:47AM +0930, Tim Aslat wrote:

I have an annoying situation in a school I do casual work in their IT
department.  There are a number of individuals within the system who
think it's funny to allocate an IP address on a workstation identical to
the network's proxy/web/mail servers.  What I'd like to know is, would
there be any way of preventing this short of spending quite a lot of
money on managed switches and the like?
Well, you could move all of the servers onto a separate network to any
of the individual client machines (and make sure that the server
network isn't accessible from any of the network ports your clients
have access to, clearly).  That way, even if one of your pet idiots
decides to 'borrow' a server IP address, the network routing means
that all they are going to do is hurt themselves.

You must want to HELP the little shits then.
Think of this for a second.  Right now he has maybe 4-5 different servers
that
people are putting the IP numbers on.  Once you move all those servers onto
a
separate subnet, now all the little twits have to do is put the IP number of
the gateway router onto their systems, then the entire subnet that ALL the
servers are on becomes inaccessible.
It's nice to hear of kids understanding enough of their IT systems to do 
this sort of thing, and this is what they'll do if they can. But why can 
the pupils alter their network settings at all? Assuming they have 
Windows machines, the registries can be tweaked to deny access to 
network settings and other things that creative minds can play games 
with. This can be done through their network logins.

Peter.
--
the circle squared
network systems and software
http://www.circlesquared.com


Re: IP address conflicts

2004-09-28 Thread Eric Crist
For what it's worth, aside from some reconfiguration that could be a 
little time consuming, I would suggest putting the servers on a 
different subnet that everything else.  If all the computers that are 
not servers are supposed to be configured for DHCP, insert a FreeBSD 
box that filters out any addresses outside that subnet.

i.e. Server IP addresses are all 192.168.1.0 thru 192.168.1.50.  Set 
your DHCP server to only assign IP addresses above 192.168.1.75 and up 
or so.  I'm too lazy to do the math right now, but use the appropriate 
subnet mask and filter all the other stuff out.  Aside from those 
students disrupting some of the other users on the network, they can't 
spoof the servers anymore.

Just my $.02.
--
Eric F Crist
Secure Computing Networks


RE: IP address conflicts

2004-09-28 Thread Ted Mittelstaedt


 -Original Message-
 From: Eric Crist [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, September 28, 2004 6:38 AM
 To: Ted Mittelstaedt
 Cc: russell; bsdfsse; [EMAIL PROTECTED]
 Subject: Re: IP address conflicts



 For what it's worth, aside from some reconfiguration that could be a
 little time consuming, I would suggest putting the servers on a
 different subnet that everything else.  If all the computers that are
 not servers are supposed to be configured for DHCP, insert a FreeBSD
 box that filters out any addresses outside that subnet.

 i.e. Server IP addresses are all 192.168.1.0 thru 192.168.1.50.  Set
 your DHCP server to only assign IP addresses above 192.168.1.75 and up
 or so.  I'm too lazy to do the math right now, but use the appropriate
 subnet mask and filter all the other stuff out.  Aside from those
 students disrupting some of the other users on the network, they can't
 spoof the servers anymore.


No, they just spoof the IP address of the router that the servers are
behind, and accomplish exactly the same goal.

It actually makes it easier because instead of multiple servers and multiple
IP numbers the attackers need to spoof, they only now need spoof 1 IP
number -
that of the router the servers are behind.

Ted



RE: IP address conflicts

2004-09-28 Thread Ted Mittelstaedt


 -Original Message-
 From: Peter Risdon [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, September 28, 2004 3:42 AM
 To: Ted Mittelstaedt
 Cc: Matthew Seaman; Tim Aslat; [EMAIL PROTECTED]
 Subject: Re: IP address conflicts


 It's nice to hear of kids understanding enough of their IT systems to do
 this sort of thing, and this is what they'll do if they can. But why can
 the pupils alter their network settings at all?

Because they own the machines?

 Assuming they have
 Windows machines, the registries can be tweaked to deny access to
 network settings and other things that creative minds can play games
 with. This can be done through their network logins.


Which they can easily bypass by just not running the login script.

The OP said that some of the systems on the network are student-owned
laptops and
student-owned desktops that students are bringing in from home
to plug into the school network.  Even if the admin successfully manages
to lock out the administrative settings on the laptops, a nuke and repave
will take care of that.  And there's serious questions about having
the authority to do this anyway.  The school does not own these systems
nor does it have the manpower to administrate all of them, even if every
student was happy to turn over administrative control.

Sure, you could say that the student has to give up administrative control
over his Windows box before getting access to the school servers - but the
people that are causing the trouble don't need access to the servers to
do this kind of disruption in the first place.  All they need is physical
access to a network port and they are in business.  They don't even need an
IP number assigned to their systems.

Ted



RE: IP address conflicts

2004-09-27 Thread Ted Mittelstaedt


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Matthew Seaman
 Sent: Monday, September 27, 2004 2:22 AM
 To: Tim Aslat
 Cc: [EMAIL PROTECTED]
 Subject: Re: IP address conflicts


 On Mon, Sep 27, 2004 at 08:51:47AM +0930, Tim Aslat wrote:

  I have an annoying situation in a school I do casual work in their IT
  department.  There are a number of individuals within the system who
  think it's funny to allocate an IP address on a workstation identical to
  the network's proxy/web/mail servers.  What I'd like to know is, would
  there be any way of preventing this short of spending quite a lot of
  money on managed switches and the like?

 Well, you could move all of the servers onto a separate network to any
 of the individual client machines (and make sure that the server
 network isn't accessible from any of the network ports your clients
 have access to, clearly).  That way, even if one of your pet idiots
 decides to 'borrow' a server IP address, the network routing means
 that all they are going to do is hurt themselves.


You must want to HELP the little shits then.

Think of this for a second.  Right now he has maybe 4-5 different servers
that
people are putting the IP numbers on.  Once you move all those servers onto
a
separate subnet, now all the little twits have to do is put the IP number of
the gateway router onto their systems, then the entire subnet that ALL the
servers are on becomes inaccessible.

Ted



RE: IP address conflicts

2004-09-27 Thread Ted Mittelstaedt


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of russell
 Sent: Sunday, September 26, 2004 10:36 PM
 To: bsdfsse
 Cc: [EMAIL PROTECTED]
 Subject: Re: IP address conflicts


 or use a tool like arpwatch that is specifically designed to let you
 know when MAC/IP relationships change on your network.


You don't even need to do that - any router on the network is going to log
the MAC address because they will see the arp change, as will the other
servers.

 you log the MAC addresses of all the fixed workstations in the school,
 then when one of them starts doing the wrong thing you know *exactly*
 where to go to nab the culprit.

How, exactly?  Do you think that he has a list of all MAC addresses on the
network and who is using them?

Getting the MAC address is not the problem.  Finding it on what is
essentially
a completely flat network is.  You need managed switches for this so you can
see what port the offending MAC address is on.

 If it's not one of the fixed
 workstations then you've got a bit more work to find the kiddie, but
 it's nothing insurmountable.


Unless of course the kiddies are using made up MAC addresses like
BADBEEF, DEADBEEF, CO1DCOED, and such.

Ted



RE: IP address conflicts

2004-09-27 Thread Ted Mittelstaedt


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Tim Aslat
 Sent: Sunday, September 26, 2004 9:50 PM

 I agree, and this is what we are trying to do.  However a school with
 20+ buildings, and 1000+ network points and a considerable number of
 switches makes it a little more difficult.


And, let me guess, most switches purchased at different times, different
models,
different number of ports, etc.

And all of them on a single network, not broken up into small subnets - that
is the first mistake.

Probably many of the predecessors didn't understand you can use cheap
servers as routers.

What a nightmare.


 I actually think it's more than 1 culprit, and I couldn't be 100%
 certain whether they are using their own notebooks or school machines
 until I catch them in the act.


Well, as these things go when you do finally catch one it's going to be
the slowest and stupidest one of the lot.  When he gets expelled the rest of
them are going to call an all-out war and get a lot more sophisticated a
lot faster.


 Please bear in mind that I have over 50 switches kicking around in
 various parts of the school, and only 4 of them are managed.  This could
 be a very expensive exercise.


It's not the number of switches that matter it's the number of active
ports.  50 what, 8 port switches?  or 24 port switches?

Of course, there are some other ways of handling this too.  Oops, looks
like another switch died, we are just having a rash of these failures
lately!
Must be bad power.  And amazing - it's the switch that the head of the
Engineering department and his staff are using!  Guess they will just have
to go without since we don't have the money for new switches  It's amazing
how money will appear out of thin air if certain oxen get gored.

  Also, if you are a bona fide school, contact some of the switch
  vendors, they
  may make a deal with you under the table.

 This isn't a bad idea.  Might be well worth looking into, especially
 with the number we are going to need.


If you do go this route then screw the desktop switches, get yourself some
decent slotted hubs.  You want a much higher port density than the crummy
24 in a typical rack mounted switch.  Besides that, the switch vendor is
gonna want to use your school as an example of how to do things right.
Remember,
if you're going to go begging then you need to beg for the best stuff they
have.


 I appreciate the sentiment :)  however if a quick hack can cover my butt
 until I get budget clearance to get real switches in place, then I'm all
 for it.  Like you, I don't like quick hacks, but it they do the job
 until I can put something better in place, it's better than nothing.

 One question though.  Would it be enough to get some half decent
 switches just on the servers, or would I need to replace every single
 switch in the network?


You need to replace every single switch.  When one of these bozos assumes
a server IP number, he's going to most likely use a different MAC address.
You need to be able to query the mac table in the switch to see what port
that address is coming in from.

Later on, when you have expelled a few of them, they are going to cop wise
and start using the SAME mac address of your server, either with the same
IP number or a different IP number.  At that point, you're going to need to
use the filters provided in good switches so that the switches will only
allow the MAC addresses of your servers to come in to the physical port
that is plugged into those servers.  (or the physical port that is plugged
into the uplink port)

  What you merely do is go around to ALL of the machines on the network
  that need
  to get to the proxy/web/mailservers and put in static ARP entries for
  the MAC
  addresses of the legitimate servers.  Then when your little friends
  try their
  trick, nobody is going to notice it, except of course for the machine
  that they make their modification to.

 This sounds like more trouble than it's worth, but maybe there's a way I
 can distribute the settings somehow at logon.


If the logon server is being interfered with by the kiddies, then nobody
can logon and get the settings.

And, until you get the decent switches online, as soon as the kiddies
realize
you are on to them, they are going to start coming all over themselves with
excitement to play the Let's see if I'm smarter than the admin game.

It's like the original Star Wars movie.  They had to break the tractor beam
at its source, not at the central computer where someone could just
lock it back on.

You can maybe distribute the initial batch file with the static arp in it
one time - that of course will let the kiddies know that something's up.
They won't give you a second chance so you better have a whole collection of
arp entries in that batch file.

Eventually you're going to be forced into getting more intelligent switches.
What you're going to have to do is put 1 of them at each uplink point - such
as at the 

Re: IP address conflicts

2004-09-27 Thread Tim Aslat
In the immortal words of Ted Mittelstaedt [EMAIL PROTECTED]...
 And, let me guess, most switches purchased at different times,
 different models,
 different number of ports, etc.

Very much so.

 And all of them on a single network, not broken up into small subnets
 - that is the first mistake.

Again, this is a legacy network that I am trying (within budgetary
constraints) to make it a little more functional.

 Probably many of the predecessors didn't understand you can use cheap
 servers as routers.

I'm about the 4th or 5th successor to this network.  At least I've
managed to get rid of the last of the 10 base 2 stuff.

 What a nightmare.

You said it.

 Well, as these things go when you do finally catch one it's going to
 be the slowest and stupidest one of the lot.  When he gets expelled
 the rest of them are going to call an all-out war and get a lot more
 sophisticated a lot faster.

That's what I'm afraid of.

 It's not the number of switches that matter it's the number of active
 ports.  50 what, 8 port switches?  or 24 port switches?

Approximately 30 24 port switches, and a mix 'n' match of 8 - 48 port
units.  Being a legacy network, it's not what you would call
standardised.

 Of course, there are some other ways of handling this too.  Oppps,
 looks like another switch died, we are just having a rash of these
 failures lately!
 Must be bad power.  And amazing - it's the switch that the head of the
 Engineering department and his staff are using!  Guess they will just
 have to go without since we don't have the money for new switches 
 It's amazing how money will appear out of thin air if certain oxen get
 gored.

I'm tempted to try it.  However, the bureaucracy in this place is
incredible.  They would rather cannibalise a smaller part of the network
than just buy a new router/switch/whatever.

 If you do go this route then screw the desktop switches, get yourself
 some decent slotted hubs.  You want a much higher port density than
 the crummy 24 in a typical rack mounted switch.  Besides that, the
 switch vendor is gonna want to use your school as an example of how to
 do things right. Remember,
 if you're going to go begging then you need to beg for the best stuff
 they have.

Anything in particular that you would recommend?

 You need to replace every single switch.  When one of these bozos
 assumes a server IP number, he's going to most likely use a different
 MAC address. You need to be able to query the mac table in the switch
 to see what port that address is coming in from.

There are some parts of the network that are completely under my control
(staff areas and such) so I could probably get away without changing
those ones for the time being and get the managed switches for the
areas that it's more likely to come from.

 Later on, when you have expelled a few of them, they are going to cop
 wise and start using the SAME mac address of your server, either with
 the same IP number or a different IP number.  At that point, you're
 going to need to use the filters provided in good switches so that the
 switches will only allow the MAC addresses of your servers to come in
 to the physical port that is plugged into those servers.  (or the
 physical port that is plugged into the uplink port)

Looks like I'm going to be caught between a rock and a hard place for a
while til I can swing the budget in my favour.  Maybe I can blame
someone else for it and get some cash shuffled back to IT where it
belongs

 If the logon server is being interfered with by the kiddies, then
 nobody can logon and get the settings.

Good point.

 And, until you get the decent switches online, as soon as the kiddies
 realize
 you are on to them, they are going to start coming all over themselves
 with excitement to play the Let's see if I'm smarter than the admin
 game.

I'll just have to be smarter than them, or faster.  That's why I'm
asking for help here.  At least I'm finally moving away from the NT
servers that were here, and replacing them with FreeBSD.  Only 2 more to
go and I'm MS Free, at least as far as the servers are concerned, which
should make my job a bit easier.

 It's like the original Star Wars movie.  They had to break the tractor
 beam at its source, not at the central computer where someone could
 just lock it back on.

Very good point.

 You can maybe distribute the initial batch file with the static arp in
 it one time - that of course will let the kiddies know that
 something's up. They won't give you a second chance so you better have
 a whole collection of arp entries in that batch file.

True, however it's only 1% or less of the kids I have to watch out for,
the rest haven't got enough clue to be a real problem.

 Eventually you're going to be forced into getting more intelligent
 switches. What you're going to have to do is put 1 of them at each
 uplink point - such as at the entry point of each building, if that is
 how you're laid out - and then put MAC filters into them.

None of this 

Re: IP address conflicts

2004-09-27 Thread russell
On 28/09/2004, at 1:25 PM, Ted Mittelstaedt wrote:
or use a tool like arpwatch that is specifically designed to let you
know when MAC/IP relationships change on your network.
You don't even need to do that - any router on the network is going to
log the MAC address because they will see the arp change, as will the
other servers.
yeah, of course they'll see the change. but what will they do about it? 
update their internal ARP table and that's about it, unless they're 
smart enough (and correctly configured) to do more. arpwatch is simple 
to install and will notify you straight away when things happen that 
might need your attention.

you log the MAC addresses of all the fixed workstations in the school,
then when one of them starts doing the wrong thing you know *exactly*
where to go to nab the culprit.
How, exactly?  Do you think that he has a list of all MAC addresses on
the network and who is using them?
the educational institutions I've worked in tend to be pretty anal 
about having a database of what computers they own and where they're 
located - something to do with stopping people from walking off with 
their assets. if your vendor is good they'll provide the machine MAC 
address along with the serial number and amount of installed RAM. if 
not then there's some walking to do. spend half a day and document the 
fixed machines on the network.

Getting the MAC address is not the problem.  Finding it on what is
essentially a completely flat network is.  You need managed switches for
this so you can see what port the offending MAC address is on.
now you're assuming that there's documentation as to what ports come 
out at what wall points, and that there's not still a lab full of 
dead-ass old machines sitting on 10Base2.

If it's not one of the fixed
workstations then you've got a bit more work to find the kiddie, but
it's nothing insurmountable.
Unless of course the kiddies are using made up MAC addresses like
BADBEEF, DEADBEEF, CO1DCOED, and such.
I'm assuming here, having worked in uni computer labs and seen this 
sort of crud being done, that what's happening is someone is changing 
the network settings on a PC... I don't recall seeing a text field next 
to the enter your IP address box that says enter your MAC 
address...

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]