Unauthorized IP usage - Routers


  1. Unauthorized IP usage

    Hi all,
    we have a rather serious problem in our network (about >1000 PCs), each one
    having one static IP. I am not administering this network myself, and have
    no control over the routers/switches. Unfortunately, there are many
    'malicious' users who use arbitrary IPs for their machines (even IPs
    belonging to other users). So far, we have been dealing with this by
    disabling the respective switch ports, but I think this is not the best
    solution possible.

    For example, I am a malicious user. I plug in my laptop, and then start
    putting static IPs on it, until I find one that actually works....

    Can someone suggest a workaround? I considered DHCP and MAC ACLs but I am
    not sure how they could help in our case. For example, the use of an ACL
    could prohibit a 'new' laptop to connect, but would not prevent a laptop
    which is allowed to connect to use any static IP possible. Not to mention
    that MAC can be easily forged by software means.

    Any help would be greatly appreciated.



  2. Re: Unauthorized IP usage



    > Can someone suggest a workaround? I considered DHCP and MAC ACLs but I am
    > not sure how they could help in our case. For example, the use of an ACL
    > could prohibit a 'new' laptop to connect, but would not prevent a laptop
    > which is allowed to connect to use any static IP possible. Not to mention
    > that MAC can be easily forged by software means.




    You are right. The problem of forging MAC addresses is difficult to deal
    with ... how about assigning fixed IPs to MAC addresses through dhcpd
    with DDNS support on hosts? The reverse lookup should also be added to
    BIND's named zone file or the hosts file.

    # dhcpd.conf
    # the post had "ad-doc"; "ad-hoc" is the dhcpd keyword (deprecated in
    # later versions, which use "interim")
    ddns-update-style ad-hoc;

    host your_pc {
        hardware ethernet 00:0f:77:hh:kk:99;   # hh:kk are placeholders from the post
        fixed-address 10.0.0.4;
    }

    Then assign the IP addresses in the Access Control Lists in iptables;
    all the rest (new connections) will be denied. Even if someone tries to
    forge the MAC address, (s)he has to manipulate a whole range.

    Looking forward to new solutions from others.



    --
    Raqueeb Hassan
    Bangladesh


  3. Re: Unauthorized IP usage

    grpprod wrote:
    > Hi all,
    > we have a rather serious problem in our network (about >1000 PCs), each one
    > having one static IP. I am not administering this network myself, and have
    > no control over the routers/switches. Unfortunately, there are many
    > 'malicious' users who use arbitrary IPs for their machines (even IPs
    > belonging to other users). So far, we have been dealing with this by
    > disabling the respective switch ports, but I think this is not the best
    > solution possible.
    >
    > For example, I am a malicious user. I plug-in my laptop, and then start
    > putting static IPs on it, until I find one that actually works....
    >
    > Can someone suggest a workaround? I considered DHCP and MAC ACLs but I am
    > not sure how they could help in our case. For example, the use of an ACL
    > could prohibit a 'new' laptop to connect, but would not prevent a laptop
    > which is allowed to connect to use any static IP possible. Not to mention
    > that MAC can be easily forged by software means.
    >
    > Any help would be greatly appreciated.
    >


    Your network administrator has to take action!

    robert

  4. Re: Unauthorized IP usage

    > You are right. The problem of forging MAC address is difficult to deal
    > with ... how about assigning fixed IPs to mac addresses through dhcpd
    > with DDNS support on hosts? The reverse lookup should also be assigned
    > to BIND's named zone file or hosts file.
    >
    > # dhcpd.conf
    >
    > ddns-update-style ad-hoc;
    >
    > host your_pc {
    > hardware ethernet 00:0f:77:hh:kk:99;
    > fixed-address 10.0.0.4;
    > }
    >
    > Then assigning the IP addresses in the Access Control Lists in
    > iptables, rest all (new connections) will be denied. Even if someone
    > tries to forge the MAC address, (s)he has to manipulate a whole lot
    > range.


    Thanks for the reply. The thing is, our main problem is static IPs. I
    haven't deployed a DHCP server before, and I am not sure how it behaves. For
    example, what if someone uses a static IP which is assigned dynamically to
    another machine on the SAME subnet? Would the conflict still occur?



  5. Re: Unauthorized IP usage

    On Tue, 11 Jul 2006 16:09:17 +0300, grpprod wrote:

    >> You are right. The problem of forging MAC address is difficult to deal
    >> with ... how about assigning fixed IPs to mac addresses through dhcpd
    >> with DDNS support on hosts? The reverse lookup should also be assigned
    >> to BIND's named zone file or hosts file.
    >>
    >> # dhcpd.conf
    >>
    >> ddns-update-style ad-hoc;
    >>
    >> host your_pc {
    >> hardware ethernet 00:0f:77:hh:kk:99;
    >> fixed-address 10.0.0.4;
    >> }
    >>
    >> Then assigning the IP addresses in the Access Control Lists in
    >> iptables, rest all (new connections) will be denied. Even if someone
    >> tries to forge the MAC address, (s)he has to manipulate a whole lot
    >> range.

    >
    > Thanks for the reply. The thing is, our main problem is static IPs. I
    > haven't deployed a DHCP server before, and I am not sure how it behaves. For
    > example, what if someone uses a static IP which is assigned dynamically to
    > another machine on the SAME subnet? Would the conflict still occur?


    I had a script once that was tied in to samba. (Assuming all your users
    are Win-based.)

    Basically, anyone connecting to the network had to log in to the master
    server, which also worked as the DHCP and DNS server, and firewall/router
    to the DMZ. All IPs were blocked from accessing any services on the
    network.

    All known MAC addresses were given IP addresses from specific pools.

    When an IP was assigned, *and* that user logged in via samba, then the master
    router would add a rule to the iptables that would allow that *user* at
    that IP his/her access rights based on which pool he was in. This way we
    could allow some users access to specific network resources.

    All unknown MACs were assigned to the 'guest' pool, and were given minimal
    rights (in our case, were allowed to browse the net, but no access to
    local resources.)

    Since each pool was its own subnet, you can exploit Windows' inability to
    cross-browse across subnets to prevent unauthorized users from even seeing
    machines on other subnets. The only thing they can see is other
    unauthorized users. (makes it easy for the admin to track them down, too.)

    --Yan

    --
    o__
    ,>/'_ o__
    (_)\(_) ,>/'_ o__
    Yan Seiner, PE (_)\(_) ,>/'_ o__
    Certified Personal Trainer (_)\(_) ,>/'_ o__
    Licensed Professional Engineer (_)\(_) ,>/'_
    Who says engineers have to be pencil necked geeks? (_)\(_)


  6. Re: Unauthorized IP usage

    "grpprod" wrote in message
    news:e8vvtd$c5u$1@volcano1.grnet.gr

    > we have a rather serious problem in our network (about >1000 PCs),
    > each one having one static IP.

    ....
    > Unfortunately,
    > there are many 'malicious' users who use arbitrary IPs for their
    > machines (even IPs belonging to other users).

    ....
    > For example, I am a malicious user. I plug-in my laptop, and then
    > start putting static IPs on it, until I find one that actually
    > works....
    >
    > Can someone suggest a workaround?


    Ask your employer to fire you.

  7. Re: Unauthorized IP usage

    On Tue, 11 Jul 2006 13:52:29 +0300, grpprod wrote:

    > Hi all,
    > we have a rather serious problem in our network (about >1000 PCs), each one
    > having one static IP. I am not administering this network myself, and have
    > no control over the routers/switches. Unfortunately, there are many
    > 'malicious' users who use arbitrary IPs for their machines (even IPs
    > belonging to other users). So far, we have been dealing with this by
    > disabling the respective switch ports, but I think this is not the best
    > solution possible.
    >
    > For example, I am a malicious user. I plug-in my laptop, and then start
    > putting static IPs on it, until I find one that actually works....
    >
    > Can someone suggest a workaround? I considered DHCP and MAC ACLs but I am
    > not sure how they could help in our case. For example, the use of an ACL
    > could prohibit a 'new' laptop to connect, but would not prevent a laptop
    > which is allowed to connect to use any static IP possible. Not to mention
    > that MAC can be easily forged by software means.
    >
    > Any help would be greatly appreciated.


    Whoever administers your network needs to consult with management to
    develop a network architecture and IT policy. Maybe whoever
    administers/manages this network needs some basic refresher training. You
    don't need a "workaround", you need a better understanding and
    implementation of your IT environment.

    I can't believe a network with >1000 nodes is being managed so poorly that
    users are looking for "workarounds". Is your question a serious one? If it
    is, maybe you should hire an IT consultant to fix your mess.

  8. Re: Unauthorized IP usage

    "grpprod" said:
    >we have a rather serious problem in our network (about >1000 PCs), each one
    >having one static IP. I am not administering this network myself, and have
    >no control over the routers/switches. Unfortunately, there are many
    >'malicious' users who use arbitrary IPs for their machines (even IPs
    >belonging to other users). So far, we have been dealing with this by
    >disabling the respective switch ports, but I think this is not the best
    >solution possible.


    Ok, what is the reason these users use other than the assigned IP address
    in the first place? Are there f.ex. connectivity filters that only let
    some select users access the Internet?

    Or is it just that "something doesn't work, and it starts working when I
    take another address"?

    Start with finding answers to the above, and the solution to the problem
    will follow.

    If the case is the former (bypassing access control restrictions, to access
    external or internal services without appropriate authorization), there
    is a severe need for disciplinary action.

    If the case is the latter, then you'll have to start working _with_ those
    you consider malicious, to narrow down what the actual problem is, and
    fix the problem, instead of just annoying your users.

    Of course, it could be a combination of the two: having to "steal" an address
    to access a site the user should be able to access in the first place, but
    having so slow bureaucracy set in place, that it is less effort to
    circumvent security than it is to gain access via the proper process.
    In this case it is the process that needs fixing - and to some extent
    the system security as well. Access control by policy (and weak
    technical access control) is seldom sufficient, and can easily cause chaos
    as people start circumventing the fake security.
    --
    Wolf a.k.a. Juha Laiho Espoo, Finland
    (GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
    PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
    "...cancel my subscription to the resurrection!" (Jim Morrison)

  9. Re: Unauthorized IP usage

    > Thanks for the reply. The thing is, our main problem is static IPs. I
    > haven't deployed a DHCP server before, and I am not sure how it behaves. For
    > example, what if someone uses a static IP which is assigned dynamically to
    > another machine on the SAME subnet? Would the conflict still occur?




    Well, this dhcpd (IP bound to MAC) will behave like your static IP
    environment. It will assign IP addresses to your machines by looking up
    the corresponding MAC addresses in dhcpd.conf. So there won't be any
    IP conflict.

    Just have a look at this sample dhcpd.conf, and populate the whole range.

    # Sample dhcpd.conf. The MAC addresses in the original post had five
    # groups (e.g. 00:B00:24:17:43), which dhcpd would reject; they are
    # written here as six octets (00:B0:00:...) on the assumption that a
    # colon was dropped. Replace them with the real values.
    subnet 192.168.0.0 netmask 255.255.0.0 {
        # Dynamic pool. Addresses given as fixed-address below should not
        # lie inside this range, or dhcpd may also lease them dynamically.
        range 192.168.1.1 192.168.100.100;
    }
    # D0-18 == enterprise == me
    group {
        filename "pxelinux.0";
        option domain-name-servers 145.18.40.50;
        option routers 192.168.0.1;

        # Master
        host enterprise { # D0-18
            hardware ethernet 00:B0:00:24:17:43;
            option host-name "enterprise";
            # NOTE: as posted, enterprise and kirk both get 192.168.1.1;
            # every host needs its own fixed-address.
            fixed-address 192.168.1.1;
        }
        # TOS
        host kirk { # D0-19
            hardware ethernet 00:B0:00:24:17:63;
            option host-name "kirk";
            fixed-address 192.168.1.1;
        }
        host spock { # D0-5
            hardware ethernet 00:B0:00:24:16:82;
            option host-name "spock";
            fixed-address 192.168.1.2;
        }
        host scotty { # D0-9
            hardware ethernet 00:B0:00:24:16:79;
            option host-name "scotty";
            fixed-address 192.168.1.3;
        }

        # Voyager
        host janeway { # D0-8
            hardware ethernet 00:B0:00:24:16:88;
            option host-name "janeway";
            fixed-address 192.168.2.1;
        }
        host paris { # D0-4
            hardware ethernet 00:B0:00:24:16:81;
            option host-name "paris";
            fixed-address 192.168.2.2;
        }
        host tuvok { # D0-10
            hardware ethernet 00:B0:00:24:16:86;
            option host-name "tuvok";
            fixed-address 192.168.2.3;
        }

        # The next generation
        host picard { # D0-29
            hardware ethernet 00:B0:00:24:17:69;
            option host-name "picard";
            fixed-address 192.168.3.1;
        }
        host worf { # D0-12
            hardware ethernet 00:B0:00:24:16:68;
            option host-name "worf";
            fixed-address 192.168.3.2;
        }
        host data { # D0-11
            hardware ethernet 00:B0:00:24:16:75;
            option host-name "data";
            fixed-address 192.168.3.3;
        }

        # DS 9
        host sisko { # D0-30
            hardware ethernet 00:B0:00:24:17:65;
            option host-name "sisko";
            fixed-address 192.168.4.1;
        }
        host odo { # D0-15
            hardware ethernet 00:B0:00:24:17:3C;
            option host-name "odo";
            fixed-address 192.168.4.2;
        }
        host quark { # D0-13
            hardware ethernet 00:B0:00:24:16:64;
            option host-name "quark";
            fixed-address 192.168.4.3;
        }
    }



    --
    Raqueeb Hassan
    Bangladesh
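The reservation approach in posts 2 and 9 only works if every host block is well formed and no two hosts collide, and hand-editing a thousand blocks invites exactly the slips visible in the posted sample (five-group MAC addresses, two hosts on 192.168.1.1, fixed addresses inside the dynamic range). Below is an added example, not code from the thread, that generates the host blocks from an inventory and refuses malformed or conflicting entries instead of writing them. The inventory, the subnet and the dynamic range are constructed values for illustration; `deny unknown-clients` is included because the whole point of the thread is that a MAC without a reservation should get no lease.

```python
"""Generate dhcpd.conf host reservations from an inventory, validating each
entry before it is written. Added example, not code from the thread; the
inventory, subnet and dynamic range below are constructed values."""
import ipaddress
import re

_MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def normalize_mac(raw):
    """Accept 00-B0-D0-24-17-43, 00b0d0241743 or 00:B0:D0:24:17:43 and return
    the lowercase colon form. Anything that is not six 8-bit octets (e.g. the
    five-group '00:B00:24:17:43' from the posted sample) raises ValueError."""
    s = raw.strip().lower().replace("-", ":")
    if ":" not in s:
        if len(s) != 12 or not all(c in "0123456789abcdef" for c in s):
            raise ValueError(f"bad MAC {raw!r}")
        s = ":".join(s[i:i + 2] for i in range(0, 12, 2))
    if not _MAC_RE.match(s):
        raise ValueError(f"bad MAC {raw!r}")
    return s


def build_reservations(inventory, subnet, dynamic_range):
    """inventory: iterable of (hostname, mac, ip). Returns (config_text, errors).
    Entries with a malformed MAC, an address outside the subnet, an address
    inside the dynamic range, or a duplicate MAC/IP are reported and skipped,
    so the emitted file never contains an ambiguous reservation."""
    net = ipaddress.ip_network(subnet)
    lo, hi = (ipaddress.ip_address(a) for a in dynamic_range)
    seen_mac, seen_ip, errors, blocks = {}, {}, [], []
    for host, raw_mac, raw_ip in inventory:
        try:
            mac = normalize_mac(raw_mac)
            ip = ipaddress.ip_address(raw_ip)
        except ValueError as e:
            errors.append(f"{host}: {e}")
            continue
        if ip not in net:
            errors.append(f"{host}: {ip} not in {net}")
            continue
        if lo <= ip <= hi:
            errors.append(f"{host}: {ip} lies inside the dynamic range {lo}-{hi}")
            continue
        if mac in seen_mac:
            errors.append(f"{host}: MAC {mac} already reserved for {seen_mac[mac]}")
            continue
        if ip in seen_ip:
            errors.append(f"{host}: IP {ip} already reserved for {seen_ip[ip]}")
            continue
        seen_mac[mac], seen_ip[ip] = host, host
        blocks.append(
            f"host {host} {{\n"
            f"    hardware ethernet {mac};\n"
            f"    option host-name \"{host}\";\n"
            f"    fixed-address {ip};\n"
            f"}}"
        )
    header = (
        f"subnet {net.network_address} netmask {net.netmask} {{\n"
        f"    range {lo} {hi};\n"
        f"    deny unknown-clients;   # no lease for a MAC without a host block\n"
        f"}}\n"
    )
    return header + "\n".join(blocks) + ("\n" if blocks else ""), errors


# Constructed inventory; names and MACs echo the posted sample, the bad rows
# reproduce the kinds of mistakes a hand-written file accumulates.
INVENTORY = [
    ("kirk",    "00:B0:D0:24:17:63", "192.168.1.1"),
    ("spock",   "00-b0-d0-24-16-82", "192.168.1.2"),
    ("scotty",  "00:B00:24:16:79",   "192.168.1.3"),   # five-group MAC
    ("janeway", "00:B0:D0:24:16:88", "192.168.1.2"),   # duplicate IP
    ("paris",   "00:B0:D0:24:16:81", "192.168.50.5"),  # inside dynamic range
    ("tuvok",   "00:B0:D0:24:16:86", "10.0.0.5"),      # wrong subnet
]
SUBNET = "192.168.0.0/16"                              # assumed
DYNAMIC_RANGE = ("192.168.50.1", "192.168.50.254")     # assumed


def main():
    text, errs = build_reservations(INVENTORY, SUBNET, DYNAMIC_RANGE)
    print(text)
    for e in errs:
        print("skipped:", e)


if __name__ == "__main__":
    main()
```

Run it and only kirk and spock are written; the other four rows are listed as skipped with the reason, which is what you want from a generator feeding a server that will otherwise silently accept a duplicate fixed-address.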


  10. Re: Unauthorized IP usage

    On Tue, 11 Jul 2006, in the Usenet newsgroup comp.os.linux.networking, in
    article , grpprod wrote:

    >we have a rather serious problem in our network (about >1000 PCs), each one
    >having one static IP. I am not administering this network myself, and have
    >no control over the routers/switches.


    Who are you that you feel that it is your job to solve the problem?

    >Unfortunately, there are many 'malicious' users who use arbitrary IPs for
    >their machines (even IPs belonging to other users). So far, we have been
    >dealing with this by disabling the respective switch ports, but I think
    >this is not the best solution possible.


    This is a difficult problem to solve. The solution starts with published
    official policy that each user must acknowledge, that such conduct is not
    acceptable, and is punished by removing the user.

    You can also make life more difficult by disabling unused ports and network
    drops. If your switches allow, you can configure them so that only one MAC
    address is acceptable to each specific port. You should know EXACTLY where
    each port on a switch connects to which network drop. You can monitor the
    switches looking for 'rogue' MAC addresses. You can also monitor the ARP
    cache on specific systems (DNS servers, routers, etc.) comparing the MAC
    and IP addresses against a database. This can actually be done with some
    simple scripts, or you can use an application like 'arpwatch' or 'arpsnmp'.

    >Can someone suggest a workaround? I considered DHCP and MAC ACLs but I am
    >not sure how they could help in our case. For example, the use of an ACL
    >could prohibit a 'new' laptop to connect, but would not prevent a laptop
    >which is allowed to connect to use any static IP possible. Not to mention
    >that MAC can be easily forged by software means.


    You are looking to cure the symptoms of the problem, not the problem itself.
    Get the official policy in place, and make sure everyone is aware of it.
    Then start enforcing the policy. You're posting from a smaller university.
    Is it possible to expel the malicious student? Or fine them?

    Where I work (an R&D facility), we put the "no visiting computers" policy
    in place more than twelve years ago. Each employee is aware of this policy,
    and has signed a copy of the policy accepting this. There are large signs
    at all building entrances warning that visiting computers are prohibited
    and subject to confiscation (usually that means that we wipe the disks
    and will return the computer to the owner when they _permanently_ leave,
    provided they are not arrested for other problems). The first visiting
    system we detected turned out to be used by the corporate president who
    was visiting, a week after he personally had approved the policy putting
    it into effect at our facility (the policy is now corporate wide). The
    second (or third - can't remember) visiting system we caught belonged to
    a government auditor who was visiting to lecture us on security (which
    caused much laughter). The current configuration of the monitoring program
    sends alarm messages to network operations AND security on detecting a
    rogue, and we normally have at least one unhappy network administrator and
    two guards at the network drop within two minutes of the rogue system
    being turned on. This happens very rarely now.

    Old guy
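The ARP-cache comparison the post describes, as an added example (not the post's own script and not an arpwatch configuration): it parses `ip -4 neigh show` output collected from routers or servers and checks every resolved entry against a MAC-to-IP database such as the one behind the dhcpd reservations earlier in the thread. The neighbour lines and the database are constructed, with MACs echoing the posted sample. It reports an unknown MAC (a new laptop), a known MAC using an address reserved for somebody else (the address theft the original question is about), a known MAC on an unreserved address, and one IP answered by two MACs, which is what a static squatter sitting next to a DHCP client looks like from the router's table.

```python
"""Audit ARP / neighbour table entries against a MAC<->IP assignment database.
Added example, not the script the post mentions; the neighbour lines and the
database are constructed for illustration."""
import re
import sys

# `ip -4 neigh show` prints:  <ip> dev <ifname> lladdr <mac> <state>
# Unresolved entries (FAILED/INCOMPLETE) carry no lladdr and are skipped.
_NEIGH_RE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+dev\s+(?P<dev>\S+)\s+lladdr\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<state>\S+)", re.I)


def parse_neigh(lines):
    """Yield (ip, mac) for each resolved neighbour line."""
    for line in lines:
        m = _NEIGH_RE.match(line.strip())
        if m:
            yield m["ip"], m["mac"].lower()


def audit(entries, assignments):
    """entries: iterable of observed (ip, mac), possibly merged from several
    hosts' tables. assignments: {mac: ip} of what each MAC is allowed to use.
    Returns a sorted list of (kind, message) findings."""
    ip_owner = {ip: mac for mac, ip in assignments.items()}
    seen_by_ip = {}
    findings = []
    for ip, mac in entries:
        seen_by_ip.setdefault(ip, set()).add(mac)
        if mac not in assignments:
            findings.append(("rogue-mac", f"{mac} is not in the database, seen at {ip}"))
        elif assignments[mac] != ip:
            owner = ip_owner.get(ip)
            if owner:
                findings.append(("ip-theft",
                                 f"{mac} (assigned {assignments[mac]}) is using {ip}, "
                                 f"which belongs to {owner}"))
            else:
                findings.append(("wrong-ip",
                                 f"{mac} (assigned {assignments[mac]}) is using "
                                 f"unassigned {ip}"))
    # Two MACs answering for one IP: a static squatter beside the rightful host.
    for ip, macs in seen_by_ip.items():
        if len(macs) > 1:
            findings.append(("conflict",
                             f"{ip} answered from {len(macs)} MACs: {', '.join(sorted(macs))}"))
    return sorted(findings)


# Constructed sample of `ip -4 neigh show` output, as if merged from a router.
SAMPLE = """\
192.168.1.2 dev eth0 lladdr 00:b0:d0:24:16:82 REACHABLE
192.168.1.3 dev eth0 lladdr 00:b0:d0:24:16:79 STALE
192.168.1.3 dev eth0 lladdr 00:0f:77:aa:bb:99 REACHABLE
192.168.2.1 dev eth0 lladdr 00:b0:d0:24:16:88 REACHABLE
192.168.2.2 dev eth0 lladdr 00:b0:d0:24:16:88 REACHABLE
192.168.2.9 dev eth0 lladdr 00:b0:d0:24:16:81 REACHABLE
192.168.3.1 dev eth0 FAILED
""".splitlines()

# Constructed MAC -> IP assignments (what the dhcpd host blocks would say).
DB = {
    "00:b0:d0:24:16:82": "192.168.1.2",   # spock
    "00:b0:d0:24:16:79": "192.168.1.3",   # scotty
    "00:b0:d0:24:16:88": "192.168.2.1",   # janeway
    "00:b0:d0:24:16:81": "192.168.2.2",   # paris
}


def main():
    # `python3 arp_audit.py -` reads a live table from stdin, e.g.
    #   ip -4 neigh show | python3 arp_audit.py -
    lines = sys.stdin if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE
    for kind, msg in audit(parse_neigh(lines), DB):
        print(f"{kind:10s} {msg}")


if __name__ == "__main__":
    main()
```

A single snapshot from one host normally holds one MAC per IP, so the "conflict" finding only appears when you merge tables from several vantage points or over time, which is why the post suggests watching the DNS servers and routers rather than one workstation. A finding is evidence for the policy action the post describes; the script does not block anything itself.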
