How does one catch IP address thieves within our network?

[pittutuk]

Within our company network, our office is assigned a particular router with a cluster of IP addresses. Because of some privileges allowed for our group, users who belong to the less-privileged groups within the network are frequently stealing our IP addresses.
If the thief's Mac computer has its File Sharing on, I am able to determine who the user is by trying to use the stolen IP address because I get a message saying something like "This IP address is being used by" so and so. However, the thieves have become more clever by having the File Sharing off. Even our IT administrator is unable to trace them and his only recourse is to block the IP address until the thief leaves it.
Any thoughts on how to best trace these thieves even if the File Sharing is off is most appreciated. Thank you.

 

[needfx]

interesting case

subscribed

 

[ghellquist]

Interesting case.

First, in my company, if you break this kind of rules it is a valid cause for getting you fired from the company. It has happened (not exactly this case, but something similar).

Secondly, what do you mean by stealing IP adresses? How does the actual stealing happen? Someone has to do something I guess.

Thirdly, there are specific tools you can use to listen on network traffic. If it is normal Ethernet these can listen to all the traffic and filter out interesting things, as example certain IP-adresses and find the corresponding MAC adress (Mac her means the hardware adress on the Ethernet, not to be confused with Apple stuff).

Fourth, you could probably set up rules in the router regarding MAC adresses, only allowing some specific computers to use the router.

Some pointers, sorry for no details.

// Gunnar

 

[switon]

RE: your router, spoofed IPs, and strong authentication...

Hi,

Now you say that your office has been assigned its own router. You do not specify which privileges are being stolen. Are these privileges ones that reside behind your router for use by your office, such as a RAID disk or something? Or are these stolen "privileges" accessible outside of your office's network on your company's general networks?

First of all, assuming that the "privileges" are on your office's network. Your office's router should be able to distinguish between the WAN (external side) and LAN (internal side), with all of your office computers (the official ones) and only those computers should be on the LAN while all of the "stealers" should be on the WAN. Your router should then be able to reject any spoofed IP address for a packet originating on the WAN side while allowing packets from your office computers to pass through to the WAN side. (Note that if there are other computers that are unprivileged but still officially on the LAN side of your router, then you need to setup a VLAN (Virtual LAN) containing only the privileged and official computers.) If your router does not have these particular filtering capabilities (and some don't), then I would setup a server computer and route all traffic through this server from your router. This server then becomes the gateway and it then distinguishes between external spoofed IPs and official internal real IPs, and its firewall rejects the spoofed IP packets while accepting the real ones. This server also does DHCP assignments to your official computers on its LAN side (internal), based upon MAC addresses. It does not do DHCP assignments for machines on its WAN side. You server could also do DNS for your LAN (official) computers and OD/AD (Open Directory/Active Directory authentication) for users on the official computers. You might even consider doing RADIUS for your LAN computers so that all users for your LAN must authenticate as a known official user. Your logs will then contain records of all users of your LAN. Your server can then require that all official accounts have a strong password policy, thus requiring all official users to have strong passwords.

Secondly, if the "privileges" being stolen exist outside of your LAN, then the best solution, in my mind, is to require OD/AD and RADIUS authentication for all users of your company's networks, both the privileged users and the less-privileged users. RADIUS is then able to restrict access on a person-by-person (authenticated accounts) basis to certain specified network resources. Not only that, but RADIUS is also able to provide some rudimentary logging and statistics for users of those restricted resources, so at the end of the day you will be able to see just which authenticated users were using which resources (e.g., user so-and-so printed out 10,000 pages on our color laser printer today, so that's why our magenta toner is empty). The OD/AD also establishes a password policy for all accounts requiring strong passwords, thus no user will be able to claim that his/her password was stolen. [RADIUS provides AAA (Authentication, Authorization, and Accouting) for your office's LAN as well as for your company's networks.]

Lastly, use wireshark (if on Mac OS X, then you can obtain wireshark from either MacPorts or fink) to sniff and then filter for all packets that are spoofing either their IP addresses or even their MAC addresses. Because it is possible to also spoof MAC addresses, the solutions not requiring a stronger form of authentication, such as DHCP assignment of IPs based upon MAC addresses, will not solve your IP thief problem. In other words, simply using DHCP with reservations for specific MAC addresses is not a solution to your problem since MAC addresses can also be spoofed. Wireshark can be used to find these spoofed IP addresses and spoofed MAC addresses.

...just my two cents worth of free advice, and you get what you pay for...

Good luck,
Switon

P.S. This is a serious issue, and, in my opinion, your company has to decide what to do when you find the "spoofers". A policy needs to be in place and then publicly broadcast to all employees. If the consequences are strict enough, and in my opinion they need to be draconian, and your company publicly explains just what is going to be done to enforce said policy (such as strong authentication with OD, RADIUS, and packet sniffing via wireshark to find all spoofed IPs and MACs), I suspect that this alone will severely limit if not completely eliminate your spoofing problems.

 

[nissan.gtp]

MAC address filtering

 

[switon]

RE: about those MAC addresses...

Hi all,

I do not believe that MAC address filtering or DHCP assignments with reservations based upon MAC addresses is a solution to the OP's IP address spoofing problems. The reason is because the MAC addresses can be spoofed just as easily as the IP addresses can be spoofed. I think that stronger authentication is the primary viable solution to this type of problem, and OD/AD in conjunction with RADIUS is designed to help eliminate this type of trouble.

Just my opinion, of course,
Switon

P.S. My earlier post explains this is greater detail...

----------

Hi,

As a start, you might do "arp -a" (Terminal command) to see just which IPs are assigned to which MAC addresses. This would help determine if the OP's troubles are restricted to just IP spoofing, or whether MAC spoofing is also occurring.

Switon

 

[switon]

RE: strong authentication and further capabilities...

Hi pittutuk,

I have already suggested that strong authentication (OD/AD and RADIUS) is a viable solution to your IP spoofing troubles. And I have stated that I believe that simple DHCP with Reservations for MAC addresses is not a viable solution since MAC addresses can also be easily spoofed.

Along with strong authentication, authorization, and accounting (as provided by RADIUS), you can also provide additional security for the privileged resources that are being stolen. For instance, say the resource is a RAID disk system, then beyond RADIUS restrictions for this RAID you could also do encryption of the disk's file system which then keeps even those hackers that manage to access your privileged RAID disk to then have to surmount the encryption by breaking your encryption scheme. In fact, most types of network resources can further be protected and their security enhanced by using additional encryption.

And lastly, if this is a dire problem with sensitive, say industrial secrets, information being compromised by your IP spoofers, then the ultimate solution is to disconnect your office's LAN from the rest of your company's networks. You must physically secure your office's LAN so that nobody can physically attach a device to your disconnected LAN. And you must diligently examine all devices on your secure LAN, say by sniffing all packets on the secure LAN to make certain that only those devices that should have access to your secure LAN indeed do have access with no unauthorized devices gaining access. This is where a packet sniffer, such as wireshark, comes in handy.

So, in summary, the ultimate solution is to physically disconnect your office's privileged LAN from your company's less-privileged networks. Only strongly authenticated and authorized devices are on this disconnected secure LAN. Your office then might employ other computers that belong to the less-privileged networks of your company to gain access to the rest of the company's networks. You thus end up with a disconnected, physically secured, strongly authenticated LAN for privileged access and a less-privileged network with other computers for access to your company's general networks. The real difficulty with this type of security scheme is that the secure LAN must be physically secured (disconnected and behind locked doors) and monitored 365.25/24/7 for any unauthorized access.

Just further thoughts on security issues,
Switon

P.S. Government research labs sometimes use this type of disconnected secure LANs for sensitive, national security, types of information. In the past (several decades ago) it has been storied that one had to pass through dual barbed wire fencing with dogs between the fences to gain access to national security type of stuff.

 

[switon]

RE: packet sniffing, wireshark and nmap, nessus, tripwire...

Hi pittutuk,

Concerning packet sniffing, I have suggested the use of wireshark. One probably recommends what one is most familiar with, and I have been using wireshark since before it was wireshark (when it was called ethereal), to do my packet sniffing. (Occasionally, I also use tcpdump and EtherApe.) Thus I have developed over the years my own filters for both capturing packets as well as filters for displaying packets that are useful to me for my packet sniffing security chores. Wireshark requires a certain energy barrier to be surmounted before it becomes useful to you, i.e., you have to learn how to use it and the learning curve is fairly steep. I also suggest getting familiar with nmap (also available through MacPorts and fink) in order to generate your own spoofed packets to test your wireshark sniffer.

Now there are other packet sniffers available to you, and I'm sure other forum posters will recommend other sniffers. (As I stated above, I suggested wireshark only because that is the one I'm most familiar with.) In fact, since it appears that you are using Mac OS X, then the Mac OS X comes with its own GUI interface to a rudimentary packet sniffer. It is under the Wi-Fi Diagnostics app (accessed via holding down the option/alt key while clicking on the wireless icon in the menu and selecting "Open Wi-Fi Diagnostics..."), the "Capture Network Traffic" pane. I don't personally use this Mac OS X packet sniffer so I am not familiar with its capabilities, but it might be a starting point for you so that you can do some preliminary packet sniffing.

Penultimately, in the past (in a previous life while woking on Redhat Enterprise OSes and SuSe -- flavors of linux) I have used nessus (again available through MacPorts or fink) to check the security of a router/LAN/computer by attempting my own break-ins of secured networks...once again, there are other products available for just such tasks, but I tend to gravitate to the open source versions.

And finally, if you are worried about hackers adding to or modifying programs or files on your secure machines, then there are Early Incident Detection programs (tripwire is one that comes to mind, again because I have used it myself - it is available through MacPorts or fink on Mac OS X) that will generate checksum hash codes (such as MD5, SHA1, SHA256, etc.) for every application/file on your computer. If any of these applications/files/directories are modified, then tripwire will let you know that your machine has been breached and which applications/files/directories have been modified. An Early Incident Detection application is capable of detecting root kits that attempt to replace your OS's kernel with a hacked kernel or which add extensions to your OS that provide backdoors to hackers.

Regards,
Switon

P.S. Of course, computing a checksum for each file/program on your computer, a la tripwire, only works well for files/programs that do not change often, such as the OS kernel, kernel extensions, configuration files, utilities, and static databases. For transactional databases that change continuously, computing checksums are not useful. This type of continuously changing files must be secured by other means, such as sandboxing, which provides some but not perfect security.

 

[assembled]

split the network using two VLANS, set the priv network to require 802.1x and use machine authentication

 

[switon]

RE: EAP, RADIUS, and 802.1X...

Yes, RADIUS and EAP (Extensible Authentication Protocol) are closely allied, with RADIUS often acting as the 802.1X authentication server to verify the RADIUS-packaged EAP protocol credentials of the client.

Regards,
Switon

 

[jared_kipe]

Easy. Ping the ip address, then run netstat -rn to get the routing table.

This will provide you with the hardware MAC address of the computer that you need to go find and punish.

Here is a simple one line command where you just need to change the IP address you're interested in. Note that if the 'Gateway' (2nd) column shows Link#4 or something, then that ip address is not in use.

ping -c 1 192.168.1.1 2>&1>/dev/null && netstat -rn | grep "192.168.1.1 "