"FenderAxe" <(E-Mail Removed)> wrote in message
news:Xns99BDF35EF8EF1faaxecom@198.186.190.163...
> I think you can classify that as a denial of service attack, since it eats
> up your IP addresses and prevents the server from servicing legitimate
> users. I'm not a security expert so others might know more/have differing
> opinions.
I'll call it the "Big Mac Attack", it should be meaningful to those in the
US over 30 years old.
> Use a Class A address range on the DHCP server so there's an "endless"
> supply of IP addresses. You might want to test this before deploying it
> though as it could backfire somehow.
It would be a huge undertaking to make it happen. If to lessen the work
you were to start with the existing IP Scheme and try to expand it then
Private RFC ranges beginning with 192 or 172 can't have the mask bit rolled
back that far without stepping on Public IP# on the Internet. Besides all
that this thing would use them all up no matter how many there were.
> Shorten lease times to five minutes or less. This will increase normal
> traffic to and from the DHCP server (renewals will occur at 2.5 minutes),
> but at least the addresses will be freed up more quickly after the
> attacker leaves.
I don't think I like that one.
> Break the guest network out into two or more networks with different IP
> address ranges. This way fewer users will be impacted if another attack
> occurs and wireless service will be functioning properly over some of the
> guest area, if not all.
That is a very good idea. Guests should never be allowed onto the regular
LAN segment anyway,..it is just common sense. I would make the IP Segment
very small, like maybe a segment of 8 addresses which would service 6 hosts
after the ID and Broadcast Address are discounted. I wouldn't expect more
than 6 guests at a time, but if more were needed maybe a 16 address segment
(14 hosts).
To find the evil laptop on a wireless network:
--------------------------------------------------
1. There is no easy way. You simply have to find all the "guest" Humans one
at a time and examine their laptop.
2. The guest network was on its own small segment as suggested,...power off
the Access Point and follow the screams and howls. Examine their machines.
To find the evil laptop on a "wired" network:
--------------------------------------------------
1. Choose one of the offending MAC addresses that is "recent". You may have
to attempt it with more than one.
2. Most good switches have a way to view their ARP Table which is where the
Switch stored the MAC Address-to-Port relationships. Locate that MAC
Address and take note what Switch port it is associated with.
3. If that Switch port is connected to another switch, then repeat the
process on that other Switch.
4. You may have to repeat that a couple times going from switch to switch
but eventually the Switch port will be connected to a particular wall jack
that is connected to a particular PC.
5. After the proper "user beating", dig into the laptop and find out what is
going on with it,..assuming the "user beating" didn't produce any
confessions.
--
Phillip Windell
www.wandtv.com
The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
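Added example, not part of the original post: the wired-network steps above (look up an offending MAC in a switch's MAC-to-port table, follow the port to the next switch, repeat until the port is a wall jack) written as a small Python tracer. The switch names, ports, MAC addresses, the "MAC PORT" table format and the uplink map are all constructed assumptions; real switch output differs by vendor.

```python
import re

# Constructed sample data: per-switch MAC-to-port tables as "MAC PORT" lines
# (hypothetical switch names, ports and MACs; not real device output).
TABLES = {
    "core": "00:11:22:33:44:55 Gi0/1\nde:ad:be:ef:00:01 Gi0/2\nde:ad:be:ef:00:02 Gi0/2",
    "floor2": "DEAD.BEEF.0001 Fa0/7\ndead.beef.0002 Fa0/7\n0011.2233.4455 Fa0/24",
}
# Ports that lead to another switch instead of a wall jack (assumed known from cabling records).
UPLINKS = {("core", "Gi0/2"): "floor2", ("core", "Gi0/1"): "floor1", ("floor2", "Fa0/24"): "core"}


def norm(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def parse_table(text):
    """Return {normalized MAC: port} from 'MAC PORT' lines."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            table[norm(parts[0])] = parts[1]
    return table


def trace(mac, start, tables=TABLES, uplinks=UPLINKS):
    """Follow a MAC switch to switch; return (hops, reached_edge_port)."""
    target, switch, hops, seen = norm(mac), start, [], set()
    while switch in tables and switch not in seen:
        seen.add(switch)
        port = parse_table(tables[switch]).get(target)
        if port is None:          # entry aged out: retry with a more recent MAC
            return hops, False
        hops.append((switch, port))
        if (switch, port) not in uplinks:
            return hops, True     # not an uplink, so this port feeds a wall jack
        switch = uplinks[(switch, port)]
    return hops, False            # next switch's table not on hand, or a loop


if __name__ == "__main__":
    for mac in ("DE-AD-BE-EF-00-01", "de:ad:be:ef:00:02", "de:ad:be:ef:00:99"):
        print(mac, trace(mac, "core"))
```

When several offending MACs resolve to the same edge port, that port is the one to walk to.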