Unauthorized IP usage

 
 
grpprod
07-11-2006, 10:52 AM
Hi all,
we have a rather serious problem in our network (about >1000 PCs), each one
having one static IP. I am not administering this network myself, and have
no control over the routers/switches. Unfortunately, there are many
'malicious' users who use arbitrary IPs for their machines (even IPs
belonging to other users). So far, we have been dealing with this by
disabling the respective switch ports, but I think this is not the best
solution possible.

For example, I am a malicious user. I plug in my laptop, and then start
putting static IPs on it, until I find one that actually works....

Can someone suggest a workaround? I considered DHCP and MAC ACLs but I am
not sure how they could help in our case. For example, the use of an ACL
could prohibit a 'new' laptop from connecting, but would not prevent a laptop
which is allowed to connect from using any static IP possible. Not to mention
that a MAC can be easily forged by software means.

Any help would be greatly appreciated.


 
Raqueeb Hassan
07-11-2006, 12:48 PM
<snip>

> Can someone suggest a workaround? I considered DHCP and MAC ACLs but I am
> not sure how they could help in our case. For example, the use of an ACL
> could prohibit a 'new' laptop from connecting, but would not prevent a laptop
> which is allowed to connect from using any static IP possible. Not to mention
> that a MAC can be easily forged by software means.


<snip>

You are right. The problem of forging MAC addresses is difficult to deal
with ... how about assigning fixed IPs to MAC addresses through dhcpd
with DDNS support on hosts? The reverse lookup should also be put in
BIND's named zone file or the hosts file.

# dhcpd.conf

# 'ad-hoc' (mistyped as 'ad-doc' above) is the old DDNS style; it is
# deprecated, and current dhcpd releases expect 'interim' (or 'none').
ddns-update-style ad-hoc;

# One reservation per machine: this MAC always receives this address.
host your_pc {
hardware ethernet 00:0f:77:hh:kk:99;   # placeholder: hh and kk stand for real hex octets
fixed-address 10.0.0.4;
}

Then add those IP addresses to the access control lists in
iptables; all the rest (new connections) will be denied. Even if someone
tries to forge a MAC address, (s)he has to manipulate a whole
range.

Looking forward to new solutions from others.



--
Raqueeb Hassan
Bangladesh

 
Robert Harris
07-11-2006, 01:08 PM
grpprod wrote:
> Hi all,
> we have a rather serious problem in our network (about >1000 PCs), each one
> having one static IP. I am not administering this network myself, and have
> no control over the routers/switches. Unfortunately, there are many
> 'malicious' users who use arbitrary IPs for their machines (even IPs
> belonging to other users). So far, we have been dealing with this by
> disabling the respective switch ports, but I think this is not the best
> solution possible.
>
> For example, I am a malicious user. I plug in my laptop, and then start
> putting static IPs on it, until I find one that actually works....
>
> Can someone suggest a workaround? I considered DHCP and MAC ACLs but I am
> not sure how they could help in our case. For example, the use of an ACL
> could prohibit a 'new' laptop from connecting, but would not prevent a laptop
> which is allowed to connect from using any static IP possible. Not to mention
> that a MAC can be easily forged by software means.
>
> Any help would be greatly appreciated.
>


Your network administrator has to take action!

robert
 
grpprod
07-11-2006, 01:09 PM
> You are right. The problem of forging MAC addresses is difficult to deal
> with ... how about assigning fixed IPs to MAC addresses through dhcpd
> with DDNS support on hosts? The reverse lookup should also be put in
> BIND's named zone file or the hosts file.
>
> # dhcpd.conf
>
> ddns-update-style ad-hoc;
>
> host your_pc {
> hardware ethernet 00:0f:77:hh:kk:99;
> fixed-address 10.0.0.4;
> }
>
> Then add those IP addresses to the access control lists in
> iptables; all the rest (new connections) will be denied. Even if someone
> tries to forge a MAC address, (s)he has to manipulate a whole
> range.


Thanks for the reply. The thing is, our main problem is static IPs. I
haven't deployed a DHCP server before, and I am not sure how it behaves. For
example, what if someone uses a static IP which is assigned dynamically to
another machine on the SAME subnet? Would the conflict still occur?


 
Captain Dondo
07-11-2006, 01:51 PM
On Tue, 11 Jul 2006 16:09:17 +0300, grpprod wrote:

>> You are right. The problem of forging MAC addresses is difficult to deal
>> with ... how about assigning fixed IPs to MAC addresses through dhcpd
>> with DDNS support on hosts? The reverse lookup should also be put in
>> BIND's named zone file or the hosts file.
>>
>> # dhcpd.conf
>>
>> ddns-update-style ad-hoc;
>>
>> host your_pc {
>> hardware ethernet 00:0f:77:hh:kk:99;
>> fixed-address 10.0.0.4;
>> }
>>
>> Then add those IP addresses to the access control lists in
>> iptables; all the rest (new connections) will be denied. Even if someone
>> tries to forge a MAC address, (s)he has to manipulate a whole
>> range.

>
> Thanks for the reply. The thing is, our main problem is static IPs. I
> haven't deployed a DHCP server before, and I am not sure how it behaves. For
> example, what if someone uses a static IP which is assigned dynamically to
> another machine on the SAME subnet? Would the conflict still occur?


I had a script once that was tied in to samba. (Assuming all your users
are Win-based.)

Basically, anyone connecting to the network had to log in to the master
server, which also worked as the DHCP and DNS server, and firewall/router
to the DMZ. All IPs were blocked from accessing any services on the
network.

All known MAC addresses were given IP addresses from specific pools.

When an IP was assigned, *and* that user had logged in via samba, then the master
router would add a rule to iptables that would allow that *user* at
that IP his/her access rights based on which pool he was in. This way we
could allow some users access to specific network resources.

All unknown MACs were assigned to the 'guest' pool, and were given minimal
rights (in our case, were allowed to browse the net, but no access to
local resources.)

Since each pool was its own subnet, you can exploit Windows' inability to
cross-browse across subnets to prevent unauthorized users from even seeing
machines on other subnets. The only thing they can see is other
unauthorized users. (makes it easy for the admin to track them down, too.)

--Yan

--
Yan Seiner, PE
Certified Personal Trainer
Licensed Professional Engineer
Who says engineers have to be pencil necked geeks?
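The mechanism Yan describes (a host gets traffic rules only once it holds a DHCP lease in a known pool *and* a user has authenticated through samba from that address), as an added example that is not the script from the post: it parses a constructed dhcpd.leases excerpt, classifies each active lease by pool, and emits iptables rules only for the hosts that pass both gates. The pool layout, the allowed destinations, the login map and the MAC pinning are all assumptions made for the example; the samba hook that would feed the login map is not shown.

```python
"""Gate per-host iptables rules on 'has a DHCP lease' AND 'logged in via samba'.

Added example, not the script from the post above (which was not published).
It reads the active leases out of a dhcpd.leases file, classifies each lease
by the pool its address belongs to, and emits ACCEPT rules only for hosts
that cleared both gates; anything else stays behind a default DROP policy.
Pool layout, destinations and the samba session map are assumptions.
"""
import ipaddress
import re

# Assumed pools: the dhcpd ranges, and what a host in each pool may reach.
# Destinations are iptables match fragments; the LAN is 10.10.0.0/16.
POOLS = {
    "staff": (ipaddress.ip_network("10.10.1.0/24"),
              ["-d 10.10.0.5 -p tcp --dport 445",   # file server
               "! -d 10.10.0.0/16"]),                # the Internet
    "guest": (ipaddress.ip_network("10.10.9.0/24"),
              ["! -d 10.10.0.0/16"]),                # Internet only, no LAN
}
LOGIN_REQUIRED = {"staff"}   # guests get their (minimal) rights without a login

# Constructed dhcpd.leases excerpt (ISC format, trimmed to the fields used).
SAMPLE_LEASES = """
lease 10.10.1.23 {
  starts 2 2006/07/11 10:52:00;
  ends 2 2006/07/11 22:52:00;
  binding state active;
  hardware ethernet 00:b0:00:24:16:82;
}
lease 10.10.9.7 {
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
}
lease 10.10.1.40 {
  binding state free;
  hardware ethernet 00:b0:00:24:16:79;
}
lease 10.10.5.5 {
  binding state active;
  hardware ethernet 00:b0:00:24:17:69;
}
"""
# Constructed map of currently authenticated samba sessions: ip -> user.
SAMPLE_LOGINS = {"10.10.1.23": "kirk"}


def parse_leases(text):
    """Return {ip: mac} for leases in 'binding state active' (last entry for an IP wins)."""
    active = {}
    for ip, body in re.findall(r"lease\s+([\d.]+)\s*\{([^}]*)\}", text, re.S):
        state = re.search(r"binding state\s+(\w+);", body)
        mac = re.search(r"hardware ethernet\s+([0-9a-f:]+);", body, re.I)
        if state and mac and state.group(1) == "active":
            active[ip] = mac.group(1).lower()
        else:
            active.pop(ip, None)   # a later 'free' entry releases the address
    return active


def pool_of(ip):
    """Name of the pool whose range contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, (net, _) in POOLS.items():
        if addr in net:
            return name
    return None


def build_rules(leases_text, logins):
    """Return [(pool, user, iptables command)] for hosts that pass both gates."""
    rules = []
    for ip, mac in sorted(parse_leases(leases_text).items()):
        pool = pool_of(ip)
        if pool is None:
            continue                       # address outside every pool: stays blocked
        if pool in LOGIN_REQUIRED and ip not in logins:
            continue                       # leased, but nobody authenticated from it
        user = logins.get(ip, "guest")
        for dest in POOLS[pool][1]:
            # Pin the rule to the MAC the lease was given to as well as the IP;
            # a forged MAC still defeats this, which is why the login gate exists.
            rules.append((pool, user,
                          f"iptables -A FORWARD -s {ip} -m mac --mac-source {mac} {dest} -j ACCEPT"))
    return rules


if __name__ == "__main__":
    print("iptables -P FORWARD DROP")          # default deny; the rules below are the exceptions
    for pool, user, cmd in build_rules(SAMPLE_LEASES, SAMPLE_LOGINS):
        print(f"{cmd}   # {user} ({pool})")
```

Run against the sample, the staff host that has a login gets its two rules, the guest gets one, the freed lease and the address outside every pool get nothing. In practice the script would be re-run from the samba login hook and the rules flushed and rebuilt, rather than appended.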

 
Patrick
07-11-2006, 03:39 PM
"grpprod" <(E-Mail Removed)> wrote in message
news:e8vvtd$c5u$(E-Mail Removed)

> we have a rather serious problem in our network (about >1000 PCs),
> each one having one static IP.

....
> Unfortunately,
> there are many 'malicious' users who use arbitrary IPs for their
> machines (even IPs belonging to other users).

....
> For example, I am a malicious user. I plug in my laptop, and then
> start putting static IPs on it, until I find one that actually
> works....
>
> Can someone suggest a workaround?


Ask your employer to fire you.
 
FedUp
07-11-2006, 03:48 PM
On Tue, 11 Jul 2006 13:52:29 +0300, grpprod wrote:

> Hi all,
> we have a rather serious problem in our network (about >1000 PCs), each one
> having one static IP. I am not administering this network myself, and have
> no control over the routers/switches. Unfortunately, there are many
> 'malicious' users who use arbitrary IPs for their machines (even IPs
> belonging to other users). So far, we have been dealing with this by
> disabling the respective switch ports, but I think this is not the best
> solution possible.
>
> For example, I am a malicious user. I plug in my laptop, and then start
> putting static IPs on it, until I find one that actually works....
>
> Can someone suggest a workaround? I considered DHCP and MAC ACLs but I am
> not sure how they could help in our case. For example, the use of an ACL
> could prohibit a 'new' laptop from connecting, but would not prevent a laptop
> which is allowed to connect from using any static IP possible. Not to mention
> that a MAC can be easily forged by software means.
>
> Any help would be greatly appreciated.


Whoever administers your network needs to consult with management to
develop a network architecture and IT policy. Maybe whoever
administers/manages this network needs some basic refresher training. You
don't need a "workaround", you need a better understanding and
implementation of your IT environment.

I can't believe a network with >1000 nodes is being managed so poorly that
users are looking for "workarounds". Is your question a serious one? If it
is, maybe you should hire an IT consultant to fix your mess.
 
Juha Laiho
07-11-2006, 04:42 PM
"grpprod" <(E-Mail Removed)> said:
>we have a rather serious problem in our network (about >1000 PCs), each one
>having one static IP. I am not administering this network myself, and have
>no control over the routers/switches. Unfortunately, there are many
>'malicious' users who use arbitrary IPs for their machines (even IPs
>belonging to other users). So far, we have been dealing with this by
>disabling the respective switch ports, but I think this is not the best
>solution possible.


Ok, what is the reason these users use other than the assigned IP address
in the first place? Are there f.ex. connectivity filters that only let
some select users access the Internet?

Or is it just that "something doesn't work, and it starts working when I
take another address"?

Start with finding answers to the above, and the solution to the problem
will follow.

If the case is the former (bypassing access control restrictions, to access
external or internal services without appropriate authorization), there
is a severe need for disciplinary action.

If the case is the latter, then you'll have to start working _with_ those
you consider malicious, to narrow down what the actual problem is, and
fix the problem, instead of just annoying your users.

Of course, it could be a combination of the two: having to "steal" an address
to access a site the user should be able to access in the first place, but
having such a slow bureaucracy in place that it is less effort to
circumvent security than it is to gain access via the proper process.
In this case it is the process that needs fixing - and to some extent
the system security as well. Access control by policy (and weak
technical access control) is seldom sufficient, and can easily cause chaos
as people start circumventing the fake security.
--
Wolf a.k.a. Juha Laiho Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)
 
Raqueeb Hassan
07-11-2006, 06:48 PM
> Thanks for the reply. The thing is, our main problem is static IPs. I
> haven't deployed a DHCP server before, and I am not sure how it behaves. For
> example, what if someone uses a static IP which is assigned dynamically to
> another machine on the SAME subnet? Would the conflict still occur?


<snip>

Well, this dhcpd setup (IP bound to MAC) will behave like your static IP
environment. It will assign IP addresses to your machines by looking up
the corresponding MAC addresses in dhcpd.conf. So, there won't be any
IP conflict.

Just have a look at this sample dhcpd.conf, and populate the whole range.

# dhcpd 3.x refuses to start without a DDNS style; 'none' unless DDNS is wanted
ddns-update-style none;

subnet 192.168.0.0 netmask 255.255.0.0 {
# Keep the dynamic pool clear of the reserved addresses below: dhcpd does
# not carve a fixed-address out of a range that covers it, so a reserved
# address inside the range could also be leased to an unknown client.
range 192.168.100.1 192.168.100.254;
}
# D0-18 == enterprise == me
# The MAC addresses as posted had only five groups (00:B00:24:...); one
# missing zero is assumed here so the file parses. Replace with the real ones.
group {
filename="pxelinux.0";
option domain-name-servers 145.18.40.50;
option routers 192.168.0.1;

# Master (as posted this entry duplicated kirk's name and address; it needs its own)
host enterprise { # D0-18
hardware ethernet 00:B0:00:24:17:43;
option host-name "enterprise";
fixed-address 192.168.0.2;
}
# TOS
host kirk { # D0-19
hardware ethernet 00:B0:00:24:17:63;
option host-name "kirk";
fixed-address 192.168.1.1;
}
host spock { # D0-5
hardware ethernet 00:B0:00:24:16:82;
option host-name "spock";
fixed-address 192.168.1.2;
}
host scotty { # D0-9
hardware ethernet 00:B0:00:24:16:79;
option host-name "scotty";
fixed-address 192.168.1.3;
}

# Voyager
host janeway { # D0-8
hardware ethernet 00:B0:00:24:16:88;
option host-name "janeway";
fixed-address 192.168.2.1;
}
host paris { # D0-4
hardware ethernet 00:B0:00:24:16:81;
option host-name "paris";
fixed-address 192.168.2.2;
}
host tuvok { # D0-10
hardware ethernet 00:B0:00:24:16:86;
option host-name "tuvok";
fixed-address 192.168.2.3;
}

# The next generation
host picard { # D0-29
hardware ethernet 00:B0:00:24:17:69;
option host-name "picard";
fixed-address 192.168.3.1;
}
host worf { # D0-12
hardware ethernet 00:B0:00:24:16:68;
option host-name "worf";
fixed-address 192.168.3.2;
}
host data { # D0-11
hardware ethernet 00:B0:00:24:16:75;
option host-name "data";
fixed-address 192.168.3.3;
}

# DS 9
host sisko { # D0-30
hardware ethernet 00:B0:00:24:17:65;
option host-name "sisko";
fixed-address 192.168.4.1;
}
host odo { # D0-15
hardware ethernet 00:B0:00:24:17:3C;
option host-name "odo";
fixed-address 192.168.4.2;
}
host quark { # D0-13
hardware ethernet 00:B0:00:24:16:64;
option host-name "quark";
fixed-address 192.168.4.3;
}
}



--
Raqueeb Hassan
Bangladesh
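A reservation-per-MAC dhcpd.conf like the ones in Raqueeb's two posts only gives the "static IP environment" behaviour when the file is internally consistent, and the slips are easy to make: a fixed-address used twice, a MAC typed with five groups, a dynamic range that covers the reservations (dhcpd does not carve a fixed-address out of a range that covers it, so the same address can also be leased to an unknown client). It is also worth keeping in mind that a reservation only binds a client that asks DHCP; a machine configured with a static address never talks to dhcpd at all, which is the case the original question is about. The checker below is an added example, not code from the thread; it understands only the subset of dhcpd.conf syntax used here, and both sample configs are constructed (names and MACs made up), the first one deliberately containing each of those slips.

```python
"""Lint an ISC dhcpd.conf built from per-MAC fixed-address reservations.

Added example, not code from the thread: it handles only the subset of
dhcpd.conf syntax used in the posts above (subnet/range, host with
hardware ethernet and fixed-address) and reports the mistakes that put
two machines on one IP even though every MAC has a reservation.
"""
import ipaddress
import re

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)

# Constructed sample modelled on the posted config (MACs and names are made
# up): a five-group MAC, one address reserved twice, one MAC used twice, a
# reservation outside the subnet, and a dynamic range covering the reservations.
SAMPLE_CONF = """
subnet 192.168.0.0 netmask 255.255.0.0 {
  range 192.168.1.1 192.168.100.100;
}
group {
  host enterprise { hardware ethernet 00:B00:24:17:43;    fixed-address 192.168.1.1; }
  host kirk       { hardware ethernet 00:b0:00:24:17:63;  fixed-address 192.168.1.1; }
  host spock      { hardware ethernet 00:b0:00:24:16:82;  fixed-address 192.168.1.2; }
  host picard     { hardware ethernet 00:b0:00:24:16:82;  fixed-address 10.9.9.9; }
}
"""

# Same hosts with the problems fixed: disjoint pool, unique MACs and addresses.
CLEAN_CONF = """
subnet 192.168.0.0 netmask 255.255.0.0 {
  range 192.168.100.1 192.168.100.254;
}
host enterprise { hardware ethernet 00:b0:00:24:17:43; fixed-address 192.168.0.2; }
host kirk       { hardware ethernet 00:b0:00:24:17:63; fixed-address 192.168.1.1; }
host spock      { hardware ethernet 00:b0:00:24:16:82; fixed-address 192.168.1.2; }
host picard     { hardware ethernet 00:b0:00:24:17:69; fixed-address 192.168.3.1; }
"""


def parse(conf):
    """Return (subnets, ranges, hosts) from the supported declarations."""
    subnets = [ipaddress.ip_network(f"{net}/{mask}", strict=False)
               for net, mask in re.findall(r"subnet\s+([\d.]+)\s+netmask\s+([\d.]+)\s*\{", conf)]
    ranges = [(ipaddress.ip_address(lo), ipaddress.ip_address(hi))
              for lo, hi in re.findall(r"\brange\s+([\d.]+)\s+([\d.]+)\s*;", conf)]
    hosts = []
    for name, body in re.findall(r"\bhost\s+(\S+)\s*\{([^}]*)\}", conf, re.S):
        mac = re.search(r"hardware\s+ethernet\s+([^;\s]+)\s*;", body)
        ip = re.search(r"fixed-address\s+([^;\s]+)\s*;", body)
        hosts.append((name, mac.group(1) if mac else None, ip.group(1) if ip else None))
    return subnets, ranges, hosts


def check(conf):
    """Return a list of (host, code, detail) findings; an empty list means clean."""
    subnets, ranges, hosts = parse(conf)
    findings, owner_of_ip, owner_of_mac = [], {}, {}
    for name, mac, ip in hosts:
        if mac is None or not MAC_RE.match(mac):
            findings.append((name, "bad-mac", f"unparseable hardware ethernet {mac!r}"))
        elif mac.lower() in owner_of_mac:
            findings.append((name, "dup-mac", f"{mac} already reserved for {owner_of_mac[mac.lower()]}"))
        else:
            owner_of_mac[mac.lower()] = name
        if ip is None:
            findings.append((name, "no-ip", "host has no fixed-address"))
            continue
        addr = ipaddress.ip_address(ip)
        if ip in owner_of_ip:
            findings.append((name, "dup-ip", f"{ip} already reserved for {owner_of_ip[ip]}"))
        else:
            owner_of_ip[ip] = name
        if not any(addr in net for net in subnets):
            findings.append((name, "outside-subnet", f"{ip} is in no declared subnet"))
        for lo, hi in ranges:
            # dhcpd does not carve a fixed-address out of a range that covers it,
            # so the same address can also be leased dynamically to a stranger.
            if lo <= addr <= hi:
                findings.append((name, "in-dynamic-range", f"{ip} lies inside range {lo}-{hi}"))
    return findings


if __name__ == "__main__":
    for host, code, detail in check(SAMPLE_CONF):
        print(f"{host:12} {code:18} {detail}")
    print("clean config findings:", check(CLEAN_CONF))
```

On the constructed sample it reports seven findings (two for the five-group MAC host, two for the duplicated address, one for each reservation the pool swallows, and two for the host outside the subnet); on the cleaned-up version it reports none. Run it before every `dhcpd -t`, since dhcpd's own syntax check accepts all of these.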

 
Moe Trin
07-11-2006, 08:02 PM
On Tue, 11 Jul 2006, in the Usenet newsgroup comp.os.linux.networking, in
article <e8vvtd$c5u$(E-Mail Removed)>, grpprod wrote:

>we have a rather serious problem in our network (about >1000 PCs), each one
>having one static IP. I am not administering this network myself, and have
>no control over the routers/switches.


Who are you that you feel that it is your job to solve the problem?

>Unfortunately, there are many 'malicious' users who use arbitrary IPs for
>their machines (even IPs belonging to other users). So far, we have been
>dealing with this by disabling the respective switch ports, but I think
>this is not the best solution possible.


This is a difficult problem to solve. The solution starts with published
official policy that each user must acknowledge, that such conduct is not
acceptable, and is punished by removing the user.

You can also make life more difficult by disabling unused ports and network
drops. If your switches allow, you can configure them so that only one MAC
address is acceptable to each specific port. You should know EXACTLY where
each port on a switch connects to which network drop. You can monitor the
switches looking for 'rogue' MAC addresses. You can also monitor the ARP
cache on specific systems (DNS servers, routers, etc.) comparing the MAC
and IP addresses against a database. This can actually be done with some
simple scripts, or you can use an application like 'arpwatch' or 'arpsnmp'.

>Can someone suggest a workaround? I considered DHCP and MAC ACLs but I am
>not sure how they could help in our case. For example, the use of an ACL
>could prohibit a 'new' laptop from connecting, but would not prevent a laptop
>which is allowed to connect from using any static IP possible. Not to mention
>that a MAC can be easily forged by software means.


You are looking to cure the symptoms of the problem, not the problem itself.
Get the official policy in place, and make sure everyone is aware of it.
Then start enforcing the policy. You're posting from a smaller university.
Is it possible to expel the malicious student? Or fine them?

Where I work (an R&D facility), we put the "no visiting computers" policy
in place more than twelve years ago. Each employee is aware of this policy,
and has signed a copy of the policy accepting this. There are large signs
at all building entrances warning that visiting computers are prohibited
and subject to confiscation (usually that means that we wipe the disks
and will return the computer to the owner when they _permanently_ leave,
provided they are not arrested for other problems). The first visiting
system we detected turned out to be used by the corporate president who
was visiting, a week after he personally had approved the policy putting
it into effect at our facility (the policy is now corporate wide). The
second (or third - can't remember) visiting system we caught belonged to
a government auditor who was visiting to lecture us on security (which
caused much laughter). The current configuration of the monitoring program
sends alarm messages to network operations AND security on detecting a
rogue, and we normally have at least one unhappy network administrator and
two guards at the network drop within two minutes of the rogue system
being turned on. This happens very rarely now.

Old guy
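The ARP-cache monitoring Moe Trin mentions, as an added example rather than arpwatch itself: it parses the neighbour table of a router (from 'ip neigh', with 'arp -an' output accepted too), compares each IP/MAC pair with the authorised assignments, and classifies every disagreement as a rogue MAC, an authorised machine sitting on an address that is not its own, or an assigned address claimed by a known or an unknown MAC. A second function reports the "changed ethernet address" event that arpwatch raises when two snapshots disagree. The inventory and both table snapshots are constructed for the example.

```python
"""Audit an ARP/neighbour table against the authorised MAC-to-IP database.

Added example, not arpwatch itself: the same idea done by hand, over the
output of `ip neigh` (the `arp -an` format is parsed too). audit() flags
every pair that disagrees with the inventory, and changes() reports the
"changed ethernet address" event arpwatch raises when two snapshots differ.
The inventory and table contents below are constructed.
"""
import re

# Constructed authorised assignments (ip -> mac), e.g. exported from dhcpd.conf.
INVENTORY = {
    "192.168.1.1": "00:b0:00:24:17:63",   # kirk
    "192.168.1.2": "00:b0:00:24:16:82",   # spock
    "192.168.1.3": "00:b0:00:24:16:79",   # scotty
}

# Constructed `ip neigh` output as seen on the router.
SAMPLE_NEIGH = """\
192.168.1.1 dev eth0 lladdr 00:b0:00:24:16:82 DELAY
192.168.1.2 dev eth0 lladdr 00:b0:00:24:16:82 REACHABLE
192.168.1.3 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.4 dev eth0 lladdr 00:b0:00:24:16:79 STALE
192.168.1.5 dev eth0 lladdr 00:11:22:33:44:66 REACHABLE
192.168.1.9 dev eth0  FAILED
"""

# An earlier snapshot of the same table, before 192.168.1.1 was taken over.
EARLIER_NEIGH = """\
192.168.1.1 dev eth0 lladdr 00:b0:00:24:17:63 REACHABLE
192.168.1.2 dev eth0 lladdr 00:b0:00:24:16:82 REACHABLE
"""

IP_NEIGH_RE = re.compile(r"^([\d.]+)\s+dev\s+\S+\s+lladdr\s+([0-9a-f:]{17})", re.I | re.M)
ARP_AN_RE = re.compile(r"\(([\d.]+)\)\s+at\s+([0-9a-f:]{17})", re.I)


def parse_table(text):
    """Return {ip: mac} from `ip neigh` or `arp -an` output; entries without a MAC are skipped."""
    pairs = IP_NEIGH_RE.findall(text) or ARP_AN_RE.findall(text)
    return {ip: mac.lower() for ip, mac in pairs}


def audit(table_text, inventory):
    """Return [(ip, mac, code, detail)] for every table entry that disagrees with the inventory."""
    owner_ip = {mac.lower(): ip for ip, mac in inventory.items()}   # reverse index: mac -> its own ip
    findings = []
    for ip, mac in sorted(parse_table(table_text).items()):
        expected = inventory.get(ip, "").lower()
        if expected == mac:
            continue                                   # authorised pair, nothing to report
        known_on = owner_ip.get(mac)
        if expected and known_on:
            findings.append((ip, mac, "ip-taken-by-known", f"{ip} belongs to {expected}; MAC is assigned {known_on}"))
        elif expected:
            findings.append((ip, mac, "ip-taken-by-unknown", f"{ip} belongs to {expected}; MAC not in inventory"))
        elif known_on:
            findings.append((ip, mac, "known-mac-moved", f"MAC assigned {known_on} is using unassigned {ip}"))
        else:
            findings.append((ip, mac, "unknown-mac", "rogue MAC on an unassigned address"))
    return findings


def changes(earlier_text, later_text):
    """arpwatch-style 'changed ethernet address': [(ip, old_mac, new_mac)] between two snapshots."""
    before, after = parse_table(earlier_text), parse_table(later_text)
    return [(ip, before[ip], after[ip]) for ip in sorted(before) if ip in after and before[ip] != after[ip]]


if __name__ == "__main__":
    for ip, mac, code, detail in audit(SAMPLE_NEIGH, INVENTORY):
        print(f"{ip:14} {mac}  {code:20} {detail}")
    for ip, old, new in changes(EARLIER_NEIGH, SAMPLE_NEIGH):
        print(f"changed ethernet address: {ip} {old} -> {new}")
```

Run from cron on the routers and DNS servers, as the post suggests, with the inventory generated from the same data that builds dhcpd.conf so the two never drift. A "known-mac-moved" hit is usually a user who set a static address by hand; "ip-taken-by-known" is the case from the original question, and the 'changes' output tells you when it started.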
 