CLEANACCESS Archives

February 2006

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject:
From: Ryan Dorman <[log in to unmask]>
Reply To: Perfigo SecureSmart and CleanMachines Discussion List <[log in to unmask]>
Date: Thu, 2 Feb 2006 14:00:41 -0500
Content-Type: text/plain
Parts/Attachments: text/plain (123 lines)

I have one of these as well... IPS is dumping them as a LAND attack
(remember all of THAT fun?), but I've had trouble getting an
"un-rewritten" packet.

Ryan Dorman
Network Engineering Specialist
Millersville University

-----Original Message-----
From: Perfigo SecureSmart and CleanMachines Discussion List
[mailto:[log in to unmask]] On Behalf Of BACHAND, Dave (Info. Tech. Services)
Sent: Thursday, February 02, 2006 1:57 PM
To: [log in to unmask]
Subject: Re: [PERFIGO] Rogue computer detection

Hello-

Yes, our internal equipment is in fact rejecting the traffic.

Now I'm looking for the little cherub that is the cause.  MAC address
data is just stamped by the CCA gateway, so all of my routers etc. are
showing its MAC and not the originator's.  What I am trying to do is to
get the CCA gateway to flag the originating computer so we can go visit,
I mean clean him (or her) up...


++++++++++++++++++++++++++++++++++
Dave Bachand
Data Network Manager
Information Technology Services
Eastern Connecticut State University
83 Windham Street
Willimantic, CT
Tel. (860)465-5376
++++++++++++++++++++++++++++++++++

-----Original Message-----
From: Perfigo SecureSmart and CleanMachines Discussion List
[mailto:[log in to unmask]] On Behalf Of Eric Weakland
Sent: Thursday, February 02, 2006 12:58 PM
To: [log in to unmask]
Subject: Re: Rogue computer detection

Dave,

First step - you should be able to set your routers to reject packets
from non-valid "spoofed" sources.

On Cisco hardware the command is "ip verify unicast reverse-path" - I
may be misspelling it.  Also - only do this on router interfaces that
face towards end users, with no uplinks on them.  I.e., it may be very
bad to do this on, say, a backbone link that has traffic from all over
running on it.

After setting the unicast reverse path to make sure it is from a valid
address, your routers should contain good info on IP->MAC and vice versa
in their ARP tables.  After you know the MAC - start looking at your CAM
tables on your switches to find the person.

Hope this helps. 

Eric Weakland, CISSP
Director, Network Security
Office of Information Technology
American University
eric at american.edu
202.885.2241



From: "BACHAND, Dave (Info. Tech. Services)" <[log in to unmask]>
Sent by: Perfigo SecureSmart and CleanMachines Discussion List <[log in to unmask]>
Date: 02/02/2006 12:46 PM
Please respond to: Perfigo SecureSmart and CleanMachines Discussion List <[log in to unmask]>
To: [log in to unmask]
cc:
Subject: Rogue computer detection

Hello-

I have a fun problem!  One of the students in CCA is apparently burdened
by some sort of a Trojan, hard though that may be to believe.  The
device is beaconing to various Internet addresses on the outside from a
source address that doesn't belong here.  We've tracked it back to a
particular CCA zone, but can't go much further.  In looking at the
ACLs that are in place, this shouldn't be possible!  We have the roles
configured so that only the valid source IP address should be able to get
through.

Could it be that CCA isn't really checking source addresses?

Does anybody know if there is a way to log the MAC and other information
from a particular source IP?

We are running 3.5.8.

Thanks,

++++++++++++++++++++++++++++++++++
Dave Bachand
Data Network Manager
Information Technology Services
Eastern Connecticut State University
83 Windham Street
Willimantic, CT
Tel. (860)465-5376
++++++++++++++++++++++++++++++++++
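
The trace Eric Weakland outlines in the quoted message (router ARP table gives
IP -> MAC, switch MAC/CAM table gives MAC -> port) is shown below as an added
worked example; it is not code from the thread, from Perfigo/Cisco, or from
any of the posters. The `show ip arp` and `show mac address-table` outputs are
constructed samples in Cisco IOS layout, and every address, VLAN, port name and
the gateway MAC in them is made up. The example also handles the snag Dave
Bachand raises: when the CCA gateway stamps its own MAC on forwarded packets,
the ARP entry for the rogue source resolves to the gateway, so the lookup
reports "behind-gateway" instead of pointing at the gateway's uplink port as if
it were the culprit.

```python
"""Trace a source IP to a switch port: router ARP table -> switch MAC table.

Added example, not from the original thread.  All command output below is
CONSTRUCTED in Cisco IOS layout; addresses, VLANs, ports and the gateway MAC
are invented for illustration.
"""
import re
from typing import Dict, FrozenSet, NamedTuple


class ArpEntry(NamedTuple):
    ip: str
    mac: str        # lower-case dotted-quad form, e.g. 0011.2233.aa57
    interface: str  # router interface the entry was learned on


class MacEntry(NamedTuple):
    vlan: int
    mac: str
    port: str       # switch port the MAC was learned on


# Constructed `show ip arp` output (assumed Cisco IOS layout).
SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.20.30.1              -   0011.2233.0001  ARPA   Vlan30
Internet  10.20.30.57             3   0011.2233.aa57  ARPA   Vlan30
Internet  10.20.30.212            0   0011.2233.ffff  ARPA   Vlan30
"""

# Constructed `show mac address-table` output (assumed Cisco IOS layout).
SHOW_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  30    0011.2233.aa57    DYNAMIC     Gi1/0/12
  30    0011.2233.ffff    DYNAMIC     Gi1/0/48
  30    0011.2233.0001    STATIC      CPU
"""

# Hypothetical MAC of the CCA gateway; Gi1/0/48 is its uplink in the sample.
CCA_GATEWAY_MAC = "0011.2233.ffff"

_CISCO_MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
_ARP_LINE = re.compile(
    r"^Internet\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+\S+\s+"
    rf"(?P<mac>{_CISCO_MAC})\s+\S+\s+(?P<intf>\S+)\s*$",
    re.IGNORECASE,
)
_MAC_LINE = re.compile(
    rf"^\s*(?P<vlan>\d+)\s+(?P<mac>{_CISCO_MAC})\s+\S+\s+(?P<port>\S+)\s*$",
    re.IGNORECASE,
)


def parse_show_ip_arp(text: str) -> Dict[str, ArpEntry]:
    """Map IP -> ArpEntry.  Header and non-matching lines are skipped."""
    table: Dict[str, ArpEntry] = {}
    for line in text.splitlines():
        m = _ARP_LINE.match(line)
        if m:
            table[m["ip"]] = ArpEntry(m["ip"], m["mac"].lower(), m["intf"])
    return table


def parse_show_mac_table(text: str) -> Dict[str, MacEntry]:
    """Map MAC (lower-case) -> MacEntry.  Banner and separator lines are skipped."""
    table: Dict[str, MacEntry] = {}
    for line in text.splitlines():
        m = _MAC_LINE.match(line)
        if m:
            mac = m["mac"].lower()
            table[mac] = MacEntry(int(m["vlan"]), mac, m["port"])
    return table


def locate(ip: str, arp: Dict[str, ArpEntry], macs: Dict[str, MacEntry],
           gateway_macs: FrozenSet[str] = frozenset()) -> dict:
    """Resolve a source IP to a switch port, flagging the cases that mislead.

    no-arp-entry   : the router never resolved this IP on a local segment
                     (spoofed from elsewhere, or already dropped by uRPF).
    behind-gateway : the MAC is an inline gateway's own address, so the
                     switch port would only be the gateway's uplink.
    mac-not-learned: router knows the MAC but this switch has not seen it.
    """
    entry = arp.get(ip)
    if entry is None:
        return {"status": "no-arp-entry", "ip": ip}
    if entry.mac in gateway_macs:
        return {"status": "behind-gateway", "ip": ip, "mac": entry.mac,
                "interface": entry.interface}
    learned = macs.get(entry.mac)
    if learned is None:
        return {"status": "mac-not-learned", "ip": ip, "mac": entry.mac}
    return {"status": "located", "ip": ip, "mac": entry.mac,
            "vlan": learned.vlan, "port": learned.port}


def trace_sample(ip: str) -> dict:
    """Run the lookup against the constructed sample outputs above."""
    return locate(ip, parse_show_ip_arp(SHOW_IP_ARP),
                  parse_show_mac_table(SHOW_MAC_TABLE),
                  gateway_macs=frozenset({CCA_GATEWAY_MAC}))


if __name__ == "__main__":
    for victim in ("10.20.30.57", "10.20.30.212", "192.0.2.99"):
        print(trace_sample(victim))
```

In practice the two tables come from different boxes (the L3 router for ARP,
the access switch for the MAC table), so feed each parser the raw output of
its own device; the "behind-gateway" result is the signal that the next hop
for the hunt is the gateway's own client table rather than the switch.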
