Computer networks
juffinhalli, 2011-12-05 13:38:34

[SOLVED] The troll surrendered himself. Network map by mac addresses or how to catch an evil green troll?

Hey Habr!
There are 150 computers on the network.
There are evil trolls on the network who like to manually enter someone else's IP, which leads to conflicts.
The evil green troll has all ports closed, so I can't find out who he is yet.
All that is known is the occupied IP and the MAC address that nmap showed.
Please tell me if there is any software that could build a network map with hubs, mac addresses and their IP. Knowing the IP of the "neighbors" of the troll on the hub, I think I could figure out the villain and give him a cruel anal punishment.
Please help restore justice.
Thanks in advance.
PS Open Source solutions are welcome.
Update: the green troll came with a confession. This hand-assed creature wiped the network settings, forgot them and entered someone else's IP at random. Moreover, the old gateway and DNS were entered, from a server that no longer exists. The Internet stopped working, and the next day the creature came to repent of its sins. This explains the troll's strange behavior: there was complete silence in the vuurmuur and squid logs.
Thank you all for your help!

11 answer(s)
Andrey Grigoriev, 2011-12-05
@juffinhalli

If it is not possible to restrict this at the level of network equipment using smart switches, then you can restrict it at a higher level: configure some kind of PPPoE or OpenVPN, for example. Although this will not save you from destructive attacks: if someone wants to take down a network of ordinary switches, then you can only stop him with a good blow to the kidneys.
Tracking him down is quite simple: physically disconnect one of the links in the central switch, and if the attacker no longer pings (does not respond to ARP requests), then go and see who is plugged into the switch that you cut off. Well, and so on.

BasilioCat, 2011-12-05
@BasilioCat

In the case of normal switches, you can
- display the list of MAC addresses on the switch port, find the physical cable and the villain
- bind MAC addresses to physical ports (port security)
In the case of hubs or dumb switches, you can replace them with normal ones =)))

Akint, 2011-12-05
@Akint

*nix: arping -I [interface] [ip]
It will respond with the villain's MAC, even if he is closed to pings. And then either look for the MAC on managed switches and turn off the port, or, if the switches are unmanaged, physically pull out cables until arping stops getting replies.

YourChief, 2011-12-05
@YourChief

Smart switches? If yes, then something like www.netdisco.org/, and if not, then I trolled you.

Eddy_Em, 2011-12-05
@Eddy_Em

> There are evil trolls in the network who like to drive someone else's IP with their hands, which leads to conflicts.
Do you think that your "evil trolls" will not be able to change the MAC address too? This is done in an elementary way: I pinged the necessary addresses, collected the ARP data into the database, then pinged again and changed my IP address and MAC to the IP address and MAC of some disconnected computer.
It will be possible to track down such an impudent person only if you have "smart" routers. And it is impossible to find a pest in a network of switches and hubs!

AccessForbidden, 2011-12-05
@AccessForbidden

Monitor the network for ARP changes. On Linux, there is an arpwatch daemon that logs the MAC address of an IP address and sends an alert if it changes.

Maxim, 2011-12-05
@Maxim_ka

The friendly pinger+dameware program should fully satisfy all your needs.

Denis, 2011-12-05
@uscr

Zenmap not suitable?

DimonZ, 2011-12-05
@DimonZ

You can make a list of all used mac addresses and allow access only from them. The user who tries to change mac will not be able to access the Internet and therefore it will be easy to figure it out. After that, collect all IP-mac pairs at a certain point in time and then, if you suspect a change in IP, collect all pairs again. After that, the mac address of the one who changed the IP will be known. Then you can arrange repression at the mac address.
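
The snapshot comparison described in this answer, and the ARP-change monitoring suggested in AccessForbidden's answer above, as an added example that is not part of the original thread. It assumes the snapshots are Linux `arp -an` output; the function names are hypothetical and the sample addresses are constructed.

```python
import re

# One line of Linux `arp -an` output looks like:
#   ? (192.168.1.10) at 00:11:22:33:44:0a [ether] on eth0
ARP_LINE = re.compile(
    r"\((\d{1,3}(?:\.\d{1,3}){3})\) at ((?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)

def parse_arp(text):
    """Return {ip: mac}; '<incomplete>' entries do not match and are skipped."""
    return {m.group(1): m.group(2).lower() for m in ARP_LINE.finditer(text)}

def compare(baseline, current):
    """Return (kind, ip, previous, mac) tuples for every suspicious entry."""
    findings = []
    # If one MAC held several IPs in the baseline, the last one seen is kept.
    base_ip_of = {mac: ip for ip, mac in baseline.items()}
    for ip, mac in sorted(current.items()):
        old_mac = baseline.get(ip)
        if old_mac and old_mac != mac:
            # A known IP is now answered by a different MAC (conflict).
            findings.append(("ip_taken_over", ip, old_mac, mac))
        if mac not in base_ip_of:
            # MAC that is not on the allowed list built from the baseline.
            findings.append(("unknown_mac", ip, None, mac))
        elif base_ip_of[mac] != ip:
            # Known station on a new IP; 'previous' is its baseline IP.
            findings.append(("mac_moved", ip, base_ip_of[mac], mac))
    return findings

# Constructed sample snapshots (not data from the thread).
BASELINE = """\
? (192.168.1.10) at 00:11:22:33:44:0a [ether] on eth0
? (192.168.1.11) at 00:11:22:33:44:0b [ether] on eth0
? (192.168.1.12) at 00:11:22:33:44:0c [ether] on eth0
? (192.168.1.13) at <incomplete> on eth0
"""
CURRENT = """\
? (192.168.1.10) at 00:11:22:33:44:0C [ether] on eth0
? (192.168.1.11) at 00:11:22:33:44:0b [ether] on eth0
? (192.168.1.14) at 00:11:22:33:44:ff [ether] on eth0
"""

if __name__ == "__main__":
    for kind, ip, previous, mac in compare(parse_arp(BASELINE), parse_arp(CURRENT)):
        print(f"{kind:14} ip={ip} mac={mac} previous={previous}")
```

A station that takes both the IP and the MAC of a powered-off machine produces no difference between snapshots, which is the limit Eddy_Em's answer describes.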

baalmor, 2011-12-05
@baalmor

I may say something stupid now, but in Windows there is a utility called tracert that displays the entire route. If you know the conflicting IP, you can try to get the route. Two samples, and the search field is already greatly reduced. What do you think?

Alexander Chekalin, 2011-12-06
@achekalin

Look on the equipment for where that MAC is connected, work out the port, run there and find the client on the port.
I would advise you to think about what you will do when you find a troll. If “to hit in the eye” (at least figuratively) is permissible, then solve the problem, but if there is nothing to punish, they will play cat and mouse. In the latter case, you will have to do authorization of one kind or another (raise a VPN for clients, PPPoE, authorize somehow cleverly on a proxy), and it will obviously be opaque.
As an option, look at ISA, more precisely, authorization through its client - everything is more cunning and interesting there, but there is more fuss.
PS They wrote that it was "decided" - where did they stop, if not a secret?
