Board index Linux Networking

Nodes and IP address

Nodes and IP address

Post by acruxi » Wed, 12 Mar 2003 16:55:54



Hi,
On a switched network, and given a DHCP-assigned
IP address, how do you figure out which node
sent a particular frame? What if the offending
node is offline/gets a new lease with a spoofed
MAC address/sends a packet with a spoofed IP?

TIA

 
 
 
Top

Nodes and IP address

Post by Frank Sweetse » Tue, 18 Mar 2003 00:06:52



> Hi,
> On a switched network, and given a DHCP-assigned
> IP address, how do you figure out which node
> sent a particular frame? What if the offending
> node is offline/gets a new lease with a spoofed
> MAC address/sends a packet with a spoofed IP?

Well, first off, what does a switched network have to do with this?  All of
the same spoofings are just as possible on a shared network as a switched
network.

And secondly, if you can recieve the frame, just look at the source ether
address, assuming that that wasn't spoofed too.  If it was spoofed, then you
will have to walk through the FDB on each switch until you find what physical
port the spoofed ether is appearing on.  Once you have that you can trace the
physical cable to the offending machine.

--
Frank Sweetser fs at wpi.edu
WPI Network Engineer

 
 
 
Top

Nodes and IP address

Post by acruxi » Fri, 21 Mar 2003 14:13:03




>>Hi,
>>On a switched network, and given a DHCP-assigned
>>IP address, how do you figure out which node
>>sent a particular frame? What if the offending
>>node is offline/gets a new lease with a spoofed
>>MAC address/sends a packet with a spoofed IP?

> Well, first off, what does a switched network have to do with this?  All of
> the same spoofings are just as possible on a shared network as a switched
> network.

> And secondly, if you can recieve the frame, just look at the source ether
> address, assuming that that wasn't spoofed too.  If it was spoofed, then you
> will have to walk through the FDB on each switch until you find what physical
> port the spoofed ether is appearing on.  Once you have that you can trace the
> physical cable to the offending machine.

hm...let me explain my scenario in more detail:
- machine spoofs ethernet address
- machine asks for IP address
- DHCP server links IP address with ethernet address
- machine sends packets with assigned IP address and spoofed
MAC address
- machine goes offline
- machine reverts to original MAC and gets new IP address
- spoofed MAC is never used again

Given this scenario, how do we trace which machine sent the spoofed
packets, if its possible?

TIA

 
 
 
Top

1. Should Node IP addresses be hidden for the users ?

To have a single system image for a n-node cluster, is it a must to hide the
IP addresses of all the nodes and give only 1 IP address to the client ?

2. backup with tar a problem

3. How to recover an application node and an ADSM node into one node?

4. Problem making Miro 20SV work with XFree86

5. Changing IP address on Solaris 9 with multiple virtual IP addresses

6. cable modem to fast for linux ?

7. WANTED: pingmac <IP ADDR> which returns <MAC ADDRESS of IP ADDRESS>

8. ethernet

9. dynamic ip address - how to get to know my ip address?

10. IP Masquerading with IP Address and Mac Address Restrictions

11. Why ip-fw reject for IP's outside node's netmask?

12. Matrox Mystique ands X.

13. I wanted to extract the Source IP address and Destination IP address from packets passing through bridge, Is IP address offset is fixed?


All times are UTC
Board index