[784] in resnet
Re: Rerouting of ResNet traffic
daemon@ATHENA.MIT.EDU (Randall Watanabe)
Thu Feb 7 02:28:39 2002
MIME-version: 1.0
Content-type: text/plain; charset=iso-8859-1
Content-transfer-encoding: 7bit
Message-ID: <NDBBIGEEGLOCOICPMEGIMEKJCHAA.randallw@hawaii.edu>
Date: Wed, 6 Feb 2002 21:30:28 -1000
Reply-To: Resnet Forum <RESNET-L@listserv.nd.edu>
From: Randall Watanabe <randallw@HAWAII.EDU>
To: RESNET-L@listserv.nd.edu
In-Reply-To: <IJEPJCLMEEHCGPGKCLLJAEOHCBAA.troberge@uci.edu>
We actually had a problem like THAT as well =). But in this particular
instance, the computers getting rerouted actually have all the correct IP
and gateway settings. The equipment in the student's room actually seems to
be impersonating our real router and getting our switches to route traffic
to it.
Randall Watanabe
Resnet Computer Specialist
UH Student Housing Services
randallw@hawaii.edu
-----Original Message-----
From: Resnet Forum [mailto:RESNET-L@listserv.nd.edu] On Behalf Of Ted Roberge
Sent: Wednesday, February 06, 2002 6:11 PM
To: RESNET-L@listserv.nd.edu
Subject: Re: Rerouting of ResNet traffic
Hello,
This came up on a post to the unisog@sans.org list from the University of
Ottawa -- sounds like what you are talking about. Unless the resident
checks his IP, and knows what it should be... this would be tough to find! Good
call on doing a tracert.
<snip>
How is this for a nasty trick by students in residences?
An interesting man-in-the-middle style thing.
First, it must be in a double room, that has two network
connections. Second, the student has a Linux machine
with two interfaces, set up as you would a home firewall.
Each interface is plugged onto the residence network. One
of them obtains its address normally, through the University
DHCP server.
The second interface runs a DHCP server, and is on a 192.168.x.x
network. The Linux box is configured to do NAT.
As people reboot/turn on their machines, they are given a 192.168.x.x
address from this machine (probably... at least some are...)
Most people will not realize that they have been given an improper
address, since, with NAT, common things will work.
So, now, you have this student, who has all kinds of traffic
running through his machine, where it can be sniffed, snorted,
and spit out...
</snip>
Ted Roberge
Manager, Residential Network Services
University of California, Irvine
(949) 824-3868
http://resnet.uci.edu
-----Original Message-----
From: Resnet Forum [mailto:RESNET-L@listserv.nd.edu] On Behalf Of Randall Watanabe
Sent: Wednesday, February 06, 2002 7:26 PM
To: RESNET-L@listserv.nd.edu
Subject: Rerouting of ResNet traffic
Ran into a strange problem yesterday and I am appealing to this group for
some help...
Long story short, basically one of the residents on our network appears to
have had all of our traffic getting routed to him before passing along to
our "real" router. We noticed this when tracerts from several ResNet
computers were getting routed to one of our DHCP assigned addresses before
hitting the router. Occasionally, the tracert would show it passing through
the real router's IP address twice before moving along.
When we disconnected the port we tracked the problem to, we lost all
connectivity for a short period then everything went back to normal. I'm
thinking that somehow the resident had set up a router with the IP of our
real router, but my big question is if it was an intentional malicious act
(perhaps to sniff packets) or if it could have conceivably been an accident.
If anyone has had any kind of experiences like this or may know of how it
happened, I'd really appreciate it. For the sake of brevity I omitted a lot
of details but can provide them if they are relevant. Thanks!
Randall Watanabe
Resnet Computer Specialist
UH Student Housing Services
randallw@hawaii.edu
___________________________________________________
You are subscribed to the ResNet-L mailing list.
To subscribe, unsubscribe or search the archives,
go to http://LISTSERV.ND.EDU/archives/resnet-l.html
___________________________________________________
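
The rogue DHCP server described in the quoted unisog post can be caught on the wire by checking DHCP replies against site policy. This is an added example, not part of the original thread: the authorized server 10.20.0.2 and the pool 10.20.0.0/16 are assumed values, the function names are hypothetical, and the sample packets are constructed.

```python
import ipaddress

# Assumed site policy (hypothetical values, not from the thread).
AUTHORIZED_SERVERS = {ipaddress.ip_address("10.20.0.2")}
CAMPUS_POOL = ipaddress.ip_network("10.20.0.0/16")
MAGIC_COOKIE = b"\x63\x82\x53\x63"

def parse_dhcp(payload: bytes) -> dict:
    """Parse yiaddr and the options of a DHCP message (UDP payload)."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    msg = {"yiaddr": ipaddress.ip_address(payload[16:20]), "options": {}}
    i = 240
    while i < len(payload) and payload[i] != 255:    # 255 = end option
        if payload[i] == 0:                          # pad option, one byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        msg["options"][payload[i]] = value
        i += 2 + length
    return msg

def audit_reply(payload: bytes) -> list:
    """Findings for a DHCPOFFER/DHCPACK; an empty list means nothing flagged."""
    msg = parse_dhcp(payload)
    opts = msg["options"]
    if opts.get(53) not in (b"\x02", b"\x05"):       # 2 = OFFER, 5 = ACK
        return []
    findings = []
    server = opts.get(54, b"")                       # server identifier
    if len(server) != 4 or ipaddress.ip_address(server) not in AUTHORIZED_SERVERS:
        findings.append("unauthorized DHCP server")
    if msg["yiaddr"] not in CAMPUS_POOL:
        findings.append("lease outside campus pool")
    router = opts.get(3, b"")                        # default gateway
    if len(router) >= 4 and ipaddress.ip_address(router[:4]) not in CAMPUS_POOL:
        findings.append("gateway outside campus pool")
    return findings

def build_sample(yiaddr: str, server: str, router: str, mtype: int = 2) -> bytes:
    """Build a constructed DHCP reply (sample data for this example)."""
    hdr = bytearray(236)
    hdr[0:4] = b"\x02\x01\x06\x00"                   # BOOTREPLY, Ethernet
    hdr[16:20] = ipaddress.ip_address(yiaddr).packed
    pack = lambda code, ip: bytes([code, 4]) + ipaddress.ip_address(ip).packed
    opts = bytes([53, 1, mtype]) + pack(54, server) + pack(3, router) + b"\xff"
    return bytes(hdr) + MAGIC_COOKIE + opts
```

A reply that passes this check can still come from a host impersonating the gateway address, the case in the top message, which needs a separate check at the switch or ARP level.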