[785] in resnet

Re: Rerouting of ResNet traffic

daemon@ATHENA.MIT.EDU (Erik McCroskey)
Thu Feb 7 02:48:07 2002

Message-ID:  <20020206234238.W3285@pellam.ucr.edu>
Date:         Wed, 6 Feb 2002 23:42:38 -0800
Reply-To: Resnet Forum <RESNET-L@listserv.nd.edu>
From: Erik McCroskey <erik@PELLAM.UCR.EDU>
To: RESNET-L@listserv.nd.edu
In-Reply-To:  <NDBBIGEEGLOCOICPMEGIMEKJCHAA.randallw@hawaii.edu>; from
              randallw@HAWAII.EDU on Wed, Feb 06, 2002 at 09:30:28PM -1000

This could be done using something like the program arpspoof which
comes with dsniff (http://www.monkey.org/~dugsong/dsniff).  This is a
very effective way of sniffing on switched networks.  It can be done
with a single NIC.  The disadvantages to it are that the sniffer sees
only half of the TCP connection and the attacking machine must respond
to ARP requests faster than the router to be effective.

--Erik McCroskey
Computer Resources Coordinator
University of California, Riverside

On Wed, Feb 06, 2002 at 09:30:28PM -1000, Randall Watanabe wrote:
> We actually had a problem like THAT as well =).  But in this particular
> instance, the computers getting rerouted actually have all the correct IP
> and gateway settings.  The equipment in the student's room actually seems to
> be impersonating our real router and getting our switches to route traffic
> to it.
>
> Randall Watanabe
> Resnet Computer Specialist
> UH Student Housing Services
> randallw@hawaii.edu
>
> -----Original Message-----
> From: Resnet Forum [mailto:RESNET-L@listserv.nd.edu]On Behalf Of Ted
> Roberge
> Sent: Wednesday, February 06, 2002 6:11 PM
> To: RESNET-L@listserv.nd.edu
> Subject: Re: Rerouting of ResNet traffic
>
>
> Hello,
>
> This came up on a post to the unisog@sans.org list from the University of
> Ottawa -- sounds like what you are talking about.  Unless the resident
> checks his IP, and knows what it should be... this would be tough to find! Good
> call on doing a tracert.
>
> <snip>
> How is this for a nasty trick by students in residences?
> An interesting man-in-the-middle style thing.
>
> First, it must be in a double room, that has two network
> connections.  Second, the student has a Linux machine
> with two interfaces, set up as you would a home firewall.
>
> Each interface is plugged onto the residence network.  One
> of them obtains its address normally, through the University
> DHCP server.
>
> The second interface runs a DHCP server, and is on a 192.168.x.x
> network.  The Linux box is configured to do NAT.
>
> As people reboot/turn on their machines, they are given a 192.168.x.x
> address from this machine (probably... at least some are...)
> Most people will not realize that they have been given an improper
> address, since, with NAT, common things will work.
>
> So, now, you have this student, who has all kinds of traffic
> running through his machine, where it can be sniffed, snorted,
> and spit out...
> </snip>
>
> Ted Roberge
> Manager, Residential Network Services
> University of California, Irvine
> (949) 824-3868
> http://resnet.uci.edu
>
> -----Original Message-----
> From: Resnet Forum [mailto:RESNET-L@listserv.nd.edu]On Behalf Of Randall
> Watanabe
> Sent: Wednesday, February 06, 2002 7:26 PM
> To: RESNET-L@listserv.nd.edu
> Subject: Rerouting of ResNet traffic
>
> Ran into a strange problem yesterday and I am appealing to this group for
> some help...
>
> Long story short, basically one of the residents on our network appears to
> have had all of our traffic getting routed to him before passing along to
> our "real" router.  We noticed this when tracerts from several ResNet
> computers were getting routed to one of our DHCP assigned addresses before
> hitting the router.  Occasionally, the tracert would show it passing through
> the real router's IP address twice before moving along.
>
> When we disconnected the port we tracked the problem to, we lost all
> connectivity for a short period then everything went back to normal.  I'm
> thinking that somehow the resident had set up a router with the IP of our
> real router, but my big question is if it was an intentional malicious act
> (perhaps to sniff packets) or if it could have conceivably been an accident.
>
> If anyone has had any kind of experiences like this or may know of how it
> happened, I'd really appreciate it.  For the sake of brevity I omitted a lot
> of details but can provide them if they are relevant.  Thanks!
>
> Randall Watanabe
> Resnet Computer Specialist
> UH Student Housing Services
> randallw@hawaii.edu
>
> ___________________________________________________
> You are subscribed to the ResNet-L mailing list.
>
> To subscribe, unsubscribe or search the archives,
> go to http://LISTSERV.ND.EDU/archives/resnet-l.html
> ___________________________________________________

___________________________________________________
You are subscribed to the ResNet-L mailing list.

To subscribe, unsubscribe or search the archives,
go to http://LISTSERV.ND.EDU/archives/resnet-l.html
___________________________________________________
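
An added example, not part of the original thread: a check for the two conditions discussed above, a host other than the real router answering ARP for the gateway IP, and DHCP offers coming from an unapproved server or for addresses outside the campus range. The addresses, MACs, site constants and observation format are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed site values (hypothetical, not from the thread).
GATEWAY_IP = "10.20.0.1"
GATEWAY_MAC = "00:00:5e:00:53:01"
DHCP_SERVERS = {"10.20.0.5"}
CAMPUS_NET = ipaddress.ip_network("10.20.0.0/16")

# Constructed sample observations, e.g. exported from a monitoring port.
# ARP replies: (seconds, sender IP, sender MAC)
ARP_REPLIES = [
    (0, "10.20.0.1", "00:00:5e:00:53:01"),
    (1, "10.20.3.77", "00:00:5e:00:53:4d"),
    (2, "10.20.0.1", "00:00:5e:00:53:4d"),   # gateway IP claimed by a resident's MAC
]
# DHCP offers: (server IP, offered address)
DHCP_OFFERS = [
    ("10.20.0.5", "10.20.3.80"),
    ("192.168.1.1", "192.168.1.23"),          # second server handing out a NAT range
]

def arp_alerts(replies, gateway_ip=GATEWAY_IP, gateway_mac=GATEWAY_MAC):
    """Flag MACs other than the real router's that answer for the gateway IP,
    and list the other IPs each such MAC also uses (helps locate the host)."""
    ips_by_mac = defaultdict(set)
    for _, ip, mac in replies:
        ips_by_mac[mac.lower()].add(ip)
    alerts = []
    for mac, ips in sorted(ips_by_mac.items()):
        if gateway_ip in ips and mac != gateway_mac.lower():
            alerts.append((mac, sorted(ips - {gateway_ip})))
    return alerts

def dhcp_alerts(offers, servers=DHCP_SERVERS, net=CAMPUS_NET):
    """Flag offers from unapproved servers or for addresses outside the campus range."""
    alerts = []
    for server, offered in offers:
        reasons = []
        if server not in servers:
            reasons.append("unapproved server")
        if ipaddress.ip_address(offered) not in net:
            reasons.append("address outside campus range")
        if reasons:
            alerts.append((server, offered, reasons))
    return alerts

if __name__ == "__main__":
    print(arp_alerts(ARP_REPLIES), dhcp_alerts(DHCP_OFFERS))
```

The second IP reported alongside the offending MAC is the DHCP-assigned address of the machine, which is what the traceroutes in the original report showed as the extra hop.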