Re: users bypassing shaper limitation
Do they make steel braided ethernet cables? :P I'd bet the DoD has a milspec for it! :-) Pete -- http://www.elbnet.com ELB Internet Services, Inc. Web Design, Computer Consulting, Internet Hosting -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: users bypassing shaper limitation
One possible way to defeat this would be to use those metal security chains that they use to keep people from carrying off computers. Use a very short one, about 2 long. Affix one side to the computer case, and the other to the ethernet cable. Now, even this can be overcome if the crafty hacker should bring an extension cable with them. But there is still one method that will prevent anyone from stealing cable ports. Enclose the CPU case in an outer steel case. That way the cable head isn't accessible to anyone, hence, they can't unplug it. The only way to defeat that lockup is to physically cut the cable and attach a new jack head. But if you need that kind of security, you're in sad shape. :) Do they make steel braided ethernet cables? :P At 03:07 PM 7/3/01 +0200, Holger Lubitz wrote: Jeff S Wheeler proclaimed: cards around. If I do not, they will grumble and/or disable the ethernet ports that unknown MAC addresses appear on. In some areas (e.g. student labs) they do that automatically so kids can't just bring their laptop in and hop on napster at 100Mbit. Easy. Disconnect any machine, set your MAC/IP-addresses to its addresses, connect your laptop. Don't know its addresses? Just sniff around on the port for a while, but make sure you keep quiet. ---=ALL YOUR BASE ARE BELONG TO US=--- ___/`YOU HAVE NO CHANCE TO SURVIVE MAKE YOUR TIME!`\___ 0100 -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: users bypassing shaper limitation
One possible way to defeat this would be to use those metal security chains that they use to keep people from carrying off computers. Use a very short one, about 2 long. Affix one side to the computer case, and the other to the ethernet cable. Now, even this can be overcome if the crafty hacker should bring an extension cable with them. But there is still one method that will prevent anyone from stealing cable ports. Enclose the CPU case in an outer steel case. That way the cable head isn't accessible to anyone, hence, they can't unplug it. The only way to defeat that lockup is to physically cut the cable and attach a new jack head. But if you need that kind of security, you're in sad shape. :) Do they make steel braided ethernet cables? :P At 03:07 PM 7/3/01 +0200, Holger Lubitz wrote: Jeff S Wheeler proclaimed: cards around. If I do not, they will grumble and/or disable the ethernet ports that unknown MAC addresses appear on. In some areas (e.g. student labs) they do that automatically so kids can't just bring their laptop in and hop on napster at 100Mbit. Easy. Disconnect any machine, set your MAC/IP-addresses to its addresses, connect your laptop. Don't know its addresses? Just sniff around on the port for a while, but make sure you keep quiet. ---=ALL YOUR BASE ARE BELONG TO US=--- ___/`YOU HAVE NO CHANCE TO SURVIVE MAKE YOUR TIME!`\___ 0100
Re: users bypassing shaper limitation
Jeff S Wheeler proclaimed: cards around. If I do not, they will grumble and/or disable the ethernet ports that unknown MAC addresses appear on. In some areas (e.g. student labs) they do that automatically so kids can't just bring their laptop in and hop on napster at 100Mbit. Easy. Disconnect any machine, set your MAC/IP-addresses to its addresses, connect your laptop. Don't know its addresses? Just sniff around on the port for a while, but make sure you keep quiet. Holger -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
RE: users bypassing shaper limitation
Your method would allow someone to attach their computer to the network, certainly, but it would not allow them to bypass the traffic shaping limitations configured for that host. That is the goal of the original poster, as I understand. - jsw -Original Message- From: news [mailto:[EMAIL PROTECTED]]On Behalf Of Holger Lubitz Sent: Tuesday, July 03, 2001 9:08 AM To: [EMAIL PROTECTED] Subject: Re: users bypassing shaper limitation Jeff S Wheeler proclaimed: cards around. If I do not, they will grumble and/or disable the ethernet ports that unknown MAC addresses appear on. In some areas (e.g. student labs) they do that automatically so kids can't just bring their laptop in and hop on napster at 100Mbit. Easy. Disconnect any machine, set your MAC/IP-addresses to its addresses, connect your laptop. Don't know its addresses? Just sniff around on the port for a while, but make sure you keep quiet. Holger -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: users bypassing shaper limitation
Jeff S Wheeler proclaimed: cards around. If I do not, they will grumble and/or disable the ethernet ports that unknown MAC addresses appear on. In some areas (e.g. student labs) they do that automatically so kids can't just bring their laptop in and hop on napster at 100Mbit. Easy. Disconnect any machine, set your MAC/IP-addresses to its addresses, connect your laptop. Don't know its addresses? Just sniff around on the port for a while, but make sure you keep quiet. Holger
RE: users bypassing shaper limitation
Your method would allow someone to attach their computer to the network, certainly, but it would not allow them to bypass the traffic shaping limitations configured for that host. That is the goal of the original poster, as I understand. - jsw -Original Message- From: news [mailto:[EMAIL PROTECTED] Behalf Of Holger Lubitz Sent: Tuesday, July 03, 2001 9:08 AM To: debian-isp@lists.debian.org Subject: Re: users bypassing shaper limitation Jeff S Wheeler proclaimed: cards around. If I do not, they will grumble and/or disable the ethernet ports that unknown MAC addresses appear on. In some areas (e.g. student labs) they do that automatically so kids can't just bring their laptop in and hop on napster at 100Mbit. Easy. Disconnect any machine, set your MAC/IP-addresses to its addresses, connect your laptop. Don't know its addresses? Just sniff around on the port for a while, but make sure you keep quiet. Holger -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: users bypassing shaper limitation
On Sun, 1 Jul 2001 15:59:34 -0400, Jeff S Wheeler [EMAIL PROTECTED] wrote: I have been reading this thread and noticed no one has suggested the MAC address filtering capabilities in Linux 2.4's new ip tables subsystem. There is no requirement to run 2.4.x and iptables, nor iproute2, to accomplish the policy implementation that was specified. The administrative policy is bandwith control over a defined set of IP addresses. That policy is being circumvented with the current configuration by the whizkids. It is up to the tech to implement a solution. Beside, I'm sure I have a MAC address changer utility (or is that a feature of iproute2) that I downloaded sometime in the past. The same whizkids would use it and circumvent the policy based on MAC addresses with it ... although it would be a trickier thing to accomplish. I think I have read on some mailing list that it is quite a security issue with PPPoE and some wireless connections. Gerard MacNeil System Administrator -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
RE: users bypassing shaper limitation
You fail to understand. Drop traffic from any MAC/IP pair that isn't registered with you, thus in your traffic shaper configuration. Keeping track of MAC addresses and where they're supposed to be on your network in a campus environment is pretty standard. I work on a University campus and must notify the IT department anytime I want to add a host or move network cards around. If I do not, they will grumble and/or disable the ethernet ports that unknown MAC addresses appear on. In some areas (e.g. student labs) they do that automatically so kids can't just bring their laptop in and hop on napster at 100Mbit. - jsw -Original Message- From: Gerard MacNeil [mailto:[EMAIL PROTECTED]] Sent: Monday, July 02, 2001 5:39 AM To: [EMAIL PROTECTED] Subject: Re: users bypassing shaper limitation On Sun, 1 Jul 2001 15:59:34 -0400, Jeff S Wheeler [EMAIL PROTECTED] wrote: I have been reading this thread and noticed no one has suggested the MAC address filtering capabilities in Linux 2.4's new ip tables subsystem. There is no requirement to run 2.4.x and iptables, nor iproute2, to accomplish the policy implementation that was specified. The administrative policy is bandwith control over a defined set of IP addresses. That policy is being circumvented with the current configuration by the whizkids. It is up to the tech to implement a solution. Beside, I'm sure I have a MAC address changer utility (or is that a feature of iproute2) that I downloaded sometime in the past. The same whizkids would use it and circumvent the policy based on MAC addresses with it ... although it would be a trickier thing to accomplish. I think I have read on some mailing list that it is quite a security issue with PPPoE and some wireless connections. Gerard MacNeil System Administrator -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: users bypassing shaper limitation
On Sun, 1 Jul 2001 15:59:34 -0400, Jeff S Wheeler [EMAIL PROTECTED] wrote: I have been reading this thread and noticed no one has suggested the MAC address filtering capabilities in Linux 2.4's new ip tables subsystem. There is no requirement to run 2.4.x and iptables, nor iproute2, to accomplish the policy implementation that was specified. The administrative policy is bandwith control over a defined set of IP addresses. That policy is being circumvented with the current configuration by the whizkids. It is up to the tech to implement a solution. Beside, I'm sure I have a MAC address changer utility (or is that a feature of iproute2) that I downloaded sometime in the past. The same whizkids would use it and circumvent the policy based on MAC addresses with it ... although it would be a trickier thing to accomplish. I think I have read on some mailing list that it is quite a security issue with PPPoE and some wireless connections. Gerard MacNeil System Administrator
RE: users bypassing shaper limitation
You fail to understand. Drop traffic from any MAC/IP pair that isn't registered with you, thus in your traffic shaper configuration. Keeping track of MAC addresses and where they're supposed to be on your network in a campus environment is pretty standard. I work on a University campus and must notify the IT department anytime I want to add a host or move network cards around. If I do not, they will grumble and/or disable the ethernet ports that unknown MAC addresses appear on. In some areas (e.g. student labs) they do that automatically so kids can't just bring their laptop in and hop on napster at 100Mbit. - jsw -Original Message- From: Gerard MacNeil [mailto:[EMAIL PROTECTED] Sent: Monday, July 02, 2001 5:39 AM To: debian-isp@lists.debian.org Subject: Re: users bypassing shaper limitation On Sun, 1 Jul 2001 15:59:34 -0400, Jeff S Wheeler [EMAIL PROTECTED] wrote: I have been reading this thread and noticed no one has suggested the MAC address filtering capabilities in Linux 2.4's new ip tables subsystem. There is no requirement to run 2.4.x and iptables, nor iproute2, to accomplish the policy implementation that was specified. The administrative policy is bandwith control over a defined set of IP addresses. That policy is being circumvented with the current configuration by the whizkids. It is up to the tech to implement a solution. Beside, I'm sure I have a MAC address changer utility (or is that a feature of iproute2) that I downloaded sometime in the past. The same whizkids would use it and circumvent the policy based on MAC addresses with it ... although it would be a trickier thing to accomplish. I think I have read on some mailing list that it is quite a security issue with PPPoE and some wireless connections. Gerard MacNeil System Administrator -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: users bypassing shaper limitation
On Sat, Jun 30, 2001 at 12:07:28PM +0100, Karl E. Jorgensen wrote: On Sat, Jun 30, 2001 at 06:23:19AM +0200, Maurice Verhagen wrote: This first that pops into mind is use DHCP and give a IP-lease to the machines in your local network based on the NIC's Mac address. I guess the only way out for the bad guys is to swap the NICs from another machine to get the same effect as changing the IPs now. Nope. DHCP does not prevent people from changing their IP addresses, it merely makes it marginally more difficult. Besides, the bad guys may choose not to use DHCP - this is entirely up to the config on the client machines. but if you make dynamic firewall rules based on the leases file, blocking all outside traffic, it would be efficient enough. Sami -- - Sami Haahtinen - -[ Is it still a bug, if we have learned to live with it? ]- - 2209 3C53 D0FB 041C F7B1 F908 A9B6 F730 B83D 761C - -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: users bypassing shaper limitation
On Sun, 1 Jul 2001 14:30:33 +0300, [EMAIL PROTECTED] (Sami Haahtinen) wrote: On Sat, Jun 30, 2001 at 12:07:28PM +0100, Karl E. Jorgensen wrote: Besides, the bad guys may choose not to use DHCP - this is entirely up to the config on the client machines. but if you make dynamic firewall rules based on the leases file, blocking all outside traffic, it would be efficient enough. Yes, do routing by host /32 rather than network /24. Or you can subnet depending on your hardware configuration. Gerard MacNeil System Administrator -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
RE: users bypassing shaper limitation
I have been reading this thread and noticed no one has suggested the MAC address filtering capabilities in Linux 2.4's new ip tables subsystem. I hear there are serious problems with using 2.4.x series kernels as a firewall, though; what are they? - jsw -Original Message- From: Gerard MacNeil [mailto:[EMAIL PROTECTED]] Sent: Sunday, July 01, 2001 7:46 AM To: [EMAIL PROTECTED] Subject: Re: users bypassing shaper limitation On Sun, 1 Jul 2001 14:30:33 +0300, [EMAIL PROTECTED] (Sami Haahtinen) wrote: On Sat, Jun 30, 2001 at 12:07:28PM +0100, Karl E. Jorgensen wrote: Besides, the bad guys may choose not to use DHCP - this is entirely up to the config on the client machines. but if you make dynamic firewall rules based on the leases file, blocking all outside traffic, it would be efficient enough. Yes, do routing by host /32 rather than network /24. Or you can subnet depending on your hardware configuration. Gerard MacNeil System Administrator -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: users bypassing shaper limitation
I have been reading this thread and noticed no one has suggested the MAC address filtering capabilities in Linux 2.4's new ip tables subsystem. I hear there are serious problems with using 2.4.x series kernels as a firewall, though; what are they? I believe the 2.4.x iptable issues were resolved in 2.4.4. The problem was that allowing FTP connections through the firewall enabled a resourceful person to also create unauthorized non-FTP TCP connections which, obviously, defeats the purpose of a firewall. I haven't had a chance to play with iptables yet but your suggestion for using the MAC address sounds reasonable. Pete -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: users bypassing shaper limitation
On Sat, Jun 30, 2001 at 06:23:19AM +0200, Maurice Verhagen wrote: On Fri, 29 Jun 2001, anon wrote: my problem is that some local users are changing their own local ip numbers (like, 192.168.1.40 to 192.168.1.50) then bypassing the Traffic shaper bandwidth limitation. (that was set on 192.168.1.40) anyone know how can i prevent this ? This first that pops into mind is use DHCP and give a IP-lease to the machines in your local network based on the NIC's Mac address. I guess the only way out for the bad guys is to swap the NICs from another machine to get the same effect as changing the IPs now. Nope. DHCP does not prevent people from changing their IP addresses, it merely makes it marginally more difficult. Besides, the bad guys may choose not to use DHCP - this is entirely up to the config on the client machines. Regards, Maurice Verhagen -- Karl E. Jørgensen [EMAIL PROTECTED] www.karl.jorgensen.com Today's fortune: MSDOS didn't get as bad as it is overnight -- it took over ten years of careful development. -- [EMAIL PROTECTED] pgpHipOyF5nY7.pgp Description: PGP signature
Re: users bypassing shaper limitation
My first choice is also what the other Chris said, use a large LART on the offending [computer|user]. You can use smart switches to base the ip on pre-authorized MAC addresses. That way you are effectivly shaping based on MAC address. But in true hacker form, even that can be overcome. Some (most?) NIC's can have their MAC addresses set by software. So all some crafty luser has to do is change MAC addresses. The only sure fire way is to hard code the MAC and ip address into each port on a smart switch. That way even if they swap ethernet cables they won't be able to bypass the shaper, unless of course they know what MAC address the absconded cable goes with. :) At 12:07 PM 6/30/01 +0100, Karl E. Jorgensen wrote: On Sat, Jun 30, 2001 at 06:23:19AM +0200, Maurice Verhagen wrote: On Fri, 29 Jun 2001, anon wrote: my problem is that some local users are changing their own local ip numbers (like, 192.168.1.40 to 192.168.1.50) then bypassing the Traffic shaper bandwidth limitation. (that was set on 192.168.1.40) anyone know how can i prevent this ? This first that pops into mind is use DHCP and give a IP-lease to the machines in your local network based on the NIC's Mac address. I guess the only way out for the bad guys is to swap the NICs from another machine to get the same effect as changing the IPs now. Nope. DHCP does not prevent people from changing their IP addresses, it merely makes it marginally more difficult. Besides, the bad guys may choose not to use DHCP - this is entirely up to the config on the client machines. ---=ALL YOUR BASE ARE BELONG TO US=--- ___/`YOU HAVE NO CHANCE TO SURVIVE MAKE YOUR TIME!`\___ 0100
Re: users bypassing shaper limitation
On Sat, Jun 30, 2001 at 12:07:28PM +0100, Karl E. Jorgensen wrote: On Sat, Jun 30, 2001 at 06:23:19AM +0200, Maurice Verhagen wrote: This first that pops into mind is use DHCP and give a IP-lease to the machines in your local network based on the NIC's Mac address. I guess the only way out for the bad guys is to swap the NICs from another machine to get the same effect as changing the IPs now. Nope. DHCP does not prevent people from changing their IP addresses, it merely makes it marginally more difficult. Besides, the bad guys may choose not to use DHCP - this is entirely up to the config on the client machines. but if you make dynamic firewall rules based on the leases file, blocking all outside traffic, it would be efficient enough. Sami -- - Sami Haahtinen - -[ Is it still a bug, if we have learned to live with it? ]- - 2209 3C53 D0FB 041C F7B1 F908 A9B6 F730 B83D 761C -
Re: users bypassing shaper limitation
On Sun, 1 Jul 2001 14:30:33 +0300, [EMAIL PROTECTED] (Sami Haahtinen) wrote: On Sat, Jun 30, 2001 at 12:07:28PM +0100, Karl E. Jorgensen wrote: Besides, the bad guys may choose not to use DHCP - this is entirely up to the config on the client machines. but if you make dynamic firewall rules based on the leases file, blocking all outside traffic, it would be efficient enough. Yes, do routing by host /32 rather than network /24. Or you can subnet depending on your hardware configuration. Gerard MacNeil System Administrator
RE: users bypassing shaper limitation
I have been reading this thread and noticed no one has suggested the MAC address filtering capabilities in Linux 2.4's new ip tables subsystem. I hear there are serious problems with using 2.4.x series kernels as a firewall, though; what are they? - jsw -Original Message- From: Gerard MacNeil [mailto:[EMAIL PROTECTED] Sent: Sunday, July 01, 2001 7:46 AM To: debian-isp@lists.debian.org Subject: Re: users bypassing shaper limitation On Sun, 1 Jul 2001 14:30:33 +0300, [EMAIL PROTECTED] (Sami Haahtinen) wrote: On Sat, Jun 30, 2001 at 12:07:28PM +0100, Karl E. Jorgensen wrote: Besides, the bad guys may choose not to use DHCP - this is entirely up to the config on the client machines. but if you make dynamic firewall rules based on the leases file, blocking all outside traffic, it would be efficient enough. Yes, do routing by host /32 rather than network /24. Or you can subnet depending on your hardware configuration. Gerard MacNeil System Administrator -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: users bypassing shaper limitation
I have been reading this thread and noticed no one has suggested the MAC address filtering capabilities in Linux 2.4's new ip tables subsystem. I hear there are serious problems with using 2.4.x series kernels as a firewall, though; what are they? I believe the 2.4.x iptable issues were resolved in 2.4.4. The problem was that allowing FTP connections through the firewall enabled a resourceful person to also create unauthorized non-FTP TCP connections which, obviously, defeats the purpose of a firewall. I haven't had a chance to play with iptables yet but your suggestion for using the MAC address sounds reasonable. Pete
Re: users bypassing shaper limitation
On Fri, 29 Jun 2001, anon wrote: my problem is that some local users are changing their own local ip numbers (like, 192.168.1.40 to 192.168.1.50) then bypassing the Traffic shaper bandwidth limitation. (that was set on 192.168.1.40) anyone know how can i prevent this ? This first that pops into mind is use DHCP and give a IP-lease to the machines in your local network based on the NIC's Mac address. I guess the only way out for the bad guys is to swap the NICs from another machine to get the same effect as changing the IPs now. Regards, Maurice Verhagen
Re: users bypassing shaper limitation
If the nodes in question are plugged into a switch with managment capabilities then you could set the security of the port to only allow legal mac/ip address's. It depends on the switch. You could go to the person and whack them on the head. Which might be the easiest. Chris At 06:12 PM 6/29/2001, anon wrote: hello all, this is my first post. my problem is that some local users are changing their own local ip numbers (like, 192.168.1.40 to 192.168.1.50) then bypassing the Traffic shaper bandwidth limitation. (that was set on 192.168.1.40) anyone know how can i prevent this ? thanks in advance
Re: users bypassing shaper limitation
If the nodes in question are plugged into a switch with managment capabilities then you could set the security of the port to only allow legal mac/ip address's. It depends on the switch. You could go to the person and whack them on the head. Which might be the easiest. Chris At 06:12 PM 6/29/2001, anon wrote: hello all, this is my first post. my problem is that some local users are changing their own local ip numbers (like, 192.168.1.40 to 192.168.1.50) then bypassing the Traffic shaper bandwidth limitation. (that was set on 192.168.1.40) anyone know how can i prevent this ? thanks in advance -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
users bypassing shaper limitation
hello all, this is my first post. my problem is that some local users are changing their own local ip numbers (like, 192.168.1.40 to 192.168.1.50) then bypassing the Traffic shaper bandwidth limitation. (that was set on 192.168.1.40) anyone know how can i prevent this ? thanks in advance
