How about some of the free network auditing tools like nmap or even Spiceworks
to detect the devices on your network?
Martin
On Sunday, 14 October 2012, Jonathan Rogers wrote:
> Gentlemen,
>
> An issue has come up in my organization recently with rogue access points.
> So far it has manifested itse
Do the layer 2 switches include sFlow instrumentation?
http://sflow.org/products/network.php
The following paper describes how IP TTL values can help identify
unauthorized NAT devices.
http://www.sflow.org/detectNAT/
Peter
On Sun, Oct 14, 2012 at 1:59 PM, Jonathan Rogers wrote:
> Gentlemen,
>
If you are using APNIC as an RPKI trust anchor, please update your
Trust Anchor Set.
APNIC will be switching to a new RPKI 'split' trust anchor system
on the 25th of October. This change is needed to align APNIC
administered resources with their allocation hierarchy. These
resources will also be
On Sun, Oct 14, 2012 at 1:59 PM, Jonathan Rogers wrote:
> Gentlemen,
>
> An issue has come up in my organization recently with rogue access points.
> So far it has manifested itself two ways:
>
> 1. A WAP that was set up specifically to be transparent and provided
> unprotected wireless access to
On 10/14/2012 1:59 PM, Jonathan Rogers wrote:
Gentlemen,
>
> An issue has come up in my organization recently with rogue access
> points. So far it has manifested itself two ways:
>
> 1. A WAP that was set up specifically to be transparent and provided
> unprotected wireless access to our networ
On Sun, 2012-10-14 at 16:59 -0400, Jonathan Rogers wrote:
> An issue has come up in my organization recently with
> rogue access points.
No-one has said this yet, so I will - why are people working around your
normal network policies? This is often a sign of something lacking that
people need in t
--- sh.vahabza...@gmail.com wrote:
From: Shahab Vahabzadeh
It was TCP and I think it was not a DDoS attack because the traffic was not
heavy.
---
Many/most DoS attacks do not push up the traffic levels considerably.
You can see this when looking at packet per sec
SSL throughout the network, with access control enforced using certificates,
is certainly a good idea.
But most of the problem you face is metrics and inventory control of
authorized devices. Commercial WIPS gear does a lot of this heavy lifting
without your having to script it all yourself.
On M
On Oct 15, 2012, at 3:57 AM, Nick Hilliard wrote:
> If you haven't already configured CoPP on your BRASs, you might want to look
> at deploying it.
CoPP is pretty much a wash on software-based boxes; it only really helps on
hardware-based boxes. And iACLs are easier/a bigger win, anyways (thou
On Oct 15, 2012, at 2:59 AM, Shahab Vahabzadeh wrote:
> I think it acts like a worm or some attack which causes high CPU load in some
> IOS.
i.e., a DDoS attack.
You should configure iACLs at your edge so that random sources on the Internet
can't packet your routers. Hopefully, you have hardw
On 10/14/12, Jonathan Lassoff wrote:
> I've yet to see a solid methodology for detecting NATing devices,
> short of requiring 802.1x authentication using expiring keys and
> one-time passwords. :p
Or implement network access protection, with IPsec between the hosts
and the resources on the LAN;
restricting the number of MAC addresses per switch port to one for your
DHCP pool too, though more than one AP clones MAC addresses. And make it
unpopular for the usual use cases by firewalling off stuff like Dropbox,
Siri and iCloud.
there is of course commercial wips gear like this ..
http://www
On Sun, Oct 14, 2012 at 1:59 PM, Jonathan Rogers wrote:
> Gentlemen,
>
> An issue has come up in my organization recently with rogue access points.
> So far it has manifested itself two ways:
>
> 1. A WAP that was set up specifically to be transparent and provided
> unprotected wireless access to
Scan the local network from the local network.
From: Aaron C. de Bruyn [mailto:aa...@heyaaron.com]
Sent: Sunday, October 14, 2012 5:44 PM
To: Kenneth M. Chipps Ph.D.
Cc: nanog@nanog.org
Subject: Re: Detection of Rogue Access Points
On Sun, Oct 14, 2012 at 3:27 PM, Kenneth M. Chipps Ph.D.
wrote:
> Scan for devices with open port 80 as these are managed by a GUI.
>
That'd be tough if they plug the WAN port into your network and remote
access isn't enabled.
-A
Scan for devices with open port 80 as these are managed by a GUI.
-Original Message-
From: Jonathan Rogers [mailto:quantumf...@gmail.com]
Sent: Sunday, October 14, 2012 3:59 PM
To: nanog@nanog.org
Subject: Detection of Rogue Access Points
Gentlemen,
An issue has come up in my organizati
On 2012-10-14, at 14:56 PM, Matthias Waehlisch wrote:
> do you mean http://conferences.sigcomm.org/imc/2007/papers/imc122.pdf
> ?
That's the one!
On Sun, 14 Oct 2012, Lyndon Nerenberg wrote:
> There was a SIGCOMM paper a few years back that described a scheme
> based on measuring the ACK delays of TCP sessions. In a nutshell,
> you can detect nodes on the wireless network by looking for the extra
> delay added by the radio link. It
An automated solution would be something like AirDefense or AirScout with
sensors. A cheap solution would be to lock down your switches with port-based
authentication.
Dustin
Dustin Jurman
CEO
Rapid Systems Corporation
1211 N. West Shore Blvd. Suite 711
Tampa, FL 33607
Ph: 813-232-4887
http:
> I'm looking for innovative ideas on how to find such a rogue device,
> ideally as soon as it is plugged in to the network.
There was a SIGCOMM paper a few years back that described a scheme based on
measuring the ACK delays of TCP sessions. In a nutshell, you can detect
nodes on the wirele
I should probably mention that we do not have any legitimate wireless
devices at these locations. I realize that this complicates matters.
The most recent one we found was found exactly like Joe suggested; we were
looking at an ARP table for other reasons and found suspicious things
(smartphones).
--
Joe Hamelin, W7COM, Tulalip, WA, 360-474-7474
On Sun, Oct 14, 2012 at 1:59 PM, Jonathan Rogers wrote:
> Gentlemen,
>
>
> I'm looking for innovative ideas on how to find such a rogue device,
>
Check ARP tables for MAC address of wireless devices (first few nybbles
show manufacturer.) Or for
Gentlemen,
An issue has come up in my organization recently with rogue access points.
So far it has manifested itself two ways:
1. A WAP that was set up specifically to be transparent and provided
unprotected wireless access to our network.
2. A consumer-grade wireless router that was plugged in
On 14/10/2012 20:59, Shahab Vahabzadeh wrote:
> But I see abnormal CPU usage (99%) in my BRASs, which are Cisco 7206 VXR.
If you haven't already configured CoPP on your BRASs, you might want to
look at deploying it. It won't solve this sort of problem, but it will
probably help:
> http://www.cis
Hi there,
It was TCP and I think it was not a DDoS attack because the traffic was not
heavy.
But I see abnormal CPU usage (99%) in my BRASs, which are Cisco 7206 VXR.
I think it acts like a worm or some attack which causes high CPU load in
some IOS.
Thanks
On Sun, Oct 14, 2012 at 5:13 PM, Dobbins,
On Sun, Oct 14, 2012 at 5:55 PM, Rodrick Brown wrote:
> On Oct 14, 2012, at 1:42 PM, Kasper Adel wrote:
>
>> Hello,
>>
>> I have never used any CLI other than Cisco so I am curious what useful and
>> creative knobs and bolts are available for other network appliance vendors.
>
> Eh??
>
>>
>> I gu
On Oct 14, 2012, at 1:42 PM, Kasper Adel wrote:
> Hello,
>
> I have never used any CLI other than Cisco so I am curious what useful and
> creative knobs and bolts are available for other network appliance vendors.
Eh??
>
> I guess what makes the *NIX CLI/shell so superior is that you can do advanced
>
Hello,
I have never used any CLI other than Cisco so I am curious what useful and
creative knobs and bolts are available for other network appliance vendors.
I guess what makes the *NIX CLI/shell so superior is that you can do advanced
stuff from the CLI using sed, awk and all the great tools there so m
On Friday 12 October 2012 00:01:18 shawn wilson wrote:
> In the past, I've done many different things to create entropy:
> encode videos, watch YouTube, tcpdump -vvv > /dev/null, compiled a
> kernel. But what is best? Just whatever gets your CPU to peak, or are
> some tasks better than others?
Ha
RIPE Labs had an interesting article about filtering of /48 prefixes earlier
this year that might be of some interest to you:
https://labs.ripe.net/Members/emileaben/ripe-atlas-a-case-study-of-ipv6-48-filtering
There's also a useful RIPE Labs article on general prefix filtering lengths
from Aug
On Oct 14, 2012, at 4:48 PM, Shahab Vahabzadeh wrote:
> Does anybody know what kind of attack can come to port 0?
If it's protocol 0, instead of port 0, it's likely a packet-flooding DDoS
attack.
If it's port 0, you may be incorrectly blocking non-initial fragments.
Alternately, it could
Hi,
When you let OpenSSH use the egd protocol directly it will get its entropy from
an egd daemon. Otherwise it uses /dev/random. When you use ekeyd-egd-linux then
you feed the entropy from the egd daemon to the pool used for /dev/random. That
way you are not completely dependent on the egd dae
Hi everybody,
Does anybody know what kind of attack can come to port 0? I see such
logs in my routers which make high CPU loads:
MYROUTERIP:0
*41.78.77.178:2816*
MYROUTERIP:0
*217.160.5.153:2816*
Thanks
--
Regards,
Shahab Vahabzadeh, Network Engineer and System Administrator
Cell Phone:
* John Levine:
> Are there DNS caches that allow you to partition the cache for
> subtrees of DNS names? That is, you can say that all entries from
> say, in-addr.arpa, are limited to 20% of the cache.
You can build something like that using forwarders and most DNS
caches. But it won't result i