Date: Fri, 24 Mar 2006 00:07:57 -0800 (PST)
From: Mark Jayson Alvarez <jay2xra@yahoo.com>
To: Erik "Nørgaard" <norgaard@locolomo.org>
Cc: questions@freebsd.org
Subject: Re: How do you keep users from stealing other user's ip??
Message-ID: <20060324080757.50004.qmail@web51606.mail.yahoo.com>
In-Reply-To: <4423A23E.4010700@locolomo.org>
Hi,

OK, here are our problems. They mostly pertain to tracking down which user is eating up our bandwidth or which user is flooding our network.

1. When users want to plug a machine into the network, let's say their own testbeds, they will choose whatever IP they want, possibly stealing used IPs.

2. Users' workstations are a mix of Windows and *nixes. Most Windows machines get infected with worms from time to time... Some of the users are not skillful enough to clean their own workstations. Given unmanaged IP allocation, it would also be hard to trace which machines are causing the network congestion.

3. Some users with public workstations and testbeds are eating up bandwidth through file sharing... Still hard to trace this without proper IP allocation management.

Erik Nørgaard <norgaard@locolomo.org> wrote:

I once set up such a solution in a student house with about 120 users. People had their own private PCs, so we couldn't just take away their admin rights on their own PC.

Now, questions to ask:

- Are all users legitimate users? Do users have friends coming in and connecting to the network? Is it wired, or do you have neighbors trying to use the net also?
- What is the benefit of stealing another user's IP? Do you have limitations on access such as download? Is it to hide behind another user?

In our case we had a wired network, so all users were legitimate users, but we had a limitation on download, so some users would try to use their neighbor's IP to get more quota.

What we did was:

1) Static IP assigned with DHCP: people wouldn't need to learn to configure their computer.
2) Static ARP table on the router: to spoof, one would have to spoof the MAC address.
3) Require registration of all hosts owned by the user: to hold users accountable for their hosts.
4) Count traffic per host, up and download; this was done with ipfilter.
5) Make current usage visible: the users could always check their quota and knew when they hit the limit. That way they didn't get surprised and annoyed.

This actually worked fine. It was sufficiently complicated to spoof that people wouldn't bother.

A different and possibly better way around this would be to limit bandwidth for ports higher than 1023; this is where most file sharing takes place. You can do that with packet filter. I still haven't figured out how to effectively implement traffic quotas on packet filter, as accounting is not so easy.

If your concerns are people trying to hide behind others' identity, or unauthorized access such as if you have a wireless LAN, then there are two good options:

1) Use authpf with packet filter. This requires the user to authenticate with the firewall to get access. No proxy needed.
2) Let each client establish a VPN to the router; this has the advantage of also encrypting traffic if you have a wireless or non-switched network.

Cheers, Erik

--
Ph: +34.666334818
web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F06.crt
Subject ID: 9E:AA:18:E6:94:7A:91:44:0A:E4:DD:87:73:7F:4E:82:E7:08:9C:72
Fingerprint: 5B:D5:1E:3E:47:E7:EC:1C:4C:C8:3A:19:CC:AE:14:F5:DF:18:0F:B9
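Steps 1 to 3 of the scheme Erik describes (host registration, static DHCP reservations, static ARP table), worked through as an added example that is not part of this thread: a POSIX sh script that validates a per-user host registration list, rejects duplicate IPs or MACs, and emits ISC dhcpd host reservations plus a table for FreeBSD's arp -f. The registration list format, the host names and addresses, and the use of ISC dhcpd are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: turn a per-user host registration list
# (assumed format, one host per line: user hostname mac ip) into the static DHCP
# reservations and static ARP table Erik describes, refusing duplicate addresses.
# Constructed sample registration list.
REGISTRATIONS='alice alice-pc 00:11:22:33:44:01 192.168.1.11
bob bob-laptop 00:11:22:33:44:02 192.168.1.12
bob bob-test 00:11:22:33:44:03 192.168.1.13'
# True if $1 is a lowercase colon-separated MAC such as 00:11:22:33:44:01.
valid_mac() {
    [ "${#1}" -eq 17 ] || return 1
    set -- $(printf '%s' "$1" | tr ':' ' ')
    [ $# -eq 6 ] || return 1
    for octet; do
        case $octet in [0-9a-f][0-9a-f]) ;; *) return 1 ;; esac
    done
}
# Validate the list: a malformed MAC, duplicate MAC or duplicate IP is an error
# (reported on stderr); returns 0 only when the list is clean.
check_registrations() {
    rc=0; seen=""
    while read -r user host mac ip; do
        [ -n "$user" ] || continue
        valid_mac "$mac" || { echo "bad mac for $host: $mac" >&2; rc=1; }
        case " $seen " in *" mac=$mac "*) echo "duplicate mac $mac ($host)" >&2; rc=1 ;; esac
        case " $seen " in *" ip=$ip "*) echo "duplicate ip $ip ($host)" >&2; rc=1 ;; esac
        seen="$seen mac=$mac ip=$ip"
    done <<EOF
$1
EOF
    return $rc
}
# Step 1: ISC dhcpd host reservations, so a registered MAC always gets its own IP.
dhcpd_hosts() {
    printf '%s\n' "$1" | while read -r user host mac ip; do
        [ -n "$user" ] || continue
        printf 'host %s { # owner: %s\n  hardware ethernet %s;\n  fixed-address %s;\n}\n' \
            "$host" "$user" "$mac" "$ip"
    done
}
# Step 2: static ARP entries in the "hostname ether_addr" form that FreeBSD's
# arp -f loads; taking another IP then also requires forging that IP's MAC.
arp_table() {
    printf '%s\n' "$1" | while read -r user host mac ip; do
        [ -n "$user" ] || continue
        printf '%s %s\n' "$ip" "$mac"
    done
}
check_registrations "$REGISTRATIONS" && { dhcpd_hosts "$REGISTRATIONS"; arp_table "$REGISTRATIONS"; }
```

Load the ARP table on the router with arp -f and include the host blocks in dhcpd.conf; a duplicate or malformed registration is reported on stderr and nothing is generated.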