Tracking a Torrent user

DB CooperDB Cooper Member Posts: 94 ■■□□□□□□□□
My company received an email from our ISP provider, stating someone had downloaded a copy of the walking dead hardcore. It appears someone had brought in a laptop plugged into our network, connected to a torrent site and started downloading. After explaining what torrent files are and how its used to my manager, we started trying to track the user down. I question my manager about why peer to peer sharing is allowed through our firewall, his eyes glazed over so I left the subject alone.

The laptop has been removed, and hasn't been plugged in since the incident happened. They were issued an IP address, and will be released in 5 days.

If possible, how can I find out what port an IP used, but is no longer plugged into the network? I'm trying to figure out the location, then I would have a pretty good idea who the user is. Then justice will be served with with extreme prejudice. icon_twisted.gif

Thanks

Comments

  • BobMeadBobMead Member Posts: 55 ■■■□□□□□□□
    From you firewall logs you should see the ip address that contacted the torrent site. I would then look at your DHCP server and see if you can match the lease to a mac address. Then you can look through switch logs and see if you see anything for that Mac. It is a shot in the dark without logging tools.
    Press RETURN to get started

    :roll:
  • ObdurateObdurate Member Posts: 108
    I've got an idea: turn off the port and see who complains. icon_twisted.gif

    Obdurate~
  • bbarrickbbarrick Member Posts: 242 ■■■□□□□□□□
    Could you not check the ARP table in the router back to the switch it came in from then the CAM table of that switch to determine the port at the switch?
  • NetworkVeteranNetworkVeteran Member Posts: 2,338 ■■■■■■■■□□
    DB Cooper wrote: »
    I question my manager about why peer to peer sharing is allowed through our firewall, his eyes glazed over so I left the subject alone.
    I'd ask again, in business terms. "Why do we allow Kazaa and other apps, primarily used to download illegal content on our network? In less than an hour, we could plug that hole, and avoid upsetting anyone with an investigation." I'd also consider sending an e-mail out about acceptable use of the corporate network and consequences of violations--a gentle warning/nudge.

    Investigation time may be better focused into a review of your overall security policy.
    They were issued an IP address, and will be released in 5 days.
    Your DHCP binding table probably lists their MAC address, Client-Identifier, etc. If this is a company laptop, records may be kept about the details of each system. If this is not a company laptop, the OUI may help you identify if he was using an odd brand. You may be able to correlate the lease time with building access records and/or video cameras, especially if this occurred at an off-hours time. You may have some network logging. Otherwise, you should be able to trace them if they plug-in again.
  • doverdover Member Posts: 184 ■■■■□□□□□□
    After five days...good luck.

    CAM entry is going to go away within minutes - I think Cisco default 5 min.
    ARP will likely have long since timed out in a matter of hours for the router and minutes for any windows machines that may have 'spoken' to the laptop.

    Your DHCP server may still have the IP to MAC assignment - depending on your lease time. But then, the only additional information you know is the MAC address. You could determine the NIC vendor based on the OUI but that won't get you to a specific user.

    If nothing else, this incident might help you make a case for some (much needed) changes in your network

    Filter P2P
    Implement some kind of port security - even mac address sticky would have given you an interface you could track down
    NAC/NAP or some other system/user validation method before being granted network access
  • doverdover Member Posts: 184 ■■■■□□□□□□
    NetworkVeteran had excellent thoughts...was it a work issued laptop? That should be easy enough to track down under the pretext of 'mandatory laptop inventory/software update.'
  • DB CooperDB Cooper Member Posts: 94 ■■□□□□□□□□
    The computer name is HeavyD, not a standard computer name we use, so its a personal laptop.

    I described the different options for port security, but he felt it was too much of a hassle.

    We've had security issues in the past, I make recommendations that usually result in being disregarded. Whatever the result, its his choice, I move on in a military manner to my next project.
  • antielvisantielvis Member Posts: 285 ■■■□□□□□□□
    This type of situation is more common than most people want to imagine. Many companies have limited security in place to stop this from happening.

    The fact that a user is able to do this tells me this network is likely insecure. Rather than dwell on this, consider the implications of what could happen. What if someone used spear phishing as a means to acquire access to your network? Have you considered a review of your perimeter routers? Have you considered using NAP? Have you considered having a "visitor" wireless where password registration is required (allowing for audits).
  • t5yll4t5yll4 Member Posts: 54 ■■□□□□□□□□
    DB Cooper wrote: »
    The computer name is HeavyD, not a standard computer name we use, so its a personal laptop.

    I described the different options for port security, but he felt it was too much of a hassle.

    We've had security issues in the past, I make recommendations that usually result in being disregarded. Whatever the result, its his choice, I move on in a military manner to my next project.

    You manager should be fired...especially if he thinks port security is "too much of a hassle"

    That alone might have helped curb this incident in the first place.

    I'd look in to Netflow, IP acct from here on out...
    2015 Certification Goals:
    [ ] JNCDA (August), [ ] JNCIA-Junos (September), [ ] CCDA (pending), [ ] CCNP RS (tentative November)

    "Duty then is the sublimest word in the English language. You should do your duty in all things. You can never do more, you should never wish to do less."
    - Robert E. Lee
  • bbarrickbbarrick Member Posts: 242 ■■■□□□□□□□
    DB Cooper wrote: »
    The computer name is HeavyD, not a standard computer name we use, so its a personal laptop.

    I described the different options for port security, but he felt it was too much of a hassle.

    We've had security issues in the past, I make recommendations that usually result in being disregarded. Whatever the result, its his choice, I move on in a military manner to my next project.

    Look for a big...or maybe really skinny guy with a name that starts with D? Or yell "I'm looking for Heavy D!" and see who raises their hand...or runs...:)
  • DB CooperDB Cooper Member Posts: 94 ■■□□□□□□□□
    We have never had an audit in the IS Department, scary but true. My manager will not allow wifi because he thinks they will make our network vulnerable. The irony...

    I understand the risk of potential internal attacks. Our policy is to hope we don't hire anyone with desire and ability to carry out such attacks.
  • doverdover Member Posts: 184 ■■■■□□□□□□
    DB,

    Understandable...it is your job -I'm assuming- to identify and present the risks and mitigation recommendations to your managers (preferably in writing) - in business terms. It is up to them to make the right decision for their organization. All you can do is move on soldier :)

    HeavyD...ha! At least you/we got a laugh out of it.
  • DB CooperDB Cooper Member Posts: 94 ■■□□□□□□□□
    He has been found....

    I checked the time the IP was assigned, the user was issued the IP address at 1:15am. We had only one person in one of our buildings at that time. The local police department uses one of our buildings as a remote office, and the officer on duty decided to take a break and down a movie. His choice for the night, The Walking Dead Hardcore, a p*rn spoof of the tv series.

    I called the police chief, explained what we found and the name of the computer. Without looking who was working Friday night, he knew who HeavyD was.

    Thanks for all the help!
  • doverdover Member Posts: 184 ■■■■□□□□□□
    Pirate + **** on duty...from a law enforcement officer no less. Bet ol' Chief was happy to hear about that :) And who the hell wants to watch zombie pron?!

    Excellent work DB!
  • RoguetadhgRoguetadhg Member Posts: 2,489 ■■■■■■■■□□
    We had a situation when I was brand new and my boss was down here. Someone was torrenting movies and games... brought down the entire company with bandwidth usage.

    Confiscate the movie as 'evidence'
    I question my manager about why peer to peer sharing is allowed through our firewall, his eyes glazed over so I left the subject alone.
    Play the Political card. Make him understand why he should care, first. What it means to the bottom line of his job. 1) People breathing down his throat asking more questions and want to have answers.

    For example if the ISP reports the business, and blocks the internet. Execs and clients will require an answer and want a resolution.
    In order to succeed, your desire for success should be greater than your fear of failure.
    TE Threads: How to study for the CCENT/CCNA, Introduction to Cisco Exams

Sign In or Register to comment.