
Tracking a Torrent user

DB Cooper Member Posts: 94
My company received an email from our ISP, stating someone had downloaded a copy of The Walking Dead Hardcore. It appears someone had brought in a laptop, plugged it into our network, connected to a torrent site and started downloading. After explaining what torrent files are and how they're used to my manager, we started trying to track the user down. I questioned my manager about why peer-to-peer sharing is allowed through our firewall; his eyes glazed over, so I left the subject alone.

The laptop has been removed and hasn't been plugged in since the incident happened. They were issued an IP address, which will be released in 5 days.

If possible, how can I find out what port an IP used when the device is no longer plugged into the network? I'm trying to figure out the location; then I would have a pretty good idea who the user is. Then justice will be served with extreme prejudice.

Thanks

Comments

  • BobMead Member Posts: 55
    From your firewall logs you should see the IP address that contacted the torrent site. I would then look at your DHCP server and see if you can match the lease to a MAC address. Then you can look through switch logs and see if you see anything for that MAC. It is a shot in the dark without logging tools.
    Press RETURN to get started
  • Obdurate Member Posts: 108
    I've got an idea: turn off the port and see who complains.

    Obdurate~
  • bbarrick Member Posts: 242
    Could you not check the ARP table in the router back to the switch it came in from then the CAM table of that switch to determine the port at the switch?
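The trail BobMead and bbarrick describe (firewall log gives the internal IP, the DHCP lease ties the IP to a MAC, the switch's MAC/CAM table ties the MAC to a port) is mechanical enough to script. The following is an added example, not code from the thread: it parses three constructed inputs (a firewall log, a DHCP lease dump and Cisco-style `show mac address-table` output) and walks IP to MAC to port. The log format, the lease dump format and the list of tracker ports used to pick out lines of interest are all assumptions.

```python
import re

# --- Constructed sample inputs (not from the thread) ------------------------
# Outbound firewall log: timestamp, action, protocol, internal src -> external dst.
FIREWALL_LOG = """\
2015-06-12 01:16:03 ALLOW TCP 10.20.4.87:51413 -> 198.51.100.23:6881
2015-06-12 01:16:04 ALLOW TCP 10.20.4.12:52110 -> 203.0.113.5:443
2015-06-12 01:16:09 ALLOW UDP 10.20.4.87:51413 -> 198.51.100.77:6969
2015-06-12 01:17:41 ALLOW TCP 10.20.4.87:51413 -> 192.0.2.200:6882
"""

# DHCP lease dump: ip, mac, lease start, lease end, client hostname.
DHCP_LEASES = """\
10.20.4.12 00:1b:21:aa:bb:01 2015-06-11T08:02:11 2015-06-16T08:02:11 ACCT-PC-07
10.20.4.87 3c:97:0e:12:34:56 2015-06-12T01:15:02 2015-06-17T01:15:02 HeavyD
"""

# Cisco-style `show mac address-table` output (MACs in dotted-quad notation).
MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  40    001b.21aa.bb01    DYNAMIC     Gi1/0/7
  40    3c97.0e12.3456    DYNAMIC     Gi1/0/23
"""

# Assumption: destination ports commonly used by BitTorrent trackers/peers,
# used only to select the firewall-log lines worth following up.
TORRENT_PORTS = set(range(6881, 6890)) | {6969}

FLOW_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \S+ \S+ (?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)


def normalize_mac(mac):
    """Return any common MAC notation (colon, dash, dotted-quad) as aa:bb:cc:dd:ee:ff."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError("bad MAC: %r" % mac)
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def suspect_ips(log, ports=TORRENT_PORTS):
    """Internal sources that talked to any of the given destination ports -> first sighting."""
    hits = {}
    for line in log.splitlines():
        m = FLOW_RE.match(line)
        if m and int(m.group("dport")) in ports:
            hits.setdefault(m.group("src"), m.group("ts"))
    return hits


def parse_leases(text):
    """Map IP -> lease details from the constructed lease dump format."""
    leases = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, mac, start, end, host = line.split()
        leases[ip] = {"mac": normalize_mac(mac), "start": start, "end": end, "host": host}
    return leases


def parse_mac_table(text):
    """Map normalized MAC -> switch port from `show mac address-table` output."""
    ports = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and re.fullmatch(r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}", parts[1]):
            ports[normalize_mac(parts[1])] = parts[3]
    return ports


def trace(log, leases_text, mac_table_text):
    """Walk IP -> MAC -> port for each suspect IP; fields are None where the trail ends
    (e.g. the CAM entry has aged out), which is the case the thread is worried about."""
    leases = parse_leases(leases_text)
    table = parse_mac_table(mac_table_text)
    results = []
    for ip, first_seen in sorted(suspect_ips(log).items()):
        lease = leases.get(ip)
        mac = lease["mac"] if lease else None
        results.append({
            "ip": ip,
            "first_seen": first_seen,
            "mac": mac,
            "host": lease["host"] if lease else None,
            "lease_start": lease["start"] if lease else None,
            "port": table.get(mac) if mac else None,
        })
    return results


if __name__ == "__main__":
    for r in trace(FIREWALL_LOG, DHCP_LEASES, MAC_TABLE):
        print(r)
```

Run it against real exports by replacing the three constructed strings; the MAC-table parser only needs the "vlan mac type port" column layout, and `normalize_mac` absorbs the notation differences between DHCP servers (colons) and Cisco switches (dotted quads). The `port` field comes back `None` once the switch has aged the entry out, which is why dover's point below about timing matters.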
  • NetworkVeteran Member Posts: 2,338
    DB Cooper wrote: »
    I question my manager about why peer to peer sharing is allowed through our firewall, his eyes glazed over so I left the subject alone.
    I'd ask again, in business terms. "Why do we allow Kazaa and other apps, primarily used to download illegal content on our network? In less than an hour, we could plug that hole, and avoid upsetting anyone with an investigation." I'd also consider sending an e-mail out about acceptable use of the corporate network and consequences of violations--a gentle warning/nudge.

    Investigation time may be better focused into a review of your overall security policy.
    They were issued an IP address, and will be released in 5 days.
    Your DHCP binding table probably lists their MAC address, Client-Identifier, etc. If this is a company laptop, records may be kept about the details of each system. If this is not a company laptop, the OUI may help you identify if he was using an odd brand. You may be able to correlate the lease time with building access records and/or video cameras, especially if this occurred at an off-hours time. You may have some network logging. Otherwise, you should be able to trace them if they plug in again.
  • dover Member Posts: 184
    After five days...good luck.

    The CAM entry is going to go away within minutes - I think the Cisco default is 5 min.
    ARP will likely have long since timed out: in a matter of hours for the router and minutes for any Windows machines that may have 'spoken' to the laptop.

    Your DHCP server may still have the IP to MAC assignment - depending on your lease time. But then, the only additional information you know is the MAC address. You could determine the NIC vendor based on the OUI but that won't get you to a specific user.

    If nothing else, this incident might help you make a case for some (much needed) changes in your network:

    Filter P2P
    Implement some kind of port security - even mac address sticky would have given you an interface you could track down
    NAC/NAP or some other system/user validation method before being granted network access
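Once the CAM and ARP entries have aged out, NetworkVeteran's and dover's posts leave the DHCP binding as the only artifact: a MAC, a client-id, a hostname and a lease timestamp. This added example (not from the thread) shows what can still be squeezed out of that: an OUI prefix lookup, a check against a corporate asset register to decide whether the device is managed, and correlation of the lease start time with badge-access records for the same window, which is exactly the off-hours correlation NetworkVeteran suggests. The binding, the OUI table (vendor names are placeholders; a real lookup uses the IEEE registry), the asset register and the badge records are all constructed.

```python
from datetime import datetime, timedelta

# Constructed DHCP binding, in the shape the thread describes.
DHCP_BINDING = {
    "ip": "10.20.4.87",
    "mac": "3c:97:0e:12:34:56",
    "client_id": "01:3c:97:0e:12:34:56",
    "lease_start": "2015-06-12T01:15:02",
    "hostname": "HeavyD",
}

# Constructed, partial OUI table keyed by the first three octets. Vendor names
# are placeholders; in practice this comes from the IEEE OUI registry.
OUI_TABLE = {
    "00:1b:21": "placeholder-vendor-A",
    "3c:97:0e": "placeholder-vendor-B",
}

# Constructed asset register: MACs of company-issued machines. A personal
# laptop will not be here, which is itself a useful finding.
ASSET_REGISTER = {
    "00:1b:21:aa:bb:01": "ACCT-PC-07 (corporate)",
}

# Constructed badge records: (badge id, building, entered, left).
BADGE_RECORDS = [
    ("badge-0118", "HQ",    "2015-06-11T07:55:00", "2015-06-11T17:10:00"),
    ("badge-1042", "Annex", "2015-06-11T22:58:00", "2015-06-12T07:03:00"),
    ("badge-0207", "Annex", "2015-06-12T08:31:00", "2015-06-12T16:45:00"),
]


def oui_vendor(mac, table=OUI_TABLE):
    """Vendor for the MAC's OUI prefix, or 'unknown' if the prefix is not in the table."""
    return table.get(mac.lower()[:8], "unknown")


def classify_device(mac, register=ASSET_REGISTER):
    """'corporate' if the MAC is in the asset register, otherwise 'unmanaged'."""
    return "corporate" if mac.lower() in register else "unmanaged"


def present_during(records, when, slack=timedelta(minutes=10)):
    """Badges whose in/out interval, widened by `slack` on both sides, covers `when`.
    The slack absorbs clock skew between the DHCP server and the badge system."""
    t = datetime.fromisoformat(when)
    return [
        (badge, building)
        for badge, building, entered, left in records
        if datetime.fromisoformat(entered) - slack <= t <= datetime.fromisoformat(left) + slack
    ]


def investigate(binding, records=BADGE_RECORDS):
    """Everything a DHCP binding still tells you after the switch tables have aged out."""
    mac = binding["mac"]
    return {
        "hostname": binding["hostname"],
        "device": classify_device(mac),
        "vendor": oui_vendor(mac),
        "lease_start": binding["lease_start"],
        "present": present_during(records, binding["lease_start"]),
    }


if __name__ == "__main__":
    print(investigate(DHCP_BINDING))
```

The `present` list is the lead to follow: a single badge in the building at 01:15 narrows the search far more than the OUI does, and the `unmanaged` classification confirms the device is not one of yours, which is the argument for port security or NAC rather than for more forensics.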
  • dover Member Posts: 184
    NetworkVeteran had excellent thoughts...was it a work issued laptop? That should be easy enough to track down under the pretext of 'mandatory laptop inventory/software update.'
  • DB Cooper Member Posts: 94
    The computer name is HeavyD, not a standard computer name we use, so it's a personal laptop.

    I described the different options for port security, but he felt it was too much of a hassle.

    We've had security issues in the past; I make recommendations that are usually disregarded. Whatever the result, it's his choice. I move on in a military manner to my next project.
  • antielvis Member Posts: 285
    This type of situation is more common than most people want to imagine. Many companies have limited security in place to stop this from happening.

    The fact that a user is able to do this tells me this network is likely insecure. Rather than dwell on this, consider the implications of what could happen. What if someone used spear phishing as a means to acquire access to your network? Have you considered a review of your perimeter routers? Have you considered using NAP? Have you considered having a "visitor" wireless where password registration is required (allowing for audits)?
  • t5yll4 Member Posts: 54
    DB Cooper wrote: »
    The computer name is HeavyD, not a standard computer name we use, so it's a personal laptop.

    I described the different options for port security, but he felt it was too much of a hassle.

    We've had security issues in the past; I make recommendations that are usually disregarded. Whatever the result, it's his choice. I move on in a military manner to my next project.

    Your manager should be fired...especially if he thinks port security is "too much of a hassle".

    That alone might have helped curb this incident in the first place.

    I'd look into NetFlow, IP accounting from here on out...
    2015 Certification Goals:
    [ ] JNCDA (August), [ ] JNCIA-Junos (September), [ ] CCDA (pending), [ ] CCNP RS (tentative November)

    "Duty then is the sublimest word in the English language. You should do your duty in all things. You can never do more, you should never wish to do less."
    - Robert E. Lee
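t5yll4's suggestion of NetFlow/IP accounting is the one change that would have caught this while it was happening rather than five days later. This added example (not from the thread) shows the detection logic a practitioner would run over flow records: a browser talks to a handful of external hosts on 80/443, while a torrent client talks to a whole swarm of peers on ports above 1023, in both directions. The flow records, the internal prefix and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: the corporate address space.
INTERNAL = ip_network("10.20.0.0/16")

# Constructed NetFlow-style records: (src, sport, dst, dport, proto, bytes).
# 10.20.4.12 is ordinary HTTPS browsing; 10.20.4.87 is talking to a swarm,
# including one flow initiated from outside to its listening port.
FLOWS = [
    ("10.20.4.12",    52110, "203.0.113.5",    443,   "TCP", 240_000),
    ("10.20.4.12",    52111, "203.0.113.9",    443,   "TCP", 18_000),
    ("10.20.4.87",    51413, "198.51.100.23",  6881,  "TCP", 3_200_000),
    ("10.20.4.87",    51413, "198.51.100.77",  6969,  "UDP", 900),
    ("10.20.4.87",    51413, "192.0.2.200",    6882,  "TCP", 1_800_000),
    ("10.20.4.87",    51413, "192.0.2.17",     51413, "TCP", 2_500_000),
    ("10.20.4.87",    51413, "198.51.100.140", 49152, "TCP", 4_100_000),
    ("10.20.4.87",    51413, "203.0.113.88",   38011, "UDP", 600_000),
    ("198.51.100.9",  40111, "10.20.4.87",     51413, "TCP", 2_000_000),
]


def summarize(flows, internal=INTERNAL):
    """Per internal host: distinct external peers, share of flows on ports >= 1024, total bytes."""
    peers = defaultdict(set)
    total = defaultdict(int)
    high = defaultdict(int)
    nbytes = defaultdict(int)
    for src, sport, dst, dport, proto, size in flows:
        s, d = ip_address(src), ip_address(dst)
        if s in internal and d not in internal:
            host, peer, port = src, dst, dport        # outbound: look at the remote port
        elif d in internal and s not in internal:
            host, peer, port = dst, src, sport        # inbound: the remote source port
        else:
            continue                                  # internal-only or transit traffic
        peers[host].add(peer)
        total[host] += 1
        nbytes[host] += size
        if port >= 1024:
            high[host] += 1
    return {
        host: {
            "peers": len(peers[host]),
            "high_port_share": high[host] / total[host],
            "bytes": nbytes[host],
        }
        for host in total
    }


def p2p_suspects(flows, min_peers=5, min_high_port_share=0.6):
    """Hosts that look like swarm members: many peers, mostly on non-well-known ports."""
    return {
        host: stats
        for host, stats in summarize(flows).items()
        if stats["peers"] >= min_peers and stats["high_port_share"] >= min_high_port_share
    }


if __name__ == "__main__":
    for host, stats in p2p_suspects(FLOWS).items():
        print(host, stats)
```

The peer-count and high-port thresholds are deliberately loose; tune `min_peers` against a baseline of your own NetFlow exports, and count inbound flows as well, because a client accepting connections on its listening port is the clearest sign of a swarm member. Pairing the alert timestamp with the DHCP lease gives you the MAC while the switch's CAM entry is still live.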
  • bbarrick Member Posts: 242
    DB Cooper wrote: »
    The computer name is HeavyD, not a standard computer name we use, so it's a personal laptop.

    I described the different options for port security, but he felt it was too much of a hassle.

    We've had security issues in the past; I make recommendations that are usually disregarded. Whatever the result, it's his choice. I move on in a military manner to my next project.

    Look for a big...or maybe really skinny guy with a name that starts with D? Or yell "I'm looking for Heavy D!" and see who raises their hand...or runs...:)
  • DB Cooper Member Posts: 94
    We have never had an audit in the IS Department, scary but true. My manager will not allow Wi-Fi because he thinks it will make our network vulnerable. The irony...

    I understand the risk of potential internal attacks. Our policy is to hope we don't hire anyone with desire and ability to carry out such attacks.
  • dover Member Posts: 184
    DB,

    Understandable...it is your job (I'm assuming) to identify and present the risks and mitigation recommendations to your managers (preferably in writing) in business terms. It is up to them to make the right decision for their organization. All you can do is move on, soldier :)

    HeavyD...ha! At least you/we got a laugh out of it.
  • DB Cooper Member Posts: 94
    He has been found....

    I checked the time the IP was assigned: the user was issued the IP address at 1:15am. We had only one person in one of our buildings at that time. The local police department uses one of our buildings as a remote office, and the officer on duty decided to take a break and download a movie. His choice for the night, The Walking Dead Hardcore, a p*rn spoof of the TV series.

    I called the police chief, explained what we found and the name of the computer. Without looking who was working Friday night, he knew who HeavyD was.

    Thanks for all the help!
  • dover Member Posts: 184
    Pirate + **** on duty...from a law enforcement officer no less. Bet ol' Chief was happy to hear about that :) And who the hell wants to watch zombie pron?!

    Excellent work DB!
  • Roguetadhg Member Posts: 2,489
    We had a situation when I was brand new and my boss was down here. Someone was torrenting movies and games... brought down the entire company with bandwidth usage.

    Confiscate the movie as 'evidence'
    I question my manager about why peer to peer sharing is allowed through our firewall, his eyes glazed over so I left the subject alone.
    Play the political card. Make him understand why he should care, first. What it means to the bottom line of his job. 1) People breathing down his throat, asking more questions and wanting answers.

    For example, if the ISP reports the business and blocks the internet, execs and clients will require an answer and want a resolution.
    In order to succeed, your desire for success should be greater than your fear of failure.
    TE Threads: How to study for the CCENT/CCNA, Introduction to Cisco Exams
