Tracking a Torrent user
DB Cooper
Member Posts: 94 ■■□□□□□□□□
in CCNA & CCENT
My company received an email from our ISP, stating someone had downloaded a copy of The Walking Dead Hardcore. It appears someone had brought in a laptop, plugged it into our network, connected to a torrent site and started downloading. After explaining what torrent files are and how they're used to my manager, we started trying to track the user down. I questioned my manager about why peer-to-peer sharing is allowed through our firewall; his eyes glazed over, so I left the subject alone.
The laptop has been removed, and hasn't been plugged in since the incident happened. It was issued an IP address, which will be released in 5 days.
If possible, how can I find out what port an IP used when it is no longer plugged into the network? I'm trying to figure out the location; then I would have a pretty good idea who the user is. Then justice will be served with extreme prejudice.
Thanks
Comments
BobMead Member Posts: 55 ■■■□□□□□□□
From your firewall logs you should see the IP address that contacted the torrent site. I would then look at your DHCP server and see if you can match the lease to a MAC address. Then you can look through switch logs and see if you see anything for that MAC. It is a shot in the dark without logging tools.
Press RETURN to get started
bbarrick Member Posts: 242 ■■■□□□□□□□
Could you not check the ARP table in the router back to the switch it came in from, then the CAM table of that switch to determine the port at the switch?
NetworkVeteran Member Posts: 2,338 ■■■■■■■■□□
> I questioned my manager about why peer-to-peer sharing is allowed through our firewall; his eyes glazed over, so I left the subject alone.
Investigation time may be better focused on a review of your overall security policy.
> It was issued an IP address, which will be released in 5 days.
dover Member Posts: 184 ■■■■□□□□□□
After five days...good luck.
The CAM entry is going to go away within minutes - I think the Cisco default is 5 min.
ARP will likely have long since timed out: a matter of hours for the router, and minutes for any Windows machines that may have 'spoken' to the laptop.
Your DHCP server may still have the IP-to-MAC assignment, depending on your lease time. But then the only additional information you know is the MAC address. You could determine the NIC vendor based on the OUI, but that won't get you to a specific user.
If nothing else, this incident might help you make a case for some (much needed) changes in your network:
- Filter P2P
- Implement some kind of port security - even MAC address sticky would have given you an interface you could track down
- NAC/NAP or some other system/user validation method before being granted network access
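As an added example (not code from this thread or any of its posters), here is the evidence chain BobMead, bbarrick and dover describe (firewall log -> DHCP lease -> MAC -> CAM table -> switch port) written as a small Python script run over constructed sample data: a syslog-style firewall log in a hypothetical format, an ISC dhcpd leases excerpt, and Cisco `show mac address-table` output. The addresses, MACs, hostname and timestamps are all made up. It also applies dover's caveats: it checks that the lease window actually covers the time of the firewall hit (the lease start time is what eventually identified the user in this thread), and when the CAM entry has already aged out it reports that the trail ends at a MAC and a lease time rather than at a port.

```python
"""Firewall hit -> DHCP lease -> MAC -> switch port, over constructed sample data."""
import re
from datetime import datetime

# ---- Constructed sample inputs (not real logs; the firewall log format is hypothetical) ----
FIREWALL_LOG = """\
Mar 21 01:17:02 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.20.30.77 DST=198.51.100.25 PROTO=TCP SPT=51234 DPT=6881
Mar 21 01:17:05 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.20.30.12 DST=203.0.113.9 PROTO=TCP SPT=40001 DPT=443
Mar 21 01:18:40 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.20.30.77 DST=192.0.2.200 PROTO=UDP SPT=51234 DPT=6881
"""

# ISC dhcpd.leases excerpt (constructed); timestamps in that file are UTC
DHCP_LEASES = """\
lease 10.20.30.77 {
  starts 6 2015/03/21 01:15:12;
  ends 4 2015/03/26 01:15:12;
  hardware ethernet 00:1a:2b:3c:4d:5e;
  client-hostname "HeavyD";
}
lease 10.20.30.12 {
  starts 5 2015/03/20 08:02:00;
  ends 3 2015/03/25 08:02:00;
  hardware ethernet 00:1a:2b:aa:bb:cc;
  client-hostname "WS-ACCT-04";
}
"""

# `show mac address-table` from a Cisco access switch (constructed)
CAM_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  30    001a.2b3c.4d5e    DYNAMIC     Gi1/0/14
  30    001a.2baa.bbcc    DYNAMIC     Gi1/0/3
"""

BITTORRENT_PORTS = range(6881, 6890)  # classic default client range; modern clients often randomise

LOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*SRC=(?P<src>\S+) .*DPT=(?P<dpt>\d+)")
LEASE_RE = re.compile(r"lease (?P<ip>\S+) \{(?P<body>.*?)\}", re.S)
CAM_RE = re.compile(r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(?P<port>\S+)", re.I)


def normalize_mac(mac):
    """Canonicalise 001a.2b3c.4d5e / 00-1A-2B-3C-4D-5E / 00:1a:... to 00:1a:2b:3c:4d:5e."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def torrent_suspects(log, year=2015):
    """Internal source IPs that connected to the BitTorrent port range -> time of first such hit."""
    seen = {}
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if m and int(m["dpt"]) in BITTORRENT_PORTS:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # syslog lines carry no year
            seen.setdefault(m["src"], ts)
    return seen


def _field(body, name):
    m = re.search(rf"{name} (.*?);", body)
    return m.group(1) if m else None


def parse_leases(text):
    """ip -> {mac, host, starts, ends}; a later entry for the same IP supersedes an earlier one."""
    leases = {}
    for m in LEASE_RE.finditer(text):
        body = m["body"]
        leases[m["ip"]] = {
            "mac": normalize_mac(_field(body, "hardware ethernet")),
            "host": (_field(body, "client-hostname") or "").strip('"'),
            # "starts 6 2015/03/21 01:15:12" -> drop the weekday number, parse the rest
            "starts": datetime.strptime(_field(body, "starts").split(" ", 1)[1], "%Y/%m/%d %H:%M:%S"),
            "ends": datetime.strptime(_field(body, "ends").split(" ", 1)[1], "%Y/%m/%d %H:%M:%S"),
        }
    return leases


def parse_cam(text):
    """mac -> (vlan, port) from `show mac address-table` output."""
    rows = (CAM_RE.match(line) for line in text.splitlines())
    return {normalize_mac(m["mac"]): (int(m["vlan"]), m["port"]) for m in rows if m}


def trace(ip, log, leases_text, cam_text, year=2015):
    """Follow one IP down the chain and report how far the surviving evidence reaches."""
    hits = torrent_suspects(log, year)
    lease = parse_leases(leases_text).get(ip)
    r = {"ip": ip, "first_hit": hits.get(ip), "mac": None, "host": None, "port": None, "notes": []}
    if ip not in hits:
        r["notes"].append("no BitTorrent-range connections logged for this IP")
    if lease is None:
        r["notes"].append("no DHCP lease on record (expired, reassigned or never logged)")
        return r
    r["mac"], r["host"] = lease["mac"], lease["host"]
    # The lease must cover the moment of the hit, otherwise the address may have belonged to someone else.
    if r["first_hit"] and not (lease["starts"] <= r["first_hit"] <= lease["ends"]):
        r["notes"].append("lease window does not cover the firewall hit; IP may have been reassigned")
    entry = parse_cam(cam_text).get(lease["mac"])
    if entry is None:
        r["notes"].append("MAC absent from CAM table (aged out); trail ends at MAC + lease time")
    else:
        r["vlan"], r["port"] = entry
    return r


if __name__ == "__main__":
    for ip in torrent_suspects(FIREWALL_LOG):
        print(trace(ip, FIREWALL_LOG, DHCP_LEASES, CAM_TABLE))  # CAM entry still fresh
        print(trace(ip, FIREWALL_LOG, DHCP_LEASES, ""))         # same MAC after the entry has aged out
```

Run the file directly to see both outcomes: with a fresh CAM table the suspect resolves to Gi1/0/14 in VLAN 30; with the entry aged out, only the MAC, the hostname from the lease and the lease start time remain, which is the position dover describes. In real use the inputs are the firewall's syslog, the DHCP server's leases file or audit log, and `show mac address-table` on each access switch, and the first three octets of the recovered MAC can be looked up in the IEEE OUI registry for the NIC vendor. Matching on the 6881-6889 port range is only a heuristic; a NetFlow collector with a P2P classifier or a firewall with application identification is what makes the first step reliable.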
dover Member Posts: 184 ■■■■□□□□□□
NetworkVeteran had excellent thoughts...was it a work-issued laptop? That should be easy enough to track down under the pretext of 'mandatory laptop inventory/software update.'
DB Cooper Member Posts: 94 ■■□□□□□□□□
The computer name is HeavyD, not a standard computer name we use, so it's a personal laptop.
I described the different options for port security, but he felt it was too much of a hassle.
We've had security issues in the past; I make recommendations that usually result in being disregarded. Whatever the result, it's his choice; I move on in a military manner to my next project.
antielvis Member Posts: 285 ■■■□□□□□□□
This type of situation is more common than most people want to imagine. Many companies have limited security in place to stop this from happening.
The fact that a user is able to do this tells me this network is likely insecure. Rather than dwell on this, consider the implications of what could happen. What if someone used spear phishing as a means to acquire access to your network? Have you considered a review of your perimeter routers? Have you considered using NAP? Have you considered having a "visitor" wireless where password registration is required (allowing for audits)?
t5yll4 Member Posts: 54 ■■□□□□□□□□
> The computer name is HeavyD, not a standard computer name we use, so it's a personal laptop.
> I described the different options for port security, but he felt it was too much of a hassle.
> We've had security issues in the past; I make recommendations that usually result in being disregarded. Whatever the result, it's his choice; I move on in a military manner to my next project.
Your manager should be fired...especially if he thinks port security is "too much of a hassle".
That alone might have helped curb this incident in the first place.
I'd look into NetFlow and IP accounting from here on out...
2015 Certification Goals:
[ ] JNCDA (August), [ ] JNCIA-Junos (September), [ ] CCDA (pending), [ ] CCNP RS (tentative November)
"Duty then is the sublimest word in the English language. You should do your duty in all things. You can never do more, you should never wish to do less." - Robert E. Lee
bbarrick Member Posts: 242 ■■■□□□□□□□
> The computer name is HeavyD, not a standard computer name we use, so it's a personal laptop.
> I described the different options for port security, but he felt it was too much of a hassle.
> We've had security issues in the past; I make recommendations that usually result in being disregarded. Whatever the result, it's his choice; I move on in a military manner to my next project.
Look for a big...or maybe really skinny guy with a name that starts with D? Or yell "I'm looking for Heavy D!" and see who raises their hand...or runs... :)
DB Cooper Member Posts: 94 ■■□□□□□□□□
We have never had an audit in the IS department, scary but true. My manager will not allow Wi-Fi because he thinks it will make our network vulnerable. The irony...
I understand the risk of potential internal attacks. Our policy is to hope we don't hire anyone with the desire and ability to carry out such attacks.
dover Member Posts: 184 ■■■■□□□□□□
DB,
Understandable...it is your job - I'm assuming - to identify and present the risks and mitigation recommendations to your managers (preferably in writing), in business terms. It is up to them to make the right decision for their organization. All you can do is move on, soldier.
HeavyD...ha! At least you/we got a laugh out of it.
DB Cooper Member Posts: 94 ■■□□□□□□□□
He has been found....
I checked the time the IP was assigned: the user was issued the IP address at 1:15am. We had only one person in one of our buildings at that time. The local police department uses one of our buildings as a remote office, and the officer on duty decided to take a break and download a movie. His choice for the night: The Walking Dead Hardcore, a p*rn spoof of the TV series.
I called the police chief, explained what we found and the name of the computer. Without looking at who was working Friday night, he knew who HeavyD was.
Thanks for all the help!
dover Member Posts: 184 ■■■■□□□□□□
Pirate + **** on duty...from a law enforcement officer, no less. Bet ol' Chief was happy to hear about that. And who the hell wants to watch zombie pron?!
Excellent work DB!
Roguetadhg Member Posts: 2,489 ■■■■■■■■□□
We had a situation when I was brand new and my boss was down here. Someone was torrenting movies and games... brought down the entire company with bandwidth usage.
Confiscate the movie as 'evidence'.
> I questioned my manager about why peer-to-peer sharing is allowed through our firewall; his eyes glazed over, so I left the subject alone.
For example, if the ISP reports the business and blocks the internet, execs and clients will require an answer and want a resolution.
In order to succeed, your desire for success should be greater than your fear of failure.
TE Threads: How to study for the CCENT/CCNA, Introduction to Cisco Exams