[unisog] Tracking usage of dynamic IP

Zachary P Reimer zreimer2 at unlnotes.unl.edu
Mon Nov 12 05:16:45 GMT 2007


We actually don't use either here, in our dorm networks (and wireless) we 
use almost entirely dynamic addresses, and have some kids that try to 
'beat' the system by hardcoding IP addresses, so we scrape ARP information 
from the routers periodically and dump the information into a database. 
We used to use 1-hour intervals, but due to frequent turnover on 
particularly wireless addresses, we have some systems grabbing this info 
at 5-minute intervals.  This gives us MAC addresses associated with the IP 
at the given time, which we then correlate with user registration 
databases to get the user info. We currently retain the ARP data for 62 
days, although for nearly all uses, 31 days was sufficient.

Zac

Zac Reimer
Network Security Analyst
University of Nebraska-Lincoln
(402)472-4826
zreimer2 at unl.edu



Russell Fulton <r.fulton at auckland.ac.nz>
Sent by: unisog-bounces at lists.dshield.org
11/11/2007 04:52 PM
Please respond to UNIversity Security Operations Group <unisog at lists.dshield.org>

To: unisog at lists.sans.org
cc:
Subject: [unisog] Tracking usage of dynamic IP

Hi Folks

We have largely static IP address allocations with some meaningful (for
varying values of meaningful) information in PTR records indicating who
is using it or in some cases where the machine physically is.

With wireless networks and a small but increasing mobile
population (people with laptops who genuinely need to plug in in a
number of different places) we are coming to grips with tracking these
dynamic addresses.

A couple of years ago we set up a mysql database with tables for the
DHCP logs and Radius logs.  This was less than ideal since, in most
cases we only had a login time and no record when the machine
disconnected from the network.  To find out who was using an IP at a
particular time we did a query on the join (on mac address) of the two
tables and selected the first record for that IP after the given time.
This works OK for small tables but once you get several million entries
finding the 'first after the time' gets really painful.  The pain
can be reduced significantly by adding a lower bound on the search time
(say 24 hours) but it still is not ideal.  I can think of other ways of
tackling this problem but I won't prejudice the discussion at this point.

Anyway we are revisiting the whole issue and I really don't want to
reinvent the wheel here so I am asking how others deal with this.  What
data are you collecting from DHCP and authentication systems?  How are
you storing it and how are you doing queries on it?

Has anyone bent standard software (e.g. security consoles) to report user
names instead of domain names for dynamic IPs?

Russell.

_______________________________________________
unisog mailing list
unisog at lists.dshield.org
https://lists.sans.org/mailman/listinfo/unisog
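Both approaches in this thread reduce to the same lookup: given an IP and a timestamp, find the MAC that held the IP then, and from the MAC find a person. The following is an added example, not code from either poster or from the list; it uses an in-memory SQLite database with constructed sample rows, and all table, column and function names are my own. `user_from_dhcp_radius` is Russell's join of DHCP and RADIUS logs on MAC address with the 24-hour lower bound he mentions (I take the lease in force at time T to be the latest one granted at or before T, since there is no disconnect record); `user_from_arp` is Zac's periodic ARP scrape, where the scrape interval bounds how stale an answer can be.

```python
"""Who had a dynamic IP at a given time?

Added example, not code from the unisog thread. In-memory SQLite with
constructed sample rows; all table, column and function names are my own.
"""
import sqlite3
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# --- constructed sample data (not real logs) ---------------------------------
DHCP_LEASES = [  # (mac, ip, lease_granted)
    ("aa:bb:cc:00:00:01", "10.1.2.50", "2007-11-11 08:00:00"),
    ("aa:bb:cc:00:00:02", "10.1.2.50", "2007-11-11 12:30:00"),  # IP re-leased
    ("aa:bb:cc:00:00:01", "10.1.2.77", "2007-11-11 13:00:00"),
]
RADIUS_LOGINS = [  # (mac, username, login_time); no logout record, as in the thread
    ("aa:bb:cc:00:00:01", "alice", "2007-11-11 07:58:00"),
    ("aa:bb:cc:00:00:02", "bob", "2007-11-11 12:29:00"),
]
ARP_SNAPSHOTS = [  # (snapshot_time, ip, mac) scraped from routers every 5 minutes
    ("2007-11-11 12:25:00", "10.1.2.50", "aa:bb:cc:00:00:01"),
    ("2007-11-11 12:30:00", "10.1.2.50", "aa:bb:cc:00:00:02"),
    ("2007-11-11 12:35:00", "10.1.2.50", "aa:bb:cc:00:00:02"),
]
REGISTRATIONS = {  # MAC -> owner, standing in for the device registration database
    "aa:bb:cc:00:00:01": "alice",
    "aa:bb:cc:00:00:02": "bob",
}


def build_db():
    """Load the sample rows into SQLite with the indexes the lookups need."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE dhcp(mac TEXT, ip TEXT, lease_granted TEXT);
        CREATE TABLE radius(mac TEXT, username TEXT, login_time TEXT);
        CREATE TABLE arp(snapshot_time TEXT, ip TEXT, mac TEXT);
        -- (ip, time) indexes turn "latest record for this IP before T" into a
        -- short index range scan instead of a sort over every row for the IP.
        CREATE INDEX dhcp_ip_time ON dhcp(ip, lease_granted);
        CREATE INDEX radius_mac_time ON radius(mac, login_time);
        CREATE INDEX arp_ip_time ON arp(ip, snapshot_time);
    """)
    db.executemany("INSERT INTO dhcp VALUES (?, ?, ?)", DHCP_LEASES)
    db.executemany("INSERT INTO radius VALUES (?, ?, ?)", RADIUS_LOGINS)
    db.executemany("INSERT INTO arp VALUES (?, ?, ?)", ARP_SNAPSHOTS)
    return db


def user_from_dhcp_radius(db, ip, when, window_hours=24):
    """Join DHCP and RADIUS on MAC; return the lease in force for `ip` at `when`.

    With no disconnect records, the best available answer is the most recent
    lease for the IP at or before `when`. `window_hours` is the lower bound on
    the search time from the thread: leases older than that are ignored, which
    keeps the scan bounded even when the table holds millions of rows.
    """
    t = datetime.strptime(when, FMT)
    lower = (t - timedelta(hours=window_hours)).strftime(FMT)
    row = db.execute("""
        SELECT d.mac, d.lease_granted,
               (SELECT username FROM radius
                 WHERE mac = d.mac AND login_time <= ?
                 ORDER BY login_time DESC LIMIT 1) AS username
        FROM dhcp d
        WHERE d.ip = ? AND d.lease_granted BETWEEN ? AND ?
        ORDER BY d.lease_granted DESC
        LIMIT 1
    """, (when, ip, lower, when)).fetchone()
    if row is None:
        return None
    mac, lease, username = row
    return {"mac": mac, "user": username, "lease_granted": lease}


def user_from_arp(db, ip, when, max_gap_minutes=5):
    """Periodic ARP snapshots: use the snapshot taken at or just before `when`.

    The scrape interval caps how stale the answer can be. If no snapshot for
    the IP falls within `max_gap_minutes` before `when`, the IP was not seen
    in that window and None is returned rather than a guess.
    """
    t = datetime.strptime(when, FMT)
    lower = (t - timedelta(minutes=max_gap_minutes)).strftime(FMT)
    row = db.execute("""
        SELECT mac, snapshot_time FROM arp
        WHERE ip = ? AND snapshot_time BETWEEN ? AND ?
        ORDER BY snapshot_time DESC LIMIT 1
    """, (ip, lower, when)).fetchone()
    if row is None:
        return None
    mac, ts = row
    return {"mac": mac, "user": REGISTRATIONS.get(mac), "snapshot_time": ts}


if __name__ == "__main__":
    db = build_db()
    for when in ("2007-11-11 10:00:00", "2007-11-11 13:00:00", "2007-11-12 13:00:00"):
        print("dhcp+radius", when, user_from_dhcp_radius(db, "10.1.2.50", when))
    for when in ("2007-11-11 12:27:00", "2007-11-11 12:45:00"):
        print("arp        ", when, user_from_arp(db, "10.1.2.50", when))
```

The composite `(ip, time)` indexes are what make the "latest record before T" query cheap at scale: with them the `ORDER BY ... DESC LIMIT 1` walks back from T through the index rather than sorting every lease the IP ever had, and the lower bound turns the walk into a short range scan. The ARP variant trades that for a known error bar: the answer can never be more than one scrape interval stale, and a gap larger than the interval is reported as "not seen" rather than attributed to whoever held the IP last.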
