Network Device Hide and Seek

Enterprise Networks & Servers, Jan 2004 by Patterson, Michael

Virtual living is great. No one needs to know whether you are answering your e-mail from your office, the local pub or the beach in Cancun. No matter what the physical location, the virtual address is the same.

But for those who mean ill, the Internet is also a great place to hide. Anonymizers, address spoofing, Distributed Denial of Service attacks, temporary e-mail addresses, you name it. Most scam artists and virus writers are as hard to track to a physical location as Osama bin Laden.

But the problem isn't limited to outside attacks. There are also times when you need to identify and track down the physical location and port of an internal network device which is causing problems. While this should be simple enough to accomplish, the difference between the logical structure and physical structure of the network can sometimes make this difficult. No, it is not as challenging as finding that "Nigerian prince" so you can collect the million dollars he promised you in exchange for the $10,000 you just wired into his Swiss account. In fact, with the right tools it can be quite easy.

Hiding in Plain Sight

There are different situations where you will notice a problem in the traffic load originating from a particular MAC address and want to take that device offline. Here are some examples.

A MAC is sending out a large number of Address Resolution Protocol (ARP) requests. ARP is the protocol that a client station uses when it knows the IP address (Layer 3 on the OSI stack) of the device and needs to learn its physical address (Layer 2 or MAC address) so it can send packets to that device. In such a case the station desiring the information broadcasts packets containing the ARP request to the entire subnet which every other station then has to process.

If the receiving station is the one with that IP address, it will send back a message giving its MAC address. Too many ARP requests not only tie up bandwidth, but also slow down every other station in the subnet and can raise havoc with routers, so this needs to be investigated and handled.

The MAC is from an unauthorized camera or Web server that sends out enormous amounts of traffic every time someone connects to it. The increase in traffic is detrimental to the limited bandwidth and degrades performance for all users on the network.

The device could be a bridge that keeps forcing the switched network to recompute its spanning tree (to respan the bridging topology).

Or, let's say you are running a sniffer (packet analyzer) and, looking at the packet's header, you identify a MAC address that you would like to isolate from the rest of the network. How do you figure out what the device is and which switch port it resides on?
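The ARP-storm case above is the easiest of these to spot from a capture, because it is a simple rate problem per source MAC. The following script is an added example, not code from the article: it runs a sliding-window counter over ARP request records and reports any MAC that exceeds a threshold. The sample frames, the window size and the threshold are all constructed for illustration; a real deployment would feed it records exported from the sniffer.

```python
"""Flag stations that broadcast an abnormal number of ARP requests.

Added example (not from the article). The ARP frames below are a constructed
sample embedded inline so that the script runs offline; the 10 s window and
the 20-request limit are illustrative values, not a standard.
"""
from collections import defaultdict, deque

ARP_REQUEST = 1   # ARP opcode values as carried in the frame
ARP_REPLY = 2


def build_sample_frames():
    """Constructed capture: list of (time_s, source_mac, opcode, target_ip).

    Station 00:06:5b:aa:bb:01 resolves one address every 10 s, which is normal.
    Station 00:06:5b:aa:bb:02 walks the whole subnet in about two seconds,
    which is the kind of storm the article describes.  Both use the Dell OUI
    cited in the article (00065B); the suffixes are made up.
    """
    frames = []
    for i in range(6):
        t = i * 10.0
        frames.append((t, "00:06:5b:aa:bb:01", ARP_REQUEST, f"10.0.0.{i + 1}"))
        # the answering station replies unicast, so replies are not counted
        frames.append((t + 0.01, "00:60:48:00:00:01", ARP_REPLY, "10.0.0.250"))
    for i in range(60):
        frames.append((5.0 + i * 0.033, "00:06:5b:aa:bb:02", ARP_REQUEST, f"10.0.0.{i + 1}"))
    frames.sort(key=lambda f: f[0])
    return frames


def find_arp_talkers(frames, window_s=10.0, max_requests=20):
    """Return {mac: peak_requests_in_window} for every MAC that exceeds max_requests.

    Only ARP requests are counted, since those are the broadcasts every
    station has to process.  A deque per MAC keeps the timestamps of requests
    seen within the last window_s seconds; its length is the current rate.
    """
    recent = defaultdict(deque)
    peaks = {}
    for t, mac, opcode, _target in frames:
        if opcode != ARP_REQUEST:
            continue
        q = recent[mac]
        q.append(t)
        while q and t - q[0] > window_s:
            q.popleft()
        if len(q) > max_requests:
            peaks[mac] = max(peaks.get(mac, 0), len(q))
    return peaks


def distinct_targets(frames, mac):
    """Number of different IPs a MAC asked about: a large count means a subnet sweep."""
    return len({target for _t, src, op, target in frames if src == mac and op == ARP_REQUEST})


if __name__ == "__main__":
    sample = build_sample_frames()
    for mac, peak in find_arp_talkers(sample).items():
        print(f"{mac}: {peak} ARP requests within the window, "
              f"{distinct_targets(sample, mac)} distinct targets")
```

The MAC the detector reports is the starting point for the lookup the rest of the article describes; the distinct-target count separates a station that is genuinely busy from one scanning the subnet.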

Generally, the administrator will narrow down the search by considering the vendor ID of the MAC address and by considering the IP address, if it is an IP network.

The MAC (Media Access Control) address consists of a six-byte number. The first 24 bits comprise the vendor ID or Organizational Unique Identifier (OUI). The Institute of Electrical and Electronics Engineers (IEEE) hands out the OUIs to companies building equipment that complies with its 802 LAN and MAN protocols. So far, IEEE has assigned about 7000 OUIs. It maintains a searchable database (http://standards.ieee.org/regauth/oui/index.shtml) and a downloadable list (standards.ieee.org/regauth/oui/oui.txt) of these numbers on its Web site.

So, if you know the MAC address of the device, you can search for the OUI (the registry lists each OUI in two notations, "hex" with separators and "base 16" without; either form is accepted) and find out the manufacturer of the piece of equipment. If the OUI was 006048, you would find that it is the OUI for EMC Corp., and it would narrow down the search immediately since you probably don't have that many of their units on hand.

If, however, the OUI was 00065B, you are out of luck. That number belongs to Dell; it wouldn't tell you which of your 5000 desktops or servers was causing the problem. But at least you would know it wasn't a router.

So, here you would have to look at the second half of the MAC address, which is the unique identifier assigned by the vendor to that particular Network Interface Card at the time of manufacture.

If you have a complete, accurate and up to date inventory of all your equipment, then you can identify the device that is causing the problem.

Still in the Dark

There are two other problems that you should be aware of with regard to OUIs and MAC addresses. The OUI won't necessarily lead you to the vendor that you are aware of. Most hardware companies contract out some or all of the manufacturing process, and the OUI may belong to the component manufacturer rather than the company whose name is on the box.

The other is that MAC addresses, although they are supposed to be permanent, can be changed. This is a problem that crops up occasionally on wireless networks. A person will learn the MAC address of a device that has authorized access to the network, and then change the address on their own wireless card to match that authorized MAC address in order to gain network access.
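The following script is an added example, not code from the article, covering both the OUI lookup described above and the changed-address caveat in the last paragraph. It normalizes a MAC written in any of the common notations, splits it into the OUI and the vendor-assigned half, looks the OUI up in a table parsed from lines laid out like the IEEE oui.txt file, and checks the locally-administered bit of the first octet: a vendor-assigned (universally administered) address has that bit clear, so a MAC with the bit set was configured by software and cannot be trusted to point at any manufacturer. The table contents are a constructed excerpt (only the two OUIs the article cites, with placeholder address lines), not the real registry.

```python
"""Vendor lookup for a MAC address, with a check for administrator-set addresses.

Added example (not from the article).  SAMPLE_OUI_TXT is a constructed excerpt
in the layout of the IEEE oui.txt file: each OUI appears once as "(hex)" with
dashes and once as "(base 16)" without, followed by address lines.  The
vendor names are the ones the article gives; the address lines are placeholders.
"""
import re

SAMPLE_OUI_TXT = """\
00-60-48   (hex)\t\tEMC Corp.
006048     (base 16)\t\tEMC Corp.
\t\t\t\tPLACEHOLDER STREET ADDRESS
\t\t\t\tPLACEHOLDER CITY

00-06-5B   (hex)\t\tDell
00065B     (base 16)\t\tDell
\t\t\t\tPLACEHOLDER STREET ADDRESS
\t\t\t\tPLACEHOLDER CITY
"""

# One line per OUI is enough: the "(base 16)" form already has no separators.
_BASE16_LINE = re.compile(r"^([0-9A-Fa-f]{6})\s+\(base 16\)\s+(.+?)\s*$", re.MULTILINE)


def parse_oui_table(text):
    """Map OUI (6 upper-case hex digits) -> organisation name from oui.txt-style text."""
    return {oui.upper(): name for oui, name in _BASE16_LINE.findall(text)}


def normalize_mac(mac):
    """Return the MAC as 12 upper-case hex digits; accepts ':', '-' and '.' notations."""
    digits = re.sub(r"[:\-.]", "", mac.strip()).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits


def split_mac(mac):
    """Return (oui, nic_specific): the IEEE-assigned half and the vendor-assigned half."""
    digits = normalize_mac(mac)
    return digits[:6], digits[6:]


def is_locally_administered(mac):
    """True if bit 1 of the first octet is set: the address was assigned by software,
    not burned in by a vendor, so the OUI lookup is meaningless for it."""
    first_octet = int(normalize_mac(mac)[:2], 16)
    return bool(first_octet & 0x02)


def is_group_address(mac):
    """True if bit 0 of the first octet is set (multicast/broadcast, never a single NIC)."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x01)


def describe(mac, table):
    """Everything the article's procedure yields for one address, in one dict."""
    oui, nic = split_mac(mac)
    local = is_locally_administered(mac)
    return {
        "oui": oui,
        "nic_specific": nic,
        # vendor is only meaningful for a universally administered unicast address;
        # even then the OUI may belong to the component maker, not the brand on the box
        "vendor": None if local else table.get(oui),
        "locally_administered": local,
        "group_address": is_group_address(mac),
    }


if __name__ == "__main__":
    table = parse_oui_table(SAMPLE_OUI_TXT)
    for addr in ("00:60:48:12:34:56", "0006.5baa.bb01", "02:06:5B:AA:BB:01"):
        print(addr, describe(addr, table))
```

The third address in the usage line differs from a Dell one only in the locally-administered bit, which is exactly what a station with a software-set MAC looks like on the wire; flagging it up front saves a pointless trip through the inventory.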


Content provided in partnership with ProQuest