Tracing Mac Addresses

Quote:

---

It would probably be more hassle free if you just secure you network against these attacks and learn something from them instead of trying to take revenge

---

Wooooah there, when did I say anything about taking revenge? Actually, I'm trying to trace the IPs to make sure they don't belong to us. Given that this is a newly set up AP, there may still be employees with laptops whose addresses haven't been authorized yet, so if the MAC traces back to one of them, I know it wasn't an intrusion and that they simply need to be authorized. If, however, it does turn out to be an intruder, rather than taking revenge, I'd simply analyze the attack and harden defenses accordingly. The revenge thing is only asking for more trouble, and putting my employment at risk!

By the way, stupid me for not mentioning this already, but it's a US Robotics AP.

Also, we're beginning to suspect that the "intruders" are from businesses next door, unintentionally. Still better to err on the side of caution though.

Quote:

---

It would probably be more hassle free if you just secure you network against these attacks and learn something from them instead of trying to take revenge

---

Wooooah there, when did I say anything about taking revenge? Actually, I'm trying to trace the IPs to make sure they don't belong to us. Given that this is a newly set up AP, there may still be employees with laptops whose addresses haven't been authorized yet, so if the MAC traces back to one of them, I know it wasn't an intrusion and that they simply need to be authorized. If, however, it does turn out to be an intruder, rather than taking revenge, I'd simply analyze the attack and harden defenses accordingly. The revenge thing is only asking for more trouble, and putting my employment at risk!

By the way, stupid me for not mentioning this already, but it's a US Robotics AP.

Also, we're beginning to suspect that the "intruders" are from businesses next door, unintentionally. Still better to err on the side of caution though.

Been a while since I visited this issue, but I have new developments. After watching the AP closely on a daily basis and talking to the AP vendor, I understood that I shouldn't be concerned with the warnings of unauthorized access attempts since they are being successfully blocked. So, I've just been writing down each MAC address it reports as unauthorized and keeping that on record as an added precaution.

Now, I notice that most of the addresses are always different, suggesting that these are just individual cases of a nearby laptop accidently scanning our network. However, there is one MAC address that appears repeatedly, about every couple of weeks or so, so evidently there is one computer out there that is trying to access our network without authorization fairly regularly.

So do I have any courses of action available beyond letting the AP continue to just block and report it, since this issue is fairly persistent?

Hmmmm... trying to track down people just based on their MAC addresses is kind of a flawed approach though, atleast as I see it. I mean you can change your MAC address easily on Linux to anything that you want and through the Windows registry you can change it as well.. no program required. MAC Address spoofing isn't hard to accomplish. Also, keep in mind that the MAC addresses recorded may be from the last router that the attempt passed through.. could be that the person is trying to access your network gateway device directly.. through a configuration page over HTTP or through telnetting into it or SSH. If a proxy is used, like through HTTP with your browser, the MAC address will change by the time it reaches the logs on your end and will have the MAC address of the last router that was hopped to and not the attacker's MAC address. When I send and recieve, being on a LAN behind a router, it will record the MAC address of my router and the opposite side will only see that address or last router that served them my packets and not actually mine. The same way when I recieve packets from the internet (WAN) they're all marked from the src MAC address of my router.. which makes sense as it served me the packets.