Mark
asked on
how to determine IP of wireless device
How can I determine the public IP associated with a wireless device? For example, using `iwconfig wlan0 scan` I can get the ESSID and MAC address, but no IP is listed. The reason I am asking is because our building ISP said that someone from our office made an unauthorized access from a wireless device assigned to us. He provided the IP. I am trying to determine if this IP is associated with one of our wireless devices.
When you say "public IP" what do you actually mean?
In most setups all internal devices have an internal network IP address, and once they hit the router and go onto the ISP network they all use the same public IP address, unless you have a different setup or are talking about something that is not a standard computer network setup.
If they have given you an internal IP to trace then it all depends on your setup. If devices are given IPs by DHCP then you might be out of luck, as they might have changed IPs by now depending on the lease time.
If the lease time is long or the IPs are static you could either check the DNS or DHCP server to see if the IP is listed with a client computer name. From a Windows PC you could in theory do an nslookup 192.168.1.1 etc. or run the command arp -a, which might help trace it down a little.
This all depends on your setup within your office / building; I am unable to give any detailed information until I know a bit more detail.
You have the MAC addresses. Run this command at the command prompt:
arp -a
This will give you a list of MAC addresses with their associated IP addresses.
And, you can run:
nbtstat -a [ipaddress] without the brackets
and get the name of the device if it has one.
Oh, but you said "public IP" - why is that an issue? Unless you have more than one, it would be the same for everyone. Google "what is my IP" and they should all be the same.
ASKER
OK, I need to provide more information ...
The building has several wireless access points, 4 of which could be construed as belonging to our office, the others belong to other tenants. Our ISP said the problem occurred on IP 64.128.165.39 which, they say, is assigned to us. This, of course, is the incoming IP from the building router/switch to the wireless local router. As you all have pointed out, when e.g. a laptop connects to one of these devices it gets a DHCP address such as 192.168.0.10, but we can't see what the "incoming" IP is. Now, I could do so in some cases by connecting to the Admin IP of the router and looking at the admin page settings, but some of these are wireless access points created by the ISP and don't really have Admin pages.
For example, my home Linksys router connects to Time-Warner and gets the IP address 76.181.64.99 from the cable modem. Since the Linksys is doing dhcp for my home computers, its LAN address is 192.168.0.1, and that is the address all the LAN connected devices see. What I'm trying to figure out is how to see the 76.181.64.99 address which is what I'm calling the "public" or "incoming" address.
Ideally, given the "incoming" IP address, I'd like to run some command that shows the SSID, or vice versa, e.g.
getSSID 64.128.165.39
or
getIP "mySSID"
fmarshall: arp -a, did give me the LAN IP of the wireless network to which I am connected: 192.168.1.1, but not the incoming-to-the-router IP.
I don't have nbtstat and it does not appear to be in the Ubuntu repository, nor is it on my Windows box.
I can get the MAC addresses of these wirelesses, but how to correlate that with IP? I thought nmap would return MAC addresses, but I haven't figured out how to do that yet.
You cannot necessarily correlate MAC and IP because the device is almost certainly DHCP and will give up its IP (may give up its IP) when it disconnects.
Our ISP said the problem occurred on IP 64.128.165.39 which, they say, is assigned to us <-- ISPs are now supplying wireless on their modems. Turn that OFF or secure it so no one can access it. If no one paid attention to this and did not secure it, there is your issue.
Use your own wireless for access and secure it as well.
As I suggested, Google "What is my IP" from a computer on your network. That will give you your public IP address and should either confirm or deny that the ISP is correct in their claim.
You should have nbtstat on your Windows box. Maybe it's a matter of turning on some Windows features.
For Linux, I found this:
alias nbtstat
nmblookup -S -U <server> -R
You are likely not going to get the public address from any wireless SSID because they should all be on private subnets and unaware of any public addresses.
I'm a bit unclear as to the objective here. You mention receiving reports about an "unauthorized" access. What constitutes that???
The normal situation is that you have a "rogue" connection and want to find the device. This has nothing at all to do with the public IP address. It has everything to do with a private IP address.
The process usually goes like this:
1) determine the PRIVATE IP address of the rogue connection.
2) map that private IP to a MAC address.
3) grok the MAC address to get the manufacturer of the device.
4) ken the manufacturer of the device to the type of device/user the rogue connection is/might be.
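The two replies above (the earlier "run arp -a, then nbtstat -a" and the four-step private IP -> MAC -> OUI -> device type process) can be turned into a small script. The following is an added example, not code from the thread: it parses the ARP output formats a practitioner actually pastes in (Linux `arp -a`, Windows `arp -a`, Linux `ip neigh`), normalises the MAC, and looks up the OUI. The ARP lines and the OUI table are constructed for the example; a real investigation replaces the table with the IEEE OUI registry. Step 1 (finding the private IP in the first place) needs the NAT records discussed further down the thread and is not covered here.

```python
"""Map a private IP to a MAC address and a hardware vendor from ARP output.

Added example for the IP -> MAC -> OUI -> device-type process; it is not
code from the thread. SAMPLE_ARP and OUI_TABLE are constructed sample data.
"""
import re

# Constructed sample: a Linux ``arp -a`` line, an unresolved Linux entry,
# a Windows ``arp -a`` line and a Linux ``ip neigh`` line.
SAMPLE_ARP = """\
? (192.168.1.1) at 00:0c:42:12:34:56 [ether] on wlan0
? (192.168.1.23) at <incomplete> on wlan0
  192.168.1.10          a4-5e-60-aa-bb-cc     dynamic
192.168.1.42 dev wlan0 lladdr 3c:07:54:de:ad:be REACHABLE
"""

# Constructed OUI table (first three octets -> vendor) for the example only.
# Replace with the IEEE registry (oui.txt) before relying on any of this.
OUI_TABLE = {
    "00:0c:42": "Routerboard.com (MikroTik)",   # sample entry
    "3c:07:54": "Apple, Inc.",                   # sample entry
}

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
MAC = re.compile(r"\b([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})\b")


def normalize_mac(mac):
    """Lower-case, colon-separated form regardless of OS output style."""
    return mac.lower().replace("-", ":")


def parse_arp_table(text):
    """Return {ip: mac_or_None} from arp -a / ip neigh style output.

    Entries without a MAC (``<incomplete>``) map to None: the host was
    seen but never answered ARP, or its entry has already expired.
    """
    table = {}
    for line in text.splitlines():
        ip = IPV4.search(line)
        if not ip:
            continue                      # header/interface lines
        mac = MAC.search(line)
        table[ip.group(1)] = normalize_mac(mac.group(1)) if mac else None
    return table


def oui_prefix(mac):
    """First three octets of a normalised MAC: the vendor (OUI) part."""
    return mac[:8]


def identify(ip, arp_table, oui_table=OUI_TABLE):
    """Steps 2-3 of the process: private IP -> MAC -> vendor.

    Returns (mac, vendor); (None, None) when the IP is not in the table.
    A DHCP client that has disconnected may already be gone from ARP,
    which is the caveat raised earlier in the thread.
    """
    mac = arp_table.get(ip)
    if mac is None:
        return None, None
    return mac, oui_table.get(oui_prefix(mac), "unknown OUI")


if __name__ == "__main__":
    table = parse_arp_table(SAMPLE_ARP)
    for ip in sorted(table):
        print(ip, identify(ip, table))
```

Run it against real output by replacing SAMPLE_ARP with the captured text; remember that the ARP table only covers the subnet the probing machine is attached to, which is exactly the limitation the asker hit.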
You might be asking yourself if this is worth an ounce of prevention?
It's not clear yet what the ISP is complaining or reporting about.......
One example would be to assign known IP addresses to known MAC addresses. It's a bit of an administrative load but it will work. You just have to keep up with the new devices being introduced all the time. MAC addresses are easy to copy and then spoof, but that's at another level of sophistication for the user; so it's not a bad idea to start right there.
ASKER
fmarshall: > It's not clear yet what the ISP is complaining or reporting about.......
Here's what our ISP wrote:
I am sorry to have to send you this. We received a copyright infringement notice of pornography coming from an IP address that is assigned to the <xxx> office. I have confirmed that this is an IP address that we assigned to your company and it terminates at 6161 <address>. It was reported at around noon yesterday, I just received the complaint this afternoon.
Please let us know if you need help tracking it down. Given that we have never seen this before, it is more than likely a temporary computer (Laptop) that someone may have attached to your network. I tried to scan for the open port today and did not see it. Most likely it was someone that was in your office yesterday. Did you have any vendors or outsiders in your office yesterday with a computer that would have attached to the network?
64.128.165.39 Ohio State xxx System WAN IP
Work Title: Lesbian Family Affair
Copyright Owner: Combat Zone Inc
Unauthorized File Name: Lesbian Family Affair ( NEW 2014 FILLY FILMS ) [ DVD RIP ALL 4 SPLIT SCENES ]
Unauthorized Hash: 719791471bb04eb5c357500f8102b3ba8e30dec1
Unauthorized File Size: 1342806857 bytes
Unauthorized Protocol: BitTorrent
Timestamp: 2014-11-04 12:01:21 North American Eastern Time
Unauthorized IP Address: 64.128.165.39
Unauthorized Port: 1190
fmarshall: > You might be asking yourself if this is worth an ounce of prevention?
Yes, of course, we will likely disconnect some of the wireless devices, but first we want to know which device. In one case it might be a building-public, no-security device; in another case it might be a secure wireless, meaning someone would have to know, or to have hacked, the password; in another case it could be the phone system (why that has a wireless, I don't know!), which also implies a known or hacked password.
Someone connected via a wireless device to a bit-torrent site and downloaded a movie -- that's the "unauthorized" bit. The ISP is assuming that someone physically inside our office connected with e.g. a laptop. He is mistaken in that we have no wireless devices as part of our office LAN; all wireless are separate from the office LAN and could have been accessed from almost anywhere in the building. These wireless devices are "ours" only in that we requested them for access from conference rooms, but they are not connected to the office LAN and get their IP addresses from the building Cisco switch (not the office server). Clearly there are implications of responsibility/liability with this situation which need to be cleared up.
I will disable and secure things, but first I want to know *which* device is involved. The ISP gave us the IP, and I can get MAC and SSID from `iwlist wlan0 scan`. I'm trying to connect these. So far, it appears that this is not doable unless the device is part of the probing computer's subnet -- which is not the case.
I should mention that this is an office building and all IP addresses are individually assigned to tenants; there are no subnets. Our office has 3 public IPs, none of which are consecutively numbered or on their own subnet.
Any other ideas?
SOLUTION
You need to be tracking NAT translations to be able to find out which device did what. For that you'll need to be logging every single connection at your proxy or firewall. That is the only way you'll be able to get the info you require to determine who did what, but that may or may not actually directly reveal which device or user was the offender.
NAT tracking is one step, then device login and DHCP lease binding is another. Device login tracking should allow you to see which MAC a user logged in from (if you use RADIUS) and the DHCP lease database will then reveal which MAC got which IP. Tie that in with the NAT translation and you can match it all up.
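The chain craigbeck describes (NAT translation -> private IP, DHCP lease -> MAC, RADIUS accounting -> user) is a join across three logs keyed on address and time. The script below is an added example, not code from the thread, and not something the asker could run here, since the NAT device in question belongs to the ISP; it is what whoever operates that router would do with the abuse notice. All three data sets are constructed for the example and use simplified layouts: one NAT translation per line (start, end, protocol, private endpoint, public endpoint), a dhcpd.leases-style lease file, and a CSV export of RADIUS accounting records with the MAC in Calling-Station-Id. Real products lay the fields out differently; the joining logic and the time-zone handling are the point. The notice timestamp is "North American Eastern Time" on 2014-11-04, after DST ended on 2 November 2014, so it is treated as EST (UTC-5); dhcpd.leases is always UTC, and the other two logs are assumed to be UTC as well.

```python
"""Correlate an abuse notice (public IP, port, time) to a private IP, a MAC
and a user via NAT log, DHCP leases and RADIUS accounting.

Added example for the NAT -> DHCP -> RADIUS chain; not code from the thread.
NAT_LOG, DHCP_LEASES and RADIUS_ACCT are constructed sample data.
"""
import re
from datetime import datetime, timedelta, timezone

# Notice said "North American Eastern Time" on 2014-11-04; DST had ended on
# 2 Nov 2014, so that is EST = UTC-5. Everything else below is in UTC.
EST = timezone(timedelta(hours=-5))
NOTICE_TIME = datetime(2014, 11, 4, 12, 1, 21, tzinfo=EST)
NOTICE_IP, NOTICE_PORT = "64.128.165.39", 1190

# Constructed NAT translation log: start end proto private public
NAT_LOG = """\
2014-11-04T16:10:00+00:00 2014-11-04T16:12:00+00:00 tcp 192.168.50.21:40001 64.128.165.39:1190
2014-11-04T17:00:40+00:00 2014-11-04T17:22:05+00:00 tcp 192.168.50.17:51413 64.128.165.39:1190
2014-11-04T17:00:41+00:00 2014-11-04T17:22:05+00:00 tcp 192.168.50.17:51414 64.128.165.39:1191
"""

# Constructed dhcpd.leases-style file (this format stores UTC; the digit
# after starts/ends is the weekday). Same IP, two consecutive holders.
DHCP_LEASES = """\
lease 192.168.50.17 {
  starts 2 2014/11/04 11:00:00;
  ends 2 2014/11/04 15:00:00;
  hardware ethernet 00:1a:2b:3c:4d:5e;
}
lease 192.168.50.17 {
  starts 2 2014/11/04 15:02:10;
  ends 2 2014/11/04 19:02:10;
  hardware ethernet 3c:07:54:de:ad:be;
}
"""

# Constructed RADIUS accounting export: user,Calling-Station-Id,start,stop
RADIUS_ACCT = """\
jdoe,3C-07-54-DE-AD-BE,2014-11-04T15:02:05+00:00,2014-11-04T19:05:00+00:00
asmith,00-1A-2B-3C-4D-5E,2014-11-04T10:59:50+00:00,2014-11-04T15:00:10+00:00
"""


def ts(s):
    """ISO-8601 with offset -> aware datetime."""
    return datetime.fromisoformat(s)


def norm_mac(mac):
    """RADIUS often reports AA-BB-CC-..; leases use aa:bb:cc:.. Normalise."""
    return mac.lower().replace("-", ":")


def active(start, end, t):
    return start <= t <= end


def nat_private_endpoints(log, public_ip, public_port, t):
    """Step 1: private ip:port whose translation to public ip:port was live at t.
    Returns every match, since tcp and udp can share a public port."""
    found = []
    for line in log.splitlines():
        start, end, proto, priv, pub = line.split()
        if pub == f"{public_ip}:{public_port}" and active(ts(start), ts(end), t):
            found.append((proto, priv))
    return found


LEASE_RE = re.compile(
    r"lease (\S+) \{.*?starts \d (\S+ \S+);.*?ends \d (\S+ \S+);"
    r".*?hardware ethernet (\S+);", re.S)


def dhcp_mac(leases, ip, t):
    """Step 2: MAC that held ip at t; None if no lease covered that moment."""
    for lip, start, end, mac in LEASE_RE.findall(leases):
        s = datetime.strptime(start, "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc)
        e = datetime.strptime(end, "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc)
        if lip == ip and active(s, e, t):
            return norm_mac(mac)
    return None


def radius_user(acct, mac, t):
    """Step 3: user whose session from mac was open at t."""
    for line in acct.splitlines():
        user, csid, start, stop = line.split(",")
        if norm_mac(csid) == mac and active(ts(start), ts(stop), t):
            return user
    return None


def trace_notice(public_ip, public_port, t, nat=NAT_LOG,
                 leases=DHCP_LEASES, acct=RADIUS_ACCT):
    """Join the three sources; one dict per NAT translation live at t."""
    t = t.astimezone(timezone.utc)           # compare everything in UTC
    out = []
    for proto, priv in nat_private_endpoints(nat, public_ip, public_port, t):
        ip = priv.rsplit(":", 1)[0]
        mac = dhcp_mac(leases, ip, t)
        out.append({"proto": proto, "private": priv, "mac": mac,
                    "user": radius_user(acct, mac, t) if mac else None})
    return out


if __name__ == "__main__":
    for hit in trace_notice(NOTICE_IP, NOTICE_PORT, NOTICE_TIME):
        print(hit)
```

The same IP appearing in two leases is the case to watch for: with a short lease time the address has a different owner an hour later, so the lookup has to be done against the lease that was current at the notice time, not against whatever holds the IP when the complaint arrives. A translation whose private IP has no covering lease (a static address, or a lease file that has been rotated) comes back with mac and user set to None rather than guessing.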
ASKER CERTIFIED SOLUTION
@John - sometimes legitimate users do illegitimate things - even when they don't necessarily know about it.
True EXCEPT legitimate users are not Unauthorized users which (as I understand it) was the initial purpose of this thread.
No, the purpose of the thread was to determine which user was the culprit, legitimite or not. It's completely feasible that a legit user was to blame.
I merely interpreted the use of unauthorized access as it was written.
However I have unsubscribed as I think differently here.
Cheers ;)
The letter received by the author says:
I am sorry to have to send you this. We received a copyright infringement notice of pornography coming from an IP address that is assigned to the <xxx> office. I have confirmed that this is an IP address that we assigned to your company and it terminates at 6161 <address>. It was reported at around noon yesterday, I just received the complaint this afternoon.
That's something that someone did via the public IP which was assigned to the internet connection in question. We need to help locate the user that did this. As we don't yet know which user did this we don't know if it was done by a legitimate user or not.
ASKER
Thanks for all the responses!
fmarshall: > This appears to be quite confused. ... Apparently the ISP has identified which of the 3 was involved. Is that correct? If so, we are down to ONE public IP. Is that correct?
> "I should mention that this is an office building and all IP addresses are individually assigned to tenants; there are no subnets"
> This is confusing because you don't qualify them as public or private. Thus, it's hard to interpret the meaning. Please clarify.
Yes, it is quite confused. The ISP manages all Internet connections in the building. Yes, the ISP has its own subnet from Time-Warner. When I said that "there are no subnets" I meant for the tenants. Our 3 IP addresses are non-consecutive and are assigned by the ISP from his building pool of available public IPs. To answer your last question (above), most tenants simply get a DHCP address from the Cisco switch/router in the building. If a tenant requests a public IP, that is assigned to the tenant. So, the tenant IPs are a mix of public and private. We have requested 3 IPs that I know of and no, the IP in question is not one of those 3. However, the ISP believes it is assigned to us. If so, we don't use it and as far as I know it is not accessible from our office, although it might be from the building-wide LAN cable coming into the office, but that routes into a router/switch set to one of the assigned public IPs. None of our servers uses the "bad" IP.
> The ISP gave you the public IP, right? The ISP did not give you the private IP, right? Please answer these questions.
Sorry, but not sure what you're asking here. Yes, we got our public IPs from the ISP. The offending IP, 64.128.165.39, is also public and nmap'pable from anywhere. Don't know to what you are referring with "private IP".
> "I can get MAC and SSID from `iwlist wlan0 scan`. I'm trying to connect these. So far, it appears that this is not doable unless the device is part of the probing computer's subnet -- which is not the case."
> If you mean that using arp -a, nbtstat -a [ipaddress] and so forth will only work if you're connected to the offending private subnet then that's correct. If you want to learn about a network with tools like this, you have to be connected to the network. Other networks are just foreign to the process.
Yes, that's what I thought. Since that IP is not on "our" subnet, I can't get MAC information about it. An nmap from the outside shows ports 22, 82, 2000 and 8291 open and the OS guesses show:
Aggressive OS guesses: Linux 2.6.32 - 3.9 (96%), Linux 3.0 - 3.9 (93%), Linux 2.6.32 - 3.2 (93%), Linux 2.6.38 - 3.0 (92%), Linux 3.6 (92%), Netgear DG834G WAP or Western Digital WD TV media player (92%), Linux 3.2 (91%), Linux 3.1 (91%), OpenWrt 12.09-rc1 Attitude Adjustment (Linux 3.3 - 3.7) (91%), Android 4.0.3 - 4.0.4 (Linux 3.0) (90%)
Netgear DG834G WAP is one guess and port 2000 is listed as "bandwidth-test MikroTik bandwidth-test server". MikroTik is also a router and I know the ISP uses port 82 as the external engineering port to the MikroTik admin page. I get a similar port list on the MikroTik that *is* attached to one of our IPs and a similar OS list, so I'm guessing the IP is connected to a MikroTik router somewhere.
> If you don't know the private IP address of the "someone" then how do you know it's wireless? There may be important information in the answer.
You're right. I don't know that it's wireless. I was guessing since there are 2 wireless access points requested by us for building tenant use (we own the building) and these could be "assigned" to us. But, I suppose an existing tenant could have plugged into a wall outlet and accessed that IP.
> "The ISP is assuming that someone physically inside our office connected with e.g. a laptop. "
> I see nothing in the ISP's message that suggests this. How would they even be able to venture a guess?
He wrote in the posted message, "Please let us know if you need help tracking it down. Given that we have never seen this before, It is more than likely a temporary computer (Laptop) that someone may have attached to your network." And later, "A scan and inspection of your internal network devices for Bit Torrent software would be a good place to start if you want to try to look for it." This does suggest to me that he is assuming an origination inside our office. "How would they even be able to venture a guess"? Well, that's the question and the reason for this post. I don't think they can venture such a guess.
> OK. So there are multiple subnets on VLANs no doubt. The scheme for associating these various subnets/VLANs to particular public IP addresses is unclear.
Yes, quite unclear.
> The message from the ISP seems to not have anything to do with the "office LAN" and/or the office server.
but - see my quote of the ISP opinion above wherein he suggests it may have originated with a vendor's laptop inside the office LAN.
craigbeck: > You need to be tracking NAT translations to be able to find out which device did what.
But, we actually don't have anything connected to this IP or any upstream routers to which it may be connected. The ISP should be able to do that.
John Hurst: > I do not see why you cannot simply disable wireless you do not need (ISP) and secure the other. Then NO unauthorized devices get in. Works GREAT for me.
That is my future "prevention" plan, but since we own the building, and since there is a public, unsecured wireless for the tenants, there are lease/contract issues to be investigated to see if such a service is explicitly provided in the tenants' leases. If not, it's gone!
> I merely interpreted the use of unauthorized access as it was written.
craigbeck is correct. It may have been a legitimate user (building tenant) that performed an unauthorized use by downloading a copyrighted film. Or, it could have been an illegitimate person in the parking lot stealing the unsecured wireless connection.
Thanks for the comprehensive answers!
The normal thing is for the ISP to assign you a "block" of public IP addresses. The ones you *actually use* may not be contiguous but the entire block would be. In reality it's a small subnet of maybe 8 or 16 addresses. There will be the usual network address used up and the usual broadcast address used up so they aren't usable otherwise. This leaves one with 6 or 14 addresses in the block. So, when the ISP says "it's one of your addresses", I'll bet that's it.
Once the block is assigned to you, those addresses are routed by the ISP to and from your location.
So: all you have to do is hook up a device with one of those addresses to your internet portal / gateway.
So, while you may not be using an address in "your" block, they remain available. But I believe that someone has to be on site to make that work. Much of that detail is up to the ISP but I can't imagine them doing it otherwise.
Here is how we do it: We have an internet interface device (in our case a simple router) with no NAT. One side has a public IP address assigned by the ISP. The other side has a public IP address which is the lowest in our block.
So, if our block is 222.333.222.0/28 then we have 222.333.222.0 through 222.333.222.8 with network and broadcast. So, the router, on the inside, has 222.333.222.1 and we have 222.333.222.2 through 222.333.222.6 available whether we use them or not. So, with 64.128.165.39, I might guess that your addresses fall between:
64.128.165.33 to .38 or .46. Might that be the case?
The router LAN side is connected to a switch that I call the "internet switch" providing access to the router by multiple devices. As long as a device has an IP address in the block, I expect it to work (and it does).
So, it sounds like someone was able to light up one of your unused IP addresses, and it seems that would be in the switch room.
Just a theory..... but, if true, it seems to narrow down the possibilities.
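The block arithmetic in the post above (which aligned /29 or /28 contains 64.128.165.39, and which addresses in it are usable once network and broadcast are dropped) is the check worth doing before accepting "it's one of your addresses". The script below is an added example, not code from the thread: it uses the standard library `ipaddress` module to compute the enclosing block for a chosen prefix length and to test whether any of the office's known addresses sits in the same block. The ISP never stated the real prefix length, so /29 and /28 here are assumptions matching the "8 or 16 addresses" cases, and KNOWN_PUBLIC_IPS is a constructed stand-in for the three addresses the asker knows about.

```python
"""Enclosing-block check for a reported public IP.

Added example; not code from the thread. KNOWN_PUBLIC_IPS is constructed and
the prefix lengths are assumptions (the ISP did not disclose the block size).
"""
import ipaddress

REPORTED_IP = "64.128.165.39"
# Constructed stand-ins for the three non-consecutive addresses the office
# requested; the real ones are not in the thread.
KNOWN_PUBLIC_IPS = ["64.128.165.12", "64.128.165.70", "64.128.166.5"]


def candidate_block(ip, prefixlen):
    """The aligned network of size /prefixlen that contains ip.

    strict=False lets ip_network accept a host address and round it down to
    the network address, which is the manual arithmetic in the post.
    """
    return ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)


def usable_hosts(net):
    """Addresses in net minus network and broadcast (6 for /29, 14 for /28)."""
    return [str(h) for h in net.hosts()]


def siblings(ip, prefixlen):
    """Other usable addresses that share the block with ip; any of them
    could be 'lit up' by a device plugged into the same internet switch."""
    return [h for h in usable_hosts(candidate_block(ip, prefixlen)) if h != ip]


def shares_block(ip, known_ips, prefixlen):
    """True if at least one known assigned address falls in the same block.

    If this is False for every plausible customer block size, the ISP's
    'assigned to you' claim rests on something other than a shared block.
    """
    net = candidate_block(ip, prefixlen)
    return any(ipaddress.ip_address(k) in net for k in known_ips)


if __name__ == "__main__":
    for plen in (29, 28):
        net = candidate_block(REPORTED_IP, plen)
        print(net, usable_hosts(net), shares_block(REPORTED_IP, KNOWN_PUBLIC_IPS, plen))
```

With the constructed known addresses, neither the /29 nor the /28 around the reported IP contains any of them, while a /24 does; which of those the ISP actually allocated is exactly the question to put back to them.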
How do you connect your LAN to the ISP?
Another thought, if some of those public IP addresses are being used by others then they have access to that "internet switch" that I mentioned .. because the cable they use is connected. So anyone with such a cable could switch in another device and use one of "your" IP addresses. And, that "device" could be a laptop or anything.
I doubt that @fmarshall. The ISP will likely be doing NAT overload based on source subnet so unless a wired client can jump onto the same segment/VLAN it's unlikely.
craigbeck: He did say that there are public IP addresses assigned to some tenants. That implies direct access to the public IP block and no NAT.
Turn the argument around:
"It's unlikely that a wired client can connect to the "internet switch". Therefore, that's a good place to look for connections IF the ISP saw a normally unused public IP address being used. The possibilities are greatly reduced."
ASKER
> craigbeck ... it is entirely possible that real addresses are used throughout. Perhaps jmarkfoley could clarify what device is used to separate his LAN from the other tenants, and how it's configured?
Yes, real addresses are used throughout. As far as I can tell, nothing is used to separate my LAN from other tenants except for our MicroTik router/firewall.
In any case, I think I have a conclusion to the mystery.
I did a traceroute from my home computer to the office mail server:
TRACEROUTE (using port 8888/tcp)
HOP RTT ADDRESS
1 45.64 ms cpe-76-181-64-1.columbus.res.rr.com (76.181.64.1)
2 8.81 ms CPE-69-23-8-205.new.res.rr.com (69.23.8.205)
3 11.91 ms 24.33.160.58
4 12.63 ms tge9-2.ftpfoh0302h.midwest.rr.com (24.33.161.207)
5 10.62 ms CPE-69-23-10-166.new.res.rr.com (69.23.10.166)
6 25.73 ms host-70-34-190-114.host.ussignalcom.net (70.34.190.114)
7 27.07 ms 69-58-113-2.brescobroadband.com (69.58.113.2)
8 29.45 ms 64-128-165-39.brescobroadband.com (64.128.165.39)
9 29.90 ms mail.ohprs.org (64.129.23.80)
You will notice that the "offending" IP is at hop 8. Our public IP mail server (actually MicroTik router) is at hop 9. I did a traceroute from the office mail server and office web server to my home IP. The first hop after leaving the office hosts was 64.128.165.39. I've checked some mail headers received in the office going back 4 years. Many have this IP as the last hop before hand-off to our mail server.
This is not one of our hosts. This is clearly an up-stream server/router for this building and certainly other tenants' computers route through this server as well. Our ISP has not pursued this issue any further despite prodding by us to investigate further. I think he realized it was one of his own boxes and is quietly dropping the matter. Obviously, anyone in the building could have downloaded from anywhere via this host!
While our ISP has good people working for him, he's a bit of a dork and is often wrong on such things. I think this is a non-issue in the end. We will be changing ISP soon.
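An added example, not from the thread, that puts both checks discussed above into Python: which /29 or /28 block would contain the reported address and what its usable range is (fmarshall's guess), and whether the reported address falls inside our own public block or sits upstream of our router in the traceroute (the asker's conclusion). The traceroute sample is constructed from the hops quoted above, and the office block 64.129.23.80/29 is an assumption, since the thread never states the real block.

```python
import ipaddress
import re

# Constructed sample built from the values quoted in the thread: the IP the ISP
# reported, the office router/mail server at the last hop, and three traceroute hops.
REPORTED_IP = "64.128.165.39"
OUR_PUBLIC_IP = "64.129.23.80"
OUR_BLOCK = "64.129.23.80/29"  # hypothetical: the thread never states the real block
TRACEROUTE = """\
HOP RTT ADDRESS
7 27.07 ms 69-58-113-2.brescobroadband.com (69.58.113.2)
8 29.45 ms 64-128-165-39.brescobroadband.com (64.128.165.39)
9 29.90 ms mail.ohprs.org (64.129.23.80)
"""
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def parse_hops(text):
    """Map hop number -> IP from traceroute-style output; the header line is skipped."""
    hops = {}
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0].isdigit():
            ips = IPV4_RE.findall(line)
            if ips:
                hops[int(parts[0])] = ips[-1]  # the dotted quad in parentheses comes last
    return hops

def candidate_blocks(ip, prefixes=(29, 28)):
    """For each prefix length, the block containing ip with its usable host range.
    A /29 and /28 are the 8- and 16-address blocks fmarshall describes; the network
    and broadcast addresses are excluded from the usable range."""
    out = []
    for p in prefixes:
        net = ipaddress.ip_network(f"{ip}/{p}", strict=False)
        hosts = list(net.hosts())
        out.append((str(net), str(hosts[0]), str(hosts[-1])))
    return out

def classify(reported_ip, our_block, hops, our_ip):
    """'in_block' if the IP is one of ours, 'upstream' if it sits before our router on
    the path (ISP/building infrastructure), 'unknown' otherwise."""
    if ipaddress.ip_address(reported_ip) in ipaddress.ip_network(our_block, strict=False):
        return "in_block"
    our_hop = next((n for n, a in hops.items() if a == our_ip), None)
    reported_hop = next((n for n, a in hops.items() if a == reported_ip), None)
    if our_hop is not None and reported_hop is not None and reported_hop < our_hop:
        return "upstream"
    return "unknown"
```

An address that classifies as "in_block" is worth checking on the internet switch as fmarshall suggests; "upstream" means the hop belongs to the ISP or building infrastructure rather than to one of your hosts.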
ASKER
Thanks for all the feedback!
If your wireless is properly secured, such access should be limited anyway.