Security: disabling a hacked machine's network connection
When a UCAR machine is successfully attacked by a hacker, it may
be used to attack other machines. At such times, NETS may be
asked to disconnect the machine from the network, as described in
the Computing Security and Networking Emergency Procedures Policy.
You'll probably be given an IP address to "turn off". This web
page describes how to track down the relevant switch port and
disable it.
If you're lucky, the host will be in the Port Lists. You can feed
the IP address to the Inktomi search engine to search the NETS
web. If you get search hits, you can use your browser's "Find In
Page" function to find the port. If you don't find the port this
way, use the following method.
- Guess whether the host is at Foothills or at the Mesa Lab.
  Log in to fl2-3095-c1-gs or ml-mr-c1-gs.
- To find out the MAC address and the switch that the host is
  connected to, use a command like:

      show mls entry ip destination 128.117.110.2

  In the resulting display, the DPort shows the port out which
  packets will go to get to the host.
- To find out the name of the switch that the host is connected
  to, use this command:

      show cdp neighbors

  The line that corresponds to the DPort will show the name of
  the switch that the host is connected to.
- Log in to the switch that the host is connected to. To find
  out the port that the host is connected to, use a command like:

      show cam 08-00-20-9f-7d-18

  using the MAC address that you learned from the earlier
  show mls entry command. Check that the port shows only that one
  MAC address: a port carrying several (an uplink to another
  switch, or a hub) would cut off other hosts as well.
- To disable the port, use a command like:

      set port disable 4/23
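The steps above are typed into the switch by hand. As an added example (not part of this page or of any NETS tooling), the Python helper below takes a pasted "show cam" listing, normalizes whatever MAC notation you were given, finds the port the MAC was learned on, and only produces the set port disable command when that MAC is alone on its port. The sample table, its VLAN, MAC addresses and ports are constructed and only approximate CatOS output; the entry-line layout (VLAN, MAC, port) is an assumption of the parser.

```python
"""Helper for the port-disable procedure: added example, not part of
the original NETS page.  It works on text pasted from the switch and
emits the CatOS command only when the port is safe to disable.
"""
import re
from typing import Dict, Optional, Set, Tuple


def normalize_mac(mac: str) -> str:
    """Reduce any common MAC notation (08-00-20-9f-7d-18,
    08:00:20:9f:7d:18, 0800.209f.7d18) to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def catos_mac(mac: str) -> str:
    """Format a MAC the way the 'show cam' step above takes it."""
    digits = normalize_mac(mac)
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_cam(output: str) -> Dict[str, Set[str]]:
    """Map each port (e.g. '4/23') to the set of MACs learned on it.

    Entry lines are assumed to begin 'VLAN  MAC  port'; legend and
    header lines do not match the pattern and are skipped.
    """
    ports: Dict[str, Set[str]] = {}
    entry = re.compile(r"^\s*(\d+)\s+([0-9a-fA-F:.\-]{12,17})\s+(\d+/\d+)\b")
    for line in output.splitlines():
        m = entry.match(line)
        if not m:
            continue
        try:
            mac = normalize_mac(m.group(2))
        except ValueError:
            continue  # a field that only looked like a MAC
        ports.setdefault(m.group(3), set()).add(mac)
    return ports


def port_for_mac(cam: Dict[str, Set[str]], mac: str) -> Optional[str]:
    """Return the port on which 'mac' was learned, or None."""
    target = normalize_mac(mac)
    for port, macs in cam.items():
        if target in macs:
            return port
    return None


def plan_disable(cam: Dict[str, Set[str]], mac: str) -> Tuple[Optional[str], str]:
    """Return (command, reason).  The command is None when the MAC is not
    in the table or when its port also carries other MACs, because
    disabling such a port (an uplink or a hub) would cut off other hosts."""
    port = port_for_mac(cam, mac)
    if port is None:
        return None, f"{catos_mac(mac)} not found in CAM table"
    others = len(cam[port]) - 1
    if others:
        return None, f"port {port} also carries {others} other MAC(s); check before disabling"
    return f"set port disable {port}", f"{catos_mac(mac)} is alone on port {port}"


# Constructed sample that only approximates 'show cam' output on CatOS;
# the VLAN, MAC addresses and ports are made up for this example.
CAM_SAMPLE = """\
* = Static Entry. + = Permanent Entry. # = System Entry. R = Router Entry.
VLAN  Dest MAC/Route Des    [CoS]  Destination Ports or VCs / [Protocol Type]
----  ------------------    -----  -------------------------------------------
110   08-00-20-9f-7d-18            4/23 [ALL]
110   00-e0-1e-3a-55-01            4/24 [ALL]
110   00-d0-58-22-0a-9b            4/24 [ALL]
"""

if __name__ == "__main__":
    table = parse_cam(CAM_SAMPLE)
    for target in ("08-00-20-9f-7d-18", "00-e0-1e-3a-55-01", "00-00-00-00-00-01"):
        command, reason = plan_disable(table, target)
        print(f"{target}: {command or 'NO ACTION'} ({reason})")
```

Run it with the constructed table and the first MAC yields the disable command, the second is refused because port 4/24 carries two addresses, and the third is reported as not found. Paste a real listing in place of CAM_SAMPLE; if the line layout differs from the assumed one, adjust the regular expression in parse_cam rather than trusting an empty result.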
Pete Siemsen
Last modified: Tue Nov 20 13:46:34 MST 2001