How do you figure out the attacker from their MAC and IP addresses?

anushkakohli
Level 1

If there's an attacker on a public LAN like a school or a shopping centre, for example, the administrators can look at the router's packet capture and see the attacker's MAC and IP addresses, but what can they do with this information to figure out who the attacker was?

3 Replies

Leo Laohoo
Hall of Fame

MAC addresses can be spoofed.

This can be solved by blocking this MAC in your SW with:
   Switch(config)# mac address-table static <mac> vlan X drop
If the attacker spoofed another MAC, then use DHCP snooping with IP guard and DAI in your L2 SW.

Identifying who the attacker is can be very difficult, but using the IP and MAC you can narrow down where the attacker is located in your network, even if the MAC is spoofed, as is done by default on all new iOS devices.

Now, assuming the attacker is connected to the WiFi network, you can use the IP and MAC to identify which AP the device is connected to. Assuming the attack is in progress, you can narrow down the geographic location of the attacker within the building, given that each AP has a limited range. If the attacker is on the move, you will see the IP and MAC move to another AP, and you can then have an idea of which direction the attacker is moving. Combine this with monitoring cameras and you might be able to identify the attacker based on his / her movements.

--
Please remember to select a correct answer and rate helpful posts
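
The AP-tracking approach from the reply above, as an added example that is not part of the original thread: it turns client association events into a per-AP timeline for one MAC, giving the time windows to pull camera footage for. The CSV column layout, AP names and addresses are constructed for illustration and are not a vendor log format.

```python
import csv, io
from datetime import datetime

# Constructed sample: association events as a wireless controller might export them.
# The column layout is an assumption for this example, not a vendor log format.
SAMPLE_EVENTS = """time,client_mac,client_ip,ap_name
2024-05-01T10:00:05,a6:11:22:33:44:55,10.20.0.57,AP-FoodCourt
2024-05-01T10:00:40,00:1b:63:aa:bb:cc,10.20.0.91,AP-FoodCourt
2024-05-01T10:04:12,A611.2233.4455,10.20.0.57,AP-FoodCourt
2024-05-01T10:09:30,a6-11-22-33-44-55,10.20.0.57,AP-EastHall
2024-05-01T10:15:02,a6:11:22:33:44:55,10.20.0.57,AP-Entrance2
"""

def normalize_mac(mac):
    """Reduce colon, dash and Cisco dotted notation to 12 lowercase hex digits."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def is_locally_administered(mac):
    """True when the U/L bit is set, as it is on randomized (private) MACs."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)

def ap_timeline(events_csv, target_mac):
    """Return [(ap_name, first_seen, last_seen)] in order of movement."""
    target = normalize_mac(target_mac)
    rows = [r for r in csv.DictReader(io.StringIO(events_csv))
            if normalize_mac(r["client_mac"]) == target]
    rows.sort(key=lambda r: r["time"])  # ISO 8601 strings sort chronologically
    timeline = []
    for r in rows:
        seen = datetime.fromisoformat(r["time"])
        if timeline and timeline[-1][0] == r["ap_name"]:
            timeline[-1] = (r["ap_name"], timeline[-1][1], seen)  # still on same AP
        else:
            timeline.append((r["ap_name"], seen, seen))           # roamed to a new AP
    return timeline

if __name__ == "__main__":
    mac = "a6:11:22:33:44:55"
    print("locally administered MAC:", is_locally_administered(mac))
    for ap, first, last in ap_timeline(SAMPLE_EVENTS, mac):
        print(f"{ap:14} {first:%H:%M:%S} -> {last:%H:%M:%S}")
```

A set locally-administered bit means the address was not assigned by the manufacturer, so the vendor prefix says nothing about the device and the AP timeline is the more useful lead.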