Alex Feigenson's Blog Systems Administrator That Communicates Effectively

12Apr/102

iPhone users can’t hide from netflow!

I couldn't resist blogging about this one.

Last Friday I wrote a blog post about how netflow was making my users happy. This week I'm going to talk about how netflow is still making my users happy - except for one.

After a few days of watching CPU usage on my routers, I added a second site to my netflow collector and started investigating.

The first thing I noticed was more users backing up to the wrong location (we're now performing an audit). The second thing I noticed was someone transferring a lot of data from Akamai - and I started looking into what it was.

The IP in question didn't have a DNS entry, so I got curious. I used nmap to find out more information and lo and behold:

Running: Apple iPhone OS 3.X
OS details: Apple iPhone mobile phone (iPhone OS 3.0 - 3.0.1)

An iPhone?!

After realizing it was an iPhone, and not even a user's computer, I decided to take action against the offending device. After all, we're having bandwidth issues! Because we're using DHCP, I took a look at our DHCP leases to find out the MAC address of the iPhone:

Now that I had the MAC address, I could send it to the /dev/null blackhole. I logged into my wireless access point and went to work. I would outline the CLI commands, but I must confess to using the web interface. As you can tell from these instructions, it's much easier (on the surface) to do it that way. Also, as it turns out, Cisco WAPs don't play nice if you configure them through both the GUI and CLI.

Essentially what I did was create a filter for the particular offending MAC address. If you are doing this yourself, be careful! By default it will set the Default Action to "Block All," meaning you will knock everyone off.

This is how I set it up:

Yeah, I know - I'm a terrible person - the poor user can't get on our ultra fast (not really) wireless network! Well, the way I see it is there isn't a single business use case where a user would need to transfer 120+ MB worth of data to their phone. That's what the cell phone carrier network is for! Let AT&T handle it says I!
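
The lookup chain described above (heavy talker in the flow data, then its DHCP lease, then the MAC to filter), as an added example that is not part of the original post. It assumes a CSV flow export and an ISC dhcpd-style leases file; the subnet, addresses and MACs are constructed sample data.

```python
import ipaddress
import re
from collections import Counter

INTERNAL = ipaddress.ip_network("10.0.5.0/24")  # assumed wireless subnet
THRESHOLD = 120 * 1024 * 1024                   # the post's 120 MB figure
# Constructed flow export (src_ip,dst_ip,bytes); addresses are made up.
FLOWS = """\
203.0.113.10,10.0.5.23,90000000
203.0.113.11,10.0.5.23,45000000
10.0.5.23,203.0.113.10,2100000
198.51.100.7,10.0.5.40,31000000
"""
# Constructed dhcpd.leases excerpt; 10.0.5.23 has an older, released entry.
LEASES = """\
lease 10.0.5.23 { binding state free; hardware ethernet 02:00:00:00:00:01; }
lease 10.0.5.40 { binding state active; hardware ethernet 02:00:00:00:00:40; }
lease 10.0.5.23 { binding state active; hardware ethernet 02:00:00:00:00:23; }
"""

def bytes_per_host(flows):
    """Sum bytes in both directions for each address inside INTERNAL."""
    totals = Counter()
    for line in flows.splitlines():
        src, dst, nbytes = line.split(",")
        for ip in (src, dst):
            if ipaddress.ip_address(ip) in INTERNAL:
                totals[ip] += int(nbytes)
    return totals

def active_leases(text):
    """Map IP -> MAC; the file is a log, so the last entry per IP wins."""
    current = {}
    for ip, body in re.findall(r"lease (\S+) \{(.*?)\}", text, re.S):
        stmts = [s.strip() for s in body.split(";")]
        mac = [s.split()[-1] for s in stmts if s.startswith("hardware ethernet")]
        if "binding state active" in stmts and mac:
            current[ip] = mac[0]
        else:
            current.pop(ip, None)  # released or expired: drop the stale MAC
    return current

def heavy_hosts(flows=FLOWS, leases=LEASES):
    """Return (ip, mac, bytes) for hosts over THRESHOLD, largest first."""
    macs = active_leases(leases)
    return [(ip, macs.get(ip, "no active lease"), total)
            for ip, total in bytes_per_host(flows).most_common() if total > THRESHOLD]

print(heavy_hosts())
```

Taking the last lease entry per address matters here: an address that was handed to a different device earlier in the file would otherwise point the filter at the wrong MAC.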


Comments (2) Trackbacks (0)
  1. You’re the BOFH. Excuse of the day #425:

    stop bit received

  2. I can’t help it :)
