| reply to Its a Secret
Re: [Help] Syncflood attack on Belkin Excuse me, I didn't say I was stealing anything. He bought the router so I can have internet up here. He owns the house and I am living in the upstairs part of it. I developed a disability last year and am unable to work. Applying for Social Security is a long painful process. He knows I'm up here, he bought the router for that purpose, he gave me his WEP key.
Now moving on. Would it be easier for him to call Time Warner and ask for a different IP? It's supposed to be dynamic but when we turn it off for an hour or so it picks up the same IP it had before. I thought it was supposed to flush out the old IP after being off a certain amount of time and just pick up a new one. Is the attack on the wireless router specifically or is it on his roadrunner modem? I can't really tell. |
|
 Its a SecretPlease speak into the microphonePremium
join:2008-02-23
Da wet coast
kudos:3 | If you're using WEP, you're probably feeding the 'hood. WTF, man... |
|
| I don't know what you mean by that but the DHCP client list only shows our computers on the network. If we were not WEP enabled then everybody in the "hood" would be feeding off of us, as you so eloquently referred to my neighborhood as. |
|
Its a SecretPlease speak into the microphonePremium
join:2008-02-23
Da wet coast
kudos:3 | Use WPA2, it's backwards compatible to WPA, and far more secure. Use a 63 ASCII character PW from GRC: »www.grc.com/passwords.htm |
|
 NetFixerFreedom is NOT freePremium
join:2004-06-24
The 'Boro
 ·Vonage
 ·Cingular Wireless
 ·Comcast
 ·AT&T Southeast
1 edit | reply to aerinndis
said by aerinndis:Would it be easier for him to call Time Warner and ask for a different IP? It's supposed to be dynamic but when we turn it off for an hour or so it picks up the same IP it had before. I thought it was supposed to flush out the old IP after being off a certain amount of time and just pick up a new one. Is the attack on the wireless router specifically or is it on his roadrunner modem? I can't really tell. Most cable internet suppliers will reuse the same IP for the same connecting device unless it is left disconnected for a very long time (like a week or more). You may be able to "clone" your PC's MAC address into the Belkin routers WAN, and that should force a new WAN IP to be assigned to you (after you make the MAC address change and power cycle the cable modem).
If your landlord is doing P2P traffic (since you say that you are not doing that), that may be what is attracting what the Belkin router is interpreting as synflood traffic, and changing the WAN IP address will not help. The attacker(s) may also just be scanning a large IP subnet for routers and servers to use as slaves in a "reflection" synflood attack, and once again, changing the WAN IP address will not help. Without actually knowing anything about what your Belkin router is calling a synflood attack, any speculation would be just that.
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander. |
|
 sivranBack to Opera againPremium
join:2003-09-15
Arlington, TX
kudos:1
·RoadRunner Cable
| said by NetFixer:Most cable internet suppliers will reuse the same IP for the same connecting device unless it is left disconnected for a very long time (like a week or more). You may be able to "clone" your PC's MAC address into the Belkin routers WAN, and that should force a new WAN IP to be assigned to you (after you make the MAC address change and power cycle the cable modem). Slight caveat to that - it may just flat out break the internet access. Last time I swapped routers, power-cycling did not restore access. I had to clone the MAC from the previous router.
--
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon profitable cause... |
|
|
|
NetFixerFreedom is NOT freePremium
join:2004-06-24
The 'Boro Reviews:
·Vonage
·Cingular Wireless
·Comcast
·AT&T Southeast
1 edit | said by sivran:Slight caveat to that - it may just flat out break the internet access. Last time I swapped routers, power-cycling did not restore access. I had to clone the MAC from the previous router. Interesting. RR may be reverting to old habits. That was once a common practice among cable internet suppliers, and it is one reason that consumer grade router suppliers started allowing the router MAC address to be spoofed.
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander. |
|
| reply to sivran
Thanks guys. I don't know much about cloning. According to Shield's Up, all of my ports are stealth. Wouldn't we appear to be nonexistant to someone doing random sweeps? Just the past hour there are about 50 attacks from an IP in Columbia on port 50146. There is no known protocol for that one. There is one single attack from another IP on port 22. When I looked it up it said, SSH Remote Login Protocol. This has me slightly worried.
Yea I'm pretty sure there is something nasty on my friend's laptop. He mentioned before that he has a virus or something. I sort of have to yell at him and kick him in the butt to get him to do anything so this might be like pulling teeth fixing this problem. He mentioned that he keeps getting kicked off the internet and he gets the blue screen of death. There are no recovery discs, I never used a laptop before so I don't know anything about that. There is something about F10 recovery but as I said before, I will have to nag him to death to get him to do it. I don't know if that will fix anything now.
It doesn't seem like any of them are making it through the NAT firewall. Should I just wait for them to give up? We have nothing to steal......no credit cards, bad credit, I'd have to pay someone to steal my identity, then the student loan ppl can hound them to the gates of hell instead of me. |
|
sivranBack to Opera againPremium
join:2003-09-15
Arlington, TX
kudos:1 Reviews:
·RoadRunner Cable
1 edit | "Known protocols" means, quite frankly, very little. Any service can be run on any port. It's just a matter of whether one wants the service to be found by "normal" users--and scripts. My ssh does not run on 22. It used to, and every once in a while, some bot would come along and try to brute-force the password (always unsuccessfully). I changed the port it listened on, and now, no bots bang on its door.
quote:
When I looked it up it said, SSH Remote Login Protocol. This has me slightly worried.
Don't be. You don't have an SSH server running, and even if you did, the port is closed to the world, and short of some sort of exploit being possible on your router, or perhaps a malware infection on yours or the other guy's pc, will remain so no matter what.
quote:
all of my ports are stealth. Wouldn't we appear to be nonexistant to someone doing random sweeps?
No. It just means your router does not respond. "stealth" isn't all its cracked up to be by Gibson. In fact, there's no difference, safety-wise, between "stealth" and closed.
If you show full "stealth" or full closed on a port scan, then you have no services open to the world, and no need to worry about "attacks" on your router -- aside from the annoyance of them possibly knocking you offline.
All that said, that doesn't mean that your roomie's virus-ridden laptop can't do anything to your computer! I hope you have firewall and antivirus software running on your machine, as the router will not protect you from an attack from within, and your computer may have something exploitable running and visible locally.
quote:
Said by NetFixer 
RR may be reverting to old habits.
Well, it may just be simple laziness. This area's seen nearly a half-dozen cable ISPs, and it's been this way forever. Changing MAC address results in connectivity loss, regardless of power-cycle dancing.
--
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon profitable cause... |
|
| Well I am using Comodo and Avira. I scan regularly. I like Avira because it's heuristic, although I have gotten a couple false positives from it while browsing neopets lol.
So all of that hoohaw in my security log doesn't mean much. It was knocking me offline but the last couple days it hasn't. Occasionally my internet really slows down but this could be due to the fact that just about everyone here uses RR because we only have two choices for internet in this town. I'm also using a LinkSys adapter to connect to his wireless and I think I'm losing some speed there. It is a USB device rather than a card.
I will talk to my friend about getting a different router because this one makes me feel like a duck in water. I can't really do much in the settings and it's frustrating. I can't open/close ports and it has no SPI.
I did want to ask about WAN ping blocking because ours is enabled and there have been two pingdeath attacks since my last post from Lemon Grove, California lol. Belkin says I'm protected against that but my internet sure did slow down to a crawl when it happened. |
|
sivranBack to Opera againPremium
join:2003-09-15
Arlington, TX
kudos:1 Reviews:
·RoadRunner Cable
| Pretty much.
quote:
I did want to ask about WAN ping blocking because ours is enabled and there have been two pingdeath attacks since my last post from Lemon Grove, California lol. Belkin says I'm protected against that but my internet sure did slow down to a crawl when it happened.
Responding to pings is a good thing. Your router also sounds pretty wimpy, try to get it replaced. You can get fairly decent deals on older model WRT-54G's (the older ones have more memory) on ebay. You could probably even find some with DD-WRT or Tomato already installed.
--
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon profitable cause... |
|
| reply to aerinndis
To get a new IP try changing the MAC address on your router. There should be an option to clone a mac. I would cut your real mac out and change the last character then restart your router. This should get you a new IP address. Worth a shot. |
|
