#1
Figure this is probably a good place to ask this, although I used a (gasp!) Windows machine.. :-)

I have a fiber to the home connection. Periodically, my connection becomes unusable for ½ an hour to an hour at a time. The WAN connection gets so screwed up that my SMC 7004WBR will not even allow me to connect to it on the LAN side. In order to log in, I have to disconnect the WAN cable. With the WAN connection in place, the ping times are "Request timed out." With the WAN cable out, there is no packet loss to the router.

My provider, Surewest Broadband, says there is nothing wrong. (They claim they'd know if there was.)

So, I got annoyed and put a hub in between my router and the fiber demarcation unit and plugged my computer into the hub. I started up Ethereal and had it dump everything it saw. I observed thousands of packets between 64.30.123.92 (an IP on my subnet) and it had a connection to 209.11.45.139 (WhenU - Just In Time Marketing) and NO OTHER TRAFFIC.

On another occasion, I observed thousands of packets between 64.30.123.92 (the same IP on my subnet) and it had a connection to 24.205.49.38 (A cable modem?) and NO OTHER TRAFFIC. (Src Port 80 and Dst. Port 3080)

So something that 64.30.123.92 is doing is completely destroying my router's ability to communicate with my provider and wipes out the router's ability to communicate on the LAN side. Any ideas what it might be?

I've already sent the ISP's support an e-mail and a copy of a previous Ethereal dump and they never even bothered to acknowledge it.

Anyone who'd like to see a 15 second Ethereal dump can download it from: http://www.mailsack.org/surewest.zip

Thanks!
__________________
Note: To reply, replace the word 'spam' embedded in return address with 'mail'.
N38.6 W121.4
Barry S.
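The hub-tap method above produces a capture where one conversation crowds out everything else. The following is an added example, not code from the original post: a small flow summarizer that reads capture records (a constructed sample modelled on the src port 80 / dst port 3080 pattern described, with made-up counts) and reports any single flow that accounts for nearly all packets on the segment, with its share and approximate bit rate, which is the kind of evidence worth attaching when reporting the problem to an ISP.

```python
from collections import Counter, defaultdict

# Constructed sample of capture records: (time_s, src, sport, dst, dport, length).
# Addresses and ports are the ones quoted in the thread; timing and sizes are
# made up to mimic "thousands of packets to one host and NO OTHER TRAFFIC".
SAMPLE_PACKETS = (
    [(i * 0.001, "64.30.123.92", 80, "24.205.49.38", 3080, 1500) for i in range(980)]
    + [(i * 0.05, "64.30.123.10", 1234, "64.30.123.1", 53, 80) for i in range(20)]
)


def flow_key(pkt):
    """Direction-insensitive (addr, port) pair so both halves of a conversation merge."""
    _, src, sport, dst, dport, _ = pkt
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)


def summarize(packets):
    """Per-flow packet count, byte count and share of all packets in the capture."""
    counts = Counter()
    nbytes = defaultdict(int)
    for pkt in packets:
        key = flow_key(pkt)
        counts[key] += 1
        nbytes[key] += pkt[5]
    total = len(packets)
    return {k: {"packets": c, "bytes": nbytes[k], "share": c / total}
            for k, c in counts.items()}


def dominant_flows(packets, min_share=0.9):
    """Flows holding at least min_share of all packets seen on the tap.

    One conversation near 100% of a shared segment is the symptom from the post;
    the bit-rate estimate shows whether it is also saturating the link."""
    stats = summarize(packets)
    times = [p[0] for p in packets]
    duration = (max(times) - min(times)) or 1e-9  # avoid division by zero
    found = []
    for key, s in stats.items():
        if s["share"] >= min_share:
            found.append({"flow": key, "packets": s["packets"], "bytes": s["bytes"],
                          "share": round(s["share"], 3),
                          "mbps": round(s["bytes"] * 8 / duration / 1e6, 1)})
    return sorted(found, key=lambda r: -r["packets"])


if __name__ == "__main__":
    for row in dominant_flows(SAMPLE_PACKETS):
        print(row)
```

With a real capture, replace SAMPLE_PACKETS with records exported from the analyzer (time, source, source port, destination, destination port, frame length) and the same functions apply.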
|
#2
Barry S. <(E-Mail Removed)> wrote:
> everything it saw. I observed thousands of packets between
> 64.30.123.92 (an IP on my subnet) and it had a connection to
> 209.11.45.139 (WhenU - Just In Time Marketing) and NO OTHER TRAFFIC.

Well, unless your machine has been hacked and turned into a zombie (something that you can easily check... I hope), there is obviously something wrong in the way someone set up the routing table.

If your machine isn't the culprit, you'd have to clear that with your ISP.

Davide
--
| The bad reputation UNIX has gotten is totally undeserved, laid on by
| people who don't understand, who have not gotten in there and tried
| anything.
|
#3
On 6 Jul 2004 07:25:56 GMT, Davide Bianchi <(E-Mail Removed)> wrote:
>Barry S. <(E-Mail Removed)> wrote:
>> everything it saw. I observed thousands of packets between
>> 64.30.123.92 (an IP on my subnet) and it had a connection to
>> 209.11.45.139 (WhenU - Just In Time Marketing) and NO OTHER TRAFFIC.
>
>Well, unless your machine has been hacked and turned into a zombie
>(something that you can easily check... I hope), there is obviously
>something wrong in the way someone set up the routing table.
>
>If your machine isn't the culprit, you'd have to clear that with your
>ISP.

My machine is fine.. Everything points to 64.30.123.92 and something that he is doing.. Just not sure what he could do that would wipe out my router's WAN side.
__________________
Note: To reply, replace the word 'spam' embedded in return address with 'mail'.
N38.6 W121.4
|
#4
Barry S. wrote:
> On another occasion, I observed thousands of packets between
> 64.30.123.92 (the same IP on my subnet) and it had a connection to
> 24.205.49.38 (A cable modem?) and NO OTHER TRAFFIC. (Src Port 80 and
> Dst. Port 3080)

Looks like a scan. Nmap does this kind of request when scanning. But I have never seen so many packets to just one port. A DoS attack?

Maybe the person hacked his cable modem and got the speed uncapped. This, combined with a DoS on someone, would effectively kill your subnet.

But I'm not sure.

[]s
- --
Official u-br page: http://u-br.tk
Talk to the admins: u-br.admin
See the latest u-br news: u-br.admin.avisos
Linux Counter user #208269
|
#5
On Tue, 06 Jul 2004 21:46:08 -0300, Marcelo Rodrigues <(E-Mail Removed)> wrote:
>Barry S. wrote:
>
>> On another occasion, I observed thousands of packets between
>> 64.30.123.92 (the same IP on my subnet) and it had a connection to
>> 24.205.49.38 (A cable modem?) and NO OTHER TRAFFIC. (Src Port 80 and
>> Dst. Port 3080)
>
>Looks like a scan. Nmap does this kind of request when scanning. But I have
>never seen so many packets to just one port. A DoS attack?

Maybe. The other "attack" was to a company called whenu.com who makes spyware/malware/adware.. whenu.com

So maybe.

>Maybe the person hacked his cable modem and got the speed uncapped. This,
>combined with a DoS on someone, would effectively kill your subnet.

It's an unrestricted 10 Mbps symmetric fiber ethernet line.. So he can have a full 10 Mbps if he likes.. But it's not supposed to wipe me out.
__________________
Note: To reply, replace the word 'spam' embedded in return address with 'mail'.
N38.6 W121.4