Here's the situation in a nutshell: I have Mandrake 9.2 running on one machine with all non-critical services (httpd, sshd, ftp, etc.) stopped. Whenever I plug in the network connection, I immediately get a ton of network traffic on that machine. Lots of frantic blinking on the hub and the cable modem. This is annoying, and what's more, my cable company called because they think a machine at my house is sending spam.

I suspect that another machine (likely with the same ISP), like a hacked Windows box, is sending spam and spoofing my IP address somehow. I have cable Internet access, and I'd like to know if there's some simple way of releasing my IP address (obtained through DHCP) and getting a different address. This machine has had the same IP address ever since I installed Mandrake in February.

I tried erasing the dhclient.leases file, but my machine grabbed the same old address anyway when I plugged the network cable back in. I'm really quite a newbie, could someone tell me how to get a different IP address?

That's more up to the DHCP server than the client. Is this a dynamically assigned address from your ISP? If so you'll have to call them to get a new one. If this is the situation then I don't think it's someone else spoofing your IP since if that were the case you'd probably not get so much traffic (only a guess, though).

A good thing to do would be to port scan your network from the outside. If you can remotely log into a box somewhere else (not on your home network) and port scan yourself you'll be able to see if any strange ports are open. Another question: Is your cable connection slower than it should be?

simple fix... get a new network card. The isp is most likely caching the lease based on your mac address. This means unless you change your mac address, you won't get a new ip address...

Yes, a different ethernet card would do it, unless you have to register your mac address with them (the PC's mac address, not the cable modems - that never changes), I doubt you have to do that.

With my netgear router, (which supports mac address spoofing), I can simply click 'renew' and I'll recieve a new IP address from NTL's DHCP server. I assume what it does is, Release, change mac address, Renew.

What I would do in your situation if I didn't have the router and wanted to force a new IP address is:

1) Power down the cable modem
2) Disconnect the cable modem and reconnect to another computer, probably a friends laptop in my case
3) Power up the modem, connect to the internet, check my e-mail then repeat the process again, this time with my main machine.

Nobody can garuntee you'll get a new IP address, but at least where I live, it's the same IP until I request a new one :)

The ISP can. Just call them. Oh and some ISPs wont let you just change MAC addresses without telling them as a security precaution.

Thanks for the help so far.

With my cable service, IPs are just assigned whenever you plug a computer in, I've had dozens of different machines on my network over the years. So registering MAC addresses isn't an issue.

I've heard with Linux, you can change your card's MAC address. That might do the trick, anyone know how?

adz: I don't know how to do the stuff you suggested (log into another machine, scan my ports). Like I said, I'm a newbie. But I can't find anything malicious on my computer (it's Linux for gosh sakes) so I assume *something* is causing traffic to flood my IP address.

paul_m_d

If you want to perform a ports scan try these sites, on the second one look halfway down the page for ShieldsUP

http://www.dslreports.com/scan

http://www.grc.com/default.htm

For MAC address spoofing go here

http://whoozoo.co.uk/mac-spoof-linux.htm

Do you run a mail server ? if so go here to check that you are not an open relay for spam

http://www.abuse.net/relay.html

Pete

Are you sure it's your ISP assigning the IPs and not your modem? Can you do an ifconfig and post the result?

Well you can just do an nmap <your public IP address>. This is not quite as good as doing it from a remote computer but it will probably do. Note that your public IP will not be in the form 192.168.xxx.xxx or 10.xxx.xxx.xxx. Just because it's linux doesn't mean that it's invulnerable. I'm not saying you've been compromised but it does happen.

Thanks for the links, Pete. The port scan found nothing suspicious. I don't run a mail server. And oddly enough, the MAC spoofing command said "resource busy" even though I took eth0 down first.

adz, I'm typing from my Mac and not my Linux box, so I have to type this in, but the first part of the ifconfig results is (inserting XXs for privacy):

etc. etc. and then there's some similar information for device "lo".

nmap: "command not found"

Still not sure what to do. I'd really like to know if it's the machine or the IP address. I guess I could boot Knoppix.

So what you're saying is each computer on your home network gets assigned an IP by your ISP? That's bizarre. Or is the linux box your gateway? Iguess what I'm saying is how is you network hooked up?

adz: my setup is: cable modem -> network hub -> various computers

As soon as a computer is connected to the hub, it gets a DHCP lease from the ISP. No need to register MAC addresses or anything. That's quite normal here in Canada; if my ISP was picky enough to register MACs, I'd find a different ISP.

Right now, I have a Linux box for file storage/backup and an iMac for "real work". My parents also have an XP machine on the network.

paul_m_d

This is avery biased observation cus I don't do Windows but could'nt the XP machine be causing the problems via some sort of worm or trojan

Pete

If you're using hub, then each computer connected would receive it's own ip from the isp. I would check and see which ip was causing the problem and then check the security settings on the machine. Another solution is to by a router of some sort which would allow you to control the mac address as well as firewall. When setting up the firewall, you might consider blocking certain port going out as well so that if one of your computers is tacken over, it is limited as to what it can do. As for the mac adress registering, it is not so much that the mac address is registered as it is that the dhcp server of your isp knows that your mac address was given a certain ip so when it sees your mac address again, it give you the same ip address. This will continue until the lease runs out. At that time, if you are connected, it will renew the lease, other wise it will relinquish the ip address to another computer. L8rz.

I just don't understand how your ISP can keep doing that. That's a very inefficient use of IPs. What's done in Australia (and - until now - I assumed done everywhere else) is IP masquerading. That way you only have one public IP and as many private ones as you want and no one ever has to worry about running out of IPs.

As to your actual problem of network traffic, could you run your Mandrake box and then run netstat and ps aux (and post them here) and see if there are any strange processes running. Hopefully, something wierd will show up to give us a clue.

Are you using a router or a cable modem/router adz? If so, then that's how you're "masquerading." Another term might be Network Address Translation. If you do not have one, the you are dependant up the ISP's DHCP server. I use Comcast as my ISP here in America, adz, and if I hook up a hub to my modem in lieu of my router, then I can grab as many IP's as I have computers. Maybe it's different with the ISP in question but I assume that it's the same.