LinuxQuestions.org
Old 02-17-2004, 12:49 PM   #1
kaz4u2dig
Member
 
Registered: Jan 2004
Distribution: Suse Pro 9.0
Posts: 84

Rep: Reputation: 15
Being Hacked Please Help Friends...


I have been trying to get my Linux box up and running for a while and I got stuck on some hardware issues. I am ready to begin again but:
This is the message I sent to my ISP.

I have a Linux machine and two XP machines, a Belkin router, and a generic modem (grey top & black face).
I put my upstairs machine on DMV for gaming purposes and some remote machine software.
Well, my internet has been going in and out. One minute it's working, the next it's not.
I talked to RR support and they did a test on my line directly to a computer. I have
reset the modem, router, and computers exactly as needed, and still the connection will
work for a couple hours and then it won't work for a couple hours. I looked in my router
log and it tells me this:
>Security log for my Router
>2003/12/02 08:16:43 DHCP Client : Send Discover
>2004/02/16 12:58:32 DHCP Client : Receive Offer from 24.93.41.146
>2004/02/16 12:58:37 DHCP Client : Send Request, Request IP = XX.XX.XX.XX
>2004/02/16 12:58:37 DHCP Client : Receive Ack from 24.93.41.146, Lease time = 86394
>2004/02/16 12:50:37 192.168.2.74 login successful
>2004/02/16 12:56:17 DHCP Client : Send Release
>2004/02/16 12:56:26 DHCP Client : Send Discover
>2004/02/16 12:56:26 DHCP Client : Receive Offer from 24.93.41.146
>2004/02/16 12:56:32 DHCP Client : Send Request, Request IP = XX.XX.XX.XX
>2004/02/16 12:56:32 DHCP Client : Receive Ack from 24.93.41.146, Lease time = 85783
>2004/02/16 12:56:47 DHCP Client : Send Release
>2004/02/16 12:56:56 DHCP Client : Send Discover
>2004/02/16 12:56:56 DHCP Client : Receive Offer from 24.93.41.146
>2004/02/16 12:57:02 DHCP Client : Send Request, Request IP = XX.XX.XX.XX
>2004/02/16 12:57:02 DHCP Client : Receive Ack from 24.93.41.146, Lease time = 85753

Now this person (24.93.41.146) sent some packets (Ack) to block my signal...
or something like that...
I looked it up on google and I found this document:

<<<<<<<um... maybe i'm missing the clue here, but if the router vendors add
something that shuts down an interface if the SYN/SYN-ACK/ACK ratio
becomes too bad make it *easier* for me if i'm doing a denial of service
attack on a host?

instead of denying service to a given host, all i have to do is drive
the router into alarm mode so it shuts off the interface and then i get
to deny service to an entire segment and everything downstream from that
segment...>>>>>>>
This person (24.93.41.146) has been denying me service and I don't know how
to stop him. I have traced that IP address and it says he's a Road Runner Customer.
Please help me stop this malicious act. I would like to press charges if possible.

CAN YOU GUYS HELP ME SQUASH THIS BUG (24.93.41.146) PLEASE...

I JUST WANT TO LEARN LINUX AND START A WEB SERVER

AND THIS GUY IS CAUSING ME A LOT OF PROBLEMS AND MY ISP WON'T

DO ANYTHING ABOUT IT...

Last edited by kaz4u2dig; 02-17-2004 at 12:53 PM.
 
Old 02-17-2004, 01:30 PM   #2
Soulful93
Member
 
Registered: Dec 2003
Location: Denver, CO
Distribution: SuSE 9.2 Slackware 10.1
Posts: 137

Rep: Reputation: 15
If you have his isp information just notify them, and send them all the information you have.
 
Old 02-17-2004, 01:30 PM   #3
Booster
Member
 
Registered: Sep 2003
Location: Ontario, Canada
Distribution: Gentoo, Suse
Posts: 59

Rep: Reputation: 15
Not really an answer here (I only have a minute)... but it might be a good idea to post your router's forwarding rules here. I'm sure if you do that someone will quickly offer a suggestion to help secure it.
 
Old 02-17-2004, 01:43 PM   #4
benjithegreat98
Senior Member
 
Registered: Dec 2003
Location: Shelbyville, TN, USA
Distribution: Fedora Core, CentOS
Posts: 1,019

Rep: Reputation: 45
Would it be possible for you to set a rule in your Belkin router to just deny or drop any traffic originating from that IP address?
 
Old 02-17-2004, 01:46 PM   #5
t3___
Member
 
Registered: Sep 2003
Posts: 240

Rep: Reputation: 30
edited - lame oversight on my part...

Last edited by t3___; 02-17-2004 at 04:59 PM.
 
Old 02-17-2004, 04:13 PM   #6
bnice
Member
 
Registered: Feb 2004
Location: Sacramento, CA
Distribution: Slack 9.1, slackware-current
Posts: 284

Rep: Reputation: 30
That *IS* your isp...

dhcp server to be exact.
 
Old 02-17-2004, 04:17 PM   #7
t3___
Member
 
Registered: Sep 2003
Posts: 240

Rep: Reputation: 30
edited - lame oversight on my part...

Last edited by t3___; 02-17-2004 at 04:59 PM.
 
Old 02-17-2004, 04:46 PM   #8
bnice
Member
 
Registered: Feb 2004
Location: Sacramento, CA
Distribution: Slack 9.1, slackware-current
Posts: 284

Rep: Reputation: 30
Quote:
Originally posted by t3___
??? that is what the ip address he posted resolved to???

Router logs tend to scare people...

TCP/IP ain't voodoo...


Quote:
DHCP Client : Send Discover
looking for server

Quote:
DHCP Client : Receive Offer from 24.93.41.146
DHCP server offering services

Quote:
DHCP Client : Send Request, Request IP = XX.XX.XX.XX
router's DHCP client asking for address

Quote:
DHCP Client : Receive Ack from 24.93.41.146, Lease time = 85753
DHCP server acknowledges the request (ACK = acknowledge) and assigns the address lease for 85753 seconds
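As an added example (not code from any poster), a small Python triage of the Belkin log quoted above: it parses the DHCP lines, confirms that every Offer and Ack came from the same server, and checks whether the lease churn was started by the router (a Send Release seconds after an Ack) or by the server (a Nak), which is the distinction between bnice's reading and the attack theory. The log text is the thread's own lines, embedded as a constructed sample.

```python
import re
from datetime import datetime

# Constructed sample: the Belkin router lines quoted in the thread, with the
# poster's own WAN address left masked as XX.XX.XX.XX.
ROUTER_LOG = """\
2004/02/16 12:58:32 DHCP Client : Receive Offer from 24.93.41.146
2004/02/16 12:58:37 DHCP Client : Send Request, Request IP = XX.XX.XX.XX
2004/02/16 12:58:37 DHCP Client : Receive Ack from 24.93.41.146, Lease time = 86394
2004/02/16 12:50:37 192.168.2.74 login successful
2004/02/16 12:56:17 DHCP Client : Send Release
2004/02/16 12:56:26 DHCP Client : Send Discover
2004/02/16 12:56:26 DHCP Client : Receive Offer from 24.93.41.146
2004/02/16 12:56:32 DHCP Client : Send Request, Request IP = XX.XX.XX.XX
2004/02/16 12:56:32 DHCP Client : Receive Ack from 24.93.41.146, Lease time = 85783
2004/02/16 12:56:47 DHCP Client : Send Release
2004/02/16 12:56:56 DHCP Client : Send Discover
2004/02/16 12:56:56 DHCP Client : Receive Offer from 24.93.41.146
2004/02/16 12:57:02 DHCP Client : Send Request, Request IP = XX.XX.XX.XX
2004/02/16 12:57:02 DHCP Client : Receive Ack from 24.93.41.146, Lease time = 85753
"""

DHCP_RE = re.compile(r"^(\S+ \S+) DHCP Client : (?:Send|Receive) (\w+)"
                     r"(?: from (\d+(?:\.\d+){3}))?(?:.*Lease time = (\d+))?")

def parse_events(log):
    """DHCP events in time order as (time, msg, server_ip, lease_secs); other lines skipped."""
    events = []
    for line in log.splitlines():
        m = DHCP_RE.match(line)
        if m:  # the LAN 'login successful' line carries no DHCP fields and is dropped
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3), int(m.group(4)) if m.group(4) else None))
    return sorted(events, key=lambda e: e[0])  # stable: same-second lines keep log order

def triage(log, churn_secs=60):
    """Who the DHCP peer is, and whether lease churn was started by the router or the server."""
    ev = parse_events(log)
    acks = [e for e in ev if e[1] == "Ack"]
    early = sum(1 for a, b in zip(ev, ev[1:])
                if a[1] == "Ack" and b[1] == "Release"
                and (b[0] - a[0]).total_seconds() <= churn_secs)  # router gave a fresh lease back
    return {
        "servers": sorted({e[2] for e in ev if e[2]}),   # every Offer/Ack came from these hosts
        "acks": len(acks),
        "naks": sum(1 for e in ev if e[1] == "Nak"),     # a server refusing us would show here
        "early_releases": early,
        "min_lease_secs": min(e[3] for e in acks) if acks else None,
    }
```

On this log the only server seen is 24.93.41.146, it granted three leases of roughly a day each and never sent a Nak, while the router itself released one lease 15 seconds after receiving it; that points at the router or modem resetting, not at a peer refusing service.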
 
Old 02-17-2004, 04:50 PM   #9
Rick485
Member
 
Registered: Sep 2003
Location: Arizona
Distribution: Kubuntu 8.04
Posts: 202

Rep: Reputation: 30
I do not know much about denial of service attacks, but here are a few thoughts. I am not sure what type of routers your Internet provider uses, but their routers most likely have built-in firewalls. I recently took a class on using Cisco routers. In one assignment we had to create an access control list that would tell a Cisco router to block a specific IP address from accessing another specific IP address. Perhaps you could call your Internet provider and ask them to block that specific IP address from reaching your IP address. If they use extended access lists they would most likely do it on a border router that sits between them and the rest of the Internet. They could modify their access control list to block either the incoming or outgoing packets for that IP address, or both. If they use some other brand of routers they could still probably do something similar.

I also used the command whois 24.93.41.146, which is probably what you used to get more information on that IP address. Did you notice that the whois command gives an email address, a telephone number and a mailing address for the company that owns that range of IP addresses? You could try contacting them about your problem. I also tried using dig 24.93.41.146.

My knowledge of computer security is still somewhat limited. I hope to learn more about that someday. I have never used DHCP-assigned IP addresses much because we mostly just used static IP addresses in the class. I have a dial-up connection and have never used a router at home. In Linux you are most likely using an iptables firewall. I have not played with it much, but it also has the ability to block a specific incoming IP address. It can even be fine-tuned to allow or deny the use of specific incoming or outgoing ports for specific IP addresses.

Just to be safe I would also hope that you have installed all the latest security patches for both Linux and Windows. At the moment, with Red Hat 9, I can still just click an icon on the taskbar to download the latest security patches and updates. That probably would not help with a DOS attack but is a precaution that should be taken anyway. I should also add that I do not know enough about using DHCP to know if you have identified your basic problem correctly or not. I will just assume that what you said is correct. One other question is, does the DHCP server assign you different IP addresses at different times? If it sometimes gives you a different IP address, how does he still find you?

One other idea that might or might not help anything is to put this in the hosts table in both Linux and Windows:

127.0.0.1 24.93.41.14

If your computer tries to answer him, the answer will be sent to your loopback address instead of his IP address. In both Windows and Linux I have a long list of advertising-related IP addresses that I block in that manner. This hosts file is located in the /etc directory. However, I do not know enough to know if your computer is trying to answer him or not.
 
Old 02-17-2004, 04:56 PM   #10
Rick485
Member
 
Registered: Sep 2003
Location: Arizona
Distribution: Kubuntu 8.04
Posts: 202

Rep: Reputation: 30
Actually, as I think further, are you sure that 24.93.41.14 is not the IP address of your DHCP server? As I mentioned, I do not know much about DHCP. What bnice said reminded me that it sounds like you are describing the normal process of negotiating the temporary use of a DHCP-assigned IP address. Are you sure that you really have a denial of service attack? Perhaps not.
 
Old 02-17-2004, 06:03 PM   #11
Electro
LQ Guru
 
Registered: Jan 2002
Posts: 6,042

Rep: Reputation: Disabled
Assuming DMV means DMZ: turning on DMZ in a router sends all packets to a certain computer that has a specific IP address. This is very, very risky. You have to set up a firewall (port filter or packet filter) to secure your web server. You may want to search the internet on how to make LINUX more secure and what kinds of attacks there are.

DHCP is used if you have several hundred computers on your network. It would take a long time to assign IP addresses to each computer manually. A DHCP server does the hard work of giving an IP address to a computer when it asks for one. You can set up a permanent (static) IP address, but pick an IP address that is not used. In a DHCP server you can specify the range of IP addresses that it assigns. The rest is for you to use for something else, like a computer that has a static IP address.

The HOSTS file is used when you are visiting sites, not the other way around. hosts.allow and hosts.deny are where you put the addresses to block them coming in. xinetd, which is used on many of the latest LINUX distributions, can also block certain IP addresses, or all of them if you are really, really paranoid.

After you get the firewall set up and running, go to http://www.nessus.org/ and test your firewall configuration. It will do some real attacks to see if your server can stand up to them.

Go to ipchicken.com if you want to find out the IP address of your internet connection. You can parse the page if your connection is a dynamic internet connection. Many are dynamic for security purposes.
 