Re: Bogus DHCP server in the network....

From: Ryan Russell (Ryan.Russellat_private)
Date: Mon Oct 04 1999 - 15:53:29 PDT


    >Here's the picture. I am a client of Adelphia PowerLink CableTV. They use DHCP
    >for giving IP addresses. In the last weeks a bogus DHCP server showed up into
    >the network giving addresses in 192.168.244.128/25. The guy is using aliasing
    >on his Ethernet interface, he has an address acquired from the ISP in the ISP's
    >range and he configured his interface with 192.168.244.129 too. I have his
    >MAC. He gives DNS services. The system the hacker uses is totally protected,
    
    It's making a bit of a leap that he's a "hacker".  Stupidity explains things
    just as well as maliciousness in this case.  Obviously the guy is running some
    sort of NAT box, and has the DHCP server enabled on his outside interface, too.
    Or, he's got them plugged into the same hub.
    
    >no ports are "visible" to allow to try to do something to his system (can syn
    >flood be a solution?). Some time ago the hacker provided forwarding also but
    >now he's not forwarding anymore annoying lots of people in the net as they
    >don't have access to the INTERNET. I believe it is a UNIX box, most likely
    >LINUX with NAT. Now here comes the question: is anything there we can do to
    >block this guy ?
    
    Sure, call the cable provider and complain.  Obviously, since your DHCP
    broadcasts are reaching him, and so are the replies, he's somewhere "nearby"
    network-wise.  Ping everyone on your subnet, look at your ARP table, and
    compare MAC addresses.
    
    Or, if you've got the capability, block packets from his IP or MAC address, and
    you'll get the DHCP offers from the real DHCP server.
    
                                  Ryan
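
The ARP-table comparison suggested in the reply above, as an added example that is not part of the original message: it groups `arp -an` style output by MAC address and reports which ISP-range address shares a MAC with the bogus 192.168.244.128/25 range, which is the detail to hand to the cable provider. The ARP output, the 10.20.30.0/24 "ISP range" and all MAC addresses are constructed sample values.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of `arp -an` output (not from the original message).
# 10.20.30.0/24 stands in for the ISP's range; the MAC addresses are made up.
SAMPLE_ARP = """\
? (10.20.30.1) at 00:10:7b:aa:00:01 [ether] on eth0
? (10.20.30.57) at 00:a0:c9:12:34:56 [ether] on eth0
? (10.20.30.88) at 00:60:97:ab:cd:ef [ether] on eth0
? (192.168.244.129) at 00:A0:C9:12:34:56 [ether] on eth0
? (10.20.30.90) at <incomplete> on eth0
"""

ARP_LINE = re.compile(
    r"\((?P<ip>[0-9.]+)\) at (?P<mac>(?:[0-9a-fA-F]{1,2}[:-]){5}[0-9a-fA-F]{1,2})"
)

def normalize_mac(mac):
    """Lower-case, colon-separated, zero-padded octets (BSD arp drops leading zeros)."""
    return ":".join(part.zfill(2) for part in re.split(r"[:-]", mac.lower()))

def parse_arp(text):
    """Return {mac: set(ip)} for resolved entries; <incomplete> entries are skipped."""
    table = defaultdict(set)
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[normalize_mac(m["mac"])].add(ipaddress.ip_address(m["ip"]))
    return table

def locate_rogue(text, rogue_net, isp_net):
    """Map each MAC answering inside rogue_net to its addresses inside isp_net."""
    rogue_net = ipaddress.ip_network(rogue_net)
    isp_net = ipaddress.ip_network(isp_net)
    findings = {}
    for mac, ips in parse_arp(text).items():
        if any(ip in rogue_net for ip in ips):
            findings[mac] = sorted(str(ip) for ip in ips if ip in isp_net)
    return findings

if __name__ == "__main__":
    hits = locate_rogue(SAMPLE_ARP, "192.168.244.128/25", "10.20.30.0/24")
    for mac, isp_ips in hits.items():
        print(f"{mac} answers for the bogus range; ISP-side address(es): {isp_ips or 'none seen'}")
```

An empty address list for a MAC means the ISP-side address has not been resolved yet, so ping the subnet first to populate the ARP table.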
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:42:13 PDT