This sounds strikingly familiar... You may not want to jump right away at thinking this problem is caused intentionally, because this sounds like a situation that I was involved in recently.

My day job involves installation and maintenance of various Firewall Appliances in the Pittsburgh area, part of which is covered by Adelphia. I have some experience with the Cable Modems and the DSL modems with Firewalls. The most common firewall I have been installing in recent months has been the Watchguard Firebox II. When installed in a cablemodem environment using the Watchguard "drop in" configuration (all IP addresses are the same on all interfaces, and the Firebox appears to be 'invisible' to all of the equipment and users on the customer's network), the Firebox took it upon itself to start serving ALL requests for addresses on the cablemodem, and we all know that placing a sniffer on a cablemodem reveals that all broadcasts are visible to all members of that segment. (The cable modem is layer 2 only.)

In any case, I "accidentally" took out the ENTIRE segment by installing this Firewall. This was invisible to me, as my customer's network continued to run fine. I only became aware of the problem when the cable company took down our cablemodem remotely quite some time later in an attempt to find out if we were the culprit, and of course we were. I was unaware that the Firewall was going to do this task, and that was combined with the fact that this was my first cablemodem install (I know better now, and DSL around my area proves to have the same shortcomings).

Also, you mentioned that you had a clue that it might be Linux based with NAT (which is really IP Masquerading, only ONE address on the public side); the Watchguard product runs on a Linux kernel, and has IP Masquerading as a typical installation option.

Also, the Watchguard Firebox will usually show no services running during a port scan because it has what I like to call a "penalty box": if you scan the network, the Firebox detects this and places that address in a list that blocks all activity to/from that address for a specified period of time (usually 1 hour, I believe). This gives the illusion that there are no public services when scanned, when there might actually be several.

If you have the MAC address, I believe you can track which cablemodem is causing the problem, and from there contact that customer and see what hardware they have frontending the cablemodem.

If you need more details on this just toss me an email or call me. If you are in the Pittsburgh area, maybe I can even help you out. I got to know a few techies at Adelphia recently. :)

-Mark Coleman
-Tripwire Network Solutions
mcolemanat_private
724-437-5940 x7485

----- Original Message -----
From: TUDOR PANAITESCU <tpanaitescuat_private>
To: <firewall-wizardsat_private>
Sent: Sunday, October 03, 1999 7:38 AM
Subject: Bogus DHCP server in the network....

> Hello fellow wizards,
>
> Here's the picture. I am a client of Adelphia PowerLink CableTV. They use DHCP
> for giving IP addresses. In the last weeks a bogus DHCP server showed up into
> the network giving addresses in 192.168.244.128/25. The guy is using aliasing
> on his Ethernet interface, he has an address acquired from the ISP in the ISP's
> range and he configured his interface with 192.168.244.129 too. I have his
> MAC. He gives DNS services. The system the hacker uses is totally protected,
> no ports are "visible" to allow to try to do something to his system (can syn
> flood be a solution?). Some time ago the hacker provided forwarding also but
> now he's not forwarding anymore, annoying lots of people in the net as they
> don't have access to the INTERNET. I believe it is a UNIX box, most likely
> LINUX with NAT.
>
> Now here comes the question: is anything there we can do to
> block this guy ?
>
> Any answer will be greatly appreciated. I will summarize also for archiving
> purposes.
>
> TIA & best regards,
> Tudor
>
> ____________________________________________________________________
> Get free email and a permanent address at http://www.netaddress.com/?N=1
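A defender-side check for the rogue-DHCP situation described in the quoted message, added here as an example and not part of either post: it parses a raw DHCP OFFER (RFC 2131 BOOTP header plus options) and flags offers whose server identifier, offered address or DNS server fall outside an allow-list, so the offending server's MAC can be recorded. The allow-list values and the sample packets are constructed assumptions; the ISP's real DHCP server and address range do not appear in the thread.

```python
import ipaddress

# Constructed allow-list (assumption): the ISP's DHCP server and lease pool.
AUTHORIZED_SERVERS = {"10.0.0.1"}
AUTHORIZED_POOL = ipaddress.ip_network("10.0.0.0/16")
MAGIC_COOKIE = b"\x63\x82\x53\x63"


def parse_dhcp(payload: bytes) -> dict:
    """Extract yiaddr, client MAC and the option map from a raw DHCP message."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    fields = {"yiaddr": str(ipaddress.IPv4Address(payload[16:20])),
              "client_mac": ":".join(f"{b:02x}" for b in payload[28:34]),
              "options": {}}
    i = 240
    while i < len(payload) and payload[i] != 255:  # 255 = end option
        if payload[i] == 0:                        # 0 = pad, no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        fields["options"][code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return fields


def classify_offer(payload: bytes, server_mac: str) -> list:
    """Return the reasons an OFFER looks rogue; an empty list means it is expected."""
    f = parse_dhcp(payload)
    opts, reasons = f["options"], []
    if opts.get(53) != b"\x02":                     # option 53 type 2 = DHCPOFFER
        return reasons
    server_id = str(ipaddress.IPv4Address(opts[54])) if 54 in opts else None
    if server_id not in AUTHORIZED_SERVERS:
        reasons.append(f"unknown server identifier {server_id} from MAC {server_mac}")
    if ipaddress.IPv4Address(f["yiaddr"]) not in AUTHORIZED_POOL:
        reasons.append(f"offered address {f['yiaddr']} outside ISP pool")
    for k in range(0, len(opts.get(6, b"")), 4):    # option 6 = DNS servers
        dns = ipaddress.IPv4Address(opts[6][k:k + 4])
        if dns not in AUTHORIZED_POOL:
            reasons.append(f"DNS server {dns} outside ISP pool")
    return reasons


def build_offer(yiaddr: str, server_id: str, dns: str, client_mac: bytes) -> bytes:
    """Construct a minimal DHCPOFFER for testing; this is not captured traffic."""
    hdr = bytes([2, 1, 6, 0]) + b"\x00" * 12            # op=BOOTREPLY, xid..ciaddr zero
    hdr += ipaddress.IPv4Address(yiaddr).packed + b"\x00" * 8
    hdr += client_mac + b"\x00" * 10 + b"\x00" * 192     # chaddr, sname, file
    opts = b"\x35\x01\x02" + b"\x36\x04" + ipaddress.IPv4Address(server_id).packed
    opts += b"\x06\x04" + ipaddress.IPv4Address(dns).packed + b"\xff"
    return hdr + MAGIC_COOKIE + opts
```

Feed `classify_offer` the UDP payload of each OFFER seen on the segment together with the Ethernet source MAC, and log any non-empty result.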
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:42:14 PDT