Still Smurfing around

Discussion in 'Computing and Networks' started by #12, Apr 9, 2016.

  1. #12

    Thread Starter Expert

    Nov 30, 2010
    16,298
    6,811
    I just thought I'd update everyone on the situation.

    Two days ago some "Security" guy phoned me from the ISP. It seems the "abuse" section got tired of me sending them a log of Smurf attacks every 24 hours for months, because they don't intend to do anything about them except threaten to shut me off for attacking myself from my own ip address. He said to send the logs to him. He sent a guy to replace my modem. I thought the idea was to change my ip address, but that didn't happen.

    My router logs these Smurf attacks all day and all night, typically 100 to 300 attacks per day. Whenever I fire up my computer, the router immediately logs an incoming Smurf attack against me from my own ip address. This happens with Windows Vista and Ubuntu. I am using Ubuntu right now, and continue seeing new incoming attacks from myself. I have re-loaded my operating system 4 times and replaced my hard drive twice. I have scanned my computer with 3 different virus killers. I have updated the firmware in my router and changed the password. I use MAC Address Filtering so no mac address except this computer can log on to my router. I have had the modem replaced, and disconnected the ROKU tv that I received for Christmas. The ISP might soon look up the definition of a Smurf Attack, which is based on using a false ip address as the sender. If the experts ever read the Wiki entry, they might figure out it is impossible for me to send myself a Smurf Attack and log it as "incoming".

    Bottom line? This computer is not sending out Denial of Service attacks. The Internet Service provider can not stop me from not doing that. Still, they can't figure out that someone is spoofing hundreds of random ip addresses per day and they keep threatening the real occupants of the ip addresses.

    I am still surrounded by idiots.:(

    Do not reply with ways to fix my computer. It isn't broken.
     
  2. crutschow

    Expert

    Mar 14, 2008
    13,016
    3,235
    It's truly amazing to me how much time and effort these psychopathic malcontents spend in trying to mess up other people's lives for there own amusement. :rolleyes:
     
    Last edited: Apr 9, 2016
    #12 and recklessrog like this.
  3. #12

    Thread Starter Expert

    Nov 30, 2010
    16,298
    6,811
    It is truly amazing to me that people are employed as IT experts and they couldn't understand what a spoofed ip address is if they had 4 months to figure it out.:eek:

    Quick, send me a paycheck. I am more knowledgeable than Tech Support at Bright House.:p
     
    recklessrog likes this.
  4. bertus

    Administrator

    Apr 5, 2008
    15,648
    2,347
  5. ISB123

    Well-Known Member

    May 21, 2014
    1,239
    527
    It's because they get a job via connections.
     
  6. #12

    Thread Starter Expert

    Nov 30, 2010
    16,298
    6,811
    Thank you. I will refer Bright House Security to your links.
     
  7. wayneh

    Expert

    Sep 9, 2010
    12,127
    3,048
    Your dilemma is interesting, although that is small condolences for the annoyance and frustration. If I were in your shoes, "Why me?" would be the top question. Is the ISP claiming that you alone are the only victim of this? How and why this could be true is a puzzle. It makes it seem like a personal attack, but who would bother to attack you in that way? I mean, what's wrong with the old burning-bag-of-dog-doo on the front porch?

    The other thing that would be on my mind is dropping the ISP. I know they often have us by the balls, but in my experience they don't listen or do anything until you call to cancel service. Suddenly things happen.
     
  8. BR-549

    Well-Known Member

    Sep 22, 2013
    1,999
    389
    Hey #12.

    Go over to PIA. Private Internet Access is a VPN service. It's a little steep for just one month, but you might be surprised at the results.

    After downloading the client, go to several DNS Leak test sites and make sure none of you ISP provider DNS servers are on there. Only servers from PIA.

    See if you still have the problem. If you buy PIA by the year, it's only a couples dollars a month.

    I love it. Allows five simultaneous devices at separate locations per account. My ISP has not known which sites I go to for 3 years now. Servers are located world wide.
     
  9. #12

    Thread Starter Expert

    Nov 30, 2010
    16,298
    6,811
    Some of you still don't understand. Some hacker is sending out Smurf attacks by the thousands and the definition of a Smurf attack is a fake IP address. One of the addresses used is my IP address, so my Internet Service Provider keeps telling me to stop doing that. There is nothing I can do to stop the hacker from using random IP addresses. This is the log of incoming attacks for the last 17 hours:

    [DoS attack: Smurf] attack packets in last 20 sec from ip [67.9.185.255], Sunday, Apr 10,2016 17:18:23
    [DoS attack: Smurf] attack packets in last 20 sec from ip [176.212.228.107], Sunday, Apr 10,2016 17:07:46
    [DoS attack: Smurf] attack packets in last 20 sec from ip [67.77.147.15], Sunday, Apr 10,2016 17:04:29
    [DoS attack: Smurf] attack packets in last 20 sec from ip [174.34.152.124], Sunday, Apr 10,2016 17:03:21
    [DoS attack: Smurf] attack packets in last 20 sec from ip [129.82.138.44], Sunday, Apr 10,2016 16:56:16
    [DoS attack: Smurf] attack packets in last 20 sec from ip [179.80.199.45], Sunday, Apr 10,2016 16:51:51
    [DoS attack: Smurf] attack packets in last 20 sec from ip [186.115.145.194], Sunday, Apr 10,2016 16:15:00
    [DoS attack: Smurf] attack packets in last 20 sec from ip [206.117.25.90], Sunday, Apr 10,2016 16:13:10
    [DoS attack: Smurf] attack packets in last 20 sec from ip [198.20.99.130], Sunday, Apr 10,2016 16:11:35
    [DoS attack: Smurf] attack packets in last 20 sec from ip [111.163.105.1], Sunday, Apr 10,2016 15:50:02
    [DoS attack: Smurf] attack packets in last 20 sec from ip [171.110.77.166], Sunday, Apr 10,2016 15:15:47
    [DoS attack: Smurf] attack packets in last 20 sec from ip [123.117.148.157], Sunday, Apr 10,2016 14:00:08
    [DoS attack: Smurf] attack packets in last 20 sec from ip [179.205.19.189], Sunday, Apr 10,2016 13:50:13
    [DoS attack: Smurf] attack packets in last 20 sec from ip [27.154.43.185], Sunday, Apr 10,2016 13:43:56
    [DoS attack: Smurf] attack packets in last 20 sec from ip [115.196.129.253], Sunday, Apr 10,2016 13:39:51
    [DoS attack: Smurf] attack packets in last 20 sec from ip [149.6.68.89], Sunday, Apr 10,2016 13:36:56
    [DoS attack: Smurf] attack packets in last 20 sec from ip [139.202.88.212], Sunday, Apr 10,2016 13:18:45
    [DoS attack: Smurf] attack packets in last 20 sec from ip [78.186.14.9], Sunday, Apr 10,2016 13:14:36
    [DoS attack: Smurf] attack packets in last 20 sec from ip [111.119.236.122], Sunday, Apr 10,2016 13:07:49
    [DoS attack: Smurf] attack packets in last 20 sec from ip [177.11.101.65], Sunday, Apr 10,2016 12:58:00
    [DoS attack: Smurf] attack packets in last 20 sec from ip [208.157.176.107], Sunday, Apr 10,2016 12:38:51
    [DoS attack: Smurf] attack packets in last 20 sec from ip [130.117.0.121], Sunday, Apr 10,2016 11:34:08
    [DoS attack: Smurf] attack packets in last 20 sec from ip [216.119.107.21], Sunday, Apr 10,2016 11:28:37
    [DoS attack: Smurf] attack packets in last 20 sec from ip [95.43.4.229], Sunday, Apr 10,2016 11:07:50
    [DoS attack: Smurf] attack packets in last 20 sec from ip [117.205.90.57], Sunday, Apr 10,2016 10:42:41
    [DoS attack: Smurf] attack packets in last 20 sec from ip [71.50.86.38], Sunday, Apr 10,2016 10:28:38
    [DoS attack: Smurf] attack packets in last 20 sec from ip [180.143.114.127], Sunday, Apr 10,2016 10:17:24
    [DoS attack: Smurf] attack packets in last 20 sec from ip [118.113.236.100], Sunday, Apr 10,2016 09:57:51
    [DoS attack: Smurf] attack packets in last 20 sec from ip [95.42.224.145], Sunday, Apr 10,2016 09:46:21
    [DoS attack: Smurf] attack packets in last 20 sec from ip [207.226.141.42], Sunday, Apr 10,2016 09:25:32
    [DoS attack: Smurf] attack packets in last 20 sec from ip [203.178.148.19], Sunday, Apr 10,2016 09:20:31
    [DoS attack: Smurf] attack packets in last 20 sec from ip [62.26.193.131], Sunday, Apr 10,2016 09:02:35
    [DoS attack: Smurf] attack packets in last 20 sec from ip [62.82.159.250], Sunday, Apr 10,2016 08:08:53
    [DoS attack: Smurf] attack packets in last 20 sec from ip [195.3.207.13], Sunday, Apr 10,2016 07:48:29
    [DoS attack: Smurf] attack packets in last 20 sec from ip [203.29.27.33], Sunday, Apr 10,2016 07:46:14
    [DoS attack: Smurf] attack packets in last 20 sec from ip [124.244.205.134], Sunday, Apr 10,2016 07:31:05
    [DoS attack: Smurf] attack packets in last 20 sec from ip [61.93.76.39], Sunday, Apr 10,2016 06:37:52
    [DoS attack: Smurf] attack packets in last 20 sec from ip [84.238.183.174], Sunday, Apr 10,2016 06:31:37
    [DoS attack: Smurf] attack packets in last 20 sec from ip [223.64.207.19], Sunday, Apr 10,2016 06:31:01
    [DoS attack: Smurf] attack packets in last 20 sec from ip [27.53.128.126], Sunday, Apr 10,2016 06:09:56
    [DoS attack: Smurf] attack packets in last 20 sec from ip [209.34.206.254], Sunday, Apr 10,2016 06:01:27
    [DoS attack: Smurf] attack packets in last 20 sec from ip [117.22.129.248], Sunday, Apr 10,2016 05:59:11
    [DoS attack: Smurf] attack packets in last 20 sec from ip [110.139.13.175], Sunday, Apr 10,2016 05:29:51
    [DoS attack: Smurf] attack packets in last 20 sec from ip [36.32.114.21], Sunday, Apr 10,2016 04:56:57
    [DoS attack: Smurf] attack packets in last 20 sec from ip [103.17.158.141], Sunday, Apr 10,2016 04:33:47
    [DoS attack: Smurf] attack packets in last 20 sec from ip [184.2.179.223], Sunday, Apr 10,2016 04:30:43
    [DoS attack: Smurf] attack packets in last 20 sec from ip [46.34.96.20], Sunday, Apr 10,2016 04:30:28
    [DoS attack: Smurf] attack packets in last 20 sec from ip [39.64.130.88], Sunday, Apr 10,2016 04:21:48
    [DoS attack: FIN Scan] attack packets in last 20 sec from ip [23.235.40.130], Sunday, Apr 10,2016 03:55:43
    [DoS attack: Smurf] attack packets in last 20 sec from ip [118.213.166.112], Sunday, Apr 10,2016 03:27:22
    [DoS attack: Smurf] attack packets in last 20 sec from ip [83.228.34.146], Sunday, Apr 10,2016 03:17:29
    [DoS attack: Smurf] attack packets in last 20 sec from ip [183.87.161.70], Sunday, Apr 10,2016 03:12:40
    [DoS attack: Smurf] attack packets in last 20 sec from ip [176.97.84.104], Sunday, Apr 10,2016 02:31:05
    [DoS attack: FIN Scan] attack packets in last 20 sec from ip [199.27.76.73], Sunday, Apr 10,2016 02:27:57
    [DoS attack: Smurf] attack packets in last 20 sec from ip [113.110.247.91], Sunday, Apr 10,2016 01:57:18
    [DoS attack: Smurf] attack packets in last 20 sec from ip [115.56.53.185], Sunday, Apr 10,2016 01:07:17
    [DoS attack: Smurf] attack packets in last 20 sec from ip [177.69.44.141], Sunday, Apr 10,2016 00:58:23
    [DoS attack: Smurf] attack packets in last 20 sec from ip [173.192.96.133], Sunday, Apr 10,2016 00:51:13
    [DoS attack: Smurf] attack packets in last 20 sec from ip [182.46.21.75], Sunday, Apr 10,2016 00:39:57
    [DoS attack: Smurf] attack packets in last 20 sec from ip [61.188.56.243], Sunday, Apr 10,2016 00:20:59
    [DoS attack: Smurf] attack packets in last 20 sec from ip [83.228.24.8], Sunday, Apr 10,2016 00:19:16
    [DoS attack: Smurf] attack packets in last 20 sec from ip [80.188.34.149], Sunday, Apr 10,2016 00:18:20

    I can hire a different ISP because that will change my IP address, but as long as the modem provided by my ISP has one of the IP addresses in that random list, Bright House will continue to pretend I am the hacker. The last I heard from Bright House is that they are gong to threaten thousands of the real occupants of all those random IP addresses because they can't understand what a spoofed address is.

    I repeat: There is nothing I can do to stop a hacker from using random IP addresses. It is not my doing and it is not my own computer attacking itself from its own IP address. The only "dilemma" I have is the idiots at Bright House, and, "you can't fix stupid".
     
  10. Alec_t

    AAC Fanatic!

    Sep 17, 2013
    5,801
    1,105
    I'm one of them ;). I must be missing something here, but if you're saying the attack packets purport to come from your IP address then why are they showing in your log as coming from a bunch of different addresses?
     
  11. #12

    Thread Starter Expert

    Nov 30, 2010
    16,298
    6,811
    Because the hacker is using hundreds or thousands of random addresses. One of them is assigned to me by Bright House Networks. In fact, ONE of the addresses in that list is MINE! Therefore, I must be attacking myself and I must be stopped!
     
  12. eetech00

    Active Member

    Jun 8, 2013
    650
    112
    Hi

    I understand perfectly.
     
  13. djsfantasi

    AAC Fanatic!

    Apr 11, 2010
    2,809
    834
    This happens because of a misuse of the three way TCP IP handshaking sequence. The hacker sends a request (a SYN request) to many destination IP addresses (actually, a broadcast). But the request is malformed. Instead of the hacker's address in the source field, it's the victims address. The recipients of this request, replies to the SYN request and sends an ACK or acknowledgement back - TO THE VICTIM's IP ADDRESS. In this case, #12. If enough machines respond, the victim's system becomes overwhelmed and his Internet connection is affected as well.
     
    #12 likes this.
  14. #12

    Thread Starter Expert

    Nov 30, 2010
    16,298
    6,811
    I have more time to respond right now. The entire absurdity of this complaint from Bright House to me is that there are thousands of these attacks and I sent the logs of thousands of attacks to Bright House. My IP address appears in about 1% to 2% of the INCOMING attacks which are directed at my IP address. The idiots at Bright House thus assume that I am attacking myself and demand that I cease. They have threatened several times to shut off my internet access to stop me from attacking myself.
    The packets do NOT purport to come from my IP address. They are sent TO my ip address. Bright House can not seem to understand that distinction. Bright House purports that the attacks are coming FROM my IP address. I do not. Instead, I sent them thousands of log entries showing that the attacks are coming TO my IP address, not FROM my IP address.
     
  15. BR-549

    Well-Known Member

    Sep 22, 2013
    1,999
    389
    When you use a VPN, your IP address is not associated with, or from your IP service provider.

    I wouldn't steer you wrong. Give it a try.
     
  16. eetech00

    Active Member

    Jun 8, 2013
    650
    112
    Hi

    A smurf attack has nothing to do with a three way hand shake.o_O
    A smurf attack is generated using ICMP, in which case there is no handshake. :cool:
     
    #12 likes this.
  17. #12

    Thread Starter Expert

    Nov 30, 2010
    16,298
    6,811
    So, If I use a VPN, the modem provided by my ISP and connected to their wire from the telephone pole will not be connected to the internet and it won't receive attacks from the external world? Will this also stop hackers from using random IP addresses which happen to include the IP address of the modem?

    I need to learn about Virtual Private Networks and how they stop my Internet Service Provider from detecting random hacker activity which never came from my computer in the first place.
     
  18. BR-549

    Well-Known Member

    Sep 22, 2013
    1,999
    389
    The internet has a phone book. It is too big to give with every computer. So they make every computer connect to a phone book, to get the right number, before you can connect to the internet.

    Computer nerds, needing their own turf, insist on calling this phone book a DNS server. And although they deny it, there is an operator listening in and recording every call you make. Of course this is for billing and diagnostic purposes only.

    Now, if you want, you can tell that operator to send all your calls to one number. So as far as the operator knows,... all calls go to and come from one number. And we can encrypt that line and the operator can not tell what or where is being said.

    The new operator at the new phone book can not read or write or record. All it can do is look up numbers and encrypt.

    These simple operators and phone books are located and can be selected by state and world wide.

    No one knows or records your IP address. Your IP service provider does not know your IP address.

    Unless your IP provider assigns your old IP address to someone else, when someone tries your old address, they will get device not found. Because the phone book thinks your modem has a new address.

    It's pretty nerdy. Does it make any sense?
     
  19. Tesla23

    Active Member

    May 10, 2009
    318
    67
    BR-549 - you are on the wrong track, your service provider almost definitely knows your IP address, they almost certainly supplied it to you. Legally, in most countries, they have to record who was using which IP address and when. A VPN simply runs an encrypted pipeline through the existing IP service, packets are delivered to your IP address as before, but no-one can snoop on the contents. If you are running a VPN to a proxy server then it appears to the outside world that you are only talking to one computer, but it can take the encrypted traffic and send it anywhere. Running a VPN does not hide your router from ping packets (and hence smurf attacks) from the rest of the world.

    Don't waste your time #12, a VPN won't stop your smurf attack. You are on the right track - the only way to stop this if it is compromising your service, is to change your IP address.

    For those that don't understand, let me try to explain the Smurf attack. Any computer connected to the internet can send a ping request, you simply put the target IP address and your return IP address on a ping request packet that you send down the blue wire. The target computer receives it and (may) respond to you, using the return address.

    Now there is nothing that stops you putting someone else's IP address as the return address in the ping packet, and if you do, the reply goes to them. This is what #12 is seeing, ping replies to requests that he didn't generate. The Smurf attack uses that fact that when the protocols were initially designed, no-one thought that someone would send a ping to a broadcast address, and early routers would faithfully forward broadcast pings to multiple users. Normally, no sane person would do this as they would then be deluged with responses, but some nefarious types concluded that if they put someone else's IP address (e.g. #12) as the reply address in the ping request they could deluge them and they could overload some target computer. For this to work they need to be connected to a router that will forward their broadcast pings to enough computers.

    Modern routers do not forward broadcast pings.
     
  20. #12

    Thread Starter Expert

    Nov 30, 2010
    16,298
    6,811
    Don't worry. I never suspected a VPN would fool my ISP into thinking their modem had disappeared. I did not suspect a VPN would stop all hackers everywhere from using random IP addresses or that a VPN would stop Bright House from detecting hacker traffic that did not come from my computer. I just wanted to see how far BR-549 would go with this line of false claims about fixing a problem I don't have.

    The Smurf attacks are not interfering with my internet connection.
    A few kilobytes per day is nothing compared to my capability of 10 megs per second.
    The Smurf attacks are not the problem.
    My computer is not the problem.
    The problem is that Bright House thinks hackers use their real IP address to send malware messages and every IP address attached to a malware message is the valid IP address of the sender.
    They also think that if I am being attacked, I must be the attacker and I must be attacking myself from hundreds of different IP addresses.
    That would mean I have hundreds or thousands of valid accounts with unique IP addresses.

    What a bunch of idiots!
     
Loading...