Looking for people that know a bunch about IP addresses/MAC addresses/etc

[Ohaider]

I've looked into it quite a bit and discovered that my router (AT&T U-Verse 2WIRE387), has a dynamic (changes on its own) IP address, but it changes VERY rarely.

I'm currently needing to change it ASAP, and so far i've looked into it enough to find out that the reason the address rarely changes on its own is because the MAC address needs to be changed in order for the DHCP to render a new IP address

I'm currently trying to figure out exactly how to change the MAC address, the farthest i've gotten is downloading SMAC 2.0, but it hasn't proven to be of use.

I have tried unplugging my modem/router overnight to generate a new IP
I've tried contacting AT&T, they were absolutely no help



TL;DR:
I need tips on how to change the IP address or simply the MAC address on an AT&T U-Verse 2WIRE387 router because a DDOS attacker is using my current, nearly static IP address to fuck my connection in the ass, and AT&T isn't helping me.

Unfortunately I have recently learned that Skype was pretty much MADE for inflicting continuous DDOS attacks through bugs that have been exploited through resolving skype usernames, making it as easy to get a Skype user's IP address as simply knowing their username

That's exactly what happened to me, an attacker obtained my IP address through Skype resolving and is continuously DDOS attacking me, making my internet connection virtually null

[qqwref]

Not sure if this'll help, but:

From http://forums.att.com/t5/Receivers-B.../td-p/2678533:

Code:

There is one method that sometimes works, but it's not guaranteed.

1. Go to the following web page on your 2Wire router:

http://192.168.1.254/xslt?PAGE=C_5_7

This will require you to log in with the 2Wire router's password.
If you don't have it, it's usually on a white sticker on the side/bottom of the router.

2. Click the Reset button all the way at the bottom that says
"Reset to Factory Default State".

WARNING: This will erase all configuration in the router, including firewall pinholes,
static IP assignments, etc.  Write any/all of this information down before you
do this so that you can put it back later.

3. Look at the lights on the front of the router.  When the router resets, all the
lights will go out except the power light.  Allow the router to go through this part
of the reset process.  Eventually, the router will fully reset and will come up to
where the Broadband light is blinking red.

--> As soon as the Broadband light is blinking red, pull the plug on the router
to power it off.

4. Leave the router off for about an hour.

5. After an hour, power the router back up and let it come up and sync.

If you're lucky, it will get a new external IP address when it comes back up.

6. If you have any custom firewall or static IP configuration, put it back
into the router now.

or:

Code:

get a new RG or VRAD port, which will require a service call.

Another possibility from http://www.avsforum.com/t/1258888/ho...s-with-uverse:

Code:

Run cmd.exe
at the prompt enter ipconfig /all (be sure to enter the space)
This will give you your current IP address
enter ipconfig /release
this will release your current iP address
enter ipconfig /renew
this should get you a new IP address
enter ipconfig /all
to see what your new IP address.

[choof]

capture the packets using wireshark, and block icmp packets from your attacker's ip address

I want to say that if you have proof of a DDOS attack, you can pursue (threaten) legal action, based off RFC 1087 and, more importantly, the Computer Fraud and Abuse act

edit: for qqwref's post, the only thing that may help is the second little tidbit, and even then that may not work. the other two renew your DHCP lease, which may change your private ip address (with AT&T, I'll say that using ipconfig in command prompt will get you an ip address of 192.168.xxx.xxx and a subnet mask of 255.255.255.000), but they generally don't change your public ip.

[dAnceguy117]

wtf ninja'd I was about to paste that first quote from qqwref (edit: guess it's no help though.)

based on the results from those at&t forums, it doesn't sound like it's easy or simple to accomplish. try everything until something works, basically.


edit: choof, how easy would it be to tell which address(es) are from the attacker? especially if it's actually a DDOS wouldn't there be many?

[choof]

not many people are going to be pinging ohd's public IP haha, if he filters by icmp packets he should be able to find the attacker's address

[dAnceguy117]

download page for wireshark:
http://www.wireshark.org/download.html

quick instructions for ohaider might help. I've only used wireshark once or twice, I have no idea what I'm doing. anyone wanna give it a shot?

[choof]

quick instructions since I'm headed to bed soon

once you open the program, on the left select "Capture Options"
if you're using wifi/wireless, select Wireless Network Connection. likewise, if you're wired, use Local Area Connection

unselect promiscuous mode (mfw promiscuous)
under Capture Filter, type in "icmp"
hit start, and the screen will change. wait for maybe 30s to a minute, then on the bar at the top, select File -> Export Packet Dissections -> as "Plain Text"
copy the contents of that plain text file into pastebin and post here; I'll check it out in the morning

the contents will look something like this

Code:

No.     Time           Source                Destination           Protocol Length Info
      1 0.000000000    184.75.213.250        172.20.102.21         ICMP     146    Destination unreachable (Port unreachable)

Frame 1: 146 bytes on wire (1168 bits), 146 bytes captured (1168 bits) on interface 0
Ethernet II, Src: Hewlett-_42:d4:81 (2c:41:38:42:d4:81), Dst: Tp-LinkT_8a:a3:a8 (64:66:b3:8a:a3:a8)
    Destination: Tp-LinkT_8a:a3:a8 (64:66:b3:8a:a3:a8)
        Address: Tp-LinkT_8a:a3:a8 (64:66:b3:8a:a3:a8)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: Hewlett-_42:d4:81 (2c:41:38:42:d4:81)
        Address: Hewlett-_42:d4:81 (2c:41:38:42:d4:81)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IP (0x0800)
Internet Protocol Version 4, Src: 184.75.213.250 (184.75.213.250), Dst: 172.20.102.21 (172.20.102.21)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x20 (DSCP 0x08: Class Selector 1; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
    Total Length: 132
    Identification: 0xdaa3 (55971)
    Flags: 0x00
    Fragment offset: 0
    Time to live: 50
    Protocol: ICMP (1)
    Header checksum: 0x0d46 [correct]
    Source: 184.75.213.250 (184.75.213.250)
    Destination: 172.20.102.21 (172.20.102.21)
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
Internet Control Message Protocol

[arcnmx]

Well, I should mention that things like SMAC only change your computer's MAC, which doesn't matter at all in this case. You'll need to change your router's, which you're likely only going to be able to do with the router's web control panel if it's even possible.

If it's not possible, dunno. You might be able to manually release your dhcp lease and then leave it disconnected for a few days? Either that or hope it has a passthrough/modem mode and use a different router instead. Or install alternate firmware... In the end I would suggest maybe calling your ISP and see if they can help?

[RNGRX]

A MAC address is unique to to router. It is pretty much a physical address rather than a logical one. In order to change your MAC address you would need to buy a new router. You will be unable to get a new IP address because your ISP only gives you one . There are private and public IP addresses. DHCP assigns private IP addresses. Network Address Translation translates all the private IP addresses on your network into the one public IP address that your ISP has assigned you. The public address is the one everyone sees you as. You could get a new IP address by switching providers. Post some stuff if you want to know anything else.

Source: I'm studying networking in school.

[choof]

you can change your mac address through packet spoofing, although there's really no need to do so unless you're traveling through a switch... or trying to do naughty things

[arcnmx]

Quote:

Originally Posted by RNGRX

A MAC address is unique to to router. It is pretty much a physical address rather than a logical one. In order to change your MAC address you would need to buy a new router. You will be unable to get a new IP address because your ISP only gives you one . There are private and public IP addresses. DHCP assigns private IP addresses. Network Address Translation translates all the private IP addresses on your network into the one public IP address that your ISP has assigned you. The public address is the one everyone sees you as. You could get a new IP address by switching providers. Post some stuff if you want to know anything else.

Source: I'm studying networking in school.

Eh, although you often can't physically change your MAC address, it can be spoofed temporarily, and if an OS applies it on startup then it's effectively the same thing. Routers often give you the ability to do that, though I'm not sure I'd expect it from an ISP-branded router that may have a custom/locked-down control interface. Also, many ISPs use DHCP to provide your public IP - PPPoE is more common for DSL though.

Quote:

Originally Posted by choof

you can change your mac address through packet spoofing, although there's really no need to do so unless you're traveling through a switch... or trying to do naughty things

Hey now, forcing your ISP to give you a different IP (or spoofing an old router's address to get your old IP back) is a common legitimate use case for spoofing a mac address :P

[Ohaider]

Thanks for the great info, definitely gonna study all this stuff up
@ choof, i have the name of the guy DDOS attacking because he was so kind as to tell me he was doing it over and over again haha, that's when i began researching only to find out how easy it is to do over skype. honestly surprised it hasn't happened till now

edit: he's appearently pretty notorious for it among the little group of mutual friends we have over skype
internet bully oh no

double edit: I contacted AT&T and they told me it's virtually impossible for them to just give me a new IP manually (reasonable), but told me resetting my router for 15 seconds should do the trick... No results

[choof]

most internet providers have a tiered support system, the people you spoke to are probably bottom of the food chain and are reading from a script

it's not "virtually impossible," it's just that it can be tedious to give someone a new ip on their side

[choof]

Quote:

Originally Posted by arcnmx

Hey now, forcing your ISP to give you a different IP (or spoofing an old router's address to get your old IP back) is a common legitimate use case for spoofing a mac address :P

I thought that since you went through a router to get to your ISP, a mac address wouldn't affect anything?

edit: oops nevermind, I thought we were changing the mac of ohd's (wireless)nic and not the router. disregard !!

[RNGRX]

+1 for using affect/effect correctly.

[Untimely Friction]

I've been getting ddosed on and off for about 6 months as well, I just un plug my router and go to sleep. And in the event I get a root attacker IP that I'm certain of I whois it then contact the abuse email of the isp that IP is under, usually they get cut off from the net, or legal action ensues without me having to do anything but send an email.

Quote:

Originally Posted by Ohaider

Thanks for the great info, definitely gonna study all this stuff up
@ choof, i have the name of the guy DDOS attacking because he was so kind as to tell me he was doing it over and over again haha, that's when i began researching only to find out how easy it is to do over skype. honestly surprised it hasn't happened till now

If you wanna pass this over I can send the abuse report email for you, and everyone else can to maybe to solidify the importance to his ISP. I'd love to dig around with his name too.