[linux-help] Re: Port 18593 attacks

To: linux-help@xxxxxxxxx
Subject: [linux-help] Re: Port 18593 attacks
From: Jeff Vian <jvian10@xxxxxxxxxxx>
Date: Mon, 02 Aug 2004 17:58:28 -0500
Reply-to: linux-help@xxxxxxxxx

On Mon, 2004-08-02 at 13:57, Jonathan Hall wrote:
> That's because there is no way to release an IP address without direct access
> to the DHCP server, and to give that to all tech support would be a security
> violation without purpose.
> 
> However, powering off the modem will (typically) do this.  It is also
> possible for the client to explicitly release the IP address.  Depending on
> your modem's version and features, it may be possible to do this without
> rebooting.
> 
> -- Jonathan
> 

Powering it off will release the IP, but ONLY when the lease expires
and it does not get renewed.  Bruce said that, and I have experienced
it.

Usually a lease gets renewed some (specified) time before it expires, so
the modem will need to be powered off for at least the lease period in
order to force the issuance of a new IP.

On Fedora Core 2, pump has been removed and dhcp client is serviced by
dhclient. Old lease info is kept in the dhclient.leases file.  Removing
or emptying that file may force assignment of a new lease without
waiting for the lease to expire.  I am unable to test because I do not
use dhcp, but info dhclient has lots of information (including how to
explicitly release a lease). 

Also look at dhclient.conf file.

> ----- Original Message -----
> From: "ironrose" <ironrose@xxxxxxx>
> To: <linux-help@xxxxxxxxx>
> Sent: Monday, August 02, 2004 7:12 AM
> Subject: [linux-help] Re: Port 18593 attacks
> 
> 
> > Powering the cable modem off for 2-5 minutes and rebooting may not give
> > you a new ip address with cox dhcp server.  Even the tech support staff
> > are unable to release & renew your ip address from the cox dhcp server.
> >   It may have to be released and renewed by a supervisor at cox.  I will
> > check on that.  ~Anne
> >
> > Jonathan Hall wrote:
> > > Sounds like a bunch of port scans.  I'm not sure what method there might be
> > > to the apparent madness, though.
> > >
> > > Do you have a static IP address?  If not, do you continue to experience the
> > > attacks after your IP changes?  It looks like you use Cox... I would suggest
> > > powering off your cable modem for 2-5 minutes, then powering it back on.
> > > That should force a new IP address.  Then see if the apparent attacks
> > > continue.
> > >
> > > It may be that someone (or many someones) found your IP address somewhere
> > > (e-mail header, usenet posting, IRC logs... whatever), and whatever
> > > mechanism is attacking you (whether it be an individual or, probably more
> > > likely, some automated attack brought on by a trojan horse/virus on some
> > > unsuspecting person/people's computers) is continuing to attack that
> > > address.
> > >
> > > I had an instance several years ago where one of my IP addresses was being
> > > attacked after I had connected to a certain IRC network from that IP
> > > address.  A number of IPs then began attacking that IP address for days.  By
> > > changing IP addresses, the attacks then fail, and so long as the target IP
> > > address is not again visible to the would-be attackers, the attacks can not
> > > begin again.
> > >
> > > -- Jonathan
> > >
--snipped----
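
Added example, not part of the original message or of the dhclient package: a small Python parser for the dhclient.leases format mentioned above. It reads the renew/rebind/expire times of the most recent lease and reports how long the client would have to stay silent before that lease lapses. The sample lease data, the addresses and the function names are constructed for illustration, and it assumes the newest lease is the last block in the file and that timestamps are UTC.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in dhclient.leases format; addresses and times are made up.
SAMPLE_LEASES = """
lease {
  interface "eth0";
  fixed-address 192.0.2.10;
  renew 1 2004/08/02 12:00:00;
  rebind 1 2004/08/02 21:00:00;
  expire 2 2004/08/03 00:00:00;
}
lease {
  interface "eth0";
  fixed-address 192.0.2.10;
  renew 2 2004/08/03 00:00:00;
  rebind 2 2004/08/03 09:00:00;
  expire 2 2004/08/03 12:00:00;
}
"""

LEASE_RE = re.compile(r"lease\s*\{(.*?)\}", re.S)
ADDR_RE = re.compile(r"fixed-address\s+([\d.]+);")
TIME_RE = re.compile(r"\b(renew|rebind|expire)\s+\d\s+(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d);")

def parse_leases(text):
    """Return one dict per lease block: address plus renew/rebind/expire (UTC)."""
    leases = []
    for body in LEASE_RE.findall(text):
        addr = ADDR_RE.search(body)
        entry = {"address": addr.group(1) if addr else None}
        for key, stamp in TIME_RE.findall(body):
            when = datetime.strptime(stamp, "%Y/%m/%d %H:%M:%S")
            entry[key] = when.replace(tzinfo=timezone.utc)
        leases.append(entry)
    return leases

def offline_needed(text, now):
    """Address of the newest lease and the time left until it expires unrenewed."""
    last = parse_leases(text)[-1]  # assumption: newest lease is the last block
    return last["address"], max(last["expire"] - now, timedelta(0))

if __name__ == "__main__":
    now = datetime(2004, 8, 2, 18, 0, 0, tzinfo=timezone.utc)  # constructed "now"
    print(offline_needed(SAMPLE_LEASES, now))
```
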
