- Optimum Online blocking my Linksys router???
- Posted by Ken on October 5th, 2004
All this morning the internet was down.
I have Optimum Online and I use a Linksys router to split the
internet connection between two Windows machines and two Linux
machines.
On this morning I was able to see all the machines on the network, but
no internet. I called Optimum Online and the guy asked me if I had a
Linksys router connected and I responded with a "Gee...I don't know,
what's that?" and he began to describe it. I told him I didn't see
anything that fit that description. He also mentioned that he could
see that my cable modem was active and he asked me how many computers
I had hooked up, and I told him just the one. (I figured he just sees
one machine from his end, the router). He started taking me through
the troubleshooting procedure, but I was very spooked by all this so I
told him I had to go.
At this point I unhooked the router, and hooked in one of my Windows
boxes in directly (Windows XP). This wasn't able to reach the internet
either. I then tried the other Windows machine (Windows 2000 Pro) and
to my surprise, it worked. Now I was really confused. What, after a
year and a half with this setup has caused it to stop working, and
furthermore, what causes the cable modem to talk to this one machine
and not the other? Does it make a difference that the MAC address the
router was spoofing was the same address as the computer that is now
able to talk to the cable modem? And what's with this guy asking me
about a Linksys router? Can he see the machines on my network behind
the router or is he just trying to bluff information out of me?
Any ideas or similar experiences, please post. Thanks in advance.
- Posted by Dave C. on October 5th, 2004
"Ken" <yuckybear7@aol.com> wrote in message
news:7ed176ff.0410051258.3422f300@posting.google.com...
I read somewhere that cable modem manufacturers are working with the cable
companies to implement new snooping features into cable modems that are
purchased in bulk by the cable companies. These new cable modems allow the
cable companies to remotely tie into your LOCAL area network, to see what is
on the other side of the cable modem. This is the first post I've seen from
somebody complaining about it, though. If you are renting a cable modem
from the cable company, you might consider buying your own from CompUSA or
Best Buy or Circuit City. I'd suggest a Motorola SB5100 or a Linksys
BEFCMU10 (V3).
NOTE: I don't know if your cable modem is one of the new hacked versions
that the cable companies demanded. But it sure sounds that way, especially
if your modem is rented from the cable company, and you haven't had it very
long. -Dave
- Posted by Warren on October 5th, 2004
Dave C. wrote:
ALL cablemodems allow the cable company to see what is connected to the
cablemodem. They, however, cannot see past a NAT box, like a home
router, or a computer running Internet Connection Sharing, to see what
lies beyond there.
My goodness. Is there no end to the misunderstanding you have of how
this stuff works! There are no "hacked versions that the cable companies
demanded." There may be reasons why someone would want to buy their own
cablemodem, but this is not one of them.
This is how urban legends get started. Please. Please learn more about
what you're talking about before you start spreading rumors like this as
if they were fact -- or even possible.
--
Warren H.
==========
Disclaimer: My views reflect those of myself, and not my
employer, my friends, nor (as she often tells me) my wife.
Any resemblance to the views of anybody living or dead is
coincidental. No animals were hurt in the writing of this
response -- unless you count my dog who desperately wants
to go outside now.
Blatant Plug: Fahrenheit 9/11 ships 10/5. Order your copy now:
http://www.holzemville.com/mall/911.html
- Posted by $Bill on October 6th, 2004
Ken wrote:
My guess is that they looked at the MAC address of the router and
determined it was from Linksys. You could try spoofing the MAC
address of one of the computers at the router (assuming the router
has that capability) and that should foil their scans.
But if you're going to have them troubleshoot, you should hook it
direct to the computer for the troubleshooting and then when all
is well - attempt to re-institute your router LAN starting from a
working situation.
- Posted by Warren on October 6th, 2004
Ken wrote:
Likely you were talking to someone making just over minimum wage whose
only previous contact with computers were the Apple IIc's at the high
school he may not have even graduated from.
The system would know the MAC addresses of devices connected to the
cablemodem. And they may be running a system that would require manual
input to your customer records of any changes to that MAC address.
However, if your router was spoofing the MAC address they have on file,
you wouldn't need to do that.
Did you try simply rebooting (resetting) the router? Because they're
limited in what they need to do, they don't need to be rebooted as often
as your multi-tasking computer does, but they occasionally do need to be
rebooted. (Heck, my microwave oven needed to be rebooted a few weeks
ago!)
There may also have been issues on the network at the time you called.
The person you spoke to is sitting in a call center someplace, perhaps
in a different state, than the people running the network. Typically the
net-ops have a way of notifying customer service when there is a
problem, but at every ISP I've ever worked with, there are many ways
that procedure can be broken, the desire of the minimum wage drone to
even bother checking the latest information being one of them.
When problems arise, power-down all the computers, the router, and the
cablemodem. Power-up the cablemodem, and let it sync before you power-up
the router. Then let the router sync, and power-up the computers.
At this point if the one computer is working, but if the router that's
cloning that same MAC address isn't, I would have to say the problem is
most likely the router, and if resetting the router, and reconfiguring
it doesn't work, then more information may be needed to troubleshoot.
- Posted by Henry on October 6th, 2004
$Bill <news@SPAMOLAtodbe.com> wrote:
BZZZT. Another reading-challenged responder.
The OP, Ken, wrote and you quoted
Why the hell would you then reply
when, obviously, that is exactly what the man told us he is doing???
cheers,
Henry
- Posted by Henry on October 6th, 2004
Dave C. <mdupre@sff.net> wrote:
BZZZT. Another reading-challenged responder.
The OP, Ken, wrote and you quoted
Why the hell would you then reply
???
cheers,
Henry
- Posted by $Bill on October 6th, 2004
Henry wrote:
Well it's not exactly what he was doing or he would have said so.
You left part of the sentence off:
"Does it make a difference that the MAC address the
router was spoofing was the same address as the computer that is now
able to talk to the cable modem? "
He asked if it makes a difference - he didn't state he was actually
doing it. You may have inferred that's what he meant, but it's not
worded well enough to be sure (esp if he meant is instead of was).
The configuration at the time of his repartee with ISP is not obvious.
- Posted by Henry on October 6th, 2004
$Bill <news@SPAMOLAtodbe.com> wrote:
BZZZT. Another reading-challenged response.
Let's go through it slowly, shall we?
Yes.
No.
"the...MAC...address...the...router...was...spoofing"
Can't get much clearer than that.
"was...the...same...address...as...the...computer..."
It_was_the_same.
Huh? How could it have been better?
If he meant 'is', why would he have said 'was'?
'is'...present tense; now
'was'...past tense; at some time in the past
cheers,
Henry
- Posted by $Bill on October 6th, 2004
Henry wrote:
At the time I was troubleshooting with my ISP, I was (or was not)
spoofing the MAC address of one of my PCs.
He also may have meant to say 'difference if' instead of 'difference that'.
After reading thousands of posts over the years, I don't trust inexplicit
English and usually attempt to get it qualified (not to mention the fact
that so many posters have English as their second language).
Henry - you're just too argumentative for me. 
- Posted by Ken on October 6th, 2004
Henry wrote:
snip
Sorry, I didn't mean to kick off a grammar rodeo.
I did in fact have the router spoofing the MAC address of the
computer.
I figure the reason why one single computer worked and not another is
that when we signed up for Optimum Online, I had the one that is able
to connect, so they probably have that MAC address on file. The
spoofing of this MAC address by the router has worked until this
point. I tried resetting and reconnecting everything several times and
always came out with the same outcome.
How could they have blocked my router? Is it just this specific
router maybe, or a class of Linksys routers? Is that how the guy knew
I had one, because the morning it stopped working was the morning they
applied some upgrade?
Just some ideas that are running through my head.
I have a Linksys router, Model BEFSR41
- Posted by Warren on October 6th, 2004
Ken wrote:
They don't know anything except the MAC address of the device directly
connected to the cablemodem. Yes, they could have someone sit down and
research a list of which MAC addresses are assigned to which
manufacturer, and possibly they may be able to find out what products
some manufacturers assign which parts of their pool to. And then someone
could make judgments on which MAC addresses to block, BUT, that's a lot
of work, and MAC address spoofing negates anything they gain from it.
And since you *are* spoofing a MAC address, this whole imaginary
possibility is moot. It doesn't apply.
If the computer with MAC address XX XX XX XX XX XX works, but the router
doesn't work even when you're spoofing MAC address XX XX XX XX XX XX,
then something is wrong with the router, not the ISP.
If resetting the router to factory defaults, and then reconfiguring it
doesn't fix the problem, you could try updating the firmware to another
(newer or older) version.
- Posted by Jbob on October 7th, 2004
One other thing you might try after cloning the appropriate MAC address is
to do a DHCP release/renew on the router and then afterwards on each
computer. Check to see if the router grabs a DHCP address. If it doesn't
then try to set it manually and see if that makes a difference. You might
have to get all the manual info from the Win2K computer that works when it's
not behind the router. If that fails then perhaps the router either needs
to be reset or is bad.
- Posted by jdj on October 7th, 2004
On Wed, 06 Oct 2004 09:46:38 -0700, Ken wrote:
There are tools available that can fingerprint systems and routers.
Perhaps your cable company is spying on its customers, trying to find out
what they are using?
The one I use sometimes is also capable of identifying specific models.
Your router may have an open port that allowed an outside connection.
Sometimes, all it takes is one open port to identify what kind of router
it is.
If you have to configure the router with a browser, that port may also be
open to the world. In that case, it is too obvious that you have a Linksys
router.
Additionally, if your computer--the one the router is spoofing--is
windoze, it is easy to tell whether it is actually connected to the
cablemodem.
If your cable company does not allow routers and only allows one computer
to be connected, it seems you may be well and royally screwed: Contract
stuff, and all that.
If your cable company does not care that you use a router, then something
may be wrong in your network, something that attracted their attention.
=-=
- Posted by Warren on October 7th, 2004
jdj wrote:
Paranoid fantasies of someone who doesn't understand how TCP/IP
communications actually work.
Yes. The money they'd have to spend to get anything substantial is well
worth it in conspiracy theory world. More paranoid fantasies of someone
who doesn't understand the concept that businesses are in the business
of spending less than they make.
Dream on. At best, you have something that is making guesses based on
communication initiated by software behind a NAT router. It is not going
to be able to tell these things solely from the outside. It would also
be fooled by what is being reported by the software. For example, a
browser can identify itself as anything you want it to identify itself
as. It doesn't have to tell the truth.
Not by default.
Sometimes an open port can be a clue to possible services being run
through a firewall, but those would still be guesses.
Only if you enable remote administration. What's open to the inside is
not open to the outside unless one chooses to open it up.
Of course it's possible to tell if a device is connected to the
cablemodem. What that device is, however, is not necessarily exposed.
The CMTS is only looking at MAC addresses.
If the contract specifically excludes NAT routing, legally he could be
violating it. However, the questions have been technical, not legal.
There is no technical way to tell exactly what is connected, unless you
count stopping by for a visual, hands-on inspection.
There's no reason to believe that anything has "attracted their
attention".
- Posted by Rene on October 7th, 2004
"Warren" <wholzem@hotmail.com> wrote:
While I generally agree with what you write, this here is not exactly true.
There are methods and tricks to get a lot of information. You need to
invest quite some effort and knowledge to use the data that can be gained,
but it is not impossible. I seriously doubt that any ISP is doing that but
it *can* be done.
For example, Windows systems generally start at a random IP ID value and
then increase it linearly by +1 for every new outgoing connection. So if
you just observe the connection and see some ID sequence like:
5, 6, 44, 7, 8, 45, 9, 46
then you know that there are at least 2 different systems working behind
that IP. There's more data you can use, like initial window size (only
different between different OS, generally) and different default TTL value.
Also the TTL value itself can be used to see how many hops the packet
already traversed. And don't forget TCP options. Nowadays SACK is generally
turned on even on Windows, but it wasn't always so. So if you have some
older and some newer boxes behind one single IP, there's more to
differentiate between them.
And this method works passively, by only snooping on the line, without ever
sending one single packet to probe. However it is of course quite some
effort involved to sniff on one user when you have hundreds of them on one
fiber or so. But technically very possible.
If you want to know a bit about what also can be done by perusing the
IPIDs, read here: http://www.insecure.org/nmap/idlescan.html
<snip>
It requires some effort and snooping an entire IP for such information is
probably about or more difficult than stopping by. But it *is* possible
remotely. It is also possible to further hide that information when you
use for example a Unix box with some advanced networking tricks that
normalizes outgoing TTL values and uses proxies to randomize the IPID
sequence, etc.
Yes. However if they really forbid NAT devices, you shouldn't do it.
There's a lot of data that can be gotten just from the DHCP packet the
device sends out to fetch an IP. vendor class id string, for one. I don't
know if that one is "linksys" on a linksys router but it certainly isn't
the same thing that your windows box is sending. Sometimes DHCP servers
react upon these values and give a different IP, despite the sending MAC
address being the same. This can then trigger the CPE limit of the
CM, and thus no IP is given to the router.
On my Unix box, I can fetch up to the allowed number of CPE IPs using the
same MAC address but just changing the identifier string. I then end up
with n IPs where some can be forwarded to different hosts. However I'm in
Europe at an entirely different ISP, things may work differently here.
CU
René
--
-------------------- http://NewsReader.Com/ --------------------
Usenet Newsgroup Service $9.95/Month 30GB
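The IP ID observation in the post above, worked through as an added example (not code from the thread): it separates interleaved incrementing counters seen at one public IP, handles 16-bit wraparound, and shows that randomized IDs yield no estimate. The names and the `max_gap` and `min_len` thresholds are assumptions chosen for illustration.

```python
"""Added example: count hosts behind one IP from interleaved IP ID counters."""

IPID_MOD = 1 << 16  # the IPv4 Identification field is 16 bits wide


def split_counters(ip_ids, max_gap=16):
    """Assign each observed IP ID to the counter it most plausibly continues.

    max_gap (assumed tolerance) allows for packets the observer did not see.
    Returns a list of chains, one per apparent counter.
    """
    chains = []
    for ip_id in ip_ids:
        best, best_gap = None, max_gap + 1
        for chain in chains:
            # Modular distance, so the step 65535 -> 0 counts as +1.
            gap = (ip_id - chain[-1]) % IPID_MOD
            if 0 < gap < best_gap:
                best, best_gap = chain, gap
        if best is None:
            chains.append([ip_id])  # continues nothing seen so far
        else:
            best.append(ip_id)
    return chains


def count_hosts(ip_ids, max_gap=16, min_len=3):
    """Lower bound on hosts: chains long enough not to be coincidence."""
    return sum(1 for c in split_counters(ip_ids, max_gap) if len(c) >= min_len)


# The sequence quoted in the post.
THREAD_SEQUENCE = [5, 6, 44, 7, 8, 45, 9, 46]
# Constructed: one counter crossing the 16-bit boundary.
WRAPPING = [65534, 65535, 0, 1]
# Constructed: a stack (or normalizing gateway) that randomizes IP IDs.
RANDOMIZED = [40211, 1873, 59002, 22417, 310, 47765, 9120, 33508]

if __name__ == "__main__":
    for name, seq in [("thread", THREAD_SEQUENCE),
                      ("wrapping", WRAPPING),
                      ("randomized", RANDOMIZED)]:
        print(name, split_counters(seq), "hosts >=", count_hosts(seq))
```

With randomized IDs every packet starts its own chain, so the estimate drops to zero: the method only works against stacks that expose a sequential counter.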
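The DHCP point in the post above, as an added example (not code from the thread): it parses the options field of two constructed DISCOVER messages that share one MAC but carry different vendor class identifiers (option 60), then runs them through a simplified model of the server behaviour the post describes. The `grant_leases` policy, the MAC, and the router's vendor string are assumptions; `MSFT 5.0` is the string Windows 2000/XP clients send.

```python
"""Added example: same MAC, different DHCP vendor class, different CPE identity."""

MAGIC_COOKIE = bytes([99, 130, 83, 99])  # RFC 2131 marker before the options
OPT_PAD, OPT_VENDOR_CLASS, OPT_END = 0, 60, 255


def parse_options(field: bytes) -> dict:
    """Decode the DHCP options TLV list into {code: value bytes}."""
    if field[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    options, i = {}, 4
    while i < len(field):
        code = field[i]
        if code == OPT_END:
            return options
        if code == OPT_PAD:  # pad is a single byte with no length
            i += 1
            continue
        if i + 1 >= len(field):
            raise ValueError("option %d has no length byte" % code)
        length = field[i + 1]
        value = field[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d is truncated" % code)
        # Repeated options are concatenated (RFC 3396).
        options[code] = options.get(code, b"") + value
        i += 2 + length
    raise ValueError("options not terminated by END (255)")


def build_options(vendor_class: bytes) -> bytes:
    """Constructed DISCOVER options: message type (53) = 1, then option 60."""
    return (MAGIC_COOKIE + bytes([53, 1, 1])
            + bytes([OPT_VENDOR_CLASS, len(vendor_class)]) + vendor_class
            + bytes([OPT_END]))


def grant_leases(requests, cpe_limit, key_on_vendor_class):
    """Assumed, simplified server policy: one lease per client identity,
    refusing new identities once cpe_limit is reached. Returns one bool
    per request."""
    seen, results = set(), []
    for mac, field in requests:
        vendor = parse_options(field).get(OPT_VENDOR_CLASS, b"")
        identity = (mac, vendor) if key_on_vendor_class else (mac,)
        if identity in seen or len(seen) < cpe_limit:
            seen.add(identity)
            results.append(True)
        else:
            results.append(False)
    return results


MAC = "00:00:5e:00:53:01"  # constructed; RFC 7042 documentation range
REQUESTS = [
    (MAC, build_options(b"MSFT 5.0")),        # the PC whose MAC is on file
    (MAC, build_options(b"example-router")),  # router cloning that MAC (placeholder string)
]

if __name__ == "__main__":
    print("keyed on MAC only:     ", grant_leases(REQUESTS, 1, False))
    print("keyed on MAC + opt 60: ", grant_leases(REQUESTS, 1, True))
```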
- Posted by Warren on October 7th, 2004
Rene wrote:
The methods you describe can help you make educated guesses. Fairly good
guesses, but still guesses. And as you point out, it takes a lot of time
and effort to get these guesses.
These days those guesses may be enough to get someone thrown into a
secret prison after a secret court issues a secret warrant that you
can't defend against, but prior to the Patriot Act, those guesses
wouldn't make it into court. They're less accurate than, and can be
fooled easier than the infamous polygraph.
Now despite that statement that appears fairly paranoid, I'd have to say
that the ISP has no financial incentive to do any of this, and the
government, while not concerned with costs, still needs some
provocation. And they'd be less concerned with whether it's a Windows
box than what data is being sent. They'd only be counting machines so
they'll know the minimum number they're looking for when they finally
kick the door in.
But let's not ever forget that those are still guesses, and those
guesses were not made without a lot of time and effort.
- Posted by James Knott on October 7th, 2004
jdj wrote:
If a cable company prohibits them, then perhaps the customer should hold the
cable company responsible for protecting the computer against intruders.
After all, that is one of the key selling points of those boxes.
--
(This space intentionally left blank)
- Posted by Ken on October 7th, 2004
Warren wrote:
I reset the router to the factory defaults and then reconfigured and
it did the trick, and now I'm back up and running. Thank you so much
for all your responses.
- Posted by Rene on October 7th, 2004
"Warren" <wholzem@hotmail.com> wrote:
Nah it's rather an observation. The behaviour is known, you just watch for
the pattern to appear. It is very difficult to switch the TCP/IP stack and
they just have their intrinsic behaviours that can be spotted and
distinguished. It is, however, very tiresome, but calling it a guess is
making it sound like it is very imprecise. But it is not. I believe
Netcraft uses it to notice when a server they monitor reboots. They have
those fun statistics about any arbitrary server where they notice OS
changes and other downtimes.
How can they be fooled? It is rather hard to fake another TCP/IP stack's
behaviour and most people don't even have the tools required to do so. But
for the entire paragraph, I hope it's not that extreme yet.
ISPs won't do it. It's just not worth it. If they really want to be rid of
you, they have easier methods. As for the government, it is also far easier
to just walk into the house and count.
As I said, I wouldn't call it guesses and I haven't even given a full list
of such patterns that can be observed that is known to me (and I don't know
all of them) but I think we both agree that in no way is this being done by
ISPs to search and find users of (non-allowed) routers.
CU
René