being attacked? by friend

[avenger_jcc]

Turn your "friend" into the ISP next time. Plain and simple. Warn him, if he continues, turn him in. If he is your friend Im sure you have his name, address, etc. The cable co can search his MAC out and fix the problem. If you have his IP address well this is obviously better. start logging times, dates, etc and let his ISP know.

[avenger_jcc]

Turn your "friend" into the ISP next time. Plain and simple. Warn him, if he continues, turn him in. If he is your friend Im sure you have his name, address, etc. The cable co can search his MAC out and fix the problem. If you have his IP address well this is obviously better. start logging times, dates, etc and let his ISP know.

[SodaMoca5]

You have received some very good advice here. Let's try to boil it down.

1. The firewall on your system isn't really effective because you are sharing a connection through an entry location. Either a cable/dsl router or your parent's computer. Figure out which. If it is a cable/dsl router with a h/w firewall then a firewall on your parent's computer will not really be very effective either. If your parents connect directly to the cable/dsl modem then it should help considerably at least in tracking down and logging his ip and mac.

2. Warn your friend. What he is doing is illegal. Let him know that if he continues you will pursue him through his ISP. If he desists fine, if not please realize that stopping him now with this minor incident is much better than if he continues as a script kiddie and breaks into or causes damage to a company who really presses full charges. What he is doing is not funny, it is not cute, it is not friendly. He is attacking you and his ability to do so is, as you stated, harassment and is now a felony. I only suggest the warning because you say he is a friend. Truthfully I think he needs a boot to the head.

3. Re-assess what you consider a friend. Whether my friends can harass me is immaterial because they won't harass me. I do not call people with that small minded, mean spirited attitude friends. Of course I no longer have to pick and choose my friends from among a group of immature adolescents but even within that group are a lot of "good" friends you can choose over this mini-tyrant.

[SodaMoca5]

You have received some very good advice here. Let's try to boil it down.

1. The firewall on your system isn't really effective because you are sharing a connection through an entry location. Either a cable/dsl router or your parent's computer. Figure out which. If it is a cable/dsl router with a h/w firewall then a firewall on your parent's computer will not really be very effective either. If your parents connect directly to the cable/dsl modem then it should help considerably at least in tracking down and logging his ip and mac.

2. Warn your friend. What he is doing is illegal. Let him know that if he continues you will pursue him through his ISP. If he desists fine, if not please realize that stopping him now with this minor incident is much better than if he continues as a script kiddie and breaks into or causes damage to a company who really presses full charges. What he is doing is not funny, it is not cute, it is not friendly. He is attacking you and his ability to do so is, as you stated, harassment and is now a felony. I only suggest the warning because you say he is a friend. Truthfully I think he needs a boot to the head.

3. Re-assess what you consider a friend. Whether my friends can harass me is immaterial because they won't harass me. I do not call people with that small minded, mean spirited attitude friends. Of course I no longer have to pick and choose my friends from among a group of immature adolescents but even within that group are a lot of "good" friends you can choose over this mini-tyrant.

[Tiger Shark]

Spyder32: Run that by me again...... A SYN flood is where he synch's the packets so he can send more?????? Am I understanding you right or did you mis-speak.

A SYN flood is a DOS attack based on the way TCP/IP works. To make a connection between 2 PC's requires a three way handshake. SYN - SYN/ACK - ACK. So when a computer receives a SYN it has to set aside space on the stack for the ensuing connection.

A SYN flood takes advantage of this by sending multiple SYN's at the target computer. The target sends back the SYN/ACK's, (which it should do), and sets aside space on the stack for the completed connection when the ACK arrives. And there's the catch - The ACK never comes so the target is sat there with all this space taken up on it's stack with what is known as "half open" connections. There comes a point where there is no space left on the stack for new connections which therefore is denial of service to the subsequent legitimate connection attempts.

Many OS's have now been fixed to avoid this problem to a large degree by giving the half open connections a timeout value if the ACK is never received.

If srfgollum was playing counterstrike when a SYN flood attack came in his connection would be unaffected in terms of DOS to him since he already has his 3 way handshake complete and has his space on the stack. However, the sudden increase in traffic would tend to slow down the connection. What is a problem though is that srfgollum is on broadband and even at peak periods should be able to get 40-60kbps transfers but counterstrike only consumes about 3.5-5kbps in it's transfers. That means that his "dear" friend has to eat 35-55kbps of his bandwidth all on his own. That's not likely as it would DOS the whole network.

I would speculate that his friend lives close by - like on the same subnet..... - Then he sets up a sniffer like snort to sniff any packet from XXX.XXX.XXX.XXX, (srfgollum's IP), that is directed at any IP on port 27015-20 and if it finds one it is to send a RST, (reset). On a busy network that would take less bandwidth, would not attract any attention to yourself as the "attacker" though it would suffer from missing some packets on a less than optimal machine. The effect would be to slow srfgollum and lag him out no end while his machine keeps retrying.... if the RST only went to srfgollum and not the server the connection should stay up, assuming the client software tries to reconnect under difficult conditions rather then dropping altogether.

Anyone want to poke holes in that theory?

[Tiger Shark]

Spyder32: Run that by me again...... A SYN flood is where he synch's the packets so he can send more?????? Am I understanding you right or did you mis-speak.

A SYN flood is a DOS attack based on the way TCP/IP works. To make a connection between 2 PC's requires a three way handshake. SYN - SYN/ACK - ACK. So when a computer receives a SYN it has to set aside space on the stack for the ensuing connection.

A SYN flood takes advantage of this by sending multiple SYN's at the target computer. The target sends back the SYN/ACK's, (which it should do), and sets aside space on the stack for the completed connection when the ACK arrives. And there's the catch - The ACK never comes so the target is sat there with all this space taken up on it's stack with what is known as "half open" connections. There comes a point where there is no space left on the stack for new connections which therefore is denial of service to the subsequent legitimate connection attempts.

Many OS's have now been fixed to avoid this problem to a large degree by giving the half open connections a timeout value if the ACK is never received.

If srfgollum was playing counterstrike when a SYN flood attack came in his connection would be unaffected in terms of DOS to him since he already has his 3 way handshake complete and has his space on the stack. However, the sudden increase in traffic would tend to slow down the connection. What is a problem though is that srfgollum is on broadband and even at peak periods should be able to get 40-60kbps transfers but counterstrike only consumes about 3.5-5kbps in it's transfers. That means that his "dear" friend has to eat 35-55kbps of his bandwidth all on his own. That's not likely as it would DOS the whole network.

I would speculate that his friend lives close by - like on the same subnet..... - Then he sets up a sniffer like snort to sniff any packet from XXX.XXX.XXX.XXX, (srfgollum's IP), that is directed at any IP on port 27015-20 and if it finds one it is to send a RST, (reset). On a busy network that would take less bandwidth, would not attract any attention to yourself as the "attacker" though it would suffer from missing some packets on a less than optimal machine. The effect would be to slow srfgollum and lag him out no end while his machine keeps retrying.... if the RST only went to srfgollum and not the server the connection should stay up, assuming the client software tries to reconnect under difficult conditions rather then dropping altogether.

Anyone want to poke holes in that theory?

[xid]

Very informative, Tiger Shark! Thanks for the info, it sounds like you could write a great tutorial on TCP/IP!

Yeah, I know there are many already out... but it's so well explained...

[xid]

Very informative, Tiger Shark! Thanks for the info, it sounds like you could write a great tutorial on TCP/IP!

Yeah, I know there are many already out... but it's so well explained...

[KissCool]

I totally agree with avenger_jcc, send a mail to his ISP with the logs of his attacks (ZoneAlarm must stock the logs somewhere). I guess he will never search to attack you again after a such reaction (the problem is that he will also probably never want to play again with you at CS).

[KissCool]

I totally agree with avenger_jcc, send a mail to his ISP with the logs of his attacks (ZoneAlarm must stock the logs somewhere). I guess he will never search to attack you again after a such reaction (the problem is that he will also probably never want to play again with you at CS).