Anon

[Business] ARP Packets from Comcast are Flooding My LOCAL Networ

About two weeks ago, I noticed that my switch's lights began constantly blinking with lots of traffic. At first, I feared that a wireless device had managed its way onto my network, so I disconnected the WAP, with no change in the blinking of the activity lights. After unplugging all computers and switches, except one, the blinking continued. I ran Wireshark, and discovered that a lot of ARP packets from the WAN are being broadcast to all of my internal network -- about 50 ARP packets per second. Shouldn't my modem/router (SMCD3G-CCR) be dropping these, instead of broadcasting them to the LAN?
broadcaster_t
join:2012-05-06

Member

Re: [Business] ARP Packets from Comcast are Flooding My LOCAL Ne

Good question - I'm experiencing the same "constant barrage" of packets (presumably ARP packets - destination 255.255.255.255), though thankfully in my case they ARE being dropped by a separate router. Not sure what's up with the Comcast gateway passing these through, but hopefully someone can chime in with an answer. (I'm in the Nashville TN market by the way)
Anon

Thanks for the reply -- my market is Walnut Creek, CA (east SF Bay Area).
broadcaster_t
join:2012-05-06
Member

Well, it's 10:30 at night, the Comcast tech just left my house...

I called tech support shortly after posting earlier to get a definitive answer as to what all the packets were about, and could they stop it. I was told it related to a new firmware they had released for the SMC D3G and they could force the new firmware to my modem and it would all be fine. I see my modem reset itself, and I no longer have internet connectivity. I wait. After a couple of hours - and the support tech calling me back 3 times (all on my cell phone as my VOIP PBX system is obviously down as well) - he tells me that now he and his supervisor can't get into my modem, it must be damaged from the attempt to load the new firmware and they will send a tech between 5 and 9 pm. Shortly before 9pm I get a call from a 'scheduling supervisor' wanting to know if this is something they could deal with tomorrow? I didn't tell her what I really thought, but politely replied that I had service when I first called, and since I was a business class customer and THEY had taken me offline, that yes, it WOULD need to be addressed tonight!

The tech finally gets here (just after 9), finds my modem is actually online, but in DHCP mode, the earlier 'update' having blasted out my static IP settings. He tells me he can't get static IP support at this hour at night, so I can call in the morning to get that resolved. He leaves me surfing with a DHCP address (I of course had to completely re-configure my router), but this renders my PBX system useless. I decide to call support myself to see if they can fix the issue tonight....

Now on MULTIPLE pages of the Comcast Business Class website it PLAINLY states "24/7 Business Class Support" (and I've utilized it in the past), but the phone tree tells me that the office hours for support are now 8am to 7pm Monday -Friday, 8am to 4pm Sat. and Sun.

So, Comcast has saved themselves 13 hours of support costs every weekday, 16 hours each weekend day, but.....
Having been in the advertising business for almost 35 years, this is the most blatant case of false advertising I've ever seen. They should have changed that website AND informed their existing customers, because those savings could get VERY costly!! I'm thinking Class Action on behalf of all Comcast Business class customers who signed long term contracts based upon the 'promise' of 24/7 support.

Am I pissed off? - Yes I am! I went from perfectly usable internet with an annoying anomaly, to no service for almost 8 hours and close to an hour total time on the phone, waiting on a tech visit for over 5 hours, plus having a tech in my home from 9pm to after 10pm (I have young children trying to sleep), all because some phone support guy hosed my static IP addresses. I then find out that "Business Class" apparently means 'normal business hours' ONLY! What the hey am I paying extra for? Oh yeah, so Comcast can throw off over a billion dollars in PROFIT every quarter!

The phone tech screwing up - that didn't make me this angry - mistakes happen, even though they should have seen the static IPs noted in my customer records.

The on-site tech not getting there until just after 9 - that didn't make me this angry - he did show up and sincerely tried to fix the issues (and did in a sense).

The 'scheduling supervisor' calling to see if it could wait until tomorrow - that didn't make me this angry - though it was a step over the line!

Comcast deciding that paying a few folks (barely over minimum wage I'm sure) to man the support phones for BUSINESS CUSTOMERS during the night time hours was too much expense to justify (heaven forbid Brian Roberts should have to give up any of his annual bonus) - THAT MAKES ME EXTREMELY ANGRY - because you claimed when I signed a 3 year contract, and CONTINUE TO CLAIM TODAY, that you have "24/7 Business Class Support"!!

And the packets from the Comcast IP address? - still flowing briskly!
If I ran my company this well I'd be homeless and hungry...
ah, the joys of a duopoly.
Anon

Wow! What a nightmare. I was hoping to read a happy ending -- that the pain of dealing with Comcast's customer service would at least result in the same performance that you had before all this started. As for the diagnosis that it is a firmware issue: that totally makes sense. My network has performed flawlessly for the last 18 months that I have had service. Given that my internal network topology is unchanged, I attributed the ARP packet flood to a change in Comcast's system.

Over the years, I have grudgingly come to accept that Comcast support only happens between business hours (other than tier 1 tech support which has me reboot my modem and computer). I always cringe when problems crop up on nights and weekends.

Please let us all know how this works out, as I will be reaching out to Comcast to resolve this, as well.

whfsdude
Premium Member
join:2003-04-05
Washington, DC

255.255.255.255 is going to be a broadcast address and is likely not ARP related. Although it is possible proxy arp got enabled somehow.

Can you provide some output of tcpdump or a pcap file? None of us are going to be able to provide any assistance without any information.

This is also not something a dispatched tech is going to be able to figure out.
Anon

ARP_Flood.pcap.zip
6,876 bytes
15 seconds of Wireshark capture
whfsdude: Thanks for your interest. I have attached a .pcap file to my reply, but basically, each packet is from 96.98.112.1 to Broadcast (ff:ff:ff:ff:ff:ff) and contains "Who has X.X.X.X? Tell Y.Y.Y.Y"
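
A check for the symptom described in this post, as an added example that is not part of the original thread: it reads a classic pcap file and lists broadcast ARP requests whose sender IP lies outside the LAN subnet. The 10.10.10.0/24 subnet and 96.98.112.1 come from the thread; the function names, the other addresses and the in-memory capture are constructed for illustration.

```python
import ipaddress
import struct

ARP_ETHERTYPE = 0x0806
BROADCAST = b"\xff" * 6

def arp_requests(pcap_bytes):
    """Yield (dst_mac, sender_ip, target_ip) per ARP request in a classic pcap."""
    magic = pcap_bytes[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic microsecond pcap (pcapng not handled)")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    offset = 24
    while offset + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "I", pcap_bytes[offset + 8:offset + 12])[0]
        frame = pcap_bytes[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        # 14-byte Ethernet header + 28-byte ARP body; VLAN-tagged frames are skipped
        if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ARP_ETHERTYPE:
            continue
        if struct.unpack("!HHBBH", frame[14:22]) != (1, 0x0800, 6, 4, 1):
            continue  # keep only Ethernet/IPv4 ARP requests (opcode 1)
        yield (frame[0:6], ipaddress.IPv4Address(frame[28:32]),
               ipaddress.IPv4Address(frame[38:42]))

def foreign_arp(pcap_bytes, lan_cidr):
    """Broadcast ARP requests whose sender IP is outside the LAN subnet."""
    lan = ipaddress.ip_network(lan_cidr)
    return [(str(sender), str(target))
            for dst, sender, target in arp_requests(pcap_bytes)
            if dst == BROADCAST and sender not in lan]

def _arp_frame(sender_ip, target_ip, mac=b"\x02\x00\x00\x00\x00\x01"):
    """Build one broadcast ARP request (constructed test data)."""
    eth = BROADCAST + mac + struct.pack("!H", ARP_ETHERTYPE)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + mac
    arp += ipaddress.IPv4Address(sender_ip).packed + b"\x00" * 6
    return eth + arp + ipaddress.IPv4Address(target_ip).packed

def build_sample_pcap():
    """Constructed capture: two WAN-side requests around one normal LAN request."""
    frames = [_arp_frame("96.98.112.1", "96.98.112.77"),
              _arp_frame("10.10.10.20", "10.10.10.1"),
              _arp_frame("96.98.112.1", "96.98.113.5")]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    for sender, target in foreign_arp(build_sample_pcap(), "10.10.10.0/24"):
        print(f"WAN-side ARP on LAN: who has {target}? tell {sender}")
```

Run against a capture taken on a LAN port, an empty result means no outside ARP requests are reaching the LAN side of the router.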

EG
The wings of love
Premium Member
join:2006-11-18
Union, NJ


It's the CMTS. Don't worry about it. It's a function of a shared cable system. A cable segment is basically one big LAN.

NetFixer
From My Cold Dead Hands
Premium Member
join:2004-06-24
The Boro

said by EG:

It's the CMTS. Don't worry about it. It's a function of a shared cable system. A cable segment is basically one big LAN.

I think that the question the OP is asking is how is this ARP traffic getting through the SMCD3G-CCR router to the LAN? Normally ARP traffic such as this is not passed from the WAN interface of a router to the LAN. I know that my SMCD3G-CCR does not do this.
Anon to EG
While I understand that I am part of "one big LAN", I disagree that this is trivial. First, in the past dozen or so years that I have had cable service provided Internet, those packets have never made their way past my router. I believe that their presence is not normal activity, but rather an error in my router's configuration. Second, I have devices, such as my wireless access point (WAP), on whose activity lights I rely, to detect traffic. This new behavior means that I will have to monitor them differently.

NetFixer
From My Cold Dead Hands
Premium Member
join:2004-06-24
The Boro

What is the firmware version in your SMCD3G-CCR?
         
Perhaps you have gotten a new IPv6 compatible firmware pushed to your SMCD3G-CCR, and this is an unintended new "feature" of that firmware?

whfsdude
Premium Member
join:2003-04-05
Washington, DC

whfsdude to EG
said by EG:

It's the CMTS. Don't worry about it. It's a function of a shared cable system. A cable segment is basically one big LAN.

If you look at his pcap, you'll see he's using RFC 1918 address ranges which means the OP probably has a router (or the modem acting as one).

If the OP were plugged directly into a modem without a router, he should see this traffic as it's normal.

But with a router, this is not normal. Looks like proxy arp is enabled on the router to me.

OP. Mind giving us a quick topology?

My guess is Cable Modem (Router running NAT enabled) > Switch.

whfsdude
Premium Member

Cloudsharked pcap for anyone else who wants to chime in.

»www.cloudshark.org/captu ··· 94f8fe8c
Anon

Thank you for converting that to the Cloudshark version.

NetFixer
From My Cold Dead Hands
Premium Member
join:2004-06-24
The Boro

NetFixer to whfsdude
said by whfsdude:

OP. Mind giving us a quick topology?

My guess is Cable Modem (Router running NAT enabled) > Switch.

Actually, the OP already provided that information. The "modem" is the Comcast Business class SMCD3G-CCR gateway.

whfsdude
Premium Member
join:2003-04-05
Washington, DC


said by NetFixer:

Actually, the OP already provided that information. The "modem" is the Comcast Business class SMCD3G-CCR gateway.

Which can be in either bridge or routing mode.

whfsdude
Premium Member

Let me put it this way,

If the modem is acting as a router, then he should contact Comcast (probably best bet is via twitter) and ask that they disable proxy arp on the LAN interface.

NetFixer
From My Cold Dead Hands
Premium Member
join:2004-06-24
The Boro

NetFixer to whfsdude
said by whfsdude:

said by NetFixer:

Actually, the OP already provided that information. The "modem" is the Comcast Business class SMCD3G-CCR gateway.

Which can be in either bridge or routing mode.

I don't know of anyone who has an SMCD3G-CCR running as a bridge since Comcast does not officially support that mode, and the end-user does not have the authentication credentials to be able to get into the telnet cli to set that mode.
Anon to whfsdude
whfsdude: I'm happy to clarify. The SMC D3G-CCR provided to me by Comcast is a combined modem/router, which Comcast told me that they would not be able to set to "bridge mode". So, I used the 10.10.10.1 address as the router's local address, and plugged three switches into the SMC's LAN ports. Other than turning on DHCP for a range of 50 IP addresses, on the SMC, none of the firewall's functions are disabled or modified. From there, many of my computers are statically assigned 10.10.10.X addresses, and I use 255.255.255.0 for the subnet. I have about 15 computers, network attached servers, and printers. I have probably about 10 wireless devices that get their IP addresses from the DHCP pool.

whfsdude
Premium Member
join:2003-04-05
Washington, DC


said by :

whfsdude: I'm happy to clarify. The SMC D3G-CCR provided to me by Comcast is a combined modem/router, which Comcast told me that they would not be able to set to "bridge mode". So, I used the 10.10.10.1 address as the router's local address, and plugged three switches into the SMC's LAN ports. Other than turning on DHCP for a range of 50 IP addresses, on the SMC, none of the firewall's functions are disabled or modified.

Yeah it's clear they enabled proxy arp on router's settings. I'd ping comcastcares.
Anon to whfsdude
said by whfsdude:

If the modem is acting as a router, then he should contact Comcast (probably best bet is via twitter) and ask that they disable proxy arp on the LAN interface.

Thank you! One of the reasons I am using this forum, rather than contact Comcast, yet, is that the users here have the patience to help me articulate what I need to ask Comcast to do for me. Too often, I call Comcast, I describe the behavior, and I am told something along the lines of "so what?", or "that is normal".
broadcaster_t
join:2012-05-06

Member
broadcaster_t to whfsdude
As stated in the OP's original post,

"Shouldn't my modem/router (SMCD3G-CCR) be dropping these, instead of broadcasting them to the LAN?"

So apparently he is using the router feature of the device...
Anon

said by whfsdude:

If the modem is acting as a router, then he should contact Comcast (probably best bet is via twitter) and ask that they disable proxy arp on the LAN interface.

Thank you -- I just sent a message to Bill at ComcastCares. I will post when I receive a reply.
broadcaster_t
join:2012-05-06

Member

Hey all,

I hope this isn't seen as me hijacking this thread, but I wanted to update after my novel / rant earlier.

I was so upset about losing 24/7 support for business class that I called the Comcast billing department. The rep I spoke to was quite surprised, and after placing me on hold to speak to his supervisor came back to tell me that neither he nor his superior were aware of any change in business class support policy. He gave me a number to contact Comcast corporate (I almost fell out of my chair). They actually answered "Comcast corporation, how may I direct your call?" so I assume I actually was speaking to the folks in Philly.

The lady I spoke to in customer relations took notes and placed me on hold, then returned to assure me that Biz class is still supported 24/7 and that apparently I had suffered through a major snafu in their phone system. She promised that the system would be tested after hours and that everything possible would be done to prevent this happening again in the future. I intend to give them a few days and test it out myself, but for now I'll assume they are taking action.

It seems all the Comcast planets aligned against me yesterday! At least they gave me a month's service credit - it doesn't make up for what I went through, but it's something. My contract is up in just over a month, and my choice for ISP going forward will depend on the final resolution to this event.

Now, if someone could tell me why those packets keep coming from 96.64.18.1 addressed to 255.255.255.255, and then stop them from passing from the gateway into my router (after all, that's what started this whole ordeal) I'd be a bit happier, but I wouldn't dream of calling support about it for fear of losing several more days of work...

Thanks whfsdude for the info on 'proxy ARP' - at some point, I'll inquire about that being a possible solution.

Thanks for reading - we now return to our originally scheduled poster!
(Best of luck jtcasas - hope it gets straightened out for you)

whfsdude
Premium Member
join:2003-04-05
Washington, DC


said by broadcaster_t:

Thanks whfsdude for the info on 'proxy ARP' - at some point, I'll inquire about that being a possible solution.

The solution is to disable proxy arp. The traffic you are seeing is likely related to proxy arp being enabled on the modem/router.

jbeckva
join:2004-06-09
Powhatan, VA

Member

I got "hit" with this early morning last Friday. Had no signal for about an hour starting at 1am, then a directed "reboot", then when it all came back up (of course) I went to sleep (as it was pretty late.. heh)

So Friday evening I noticed a lot of activity on the LAN segment. All "activity" lights on the LAN switch blinking in sequence. I did a quick check with Wireshark, and yes.. same thing... tons and tons of arp broadcasts coming from the WAN side, which as previously indicated should NOT be happening.

I called the biz class customer support line, and after hearing the 1st rep not know what an "arp broadcast" was, asked for a supervisor. At that point since the speed was (still is) reasonable, the supervisor said there was nothing that can be done.

I've left a message in the CC Direct forum here (and another.. ), but I have yet to hear anything back.

Whfsdude has it nailed more than likely.. in the new "config" they must have proxyarp enabled. I agree to a point that it's an annoyance - broadcasts still cause unneeded waste of bandwidth, even if not at storm levels.

Now.. who's going to take bets on how long it takes for (a) the issue to "reach the right person", (b) the CR/RFC to make it through all the red tape, then (c) get it fixed?

Bah.. til then.. dragged a soho router out of the closet and put it between the SMC and my LAN. All those blinky lights that have since stopped blinking so much...
Anon

It's so maddening that the supervisor's reaction was to say that it isn't a big enough malfunction to deal with. I also find it ridiculous, that to block those packets, we need to supply our own router, in addition to the forced (and charged a $7 monthly rental fee for) router.

I have not yet heard back from my inquiry at ComcastCares.
Anon to broadcaster_t
I have to say one thing. "broadcaster" no matter how "upset" you are at a company because you were routed incorrectly and ended up at a closed department does not give you the right to belittle people "(barely over minimum wage I'm sure)". This remark was not needed, just because you think you make more money than the person on the other side of the phone does, does not make you a better person. I would love to try to educate you a little bit here, Business class is paid higher than minimum wage.
Anon

Hey joejoe20 -- you're right: the minimum wage comment wasn't fair or accurate.

I believe that the point that was being made, is that the person who initially answers calls for Comcast technical support tends not to be very helpful. In my experience, those who initially answer the phone are only helpful when they are confirming an outage in my area, suggesting that I reboot equipment to see if the problem goes away, or dispatching or escalating the call to someone else. For example, earlier in this thread, jbeckva reported that the person initially answering the call didn't know what an ARP packet was.

I come to DSLReports, so that I can figure out the best way to ask Comcast for help, to avoid simply being turned away by "gatekeepers".
Anon

That is true when dealing with a huge company that does do a fair amount of outsourcing; the great tech support agents are overlooked and all you hear about are the agents that did not pay attention in training or do not wish to give a little extra for their clients that call in. I am sorry for taking this thread off topic, and this will be my last reply since I cannot help you guys. I just couldn't leave without saying something about that.