
Anon
reply to whfsdude

Re: [Business] ARP Packets from Comcast are Flooding My LOCAL Ne

said by whfsdude:

If the modem is acting as a router, then he should contact Comcast (probably best bet is via twitter) and ask that they disable proxy arp on the LAN interface.

Thank you! One of the reasons I am using this forum, rather than contact Comcast, yet, is that the users here have the patience to help me articulate what I need to ask Comcast to do for me. Too often, I call Comcast, I describe the behavior, and I am told something along the lines of "so what?", or "that is normal".

broadcaster_t

join:2012-05-06
reply to whfsdude
As stated in the OP's original post,

"Shouldn't my modem/router (SMCD3G-CCR) be dropping these, instead of broadcasting them to the LAN?"

So apparently he is using the router feature of the device...

Anon
said by whfsdude:

If the modem is acting as a router, then he should contact Comcast (probably best bet is via twitter) and ask that they disable proxy arp on the LAN interface.

Thank you -- I just sent a message to Bill at ComcastCares. I will post when I receive a reply.

broadcaster_t

join:2012-05-06
Hey all,

I hope this isn't seen as me hijacking this thread, but I wanted to update after my novel / rant earlier.

I was so upset about losing 24/7 support for business class that I called the Comcast billing department. The rep I spoke to was quite surprised, and after placing me on hold to speak to his supervisor came back to tell me that neither he nor his superior were aware of any change in business class support policy. He gave me a number to contact Comcast corporate (I almost fell out of my chair). They actually answered "Comcast corporation, how may I direct your call?" so I assume I actually was speaking to the folks in Philly.

The lady I spoke to in customer relations took notes and placed me on hold, then returned to assure me that Biz class is still supported 24/7 and that apparently I had suffered through a major snafu in their phone system. She promised that the system would be tested after hours and that everything possible would be done to prevent this happening again in the future. I intend to give them a few days and test it out myself, but for now I'll assume they are taking action.

It seems all the Comcast planets aligned against me yesterday! At least they gave me a month's service credit - it doesn't make up for what I went through, but it's something. My contract is up in just over a month, and my choice for ISP going forward will depend on the final resolution to this event.

Now, if someone could tell me why those packets keep coming from 96.64.18.1 addressed to 255.255.255.255, and then stop them from passing from the gateway into my router (after all, that's what started this whole ordeal) I'd be a bit happier, but I wouldn't dream of calling support about it for fear of losing several more days of work...

Thanks whfsdude for the info on 'proxy ARP' - at some point, I'll inquire about that being a possible solution.

Thanks for reading - we now return to our originally scheduled poster!
(Best of luck jtcasas - hope it gets straightened out for you)


whfsdude
Premium
join:2003-04-05
Washington, DC
said by broadcaster_t:

Thanks whfsdude for the info on 'proxy ARP' - at some point, I'll inquire about that being a possible solution.

The solution is to disable proxy arp. The traffic you are seeing is likely related to proxy arp being enabled on the modem/router.


jbeckva

join:2004-06-09
Powhatan, VA
I got "hit" with this early morning last Friday. Had no signal for about an hour starting at 1am, then a directed "reboot", then when it all came back up (of course) I went to sleep (as it was pretty late.. heh)

So Friday evening I noticed a lot of activity on the LAN segment. All "activity" lights on the LAN switch blinking in sequence. I did a quick check with Wireshark, and yes.. same thing... tons and tons of arp broadcasts coming from the WAN side, which as previously indicated should NOT be happening.

I called the biz class customer support line, and after hearing the 1st rep not know what an "arp broadcast" was, asked for a supervisor. At that point since the speed was (still is) reasonable, the supervisor said there was nothing that can be done.

I've left a message in the CC Direct forum here (and another.. ), but I have yet to hear anything back.

Whfsdude has it nailed more than likely.. in the new "config" they must have proxyarp enabled. I agree to a point that it's an annoyance - broadcasts still cause unneeded waste of bandwidth, even if not at storm levels.

Now.. who's going to take bets on how long it takes for (a) the issue to "reach the right person", (b) the CR/RFC to make it through all the red tape, then (c) get it fixed?

Bah.. til then.. dragged a soho router out of the closet and put it between the SMC and my LAN. All those blinky lights that have since stopped blinking so much...

Anon
It's so maddening that the supervisor's reaction was to say that it isn't a big enough malfunction to deal with. I also find it ridiculous, that to block those packets, we need to supply our own router, in addition to the forced (and charged a $7 monthly rental fee for) router.

I have not yet heard back from my inquiry at ComcastCares.

Anon
reply to broadcaster_t
I have to say one thing. "broadcaster", no matter how "upset" you are at a company because you were routed incorrectly and ended up at a closed department, it does not give you the right to belittle people "(barely over minimum wage I'm sure)". This remark was not needed. Just because you think you make more money than the person on the other side of the phone does, does not make you a better person. I would love to try to educate you a little bit here: Business class is paid higher than minimum wage.

Anon
Hey joejoe20 -- you're right: the minimum wage comment wasn't fair or accurate.

I believe that the point that was being made, is that the person who initially answers calls for Comcast technical support tends not to be very helpful. In my experience, those who initially answer the phone are only helpful when they are confirming an outage in my area, suggesting that I reboot equipment to see if the problem goes away, or dispatching or escalating the call to someone else. For example, earlier in this thread, jbeckva reported that the person initially answering the call didn't know what an ARP packet was.

I come to DSLReports, so that I can figure out the best way to ask Comcast for help, to avoid simply being turned away by "gatekeepers".

Anon
That is true when dealing with a huge company that does do a fair amount of outsourcing. The great tech support agents are overlooked, and all you hear about are the agents that did not pay attention in training or do not wish to give a little extra for their clients that call in. I am sorry for taking this thread off topic, and this will be my last reply since I cannot help you guys. I just couldn't leave without saying something about that.

broadcaster_t

join:2012-05-06
The point of my comment was that I'm sure Comcast doesn't pay anywhere NEAR what these people deserve for their support function, NOT to belittle them. In other words, it wouldn't be any great savings in wages by cutting that staff. I certainly don't think I "make more money than the person on the other side of the phone does". Likely less, as I don't make what I deserve for what I do either, but many of us are suffering in this economy. Seriously, as a "Mom & Pop" operation, there have been months where I actually made less than half minimum wage for the hours I worked. Having worked tech support in my past, I really feel for these folks. I sincerely apologize to anyone who was offended - it absolutely was not meant that way. It was Comcast policy (at least the impression of their policy as their phone system conveyed it that night) that I was attempting - however poorly - to 'belittle'.

jreiter

join:2004-01-29
Arvada, CO
I am seeing the same behavior on my network as well. On the phone with Comcast Biz support right now and they are basically blaming me for the traffic. The rep tried to tell me that 96.98.112.1 was not a Comcast IP and that I was generating the traffic. Unbelievable.


NetFixer
Bah Humbug
Premium
join:2004-06-24
The Boro
said by jreiter:

I am seeing the same behavior on my network as well. On the phone with Comcast Biz support right now and they are basically blaming me for the traffic. The rep tried to tell me that 96.98.112.1 was not a Comcast IP and that I was generating the traffic. Unbelievable.

Aside from the well known fact that Comcast tier one CSRs (even Business Class CSRs) are generally network ignorant (and even those who are network savvy, are not allowed to stray from their scripts), I suspect that they are being blindsided by a new firmware for the SMCD3G boxes, and since this has not been a "feature" of previous firmware versions, it is not yet a part of their scripts.

Can you tell us your firmware version? I asked the OP, but I never got a reply. My guess is that in some areas Comcast has pushed their first attempt at an IPv6 compatible firmware for the SMCD3G boxes, and this may be a side effect of its DHCPv6 implementation.
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.

jreiter

join:2004-01-29
Arvada, CO
said by NetFixer:

said by jreiter:

I am seeing the same behavior on my network as well. On the phone with Comcast Biz support right now and they are basically blaming me for the traffic. The rep tried to tell me that 96.98.112.1 was not a Comcast IP and that I was generating the traffic. Unbelievable.

Aside from the well known fact that Comcast tier one CSRs (even Business Class CSRs) are generally network ignorant (and even those who are network savvy, are not allowed to stray from their scripts), I suspect that they are being blindsided by a new firmware for the SMCD3G boxes, and since this has not been a "feature" of previous firmware versions, it is not yet a part of their scripts.

Can you tell us your firmware version? I asked the OP, but I never got a reply. My guess is that in some areas Comcast has pushed their first attempt at an IPv6 compatible firmware for the SMCD3G boxes, and this may be a side effect of its DHCPv6 implementation.

My firmware is: 3.1.4.51.1

I made the mistake of rebooting the modem last Friday night and that released the flood.


NetFixer
Bah Humbug
Premium
join:2004-06-24
The Boro
said by jreiter:

My firmware is: 3.1.4.51.1

I made the mistake of rebooting the modem last Friday night and that released the flood.

That is quite a jump in firmware version from the 1.4.0.49.7-CCR that I have had for at least the past ~6 months.

Being a glutton for punishment, I just rebooted my SMCD3G and I now also have the 3.1.4.51.1 firmware and the constant barrage of ARP traffic on the SMC's LAN interface. Interestingly, I still don't see any new menu items for IPv6, but perhaps Comcast has decided to not allow the customer access to that information (like much other information that they hide).

One new thing (other than the ARP traffic) that I see is that even though I have a /29 static IP block, I now also have a DHCP WAN IP address and gateway that is outside my static IP block (previously that showed up as 0.0.0.0). I also note that the DHCP lease started at 1 hour (and is decrementing), whereas previously it showed up as a very large number that never decremented.

Other than the somewhat annoying light show on the SMC LAN interface, and on my SamKnows box (the only device that is actually directly connected to my SMCD3G), I don't really notice any problems with the ARP packets being forwarded to the SMC's LAN interface.
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.

jreiter

join:2004-01-29
Arvada, CO
So I guess I finally rang enough bells with Comcast that they referred me to the Abuse department to investigate their own network and why the modems are getting/generating ARP traffic now. I will be sending them a Wireshark capture tonight of the traffic. My network is actually seeing a slowdown from the traffic. My Juniper firewall is none too happy with the traffic and keeps alerting that it is under attack.

jtcasas

join:2012-05-10
reply to NetFixer
said by NetFixer:

What is the firmware version in your SMCD3G-CCR?
         
Perhaps you have gotten a new IPv6 compatible firmware pushed to your SMCD3G-CCR, and this is an unintended new "feature" of that firmware?

My firmware version is 3.1.4.51.1


DarkLogix
Texan and Proud
Premium
join:2008-10-23
Baytown, TX
kudos:3
Guess I'll power cycle my SMC and see if I see any changes (tonight)


JohnInSJ
Premium
join:2003-09-22
Aptos, CA
said by DarkLogix:

Guess I'll power cycle my SMC and see if I see any changes (tonight)

Ditto... my smc is up 90+ days no reboot, no arp traffic here. Of course it's just going to send arps to my router which will drop them, if it happens...
--
My place : »www.schettino.us


DarkLogix
Texan and Proud
Premium
join:2008-10-23
Baytown, TX
kudos:3
said by JohnInSJ:

said by DarkLogix:

Guess I'll power cycle my SMC and see if I see any changes (tonight)

Ditto... my smc is up 90+ days no reboot, no arp traffic here. Of course it's just going to send arps to my router which will drop them, if it happens...

Same here
my 3745 will just drop them too.

though I'll do a speed test before and after just to see, though the link from SMC to 3745 is gig so I doubt it'll have any impact on the available bandwidth as the traffic would be using the cable side interface anyway and this at worst might add it to the intermediate link between the two devices thus cutting into the gig speed which would likely not even notice.

although maybe it could have an impact on the SMC's CPU load.


whfsdude
Premium
join:2003-04-05
Washington, DC
It should not cause any change in your WAN bandwidth as that ARP traffic always reaches your CM.

If you had the modem in bridge mode, your router would always see it.


NetFixer
Bah Humbug
Premium
join:2004-06-24
The Boro
said by whfsdude:

It should not cause any change in your WAN bandwidth as that ARP traffic always reaches your CM.

If you had the modem in bridge mode, your router would always see it.

If you know a way that the customer can put an SMCD3G-CCR into bridge mode, you would probably gain a few new friends in this forum if you shared your knowledge.
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.


whfsdude
Premium
join:2003-04-05
Washington, DC
said by NetFixer:

If you know a way that the customer can put an SMCD3G-CCR into bridge mode, you would probably gain a few new friends in this forum if you shared your knowledge.

No, I don't, sadly. I however know some users in meatspace with SB6120s on business class service.

My point was though that the ARP traffic is totally normal for cable modems so it wouldn't change your WAN speeds.

However, generally people don't use proxy arp for their LANs. I'd argue it's a minor security issue in fact. But it will not affect speeds.

noisefloor

join:2010-05-09
reply to NetFixer
said by NetFixer:

said by whfsdude:

It should not cause any change in your WAN bandwidth as that ARP traffic always reaches your CM.

If you had the modem in bridge mode, your router would always see it.

If you know a way that the customer can put an SMCD3G-CCR into bridge mode, you would probably gain a few new friends in this forum if you shared your knowledge.

If you can talk someone in support into running a telnet session into your D3G the command is > ven RG 0 (1 enables gateway)
In the D3G you need to be in cable mode (default), 8014 would be main mode.

My D3G is running happy in bridge mode


JohnInSJ
Premium
join:2003-09-22
Aptos, CA
Business Class 12/2, 5 statics, SMC in "true static" mode

Before reboot:
Firmware Version 1.4.0.49.7-CCR
No ARP packets coming in from modem to FW/Router (linux box)

shaperprobe:

Checking for traffic shapers:

Upstream: Burst size: 1708-2163 KB; Shaping rate: 2128 Kbps.
Downstream: Burst size: 6735-7900 KB; Shaping rate: 11816 Kbps.

Reboot:
Firmware Version 3.1.4.51.1

shaperprobe:
Checking for traffic shapers:

Upstream: Burst size: 1829-2312 KB; Shaping rate: 2128 Kbps.

Downstream: Burst size: 7961-8523 KB; Shaping rate: 12768 Kbps.

No changes there,

tcpdump from firewall, on interface facing the cable modem...

ARP, Request who-has 73.70.119.169 tell 73.70.118.1, length 46
ARP

tcpdump, side facing my lan:

no ARP packets from comcast...

So, yep, ARP packets from Comcast are being forwarded to the other side, even with statics.
--
My place : »www.schettino.us
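
An added example, not part of the post above or any poster's code: a Python check that reads tcpdump ARP lines like the one in the post and counts requests whose sender and target both fall outside the subnets that belong on your LAN segment. The subnet list and the sample capture lines are constructed assumptions (the first sample line mirrors the capture in the post); feed it the text output of `tcpdump -n -i <interface> arp`.

```python
import ipaddress
import re
from collections import Counter

# Assumption: subnets that legitimately belong on this LAN segment
# (a private LAN plus a placeholder static block from TEST-NET-1).
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("192.168.10.0/24", "192.0.2.0/29")]

# Matches tcpdump -n output such as:
#   ARP, Request who-has 73.70.119.169 tell 73.70.118.1, length 46
ARP_REQ = re.compile(
    r"ARP, Request who-has (\S+?)(?: \([0-9a-fA-F:]+\))? tell (\S+?), length \d+"
)

# Constructed sample capture; only the first line mirrors the post.
SAMPLE = """\
10:58:21.000100 ARP, Request who-has 73.70.119.169 tell 73.70.118.1, length 46
10:58:21.000350 ARP, Request who-has 73.70.119.12 tell 73.70.118.1, length 46
10:58:21.004000 ARP, Request who-has 192.168.10.20 tell 192.168.10.254, length 28
10:58:21.009000 ARP, Reply 192.168.10.20 is-at 00:11:22:33:44:55, length 28
10:58:21.010000 ARP, Request who-has 192.0.2.2 (ff:ff:ff:ff:ff:ff) tell 192.0.2.1, length 46
10:58:21.020000 IP 192.168.10.20.53124 > 192.168.10.254.53: UDP, length 33
"""

def is_local(addr):
    """True when addr sits inside one of the subnets we expect on this segment."""
    return any(addr in net for net in LOCAL_NETS)

def parse_arp_request(line):
    """Return (target, sender) as ip_address objects, or None for other lines."""
    m = ARP_REQ.search(line)
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
    except ValueError:  # hostnames appear when tcpdump runs without -n
        return None

def summarize(lines):
    """Count ARP requests by locality and tally senders of fully foreign ones."""
    counts = Counter()
    foreign_senders = Counter()
    for line in lines:
        parsed = parse_arp_request(line)
        if parsed is None:
            counts["ignored"] += 1
            continue
        target, sender = parsed
        hits = is_local(target) + is_local(sender)
        if hits == 2:
            counts["local"] += 1
        elif hits == 1:
            counts["mixed"] += 1
        else:
            # Neither address is ours: ISP-side ARP leaking onto the LAN.
            counts["foreign"] += 1
            foreign_senders[str(sender)] += 1
    return dict(counts), dict(foreign_senders)

if __name__ == "__main__":
    counts, senders = summarize(SAMPLE.splitlines())
    print("request counts:", counts)
    print("foreign senders:", senders)
```

A non-zero "foreign" count on the LAN-facing interface is the condition the thread describes; on the modem-facing interface of your own router it is expected.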

jtcasas

join:2012-05-10
JohnInSJ: Thanks for the detailed notes on your experiment!

Nalez

join:2011-01-14

Wow, look at that, I am getting ARP packets as well, with a routed /28 network. This opens up all kinds of security issues, such as ARP poisoning, ARP flooding, and getting detailed information about the networks for other Comcast customers. This also means that my ARP packets may be going out to the greater Comcast network.

What is interesting, is this update is being pushed out to resolve security issues; mainly the password that leaked out as well as requirement for use with DNSSEC.

Details can be found here:
»forums.smartertools.com/showthre···DRESSES!


ropeguru
Premium
join:2001-01-25
Mechanicsville, VA
Interesting post you linked to. So essentially, if it is a small business that is sitting behind their own router with no dns server on their network, they need to expose all their equipment to the internet directly because Comcast is FORCING the DNSSEC servers on all business customers which do not work behind NAT.

Additionally, since the DNSSEC would require a real internet address, this sounds like Comcast is pushing this in order to force business customers to have to have more than one IP. This would require the purchase of a block of 5 IPs and generate a large amount of revenue.

Glad I don't use their DNS for anything and run my own. Yes, I know the ramifications of possibly not getting the closest Google, Netflix, Hulu, etc. server.


NetFixer
Bah Humbug
Premium
join:2004-06-24
The Boro
reply to Nalez
said by Nalez:

Wow, look at that, I am getting ARP packets as well, with a routed /28 network. This opens up all kinds of security issues, such as ARP poisoning, ARP flooding, and getting detailed information about the networks for other Comcast customers. This also means that my ARP packets may be going out to the greater Comcast network.

What is interesting, is this update is being pushed out to resolve security issues; mainly the password that leaked out as well as requirement for use with DNSSEC.

Details can be found here:
»forums.smartertools.com/showthre···DRESSES!

said by chicagonettech :

As of this month, Comcast is officially rolling out DNSSEC to all of their DOCSIS ROUTERS on their digital circuits for Business Class Customers. This means that a FIRMWARE UPDATE is being pushed to all COMCAST DOCSIS modems and, as part of that process, the DNS SERVERS in those modems are being LOCKED onto 75.75.75.75 and 75.75.76.76, the two COMCAST DNSSEC DNS servers. This means that Business Class end users who have had their DOCSIS modem firmware updated will NOT be able to change the internal DNS of the COMCAST ROUTER to any other DNS SERVER IP address. [The firmware update also installs the ability for IPV6, but it is not yet enabled unless an account is specifically engineered for IPV6.]

Interesting that my SMCD3G with the 3.1.4.51.1 firmware does not seem to be using the 75.75.75.75 and 75.75.76.76 DNS servers:


Gateway Status
Initilization Procedure
Vendor Name SMC Networks
Hardware Version 1A
Serial Number H21039056789
Firmware Version 3.1.4.51.1
Operating Mode RG
System Uptime 001 days 01h:41m:11s
Date May-11-2012
Time 10:58:21

Network
Internet Settings
Gateway MAC Address 00:26:F3:XX:YY:Z1
WAN MAC Address 00:26:F3:XX:YY:Z2
WAN DHCP IP Address 107.3.237.186
WAN DHCP Subnet Mask 255.255.254.0
WAN DHCP Default Gateway 107.3.236.1
WAN Internet IP Address 75.146.8.46
DNS (primary) 68.87.68.162
DNS (secondary) 68.87.74.162
DHCP Time Remaining 70h:54m:08s
Date May-11-2012
Static IP Block 75.146.8.46/29

Local Settings
Gateway IP Address 192.168.10.254
Subnet Mask 255.255.255.0
DHCP Server Enabled
IP Range (start) 192.168.10.20
IP Range (end) 192.168.10.20


FWIW, my local DNS server worked just fine (for both internal and external queries) with Comcast's DNSSEC even before this latest firmware update that now floods my servers with Comcast's ARP traffic.

It is nice to see at least a backdoor acknowledgement that this latest firmware update is related to IPv6 functionality. I wonder if anyone in one of Comcast's IPv6 test areas with this firmware is now seeing IPv6 functionality using this router?

--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.

noisefloor

join:2010-05-09
The CFG file deployed for the D3G in the last year had to be set to 75.75.75.75 for static routing to work right.
Unless you have statics configured I don't see a reason the gateway would have those servers present.