
whfsdude
Premium
join:2003-04-05
Washington, DC

Re: [Business] ARP Packets from Comcast are Flooding My LOCAL Ne

It should not cause any change in your WAN bandwidth as that ARP traffic always reaches your CM.

If you had the modem in bridge mode, your router would always see it.



NetFixer
Snarl For The Camera Please
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage

said by whfsdude:

It should not cause any change in your WAN bandwidth as that ARP traffic always reaches your CM.

If you had the modem in bridge mode, your router would always see it.

If you know a way that the customer can put an SMCD3G-CCR into bridge mode, you would probably gain a few new friends in this forum if you shared your knowledge.
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.


whfsdude
Premium
join:2003-04-05
Washington, DC
Reviews:
·Comcast

said by NetFixer:

If you know a way that the customer can put an SMCD3G-CCR into bridge mode, you would probably gain a few new friends in this forum if you shared your knowledge.

No I don't, sadly. I, however, know some users in meatspace with SB6120s on business class service.

My point was though that the ARP traffic is totally normal for cable modems so it wouldn't change your WAN speeds.

However, generally people don't use proxy ARP for their LANs. I'd argue it's a minor security issue, in fact. But it will not affect speeds.

noisefloor

join:2010-05-09
reply to NetFixer

said by NetFixer:

said by whfsdude:

It should not cause any change in your WAN bandwidth as that ARP traffic always reaches your CM.

If you had the modem in bridge mode, your router would always see it.

If you know a way that the customer can put an SMCD3G-CCR into bridge mode, you would probably gain a few new friends in this forum if you shared your knowledge.

If you can talk someone in support into running a telnet session into your D3G, the command is > ven RG 0 (1 enables gateway).
In the D3G you need to be in cable mode (default); 8014 would be main mode.

My D3G is running happily in bridge mode.


JohnInSJ
Premium
join:2003-09-22
Aptos, CA

Business Class 12/2, 5 statics, SMC in "true static" mode

Before reboot:
Firmware Version 1.4.0.49.7-CCR
No ARP packets coming in from modem to FW/Router (linux box)

shaperprobe:

Checking for traffic shapers:

Upstream: Burst size: 1708-2163 KB; Shaping rate: 2128 Kbps.
Downstream: Burst size: 6735-7900 KB; Shaping rate: 11816 Kbps.

Reboot:
Firmware Version 3.1.4.51.1

shaperprobe:
Checking for traffic shapers:

Upstream: Burst size: 1829-2312 KB; Shaping rate: 2128 Kbps.

Downstream: Burst size: 7961-8523 KB; Shaping rate: 12768 Kbps.

No changes there.

tcpdump from firewall, on, interface facing the cable modem...

ARP, Request who-has 73.70.119.169 tell 73.70.118.1, length 46
ARP

tcpdump, side facing my lan:

no ARP packets from comcast...

So, yep, ARP packets from Comcast are being forwarded to the other side, even with statics.
--
My place : »www.schettino.us


jtcasas

join:2012-05-10

JohnInSJ: Thanks for the detailed notes on your experiment!


Nalez

join:2011-01-14

1 edit

Wow, look at that, I am getting ARP packets as well, with a routed /28 network. This opens up all kinds of security issues, such as ARP poisoning, ARP flooding and getting detailed information about the networks of other Comcast customers. This also means that my ARP packets may be going out to the greater Comcast network.

What is interesting is that this update is being pushed out to resolve security issues, mainly the password that leaked out as well as the requirement for use with DNSSEC.

Details can be found here:
»forums.smartertools.com/showthre···DRESSES!



ropeguru
Premium
join:2001-01-25
Mechanicsville, VA

Interesting post you linked to. So essentially, if it is a small business that is sitting behind their own router with no dns server on their network, they need to expose all their equipment to the internet directly because Comcast is FORCING the DNSSEC servers on all business customers which do not work behind NAT.

Additionally, since the DNSSEC would require a real internet address, this sounds like Comcast is pushing this in order to force business customers to have to have more than one IP. This would require the purchase of a block of 5 IP's and generate a large amount of revenue.

Glad I don't use their DNS for anything and run my own. Yes, I know the ramifications of possibly not getting the closest Google, Netflix, Hulu, etc. server.



NetFixer
Snarl For The Camera Please
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage
reply to Nalez

said by Nalez:

Wow, look at that, I am getting ARP packets as well, with a routed /28 network. This opens up all kinds of security issues, such as ARP poisoning, ARP flooding and getting detailed information about the networks of other Comcast customers. This also means that my ARP packets may be going out to the greater Comcast network.

What is interesting is that this update is being pushed out to resolve security issues, mainly the password that leaked out as well as the requirement for use with DNSSEC.

Details can be found here:
»forums.smartertools.com/showthre···DRESSES!

said by chicagonettech :

As of this month, Comcast is officially rolling out DNSSEC to all of their DOCSIS ROUTERS on their digital circuits for Business Class Customers. This means that a FIRMWARE UPDATE is being pushed to all COMCAST DOCSIS modems and, as part of that process, the DNS SERVERS in those modems are being LOCKED onto 75.75.75.75 and 75.75.76.76, the two COMCAST DNSSEC DNS servers. This means that Business Class end users who have had their DOCSIS modem firmware updated will NOT be able to change the internal DNS of the COMCAST ROUTER to any other DNS SERVER IP address. [The firmware update also installs the ability for IPV6, but it is not yet enabled unless an account is specifically engineered for IPV6.]

Interesting that my SMCD3G with the 3.1.4.51.1 firmware does not seem to be using the 75.75.75.75 and 75.75.76.76 DNS servers:


Gateway Status
Initilization Procedure
Vendor Name SMC Networks
Hardware Version 1A
Serial Number H21039056789
Firmware Version 3.1.4.51.1
Operating Mode RG
System Uptime 001 days 01h:41m:11s
Date May-11-2012
Time 10:58:21

Network
Internet Settings
Gateway MAC Address 00:26:F3:XX:YY:Z1
WAN MAC Address 00:26:F3:XX:YY:Z2
WAN DHCP IP Address 107.3.237.186
WAN DHCP Subnet Mask 255.255.254.0
WAN DHCP Default Gateway 107.3.236.1
WAN Internet IP Address 75.146.8.46
DNS (primary) 68.87.68.162
DNS (secondary) 68.87.74.162
DHCP Time Remaining 70h:54m:08s
Date May-11-2012
Static IP Block 75.146.8.46/29

Local Settings
Gateway IP Address 192.168.10.254
Subnet Mask 255.255.255.0
DHCP Server Enabled
IP Range (start) 192.168.10.20
IP Range (end) 192.168.10.20


FWIW, my local DNS server worked just fine (for both internal and external queries) with Comcast's DNSSEC even before this latest firmware update that now floods my servers with Comcast's ARP traffic.

It is nice to see at least a backdoor acknowledgement that this latest firmware update is related to IPv6 functionality. I wonder if anyone in one of Comcast's IPv6 test areas with this firmware is now seeing IPv6 functionality using this router?

--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.

noisefloor

join:2010-05-09

The CFG file deployed for the D3G in the last year had to be set to 75.75.75.75 for static routing to work right.
Unless you have statics configured I don't see a reason the gateway would have those servers present.



ropeguru
Premium
join:2001-01-25
Mechanicsville, VA

said by noisefloor:

The CFG file deployed for the D3G in the last year had to be set to 75.75.75.75 for static routing to work right.
Unless you have statics configured I don't see a reason the gateway would have those servers present.

Static as in static IPs, or static routes for his IPs?

If static IPs, then he has those:

Static IP Block 75.146.8.46/29

noisefloor

join:2010-05-09

Oh, that's crazy he's still running the 68.87.x.x servers with his static block. It must be something they are pushing out by market, because when I was with the company last year every D3G (only D3Gs) that was deployed had to be set to 75.x.x.x for the statics to function. I believe we sent a macro that made this change on the back end to everyone's cfg as well. The gateway could still function with a DHCP WAN address, though, with any previous 68.x.x.x DNS.



NetFixer
Snarl For The Camera Please
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage

1 edit
reply to noisefloor

said by noisefloor:

The CFG file deployed for the D3G in the last year had to be set to 75.75.75.75 for static routing to work right.
Unless you have statics configured I don't see a reason the gateway would have those servers present.

I have no control over that setting. That setting, like many other configurable settings in the SMCD3G-CCR, can only be set by Comcast. The only DNS server setting in the SMCD3G-CCR that the customer can change is the two DNS servers that the SMC's DHCP server assigns to its DHCP clients (that setting does not change the DNS servers that the SMCD3G-CCR uses internally).

FWIW, I do have a /29 static IP block (as is shown in my previous post), but I can't see why that would make any difference. I do know for a fact that I am able to use the 75.75.75.75 and 75.75.76.76 IP addresses because my local DNS server uses those IP addresses for forwarding. And the ICSI Netalyzr test shows that my local DNS is/was DNSSEC compliant whether I forward to the 75.75.75.75 and 75.75.76.76 IP addresses or to the 68.87.68.162 and 68.87.74.162 IP addresses, or to the SMCD3G's IP address (this is both before and after the new 3.1.4.51.1 firmware was loaded).

My previous post was just to point out that the new 3.1.4.51.1 firmware does not automatically assign the 75.75.75.75 and 75.75.76.76 IP addresses, nor are those specific IP addresses required to use Comcast's DNSSEC servers (the 68.87.68.162 and 68.87.74.162 IP addresses that my SMCD3G gets from Comcast are also Comcast DNSSEC servers, and they work properly as DNSSEC servers).
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.


NetFixer
Snarl For The Camera Please
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage
reply to noisefloor

said by noisefloor:

Oh, that's crazy he's still running the 68.87.x.x servers with his static block. It must be something they are pushing out by market, because when I was with the company last year every D3G (only D3Gs) that was deployed had to be set to 75.x.x.x for the statics to function. I believe we sent a macro that made this change on the back end to everyone's cfg as well. The gateway could still function with a DHCP WAN address, though, with any previous 68.x.x.x DNS.

I don't know anything about Comcast macros, but I do know that my /29 static IP block (including my public facing web and email servers) is working just fine with the SMCD3G configured with the 68.87.68.162 and 68.87.74.162 DNS server addresses.

FWIW, I do recall that my SMCD3G was originally configured with the 75.75.75.75 and 75.75.76.76 DNS servers, but that changed at some point after another firmware upgrade was pushed to my box.
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.


DarkLogix
Texan and Proud
Premium
join:2008-10-23
Baytown, TX
kudos:3
reply to JohnInSJ

said by JohnInSJ:

said by DarkLogix:

Guess I'll power cycle my SMC and see if I see any changes (tonight)

Ditto... my smc is up 90+ days no reboot, no arp traffic here. Of course it's just going to send arps to my router which will drop them, if it happens...

Arrg, I power cycled it today and here's what happened:

The CM oddly didn't make the switch port active, which caused more power cycling, and also my ASP page that fetches the RF stats is now broken.


JohnInSJ
Premium
join:2003-09-22
Aptos, CA

said by DarkLogix:

said by JohnInSJ:

said by DarkLogix:

Guess I'll power cycle my SMC and see if I see any changes (tonight)

Ditto... my smc is up 90+ days no reboot, no arp traffic here. Of course it's just going to send arps to my router which will drop them, if it happens...

Arrg, I power cycled it today and here's what happened:

The CM oddly didn't make the switch port active, which caused more power cycling, and also my ASP page that fetches the RF stats is now broken.

I saw that too - oddity on the switch side - I was on LAN 4, which came up dead... LAN 1 was working, which I found by jacking in a laptop on each port until I got das blinkenlites.

Weird.
--
My place : »www.schettino.us


DarkLogix
Texan and Proud
Premium
join:2008-10-23
Baytown, TX
kudos:3

Well, now I'm trying to troubleshoot my ASP page (BTW, I'm not a programmer),

and it involves some array manipulation.
If you're a programmer, feel free to help; I made a thread in the webmasters forum.

I wish I knew what has changed with the formatting of the HTML page I'm pulling the data from.



NetFixer
Snarl For The Camera Please
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage
reply to JohnInSJ

said by JohnInSJ:

I saw that too - oddity on the switch side - I was on LAN 4, which came up dead... LAN 1 was working, which I found by jacking in a laptop on each port until I got das blinkenlites.

Weird.

I did not see that symptom because I normally only have one device connected to my SMCD3G's LAN (my SamKnows box on SMC port 1). After seeing DarkLogix's post and your followup, I moved my Vonage RTP300's WAN connection to the SMC LAN ports 2-4 in sequence, and all of the SMC switch ports were active as soon as I connected the cable.

Perhaps the new SMCD3G firmware expects that the SMC LAN port 1 will always have an active connection, and if it doesn't find one, it doesn't bother to enable any other switch ports? Later this evening I plan to check to see if the USB port has perhaps been activated with the new firmware. I will move my SamKnows box to port 4 on the SMC at that time to see if it works immediately after an SMC reboot.
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.


DarkLogix
Texan and Proud
Premium
join:2008-10-23
Baytown, TX
kudos:3

Well, I initially had it plugged into port 2, then moved to port 1 (also dead), then port 3, then they all came up.



JohnInSJ
Premium
join:2003-09-22
Aptos, CA
reply to DarkLogix

said by DarkLogix:

Well, now I'm trying to troubleshoot my ASP page (BTW, I'm not a programmer),

and it involves some array manipulation.
If you're a programmer, feel free to help; I made a thread in the webmasters forum.

I wish I knew what has changed with the formatting of the HTML page I'm pulling the data from.

My munin script survived the new formatting, I'll take a look
--
My place : »www.schettino.us


JohnInSJ
Premium
join:2003-09-22
Aptos, CA
reply to DarkLogix

said by DarkLogix:

Well, now I'm trying to troubleshoot my ASP page (BTW, I'm not a programmer),

and it involves some array manipulation.
If you're a programmer, feel free to help; I made a thread in the webmasters forum.

I wish I knew what has changed with the formatting of the HTML page I'm pulling the data from.

Can you link to the thread or PM it to me, I can't find/not subscribed to that forum...
--
My place : »www.schettino.us


DarkLogix
Texan and Proud
Premium
join:2008-10-23
Baytown, TX
kudos:3

»Need help updating an ASP page to work again

Wow, just noticed a typo in the thread title.
I think it's an issue with the split function that splits the 4 numbers into different parts of an array so that the numbers can be easily displayed by my display function.



JohnInSJ
Premium
join:2003-09-22
Aptos, CA

said by DarkLogix:

»Need help updating an ASP page to work again

Wow, just noticed a typo in the thread title.
I think it's an issue with the split function that splits the 4 numbers into different parts of an array so that the numbers can be easily displayed by my display function.

Yep I posted the fix...

The new firmware has an extra | at the end of the data sets (no idea why) which you need to lop off to avoid an invalid double. See your other thread.
--
My place : »www.schettino.us


DarkLogix
Texan and Proud
Premium
join:2008-10-23
Baytown, TX
kudos:3

Thanks that worked



DarkLogix
Texan and Proud
Premium
join:2008-10-23
Baytown, TX
kudos:3

Well, I forgot to do a speed test before, but per PRTG my ping time to Level 3 and to Hurricane Electric has improved

well, the average hasn't, but the max has.


Nalez

join:2011-01-14
reply to JohnInSJ

Yep, I had that too, but for me it was LAN1 that went dead (which was the port I was using). Moving to LAN4, I could access the stupid router again.


Nalez

join:2011-01-14

Well, I found kind of a work-around to Comcast's stupidity, to at least get this ARP traffic off of my network.

First I determined the MAC address that the packets are coming from via Wireshark, then I applied the below access list to the switch port that my cable router is connected to:
mac access-list extended drop_comcast_arp
deny host 001b.d5ff.0ae2 any 0x806 0x0
permit any any

interface GigabitEthernet0/22
description cable-gw
mac access-group drop_comcast_arp in
end
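JohnInSJ's tcpdump experiment and Nalez's MAC-ACL workaround both rest on the same check: ARP requests showing up on the LAN side whose sender address is outside the local prefix. The script below is an added example, not code from the thread; it parses constructed `tcpdump -e -n arp` output (the 73.70.118.1 gateway and the 00:1b:d5:ff:0a:e2 MAC are taken from the posts above, the 192.0.2.0/29 local prefix and the timestamps are made up) and reports which source MAC is leaking foreign ARP onto the LAN, which is the value needed to write the access list.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of "tcpdump -e -n arp" output taken on a LAN-facing
# interface. 73.70.118.1 is the Comcast gateway from JohnInSJ's capture and
# 00:1b:d5:ff:0a:e2 is the MAC Nalez blocked; timestamps, the 192.0.2.0/29
# LAN and the remaining MACs are made up for the example.
SAMPLE_CAPTURE = """\
10:58:21.000100 00:1b:d5:ff:0a:e2 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 73.70.119.169 tell 73.70.118.1, length 46
10:58:21.000200 00:1b:d5:ff:0a:e2 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 73.70.119.201 tell 73.70.118.1, length 46
10:58:21.000300 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.0.2.2 tell 192.0.2.1, length 46
10:58:21.000400 00:11:22:33:44:66 > 00:11:22:33:44:55, ethertype ARP (0x0806), length 42: Reply 192.0.2.2 is-at 00:11:22:33:44:66, length 28
10:58:21.000500 00:1b:d5:ff:0a:e2 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 73.70.118.77 tell 73.70.118.1, length 46
"""

# One ARP request line as tcpdump -e prints it (link-layer header included).
ARP_REQUEST = re.compile(
    r"^(?P<ts>\S+) (?P<src_mac>[0-9a-f:]{17}) > (?P<dst_mac>[0-9a-f:]{17}), "
    r"ethertype ARP \(0x0806\), length \d+: Request who-has (?P<target>\S+) "
    r"tell (?P<sender>\S+), length \d+$"
)


def parse_arp_requests(capture):
    """Yield (src_mac, sender_ip, target_ip) for every ARP request line.
    ARP replies and lines that do not parse are skipped."""
    for line in capture.splitlines():
        m = ARP_REQUEST.match(line.strip())
        if m:
            yield m["src_mac"], m["sender"], m["target"]


def foreign_arp_report(capture, local_prefix):
    """Count ARP requests whose sender IP is outside local_prefix, keyed by
    (source MAC, sender IP). On a routed LAN there should be none; a non-empty
    result means the upstream gateway is forwarding its ARP onto the LAN."""
    net = ipaddress.ip_network(local_prefix)
    foreign = Counter()
    for src_mac, sender, _target in parse_arp_requests(capture):
        if ipaddress.ip_address(sender) not in net:
            foreign[(src_mac, sender)] += 1
    return foreign


def main():
    report = foreign_arp_report(SAMPLE_CAPTURE, "192.0.2.0/29")
    for (mac, ip), count in report.most_common():
        print(f"{count} foreign ARP request(s) from {mac} (sender {ip})")


if __name__ == "__main__":
    main()
```

Feed it real `tcpdump -e -n -i <lan_if> arp` output with your own prefix; the MAC it reports is the one a filter like the access list above needs to match.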



NetFixer
Snarl For The Camera Please
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage

Early this morning I discovered another problem with the new 3.1.4.51.1 firmware; you can't create static IP firewall rules.

My rules that were already in place before the 3.1.4.51.1 firmware was installed originally seemed to be working with no problems. But this morning I needed to edit one of those rules, and as soon as I applied the change all of the rules disappeared, and my servers were no longer visible (I was using the "Block all ports and allow exceptions below" rule set). I was unable to create any new block or allow rules.

The only way to get my servers back on-line was to either select the "Open all ports but block exceptions below", or check the "Disable all rules and allow all inbound traffic through" option.

Comcast support was not able to get the rules to work either (even using the MSO credentials and the telnet CLI). Oh well, I have all of the rules duplicated in the server firewalls anyway, but it was nice to have an extra layer of protection before the traffic could even reach the servers. I have a ticket open with Comcast support, but I suspect that this will not be fixed (at least not anytime soon).
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.



NetFixer
Snarl For The Camera Please
Premium
join:2004-06-24
The Boro
Reviews:
·Cingular Wireless
·Comcast Business..
·Vonage
reply to NetFixer

said by NetFixer:

Perhaps the new SMCD3G firmware expects that the SMC LAN port 1 will always have an active connection, and if it doesn't find one, it doesn't bother to enable any other switch ports? Later this evening I plan to check to see if the USB port has perhaps been activated with the new firmware. I will move my SamKnows box to port 4 on the SMC at that time to see if it works immediately after an SMC reboot.

1. I tested rebooting with my SamKnows box on port 4, and I did not see a problem. This appears to be an intermittent symptom (or possibly one that only appeared after the first reboot when the new firmware was installed).

2. The USB active LED now illuminates if either a USB flash drive or a USB printer is connected (a new behavior), but I could see nothing in the SMC menu to indicate an attached USB device, nor any additional active TCP ports to indicate that either USB storage or printing is supported.
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.

veryfunny7

join:2011-07-04
Detroit, MI

Regarding the locked DNS settings, though the modem is showing that it's set to use the Comcast DNSSEC servers, in my case, it seems that manually inputted DNS servers *are* being forwarded to DHCP devices on my network.