dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
4684
share rss forum feed

scottj

join:2012-08-16
Wilmington, DE

Verizon Router Multicasting To My Home Network

All-

I am experiencing a verizon router l100.­phlapa-vfttp-83.­verizon-gni.­net IP address 98.114.203.1 attempting to connect to my home network. The firewall logs show this device attempting to connect on 224.0.0.1 every 2 minutes. Contacting the Verizon help desk did not yeild positive results. There was no help emailing verizon abuse. Multicast is completely blocked on my system both WAN/LAN. At this point I think I may be out of options. This is very unusual, I am getting about 500 plus hits from this device per day. Hopefully someon can provide some direction.....Jim


nycdave
Premium,MVM
join:1999-11-16
Melville, NY
kudos:17
If you have FiOS TV, your router is pulling down multicast IMG guide data for the STB's - which is normal in your VHO.

What is the issue you are having?

Shady Bimmer
Premium
join:2001-12-03
Northport, NY
Reviews:
·Verizon FiOS
reply to scottj
A few questions.

Where are you seeing these attempts? IE: where is the firewall that is reporting these? Is it at your external-facing router or firewall, or is it on a host internal to your lan using a private network?

What type of "connect"ions are these? IE: what type of IGMP message?

Do you have any hosts that join a multicast group with a publisher outside of your LAN?

How/where (specifically) do you have multicast blocked?

224.0.0.1 is the all-hosts address, used for IGMP group membership queries, among others. If these are being seen on the external (ISP-facing) interface that would be entirely normal, especially if you have anything internal that subscribes to an external multicast group.

scottj

join:2012-08-16
Wilmington, DE
reply to nycdave
I was to understand that the boxes do not use multicast. They work correctly with multicast blocked. Multicast is used on the DVR to do remote access. I don't have any DVR 's here, I have QIP 7100 P2 boxes. Jim

scottj

join:2012-08-16
Wilmington, DE
reply to nycdave
I missed one point. The verizon router is hammering my firewall greater than 500 times per day. This started happenning about 1.5 weeks ago. Happens every 2 minutes.... Jim

scottj

join:2012-08-16
Wilmington, DE
reply to Shady Bimmer
Shady,

I am seeing the attempts on the external facing router WAN(eth0). There are no devices using multicast internally. Unsubscribed in bound trasffic is blocked by default. The packet filter blacks all multicast traffic LAN/WAN. This started about 1.5 weeks ago, previously I have never seen this type of activity. This action is unrequested as I have no LAN hosts that join a multicast group. The windows 7 PC has LLMR disabled to prevent multicast activity. In addition to the packet filter blocking IGMP traffic there should not be any IGMP traffic. Below are two lines from the log. Jim

2012:08:16-18:35:18 OASIS ulogd[4320]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="0:90:1a:a1:41:27" dstmac="0:24:7e:0:c1:82" srcip="98.114.203.1" dstip="224.0.0.1" proto="2" length="36" tos="0x00" prec="0xc0" ttl="1"
2012:08:16-18:37:23 OASIS ulogd[4320]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="0:90:1a:a1:41:27" dstmac="0:24:7e:0:c1:82" srcip="98.114.203.1" dstip="224.0.0.1" proto="2" length="36" tos="0x00" prec="0xc0" ttl="1"

Shady Bimmer
Premium
join:2001-12-03
Northport, NY
Reviews:
·Verizon FiOS

1 edit
If you see these on your ISP-facing (external) interface then this would not be unexpected. IP proto "2" is IGMP, which would be expected given the destination IP.

500 hits per day would certainly not be considered "hammering", and seeing these every two minutes would also not be unexpected for IGMP group membership queries. It really is an inconsequential amount of traffic. If it is a concern over filling logs, perhaps there is a way to filter these or to not log these at all?

If you can identify when these started, perhaps you can identify if anything else changed around that time.

Edit: If these messages continue endlessly, you may want to verify that your firewall itself is not sending IGMP traffic outbound, and that it is properly blocking all of this traffic from the inside.

scottj

join:2012-08-16
Wilmington, DE
Shady,

Thanks for following up. These hits are on the ISP facing WAN(external) interface. The only change that was made around the time this started was the DNS forwarders we changed to Open DNS. They were later changed back after this behavior began. The logging is not the issue. The change of behavior is. What I am seeing is very unusual. I will verify the device is not sending any IGMP traffic as this is continuing endlessly. Thanks for your help! Jim


nycdave
Premium,MVM
join:1999-11-16
Melville, NY
kudos:17
reply to scottj
said by scottj:

I was to understand that the boxes do not use multicast. They work correctly with multicast blocked. Multicast is used on the DVR to do remote access. I don't have any DVR 's here, I have QIP 7100 P2 boxes. Jim

No, once IMG Multicast is enabled in a VHO, all the STB's will use it, not just the DVR's.

scottj

join:2012-08-16
Wilmington, DE
Nycdave,

Thanks, your statement indicates verizon is making changes on the back end. This would account for the behavior change I am seeing at my firewall. Do you know why this would be needed for the cable boxes?

Regards,
Jim


nycdave
Premium,MVM
join:1999-11-16
Melville, NY
kudos:17
Unicast IMG guide data is inefficient when millions of boxes request guide data when they boot up, and it really taxes the network. Multicast helps to offload this network drain for IMG guide data.

kes601

join:2007-04-14
Virginia Beach, VA
kudos:2

1 edit
reply to scottj
So, this update apparently got pushed out to my router in VHO9a at some point and it broke the ability for my iTunes to see my old Airport Express base stations (I stream music to them). I had to go in and turn off the IGMP Proxy and now all works.

Edit: Also discovered it prevented all Bonjour traffic on my network.