jotapero
join:2013-08-19
Huntley, IL

Member

[Connectivity] Flooded with Non-Standard Packets

I noticed my internet connection has dropped to 10% capacity yesterday after working fine for 9 months. I have a linux machine acting as my router so I ran tcpdump and I'm being flooded with weird packets.

The MAC addresses involved aren't valid/registered.

I didn't see any obvious problems in the modem log (SB6121). So is this broken Comcast routing infrastructure?

08:22:26.076942 IP x.x.x.x.41435 > y.y.y.y.80: Flags [.], ack 188240, win 1109, options [nop,nop,TS val 550649051 ecr 2144839052], length 0
08:22:26.077069 IP y.y.y.y.80 > x.x.x.x.41435: Flags [.], seq 191136:192584, ack 1, win 122, options [nop,nop,TS val 2144839052 ecr 550649043], length 1448
08:22:26.077071 98:29:4f:db:00:01 > ea:05:15:fa:00:e0, ethertype Unknown (0x5c33), length 1518: 
08:22:26.077150 IP x.x.x.x.41435 > y.y.y.y.80: Flags [.], ack 191136, win 1109, options [nop,nop,TS val 550649051 ecr 2144839052], length 0
08:22:26.077437 IP y.y.y.y.61076 > x.x.x.x.22: Flags [.], ack 109672, win 408, options [nop,nop,TS val 208760027 ecr 107862672], length 0
08:22:26.077438 98:29:4f:db:00:01 > 42:00:bd:ff:00:e0, ethertype Unknown (0x5c33), length 70: 
0x0000:  6b81 0800 4520 0034 c228 4000 3306 cf7b  k...E..4.(@.3..{
0x0010:  4a07 a8ba 3281 90bd ee94 0016 349b 429a  J...2.......4.B.
0x0020:  762b ee00 8010 0198 9ace 0000 0101 080a  v+..............
0x0030:  0c71 6cdb 066d da90                      .ql..m..
 
 

cp
Premium Member
join:2004-05-14
Wheaton, IL

The ports being used in the IP packets would make me a bit nervous. Are you sure you don't have a compromised device on your network?

jotapero
join:2013-08-19
Huntley, IL

Member

said by cp:

The ports being used in the IP packets would make me a bit nervous. Are you sure you don't have a compromised device on your network?

No compromised hosts. That is normal HTTP/SSH traffic from another one of my Linux machines.

If I unplug the modem, the packets stop so I doubt it is something being generated internally.

jotapero

Member

Update:

DOCSIS packets are 1518 bytes. So either my modem is corrupting the packets and then passing them on to my Linux router or they are coming in corrupt.

I contacted online support and they sort of followed what I was saying. They were able to reset my modem but they don't seem to have the ability to do any sort of analysis. I am still being flooded with corrupted/untranslated packets but now they're mostly 70/118 bytes instead of 1518 so now I can at least use most of my connection capacity.

11:29:34.653766 98:29:4f:db:00:01 > 42:00:bd:ff:00:e0, ethertype Unknown (0x5c33), length 70: 
        0x0000:  6b81 0800 4520 0034 133a 4000 3306 7e6a  k...E..4.:@.3.~j
        0x0010:  4a07 a8ba 3281 90bd ee94 0016 349b dc7a  J...2.......4..z
        0x0020:  7722 3868 8010 0374 0861 0000 0101 080a  w"8h...t.a......
        0x0030:  0c9c 4251 0698 b017                      ..BQ....
11:29:34.654638 98:29:4f:db:00:01 > 72:00:8d:ff:00:e0, ethertype Unknown (0x5c33), length 118: 
        0x0000:  6b81 0800 4520 0064 133b 4000 3306 7e39  k...E..d.;@.3.~9
        0x0010:  4a07 a8ba 3281 90bd ee94 0016 349b dc7a  J...2.......4..z
        0x0020:  7722 3868 8018 0374 b280 0000 0101 080a  w"8h...t........
        0x0030:  0c9c 4251 0698 b017 46f1 cdc2 137e b856  ..BQ....F....~.V
        0x0040:  a2e1 861c 8405 0cac 5292 b788 f9de 935b  ........R......[
        0x0050:  a80d b22d c98d 8907 b240 7241 c2a4 6737  ...-.....@rA..g7
        0x0060:  c067 36c0 5fdc d1e6                      .g6._...
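
Added example, not part of the original thread: a Python triage check for frames that tcpdump labels "ethertype Unknown", testing whether the dumped bytes contain an 0x0800 EtherType followed by an IPv4 header whose checksum verifies, i.e. an ordinary IP packet sitting at a shifted offset. The input is the hex of the 70-byte frame from the update above; the function names are assumptions of this example.

```python
import re
import struct

# Added example; function names are this example's own, not from the thread.
# Hex copied from the 70-byte frame in the update above: what tcpdump printed
# after the 14 bytes it consumed as the Ethernet header.
DUMP = """
        0x0000:  6b81 0800 4520 0034 133a 4000 3306 7e6a  k...E..4.:@.3.~j
        0x0010:  4a07 a8ba 3281 90bd ee94 0016 349b dc7a  J...2.......4..z
        0x0020:  7722 3868 8010 0374 0861 0000 0101 080a  w"8h...t.a......
        0x0030:  0c9c 4251 0698 b017                      ..BQ....
"""

def dump_to_bytes(dump):
    """Rebuild raw bytes from tcpdump -x/-X lines, ignoring the ASCII column."""
    out = bytearray()
    for line in dump.splitlines():
        m = re.match(r"\s*0x[0-9a-f]{4}:\s+((?:[0-9a-f]{2,4} ?)+)", line)
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)

def ipv4_checksum_ok(hdr):
    """One's-complement sum over the header, checksum included, must be 0xffff."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xffff) + (total >> 16)
    return total == 0xffff

def find_embedded_ipv4(payload):
    """Return details of the first checksum-valid IPv4 header that directly
    follows an 0x0800 EtherType inside payload, or None if there is none."""
    for off in range(2, len(payload) - 20 + 1):
        if payload[off - 2:off] != b"\x08\x00" or payload[off] >> 4 != 4:
            continue
        ihl = (payload[off] & 0x0f) * 4
        hdr = payload[off:off + ihl]
        if ihl < 20 or len(hdr) < ihl or not ipv4_checksum_ok(hdr):
            continue
        total_len, proto = struct.unpack("!H", hdr[2:4])[0], hdr[9]
        info = {"ip_offset": off, "total_len": total_len, "proto": proto,
                "fills_rest": off + total_len == len(payload)}
        if proto in (6, 17) and len(payload) >= off + ihl + 4:
            info["sport"], info["dport"] = struct.unpack("!HH", payload[off + ihl:off + ihl + 4])
        return info
    return None

if __name__ == "__main__":
    print(find_embedded_ipv4(dump_to_bytes(DUMP)))
```

On this frame it reports a checksum-valid IPv4/TCP header 4 bytes into the dump that accounts for the rest of the frame, with ports 61076 > 22, the same flow as the SSH line in the first capture.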