
AUser
@qrs1.com

AUser

Anon

Hitting 10.60.70.x - why?

In troubleshooting a system running on a 10.60.70.x network I noticed devices showing pingable that I did not connect. Doing a quick scan of the 10.60.70.x network and looking at the hosts showing port 80 open all seem to be Motorola surfboard cable modems in the NYC area. Why could this be? I thought the whole 10.x.x.x subnet wasn't supposed to be publicly accessible.

djrobx
Premium Member
join:2000-05-31
Reno, NV

djrobx

Premium Member

That's very normal. The modem IPs aren't publicly accessible, they're "private" to TWC's network. In some cases you can even see those IPs on traceroutes.

You can still use 10.x.x.x for your own purposes; under normal circumstances you shouldn't ever need to direct traffic at the internal IP of your modem.
harald
join:2010-10-22
Columbus, OH

harald to AUser

Member

to AUser
The 10.x.x.x subnet is not to be routable. It is accessible if your IP is part of the 10. subnet.

DocDrew
How can I help?
Premium Member
join:2009-01-28
SoCal
Ubee E31U2V1
Technicolor TC4400
Linksys EA6900

DocDrew

Premium Member

said by harald:

The 10.x.x.x subnet is not to be routable.

All IPs are routable to a degree, just not all of them past the edge of an organization's network.

In this case TWC is using 10.60.70.x within their network. The cable modem is part of their network, so it will pass the IP. You won't be able to get to that IP if it's on any other network though.

Most home routers (and combo router/modems) aren't configured to block RFC1918 addresses from leaving their private network like they should, like commercial networks have to. Home routers really shouldn't allow that sort of traffic to pass their WAN ports.
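
As an added example (not part of the thread or any poster's code): one way to check whether a home router is letting RFC1918 destinations out of its WAN port is to audit its forwarded-flow records. The flow tuples, the interface names `wan0`/`lan0`, the allowed modem address and the function name are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# RFC 1918 private ranges that a home router should not forward out its WAN port.
RFC1918 = tuple(
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
)


def rfc1918_wan_leaks(flows, wan_if, allow=()):
    """Group flows leaving wan_if toward RFC 1918 destinations by destination /24.

    flows: iterable of (src, dst, out_interface) tuples (hypothetical log format).
    allow: destinations deliberately permitted, e.g. your own modem's address.
    Returns {destination /24: sorted list of LAN sources that reached it}.
    """
    allowed = {ipaddress.ip_address(a) for a in allow}
    leaks = defaultdict(set)
    for src, dst, out_if in flows:
        ip = ipaddress.ip_address(dst)
        if out_if != wan_if or ip in allowed:
            continue
        # IPv6 destinations never match an IPv4 network, so they are skipped.
        if any(ip in net for net in RFC1918):
            block = ipaddress.ip_network(f"{ip}/24", strict=False)
            leaks[str(block)].add(src)
    return {block: sorted(srcs) for block, srcs in leaks.items()}


# Constructed sample flows; none of these records come from the thread.
SAMPLE_FLOWS = [
    ("192.168.1.20", "10.60.70.15", "wan0"),
    ("192.168.1.20", "10.60.70.200", "wan0"),
    ("192.168.1.31", "10.60.70.15", "wan0"),
    ("192.168.1.20", "192.168.100.1", "wan0"),  # assumed own-modem address
    ("192.168.1.20", "203.0.113.10", "wan0"),   # public (documentation range)
    ("192.168.1.20", "192.168.1.1", "lan0"),    # stays on the LAN
    ("192.168.1.31", "172.16.5.9", "wan0"),
]

if __name__ == "__main__":
    report = rfc1918_wan_leaks(SAMPLE_FLOWS, "wan0", allow=("192.168.100.1",))
    for block, sources in report.items():
        print(f"{block} reached via WAN from {', '.join(sources)}")
```

Any /24 that shows up in the report is a private range the router forwarded upstream and is a candidate for a WAN-side drop rule.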

swintec
Premium Member
join:2003-12-19
Alfred, ME

swintec to AUser

Premium Member

to AUser
I used to see those as well and if they were Moto units I could bring up the diagnostic pages and even reboot the modem. Not sure why that was ever allowed to happen. Not sure if this still works though.
cramer
Premium Member
join:2007-04-10
Raleigh, NC
Westell 6100
Cisco PIX 501

cramer to AUser

Premium Member

to AUser
That would be the HFC (network) side of the cablemodem. You aren't supposed to be able to talk to those, but people do make mistakes. Around here, the modems are in 10.118.192.0/19.

(if you watch the broadcast traffic from your modem (not combo-router), you can see the DHCP answers for everything.)

ds5v50
join:2003-01-22
Fremont, OH

ds5v50 to swintec

Member

to swintec
They have finally fixed that in my area, Western Ohio.

hawk82
join:2001-04-26
centralmaine

hawk82

Member

said by ds5v50:

They have finally fixed that in my area, Western Ohio.

Same here. You can still access your modem's diag page from the HFC IP but not any other modem or other TWC device on the same subnet. 2600 mag had an article about this very issue a few years ago. Maybe that prompted them to apply appropriate filters to the HFC or eth side of the modem.

cypherstream
MVM
join:2004-12-02
Reading, PA
·PenTeleData
ARRIS SB8200

cypherstream to AUser

MVM

to AUser
Yeah, I remember years ago, before ACLs were put on that portion of the network, you could access a lot of that stuff customer side, including the DOCSIS TFTP server.

Now most areas have ACLs (Access Control Lists) in place that prevent that kind of traffic routing. It closes up a big security hole too: doing TFTP transfers of the config file, altering it and TFTPing it (or JTAGing it) back to the modem.
cramer
Premium Member
join:2007-04-10
Raleigh, NC

cramer

Premium Member

(and the modems have been "fixed" as well... they cannot be tricked into loading anything from the ethernet side anymore)

cypherstream
MVM
join:2004-12-02
Reading, PA

cypherstream

MVM

Cool. We're going on 13 years now since I last tried that (with great success).
cramer
Premium Member
join:2007-04-10
Raleigh, NC

cramer

Premium Member

Back then they also had firmware without the -NOSH (you could do a lot with a shell)