Forums » Equipment Support » Hardware By Brand » Belkin » Comcast DoS Attack - Belkin firewall log-help pls!
jonazen
Be Like Water My Friend
Premium
join:2004-02-18
Princeton Junction, NJ
·T-Mobile VoIP

 Comcast DoS Attack - Belkin firewall log-help pls!

I posted the bulk of this in the Comcast forum - but so far nobody has commented. Since I've NEVER seen this kind of firewall log message before, and I've just switched to a Belkin router (F5D8230-4), maybe it's the firewall - maybe it's more sensitive to traffic like this than my DLink di-624 was??? That's why I'm reposting in this forum. Also: I've seen some network-savvy people here, and hoping that *someone* will have some constructive thoughts about this.

I've been seeing symptoms of what appears to be a Denial of Service attack in my router's firewall.

One address, which SHOULD be non-routable, shows as 10.125.72.1, and has been hitting my IP an average of 4 to 5 times a second for over a week.

The other address, 68.38.224.1, resolves to a Comcast "head end" router - cdnt01-a-rtr.ewndsr01.nj.comcast.net

My firewall log looks like this:

Tue Nov 23 13:52:55 2004 1 Blocked by DoS protection 68.38.224.1
Tue Nov 23 13:52:55 2004 1 Blocked by DoS protection 10.125.72.1
Tue Nov 23 13:52:55 2004 1 Blocked by DoS protection 10.125.72.1
Tue Nov 23 13:52:55 2004 1 Blocked by DoS protection 10.125.72.1
Tue Nov 23 13:52:56 2004 1 Blocked by DoS protection 68.38.224.1
Tue Nov 23 13:52:56 2004 1 Blocked by DoS protection 68.38.224.1
Tue Nov 23 13:52:56 2004 1 Blocked by DoS protection 68.38.224.1
Tue Nov 23 13:53:00 2004 1 Blocked by DoS protection 10.125.72.1
Tue Nov 23 13:53:00 2004 1 Blocked by DoS protection 10.125.72.1
Tue Nov 23 13:53:01 2004 1 Blocked by DoS protection 192.168.100.1
Tue Nov 23 13:53:08 2004 1 Blocked by DoS protection 10.125.72.1
Tue Nov 23 13:53:08 2004 1 Blocked by DoS protection 68.38.224.1
Tue Nov 23 13:53:08 2004 1 Blocked by DoS protection 68.38.224.1
Tue Nov 23 13:53:09 2004 1 Blocked by DoS protection 68.38.224.1
Tue Nov 23 13:53:10 2004 1 Blocked by DoS protection 10.125.72.1
Tue Nov 23 13:53:10 2004 1 Blocked by DoS protection 10.125.72.1

If I run a tracert to either of these addresses, it appears that they're only 2 hops away (just down the street from me???):

Tracing route to 10.125.72.1 over a maximum of 30 hops

1 <1 ms <1 ms <1 ms 192.168.2.1
2 9 ms 13 ms 9 ms 10.125.72.1

Trace complete.

...and

Tracing route to cdnt01-a-rtr.ewndsr01.nj.comcast.net [68.38.224.1]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms 192.168.2.1
2 8 ms 8 ms 8 ms cdnt01-a-rtr.ewndsr01.nj.comcast.net [68.38.224.1]

Trace complete.

I wrote to "abuse@comcast.net" several times over the last week. So far, nothing but automated replies.

I called customer support twice over three days. They opened two tickets, but admitted that they would have to refer the problem to somebody else, because they had no idea what to do.

I finally did some digging, and found the name and phone number of the head of network abuse. I caught him on the phone this morning and relayed the whole story. He seemed concerned, and immediately noted the address that appeared to be a head end router, and suspected that the router itself might be infected. He asked if I would be home to take a call directly from a tech he would put on it immediately.

Within half an hour, I received a phone call, and was given a direct email address to send the details to. I did so, and an hour later, he called me back to tell me not to worry - "it's all perfectly normal".

He claimed the head end router would be sending info to me every time I did anything that reached out to the Internet. Well...my log doesn't stop filling up - even when my entire LAN is quiet for hours at a time.

He also told me that the 10.125.71.1 address is "one of their routers" also, and not to worry. Huh? Comcast is broadcasting non-routable addresses to customer IP's?

??? Does this make ANY sense ???

I've NEVER seen anything like this before, in the several years that I've had Comcast as a cable internet provider. All happened in just the last week.

Any ideas? If I need to escalate this, I will. Just looking for some ideas and input.

--

Jon
Jonathan Strong
The Strong Group, Inc.

tquade

join:2000-10-14
Regina, SK
You might want to consider taking this up with Belkin also.

Ted Quade


jonazen
Be Like Water My Friend
Premium
join:2004-02-18
Princeton Junction, NJ
·T-Mobile VoIP

Re: Comcast DoS Attack - Belkin firewall log-help

Thanks Ted - I'll certainly check with them as well - maybe tomorrow (tired now!). Good idea.

I guess the issue here is: if Comcast is being honest with me (or simply correct), then this has probably been going on for years, and it's just my Belkin firewall that treats this as a DoS attack.

BUT: having the bulk of it come from a non-routable address -- and having the Comcast tech tell me that it's NORMAL for Comcast to use an IP, on their customer network, that's in the non-routable range defined by IANA, is pretty weird. It's also incredibly weird that this would come to me 4 to 5 times a second - around the clock -- for over a week now...
--

Jon
Jonathan Strong
The Strong Group, Inc.

jpg366

join:2004-04-09
Humble, TX
·RoadRunner Cable
·Mediacom
·AT&T Southeast

reply to jonazen
Is that 10.x.x.x address your cable modem? That would be the next hop from your router. Did you clone your prior router's mac address to the belkin router? Is your cable modem trying to provide DHCP service to your network? Have you disabled ping replies on your router? Your cable modem might need it.

Any such problems with your dlink? Did you configure the belkin the same way? Can you change back for a brief test?


jonazen
Be Like Water My Friend
Premium
join:2004-02-18
Princeton Junction, NJ
·T-Mobile VoIP

said by jpg366:

Is that 10.x.x.x address your cable modem? That would be the next hop from your router. Did you clone your prior router's mac address to the belkin router? Is your cable modem trying to provide DHCP service to your network? Have you disabled ping replies on your router? Your cable modem might need it.

Any such problems with your dlink? Did you configure the belkin the same way? Can you change back for a brief test?
The 10.x.x.x address is NOT the same one as my cable modem's HFC address (although that is another 10.x.x.x address).

I tried using the default router MAC address for a week, and then cloned my pc's MAC to the router. No difference. From what I've read, Comcast looks at the Cable Modem's MAC address for authentication - doesn't care about the pc or router MAC.

I have ping replies disabled right now -- as I did with the DLink router for close to a year.

I might be able to dig out the di-624 again - that's a possibility...might be a good way to narrow down the possibilities here. Since I NEVER saw this kind of error logging in the di-624 -- if I pop it back in, and the errors now show in the di-624, I'll know for a fact that this is something new...
--

Jon
Jonathan Strong
The Strong Group, Inc.

hwa9

join:2004-07-19

I've seen the 10.x.x.x range before, when I do a tracert to somewhere the second hop is 10.x.x.x. I'm not surprised to see it, a lot of large companies use private ranges to (a) have some form of security and (b) save on IP addresses.

And especially on cable networks there's a lot of scanning going on because they know they'll find unprotected machines. And maybe a little address spoofing...

So personally I'm not alarmed (or surprised) to see this going on.

BTW I'm on Comcast too.


jonazen
Be Like Water My Friend
Premium
join:2004-02-18
Princeton Junction, NJ
·T-Mobile VoIP

Thanks hwa...

I've had a number of comments in the last few hours about this. The consensus seems to be coming together along the lines of what you posted:

1) the 10.x.x.x range is apparently used by the cable companies to handle the routers between their "head end" routers and customers. The devices in these subnets apparently don't need published domain names. Security is improved, as each of these subnets becomes something of a private cell that people can't reach from outside it, and as you noted, it also lets the cable companies save routable IP addresses.

2) the volume of hits I'm seeing: 5 a second from one router, and a short 5-ping burst once a minute from another, are apparently normal router traffic (e.g., ARP broadcast, port scans, etc.).

3) the fact that the Belkin firewall sees this as an attack is apparently just the firewall being a bit overzealous in blocking outside traffic. I did some searching, and saw others complaining about earlier Belkin models doing the exact same thing - filling up the logs with normal WAN / ISP traffic when there was no problem.

So - conclusion seems to be that there is no problem from the outside. If I can live with the fact that my logs fill and flush any meaningful entry every few minutes (which means I couldn't trace a REAL attack unless I happened to catch it when it happened and save the log really quickly), then everything is working just fine.

Thanks again...
--

Jon
Jonathan Strong
The Strong Group, Inc.
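The two practical points in this thread are (a) telling an upstream gateway's normal chatter apart from a real flood, and (b) keeping the Belkin log from flushing anything useful. The script below is an added example written for this page, not code from the thread, from Belkin or from Comcast. It parses lines in the exact shape the original post quoted ("Tue Nov 23 13:52:55 2004 1 Blocked by DoS protection <ip>"), groups blocked events by source, labels each source as private (RFC 1918) or public, estimates the hit rate, flags only sustained high-rate sources, and filters out addresses you have already identified as your next hops (the ones tracert shows two hops away) so what remains is worth reading. The sample log, the regex, and the flood thresholds are my own assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the Belkin F5D8230-4 log format quoted in the thread.
# These lines are made up for this example (same shape, fewer entries).
SAMPLE_LOG = """\
Tue Nov 23 13:52:55 2004 1 Blocked by DoS protection 68.38.224.1
Tue Nov 23 13:52:55 2004 1 Blocked by DoS protection 10.125.72.1
Tue Nov 23 13:52:55 2004 1 Blocked by DoS protection 10.125.72.1
Tue Nov 23 13:52:56 2004 1 Blocked by DoS protection 68.38.224.1
Tue Nov 23 13:53:00 2004 1 Blocked by DoS protection 10.125.72.1
Tue Nov 23 13:53:01 2004 1 Blocked by DoS protection 192.168.100.1
Tue Nov 23 13:53:08 2004 1 Blocked by DoS protection 10.125.72.1
Tue Nov 23 13:53:10 2004 1 Blocked by DoS protection 10.125.72.1
"""

# Regex assumed from the quoted lines: timestamp, a numeric field, the message
# text, and the source address. Anything that does not match is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<num>\d+) (?P<msg>.+?) (?P<src>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_line(line):
    """Return (timestamp, message, ip_address) or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return ts, m.group("msg"), ipaddress.ip_address(m.group("src"))


def scope_of(addr):
    """RFC 1918 / non-routable space vs. public space."""
    return "private" if addr.is_private else "public"


def summarize(log_text):
    """Per-source count, observed hit rate and address scope."""
    by_src = defaultdict(list)
    for parsed in map(parse_line, log_text.splitlines()):
        if parsed is None:
            continue
        ts, _msg, src = parsed
        by_src[src].append(ts)

    report = {}
    for src, stamps in by_src.items():
        stamps.sort()
        span = (stamps[-1] - stamps[0]).total_seconds()
        # A single hit has no measurable rate; report None rather than a guess.
        rate = round(len(stamps) / span, 2) if span > 0 else None
        report[str(src)] = {
            "count": len(stamps),
            "rate_per_sec": rate,
            "scope": scope_of(src),
        }
    return report


def suspicious_sources(report, min_count=100, min_rate=3.0):
    """Sources that look like a sustained flood rather than gateway chatter.

    Thresholds are illustrative assumptions, not Belkin's. The thread's
    figure of 4-5 hits/second from one address for a week would trip this;
    a handful of hits from a next-hop gateway would not.
    """
    return sorted(
        src for src, e in report.items()
        if e["count"] >= min_count and (e["rate_per_sec"] or 0) >= min_rate
    )


def without_expected(log_text, expected_sources):
    """Drop events from sources already identified as upstream equipment
    (e.g. the next hops seen in tracert), so whatever remains is worth a look
    and the log is not flushed by known noise."""
    expected = {ipaddress.ip_address(s) for s in expected_sources}
    kept = []
    for parsed in map(parse_line, log_text.splitlines()):
        if parsed is None:
            continue
        ts, msg, src = parsed
        if src not in expected:
            kept.append((ts.isoformat(), msg, str(src)))
    return kept


if __name__ == "__main__":
    rep = summarize(SAMPLE_LOG)
    for src, e in rep.items():
        print(f"{src:16} {e['scope']:8} count={e['count']} rate/s={e['rate_per_sec']}")
    print("suspicious:", suspicious_sources(rep))
    print("left after suppressing known next hops:",
          without_expected(SAMPLE_LOG, ["10.125.72.1", "68.38.224.1"]))
```

Feed it a log you saved from the router's admin page (or one captured repeatedly by a small script, since the Belkin overwrites it) and the two addresses from your tracert as `expected_sources`. A private next hop that is two hops away and that appears in both the log and the trace is the ISP's own gateway, which is exactly the case the thread settled on; the point of `suspicious_sources` is that such a gateway will not be flagged on volume alone unless its rate is also sustained, and the point of `without_expected` is that once known hops are suppressed, the few lines that survive are the ones you would actually want to keep for a real incident.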
Monday, 23-Nov 15:34:58 | © 1999-2009 dslreports.com.