Nalez (Member, join:2011-01-14)

Re: [Business] ARP Packets from Comcast are Flooding My LOCAL Ne

Wow, look at that, I am getting ARP packets as well, with a routed /28 network. This opens up all kinds of security issues, such as ARP poisoning, ARP flooding, and getting detailed information about the networks of other Comcast customers. This also means that my ARP packets may be going out to the greater Comcast network.

What is interesting is that this update is being pushed out to resolve security issues, mainly the password that leaked out as well as the requirement for use with DNSSEC.

Details can be found here:
»forums.smartertools.com/ ··· DRESSES!
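As an added, defender-side illustration of the problem Nalez describes (example code written for this page, not from the thread or from Comcast): it parses tcpdump-style ARP lines against a hypothetical routed /28 (198.51.100.16/28, standing in for the poster's block) and flags ARP from outside that block, request floods from a single sender, and one IP answered by two MACs. The log lines and addresses are constructed.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed tcpdump-style ARP lines (not a real capture); 198.51.100.16/28 is a
# hypothetical local routed block, 192.0.2.0/24 and 203.0.113.0/24 play other customers.
SAMPLE_ARP_LOG = """\
10:58:21.000101 ARP, Request who-has 198.51.100.18 tell 198.51.100.17, length 46
10:58:21.000250 ARP, Request who-has 192.0.2.77 tell 192.0.2.1, length 46
10:58:21.000380 ARP, Request who-has 192.0.2.78 tell 192.0.2.1, length 46
10:58:21.000510 ARP, Request who-has 192.0.2.79 tell 192.0.2.1, length 46
10:58:21.000640 ARP, Reply 198.51.100.18 is-at 00:00:5e:00:53:01, length 46
10:58:21.000770 ARP, Request who-has 203.0.113.9 tell 203.0.113.2, length 46
10:58:21.000900 ARP, Reply 198.51.100.18 is-at 00:00:5e:00:53:02, length 46
"""

ARP_RE = re.compile(
    r"ARP, (?:Request who-has (?P<target>[\d.]+) tell (?P<sender>[\d.]+)"
    r"|Reply (?P<reply_ip>[\d.]+) is-at (?P<mac>[0-9a-f:]+))"
)

def audit_arp(log_text, local_prefix, flood_threshold=3):
    # foreign:   lines whose sender/target IP lies outside local_prefix
    # flooders:  request senders at or above flood_threshold requests
    # conflicts: IPs claimed by more than one MAC in replies (poisoning sign)
    local = ipaddress.ip_network(local_prefix)
    foreign, per_sender, macs_for_ip = [], Counter(), defaultdict(set)
    for line in log_text.splitlines():
        m = ARP_RE.search(line)
        if not m:
            continue
        if m.group("target"):
            sender = ipaddress.ip_address(m.group("sender"))
            target = ipaddress.ip_address(m.group("target"))
            per_sender[str(sender)] += 1
            if sender not in local or target not in local:
                foreign.append(line)
        else:
            ip = ipaddress.ip_address(m.group("reply_ip"))
            macs_for_ip[str(ip)].add(m.group("mac"))
            if ip not in local:
                foreign.append(line)
    return {
        "foreign": foreign,
        "flooders": {ip: n for ip, n in per_sender.items() if n >= flood_threshold},
        "conflicts": {ip: sorted(s) for ip, s in macs_for_ip.items() if len(s) > 1},
    }
```

Running audit_arp(SAMPLE_ARP_LOG, "198.51.100.16/28") on the sample yields four foreign lines, 192.0.2.1 as a flooder, and 198.51.100.18 claimed by two MACs.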

ropeguru (Premium Member, join:2001-01-25, Mechanicsville, VA)

Interesting post you linked to. So essentially, if it is a small business that is sitting behind their own router with no dns server on their network, they need to expose all their equipment to the internet directly because Comcast is FORCING the DNSSEC servers on all business customers which do not work behind NAT.

Additionally, since the DNSSEC would require a real internet address, this sounds like Comcast is pushing this in order to force business customers to have to have more than one IP. This would require the purchase of a block of 5 IP's and generate a large amount of revenue.

Glad I don't use their DNS for anything and run my own. Yes, I know the ramifications of possibly not getting the closest Google, Netflix, Hulu, etc. server.

NetFixer (Premium Member, join:2004-06-24, The Boro), replying to Nalez:

said by Nalez:

Wow, look at that, I am getting ARP packets as well, with a routed /28 network. This opens up all kinds of security issues, such as ARP poisoning, ARP flooding, and getting detailed information about the networks of other Comcast customers. This also means that my ARP packets may be going out to the greater Comcast network.

What is interesting is that this update is being pushed out to resolve security issues, mainly the password that leaked out as well as the requirement for use with DNSSEC.

Details can be found here:
»forums.smartertools.com/ ··· DRESSES!

said by chicagonettech :

As of this month, Comcast is officially rolling out DNSSEC to all of their DOCSIS ROUTERS on their digital circuits for Business Class Customers. This means that a FIRMWARE UPDATE is being pushed to all COMCAST DOCSIS modems and, as part of that process, the DNS SERVERS in those modems are being LOCKED onto 75.75.75.75 and 75.75.76.76, the two COMCAST DNSSEC DNS servers. This means that Business Class end users who have had their DOCSIS modem firmware updated will NOT be able to change the internal DNS of the COMCAST ROUTER to any other DNS SERVER IP address. [The firmware update also installs the ability for IPV6, but it is not yet enabled unless an account is specifically engineered for IPV6.]

Interesting that my SMCD3G with the 3.1.4.51.1 firmware does not seem to be using the 75.75.75.75 and 75.75.76.76 DNS servers:

Gateway Status
Initilization Procedure
Vendor Name SMC Networks
Hardware Version 1A
Serial Number H21039056789
Firmware Version 3.1.4.51.1
Operating Mode RG
System Uptime 001 days 01h:41m:11s
Date May-11-2012
Time 10:58:21

Network
Internet Settings
Gateway MAC Address 00:26:F3:XX:YY:Z1
WAN MAC Address 00:26:F3:XX:YY:Z2
WAN DHCP IP Address 107.3.237.186
WAN DHCP Subnet Mask 255.255.254.0
WAN DHCP Default Gateway 107.3.236.1
WAN Internet IP Address 75.146.8.46
DNS (primary) 68.87.68.162
DNS (secondary) 68.87.74.162
DHCP Time Remaining 70h:54m:08s
Date May-11-2012
Static IP Block 75.146.8.46/29

Local Settings
Gateway IP Address 192.168.10.254
Subnet Mask 255.255.255.0
DHCP Server Enabled
IP Range (start) 192.168.10.20
IP Range (end) 192.168.10.20

FWIW, my local DNS server worked just fine (for both internal and external queries) with Comcast's DNSSEC even before this latest firmware update that now floods my servers with Comcast's ARP traffic.

It is nice to see at least a backdoor acknowledgement that this latest firmware update is related to IPv6 functionality. I wonder if anyone in one of Comcast's IPv6 test areas with this firmware is now seeing IPv6 functionality using this router?

noisefloor (Member, join:2010-05-09)

The CFG file deployed for the D3G in the last year had to be set to 75.75.75.75 for static routing to work right.
Unless you have statics configured I don't see a reason the gateway would have those servers present.

ropeguru (Premium Member, join:2001-01-25, Mechanicsville, VA)

said by noisefloor:

The CFG file deployed for the D3G in the last year had to be set to 75.75.75.75 for static routing to work right.
Unless you have statics configured I don't see a reason the gateway would have those servers present.

Static as in static IPs, or static routes for his IPs?

If static IPs, then he has those:

Static IP Block 75.146.8.46/29

noisefloor (Member, join:2010-05-09)

Oh that's crazy, he's still running the 68.87.x.x servers with his static block. It must be something they are pushing out by market, because when I was with the company last year every D3G (only D3Gs) that was deployed had to be set to 75.x.x.x for the statics to function. I believe we sent a macro that made this change on the back end to everyone's cfg as well. The gateway could still function with a DHCP WAN address, though, with any previous 68.x.x.x DNS.

NetFixer (Premium Member, join:2004-06-24, The Boro), replying to noisefloor:

said by noisefloor:

The CFG file deployed for the D3G in the last year had to be set to 75.75.75.75 for static routing to work right.
Unless you have statics configured I don't see a reason the gateway would have those servers present.

I have no control over that setting. That setting, like many other configurable settings in the SMCD3G-CCR, can only be set by Comcast. The only DNS server setting in the SMCD3G-CCR that the customer can change is the two DNS servers that the SMC's DHCP server assigns to its DHCP clients (that setting does not change the DNS servers that the SMCD3G-CCR uses internally).

FWIW, I do have a /29 static IP block (as is shown in my previous post), but I can't see why that would make any difference. I do know for a fact that I am able to use the 75.75.75.75 and 75.75.76.76 IP addresses because my local DNS server uses those IP addresses for forwarding. And the ICSI Netalyzr test shows that my local DNS is/was DNSSEC compliant whether I forward to the 75.75.75.75 and 75.75.76.76 IP addresses or to the 68.87.68.162 and 68.87.74.162 IP addresses, or to the SMCD3G's IP address (this is both before and after the new 3.1.4.51.1 firmware was loaded).

My previous post was just to point out that the new 3.1.4.51.1 firmware does not automatically assign the 75.75.75.75 and 75.75.76.76 IP addresses, nor are those specific IP addresses required to use Comcast's DNSSEC servers (the 68.87.68.162 and 68.87.74.162 IP addresses that my SMCD3G gets from Comcast are also Comcast DNSSEC servers, and they work properly as DNSSEC servers).

NetFixer, replying to noisefloor:

said by noisefloor:

Oh that's crazy, he's still running the 68.87.x.x servers with his static block. It must be something they are pushing out by market, because when I was with the company last year every D3G (only D3Gs) that was deployed had to be set to 75.x.x.x for the statics to function. I believe we sent a macro that made this change on the back end to everyone's cfg as well. The gateway could still function with a DHCP WAN address, though, with any previous 68.x.x.x DNS.

I don't know anything about Comcast macros, but I do know that my /29 static IP block (including my public facing web and email servers) is working just fine with the SMCD3G configured with the 68.87.68.162 and 68.87.74.162 DNS server addresses.

FWIW, I do recall that my SMCD3G was originally configured with the 75.75.75.75 and 75.75.76.76 DNS servers, but that changed at some point after another firmware upgrade was pushed to my box.