dslreports logo
 
    All Forums Hot Topics Gallery
spc
Search similar:


uniqs
663

LFoot
@rogers.com

LFoot

Anon

[Modem/Router] Help with network issue

Hi, I’m looking for a little network help. On the morning of Thursday April 21 before turning on my computer, I noticed the activity light on my Motorola SB5100 modem and the WAN (Internet) light on my Asus router flashing constantly. Checking the Traffic Monitor on the router I could see a 3-5 KB/s of incoming traffic none of which was making it to my computer. This has been happening 24/7 since Thursday.

I called Rogers and was told the flashing was normal but my modem (which I own) was very old and it had likely failed. I have a friend on the other side of town with a similar modem, so I asked him to check his and it is doing the same thing.

This morning I removed the router and connected my computer directly to the modem. When the computer was boot the modem flashing started again. I ran Wireshark and did a quick capture which showed I was getting 40-50 ARP requests per second.

They are all similar to this, each one with different seemingly random IPs:
Source Dest Prot Size Info
Casa_91:68:1F Broadcast ARP 60 Who has 24.166.173.159? Tell 24.166.172.1

I’m wondering if it has anything to do with Roger’s implementation of IPv6. Maybe trying to assign an IPv6 IP to an IPv4 only device.

Any help would be appreciated.
dallas1
join:2014-04-16
Oshawa

dallas1

Member

Hopefully someone can help you out
gcerullo
join:2015-10-31
Toronto, ON

2 recommendations

gcerullo to LFoot

Member

to LFoot
Interesting!

ARP is used by IPv4. It stands for Address Resolution Protocol.

Wikipedia article about ARP: »en.wikipedia.org/wiki/Ad ··· Protocol

Wireshark article: »wiki.wireshark.org/Addre ··· Protocol

The 24.160.0.0 - 24.170.127.255 IP range belongs to Time Warner in the US so I doubt this has anything to do with Rogers deploying IPv6.

NetRange:       24.160.0.0 - 24.170.127.255
CIDR:           24.168.0.0/15, 24.170.0.0/17, 24.160.0.0/13
NetName:        ROAD-RUNNER-5
NetHandle:      NET-24-160-0-0-1
Parent:         NET24 (NET-24-0-0-0-0)
NetType:        Direct Allocation
OriginAS:
Organization:   Time Warner Cable Internet LLC (RRMA)
RegDate:        2000-06-09
Updated:        2011-07-06
Ref:            https://whois.arin.net/rest/net/NET-24-160-0-0-1
 
OrgName:        Time Warner Cable Internet LLC
OrgId:          RRMA
Address:        13820 Sunrise Valley Dr
City:           Herndon
StateProv:      VA
PostalCode:     20171
Country:        US
RegDate:
Updated:        2013-04-25
Comment:        Allocations for this OrgID serve Road Runner residential customers out of the Columbus, OH, Herndon, VA and Raleigh, NC RDCs.
Ref:            https://whois.arin.net/rest/org/RRMA
 

The IP numbers 24.166.173.159 and 24.166.172.1 seem to be assigned to their residential IP pool.

Lookup has started...
 
24.166.173.159 -> cpe-24-166-173-159.kc.res.rr.com
 

Lookup has started...
 
24.166.172.1 -> cpe-24-166-172-1.kc.res.rr.com
 

Doing a Google search for "Broadcast ARP 60 Who has 24.166.173.159? Tell 24.166.172.1" will give you some explanations for these type of ARP requests.

LFoot
@rogers.com

LFoot

Anon

Click for full size
gcerullo,

Thanks for the reply. I think you missed the part of my original post that every ARP request is for a different IP. I'm having requests at a rate or 40-50 per second 24/7. From what I've read I might be experiencing an "ARP Broadcast Storm or Flood". I'd like to know how to stop it. I'll try to attach a small image of a capture that is less then a second.
bobnoxe
join:2015-03-30
fiji

bobnoxe

Member

ARP Flood Attack

»www.trendmicro.com/vinfo ··· 20attack

LFoot
@rogers.com

LFoot

Anon

bobnoxe,

My ARP cash was flushed (it only has 1 address in it). Since the flood is 24/7 with my computer on or off, I don't believe it's a virus etc. at my end. Also since a friend at the other end of town is having the exact issue, I believe it's either Rogers doing something or a malfunctioning device somewhere on their system. In the capture the source address is listed as "Casa_91:68:1F" which I cannot find any info on. It may just be a coincident, but my or my friends usage has not been updated since this started. I'm going to try and explain this to Rogers, but we all know how difficult that can be.

Napsterbater
Meh
MVM
join:2002-12-28
Milledgeville, GA
(Software) OPNsense
Ubiquiti UniFi UAP-AC-PRO

1 recommendation

Napsterbater to LFoot

MVM

to LFoot
This is Normal, It probably has always happened, except either a firmware update or config file change is having the activity light flash for ARPs where it didn't before.

You will always see ARPs for other IPs on the same node. Thats is just how a DOCSIS network works.

There is nothing wrong.

LFoot
@rogers.com

LFoot

Anon

If I look at the IPs and since they are all over the place, I don't see how they an be on the same node. Are you sure 40-50 per second is normal? I can measure the overhead at my router that was never there before.

Napsterbater
Meh
MVM
join:2002-12-28
Milledgeville, GA
(Software) OPNsense
Ubiquiti UniFi UAP-AC-PRO

1 recommendation

Napsterbater

MVM

said by LFoot :

If I look at the IPs and since they are all over the place, I don't see how they an be on the same node.

Define "all over the place", plus there can be more then one subnet on the same CMTS. And I should have said CMTS not Node before.
said by LFoot :

Are you sure 40-50 per second is normal?

Depending on the number of users the CMTS serves, yes.
said by LFoot :

I can measure the overhead at my router that was never there before.

There is some tricks some CMTS's plus config files can do to limit the traffic. So that could have changed but its not wrong or bad if its not filtered, its purely an engineering decision, and no one you will talk to on the phone would have an answer or really be able to escalate it.

lFoot
@rogers.com

lFoot

Anon

Thanks for the detailed response. I guess for now I'll just try to ignore the flashing lights.
Jelllo
join:2013-12-29

1 edit

2 recommendations

Jelllo to LFoot

Member

to LFoot
said by LFoot :

They are all similar to this, each one with different seemingly random IPs:
Source Dest Prot Size Info
Casa_91:68:1F Broadcast ARP 60 Who has 24.166.173.159? Tell 24.166.172.1

I’m wondering if it has anything to do with Roger’s implementation of IPv6. Maybe trying to assign an IPv6 IP to an IPv4 only device.

Any help would be appreciated.

This just started happening to me too, about 100 per second. I ran wireshark and the source was 99.250.160.1 which belongs to Rogers. The flashing lights are annoying, but if it is normal then I won't worry about it.

LFoot
@rogers.com

1 recommendation

LFoot

Anon

Rogers has opened a ticket on this issue for me and has asked a couple of times for a copy of my wireshark capture. Since my usage summary has not been updated since this started (8 days now), I have not been able to determine if this traffic is part of my usage. I've always told people if your doing nothing on your computer and your modem is flashing like crazy, their might be something malicious going on. So much for that theory.

I started a thread on the Rogers Community forum, but most of my interaction with Rogers has been in private email.

»communityforums.rogers.c ··· id/32417
Jelllo
join:2013-12-29

Jelllo

Member

Click for full size
Any word yet? I got nothing from the Rogers site. I would think over 170 arp broadcasts a second would be significant.

Napsterbater
Meh
MVM
join:2002-12-28
Milledgeville, GA
(Software) OPNsense
Ubiquiti UniFi UAP-AC-PRO

2 recommendations

Napsterbater

MVM

said by Jelllo:

Any word yet? I got nothing from the Rogers site. I would think over 170 arp broadcasts a second would be significant.

Sure, If you had no idea how a DOCSIS network works..
Jelllo
join:2013-12-29

1 edit

Jelllo

Member

Wow...thanks for all your help....yes I know how it works and see ARP on my home network, but I don't see anything from someone across the street, yet now I am seeing Arp broadcasts from nodes that Rogers peers with.

Napsterbater
Meh
MVM
join:2002-12-28
Milledgeville, GA
(Software) OPNsense
Ubiquiti UniFi UAP-AC-PRO

2 recommendations

Napsterbater

MVM

said by Jelllo:

Wow...thanks for all your help....yes I know how it works and see ARP on my home network, but I don't see anything from someone across the street, yet now I am seeing Arp broadcasts from nodes that Rogers peers with.

If you are seeing ARP from the Rogers network on your LAN, then you have malfunctioning router, or a bad setup using a switch or somthing.

If you are seeing on 170+ ARPs on your WAN, then there is nothing wrong, and you are seeing other Customers on the same CMTS as you.
Jelllo
join:2013-12-29

1 edit

Jelllo

Member

In the past they were all filtered...they installed new equipment and now I see Cogent, Execulink, Tek Savvy etc...didn't think it was normal for a residential customer. Seems like a waste of bandwidth to me.

Napsterbater
Meh
MVM
join:2002-12-28
Milledgeville, GA
(Software) OPNsense
Ubiquiti UniFi UAP-AC-PRO

1 edit

Napsterbater

MVM

said by Jelllo:

and now I see Cogent, Execulink, Tek Savvy

Ummm, again, you are only seeing ARPs for equipment on the same CMTS, you are not seeing anything beyond that.

You are not seeing equipment used for peering or anything like that.

And those ARP have ALWAYS beens there, they just used to get stopped at the modem, but they have always been "on the wire".
said by Jelllo:

Seems like a waste of bandwidth to me.

About 108kbps, for the whole CMTS downstream... Out of 491.5mbps (assuming 16 Channels), heck even with 1 that would be out of 30.72mbps.
wayner92
join:2006-01-17
Toronto, ON

1 recommendation

wayner92 to LFoot

Member

to LFoot
I am getting a little OT here, but I wonder how many SB5100s are still in use? I have one but it has been sitting in my bin of "where electronics stuff goes to die" for about 8 years or so.

Does DOCSIS 2.0 get shut down at some point in the near future? Not unlike analog cable.