It is NATed. The destination shows up as 192.168.0.12 (my Toshiba). My
Netgear drops it and logs it. Yes the SRC port is 080 on 204.176.49.2
I don't know which protocol is being used because the filter rule I have for
the two ports that have been being tickled denies access "from any to any
for any protocol." It's a rule late in the filter process after any local
addresses (i.e. on the LAN) would have been forwarded if they were trying to
speak to each other. Since the Netgear separates filters for LAN->LAN,
WAN->LAN, LAN->WAN, I can tell this is coming from outside trying to get in
to the Toshiba. I thought it might be a response to a request from my TiVo
to TiVo central for update, but the address does not seen to be one of
theirs, and updates seem to be coming through fine. TiVo doesn't mention
those ports as being used by them. Their block is both in the lower < 1024
and upper range (> 8000).
Yes I got the TR 20 with 120GB drive and a DVD recorder. So far it has been
good. I record on highest quality, and the signal through the Toshiba is
better than the one I used to get when the Sony VCR was between the box and
the TV. It may be just my imagination, but I think the quality is a bit
better when I use the RF signal input on the DVR rather than using the Cable
box RCA outputs. Wish the Motorola's serial port was active. But going way
off topic for this group, here.

In adelphia.security-issues - article
<***@4ax.com>, on Tue, 08 Mar 2005
10:48:31 -0700, W. Mark Herrick, Jr. says...
You have a point but while I'm probably not representative of most
consumers, I don't use any of the consumer oriented IM clients and
stuff like that, the only thing I show registering outbound on UDP in
1024-1029 are queries by some of my NTP clients. Out of 700 entries
over the last 6 months, 15 weren't originated from port 1024.
Any applications using UDP aren't too concerned about transport, the
kicker is a potential for DNS lookups to falter for a moment as they
skip over those ports.

So, it's a trade-off between a bazillion ARPs and an occasional
delay'd DNS lookup. But... one could either exclude Adelphia's DNS
servers from the rule or apply only at the borders.

In case this is not representative of what you're seeing in the glass
tower, here's a view from here. I have placed 5000 records of a
tcpdump on my web page.
http://users.adelphia.net/~mcwatson/watch.txt .
It is unretouched and contains a couple of internal packets.

You'll note that 5000 records were obtained in something just under
1.5 minutes, somewhere around 55/second. It's been like this since
the weekend, where before I rarely if ever saw any modem traffic that
wasn't initiated here. An occasional virus probe but not the steady
flow. It's possible that the messenger spammers updated their
netblock lists coinciding with the outage/changes noted here in
Mooresville NC.

That's 55 (packets/second)
x60 (3300/minute)
x60 (198,000/hour)
x24 (4,752,000/day)
x7 (33,264,000/week)
x4.3(143,035,200/month)
x365(1,729,728,000/year)
At ~1500 bytes/packet, that 660kbs of broadcast download bandwidth
consumed by ARPs

You'll note the somewhat sequential nature and double entry of the
ARPs, indicating transmission to 2 ports sequentially for each IP
(which corresponds with the 1026/1027 messenger spam sequences I'm
seeing in my logs) at sequential IPs at these times :
17:52:33.311831
17:52:39.071831
these are definitely Windows Messenger spammers and the list goes on
and on.

If your CMTS/routers with IDS/IPS could identify and partition the
sources, you'd help us recoup some of the bandwidth and traffic on
your backbone.

I think a good starting point would be to block UDP/1026-1029 from
APNIC netblocks at the border routers. Give that a try and see what
you end up blocking. China's hosts has been heavily compromised by
the Sql worms and are probably the biggest source of the messenger
spams, quite possibly not even forged IPs but one would have to do a
MAC trace to determine that, a tool I don't have in my arsenal.

You can see from the tcpdump would appear to contain several
neblocks, spanning more than my 69.164.0.0/18, more than
69.164.0.0/16
ie. 69.164.0.0 - 69.174.255.0.
not quite the 69.160.0.0/12 netblock and the 69.174.0.0 seems to be
small in number whereas 69.164.0.0/18 seems to be appropriately
represented.

Maybe the scope of the IPs is attributable to a typo in a
configuration. If Adelphia made some CMTS changes over the weekend,
I figured there would be some kinks to work out and it may take a
little while. Is the scope of these ARPs typical?

This rings as odd:
17:52:33.981831 arp who-has 67.21.36.246 tell 67.21.36.245
17:52:33.981831 arp who-has 67.21.36.246 tell 67.21.36.245
It would appear to be a router in Atlanta with an identity crisis.
Yes. My use of headend is a generic MSO-end equipment word. I'll
start using the correct terminology.

Back to the meat of the question then, they are capable of
identifying an offending source based on rules or input from a
honeypot type device and either blocking or rate-limiting?
Not at a MAC level, IP level. Certainly the CMTSs are IP smart, ie.
CMTS 123 manages 24.48.32.0/21 (and/or other netblocks). Giving it
the ability to reject any traffic initiated on the modem side with a
source IP != 24.48.32.0/21?? If it's not at the CMTS level then
surely at the next router level up.

While it's less significant and I can't say that I've seen it on
Adelphia but I recall an incident on RR where I was seeing traffic
from 1.2.3.4, an obviously invalid IP, one that ARIN had not and will
not delegated. Those packets should never have been seen, blocked at
the border routers, CMTS or other MSO equipment.
Good to hear they are proactively working at cleaning up what has
become a big mess over the last 10 years. With what I expect to be a
fair amount of processing power available on the modem, I'd think
they would be looking a pushing some of the IDS/IPS functionality
down to the modem level, via something like a configuration file.

Thanks for your attention and feedback, it certainly facilitates
learning for all participants.

On Tue, 15 Mar 2005 01:31:31 -0500, Murray Watson
I think I said previously that I wouldn't weight MNW reports as
urgent, as they once were. We still use them, accept them, and act
upon them.

Best,
-MH


W. Mark Herrick, Jr.
Director - Data and Network Security
Adelphia Communications
5619 DTC Parkway
Greenwood Village, CO 80111