Community Forum

Data Harvesting (Wifi signal drops)

New Poster

Data Harvesting (Wifi signal drops)

Hello (also to @ComcastKen  ) I've been researching an issue we've experienced the last several months:

Online forums cover some similar topics however I haven't been able to link with anybody able to take action. I saw your comments on Data Harvesting in June just now.

 

We've had the modem replaced and field technicians out to check without luck.

I took advice from somebody in our neighborhood going thru same, and checked the router logs. There is some suspicious activity around the time when our wifi signal drops.

 

When the signal drops I can no longer connect with our corporate headquarters while working remotely.

The outages seem to arrive at predictable or repeatable times.

 

On today's log we saw:

[Harvester][926]: Harvester StartRadioTrafficHarvesting Starting Thread to start RadioTraffic Data Harvesting

 

Also concerning though I'm not sure if related, I've been seeing this on the logs as well:

Firewall[552]: DoS Attack - TCP SYN Flooding IN=erouter0 OUT= MAC=48:f7:c0:ba:7c:93:2c:86:d2:88:c4:22:08:00 src=110.249.212.46 DST=73.19.126.24 LEN=52 TOS=00 PREC=0x20 TTL=241 ID=0 PROTO=TCP SPT=55555 DPT=37564 SEQ=0 ACK=0 WIND

 

My neighbor friend was able to reach a solution when he posted on the forum, resulting in the issue being escalated (general phone support wasn't able to connect).

 

They found that during each of the outages one of our upstream data branches was showing a high signal value. The outages seem to come around noon and midnight almost daily.

 

The analyst was able to toggle a value within the xfinity system which resulted in the outage stopping for him. Our logs and symptoms seem to be almost exact, we both live on Bainbridge Island WA The suspicion was that temperature changes at midday were causing some equipment to go out.

 

The only other odd thing I wonder about is our IP address appears to be 73.19.126.24 while our understanding is that the routher should be at address 10.0.0.1 which it says within the actual router config screen.

Thanks for your time!
Sean
<Edited>

Screen Shot 2019-09-03 at 13.13.53.png

New Poster

Re: Data Harvesting (Wifi signal drops)

Logs:

 

[Harvester][926]: Harvester StartRadioTrafficHarvesting Starting Thread to start RadioTraffic Data Harvesting 2019/9/03 11:12:23 Notice
[Harvester][926]: Harvester StartAssociatedDeviceHarvesting : Started Thread to start DeviceData Harvesting 2019/9/03 11:12:23 Notice
[Dhcpc][2122]: erouter0 got new IP 73.19.126.24 2019/9/03 11:12:15 Notice
[Docsis][1042]: No Ranging Response received - T3 time-out 2019/9/03 11:11:40 Critical
[Docsis][1042]: No Ranging Response received - T3 time-out 2019/9/03 11:11:40 Critical
[Docsis][1042]: Started Unicast Maintenance Ranging - No Response received - T3 time-out 2019/9/03 11:11:39 Critical
[Docsis][1042]: No Ranging Response received - T3 time-out 2019/9/03 11:11:39 Critical
Firewall[552]: DoS Attack - TCP SYN Flooding IN=erouter0 OUT= MAC=48:f7:c0:ba:7c:93:2c:86:d2:88:c4:22:08:00 src=110.249.212.46 DST=73.19.126.24 LEN=52 TOS=00 PREC=0x20 TTL=241 ID=0 PROTO=TCP SPT=55555 DPT=37564 SEQ=0 ACK=0 WIND 2019/9/03 04:52:49 Notice
[Dhcpc][2243]: erouter0 T1 Expired, Enter Renew State 2019/9/02 02:17:07 Notice
[Docsis][1031]: No Ranging Response received - T3 time-out 2019/9/02 00:43:06 Critical
[Docsis][1031]: No Ranging Response received - T3 time-out 2019/9/01 09:29:56 Critical
Firewall[552]: DoS Attack - TCP SYN Flooding IN=erouter0 OUT= MAC=48:f7:c0:ba:7c:93:2c:86:d2:88:c4:22:08:00 src=110.249.212.46 DST=73.19.126.24 LEN=52 TOS=00 PREC=0x20 TTL=241 ID=0 PROTO=TCP SPT=55555 DPT=9090 SEQ=0 ACK=0 WINDO 2019/8/31 23:44:00 Notice
[Docsis][1031]: No Ranging Response received - T3 time-out 2019/8/31 21:24:26 Critical
[Dhcpc][27140]: erouter0 got new IP 73.19.126.24 2019/6/30 11:02:01 Notice
[Dhcpc][31560]: erouter0 got new IP 73.19.126.24 2019/6/28 19:50:05 Notice
[Docsis][1033]: Unicast Ranging Received Abort Response - initializing MAC 2019/6/28 19:38:28 Critical
[Docsis][1033]: No Ranging Response received - T3 time-out 2019/6/28 19:38:28 Critical
[Docsis][1033]: Unicast Ranging Received Abort Response - initializing MAC 2019/6/28 19:38:12 Critical
[Docsis][1033]: No Ranging Response received - T3 time-out 2019/6/28 19:38:12 Critical
[Docsis][1033]: No Ranging Response received - T3 time-out 2019/6/28 19:38:11 Critical
New Poster

Data Harvesting

Hi is anybody seeing Data Harvesting activities on router logs around the time of Wifi outages?

 

I've been having this happening regularly the last several months. The outages are almost like clockwork. Late night and middle of day near lunch. General phone support can't find anything wrong with my setup.

 

My neighbors have had exact same issue, one was able to resolve with a forum post. A setting was toggled on his upstream data branches. One of four was showing a high signal for some reason.

 

Logs:

[Harvester][926]: Harvester StartRadioTrafficHarvesting Starting Thread to start RadioTraffic Data Harvesting

 

Also concerning though I'm not sure if related, I've been seeing this on the logs as well on the same day:

Firewall[552]: DoS Attack - TCP SYN Flooding IN=erouter0 OUT=

 

Lastly, not sure if it's an issue but my IP address does not seem to be the standard 10.0.0.1 which is configured. I actually have a very different IP adress, nonstandard.

 

Thanks for any advice!

Regular Visitor

Re: Data Harvesting

I too have been experiencing wifi issues. Tonight my wifi was connected and able to access the internet, but when trying to access the admin page, it said it did not exist. So this is where i am now, my sonos couldn't work until i unplugged the modem to reset it because the admin page was hardlocked out. After it booted i was able to get admin access and checked the logs to see both wan attacks and input drops and Harvester][1161. Can someone please explain this to me and why is my modem being attacked?.... Log thread to follow.


All Firewall logs from Last WeekFW.IPv6 FORWARD drop , 52 Attempts, 2019/10/11 20:15:25Firewall BlockedFW.IPv6 INPUT drop , 278 Attempts, 2019/10/11 20:09:13Firewall BlockedFW.IPv6 INPUT drop , 1055 Attempts, 2019/10/11 17:16:11Firewall BlockedFW.IPv6 FORWARD drop , 610 Attempts, 2019/10/11 16:21:49Firewall BlockedFW.WANATTACK DROP , 16 Attempts, 2019/10/11 00:39:17Firewall BlockedFW.IPv6 FORWARD drop , 578 Attempts, 2019/10/10 18:56:17Firewall BlockedFW.IPv6 INPUT drop , 1010 Attempts, 2019/10/10 18:49:56Firewall BlockedFW.IPv6 FORWARD drop , 628 Attempts, 2019/10/09 18:25:35Firewall BlockedFW.IPv6 INPUT drop , 1855 Attempts, 2019/10/09 14:16:50Firewall BlockedFW.IPv6 INPUT drop , 1117 Attempts, 2019/10/08 18:58:00Firewall BlockedFW.IPv6 FORWARD drop , 776 Attempts, 2019/10/08 18:50:06Firewall BlockedFW.IPv6 FORWARD drop , 658 Attempts, 2019/10/07 18:57:14Firewall BlockedFW.IPv6 INPUT drop , 1218 Attempts, 2019/10/07 18:47:46Firewall BlockedFW.WANATTACK DROP , 13 Attempts, 2019/10/07 00:17:23


All Event logs from Last Week[Harvester][1161]: Harvester StartRadioTrafficHarvesting Starting Thread to start RadioTraffic Data Harvesting2019/10/11 19:24:39Notice[Harvester][1161]: Harvester StartAssociatedDeviceHarvesting : Started Thread to start DeviceData Harvesting2019/10/11 19:24:38Notice[Dhcpc][1660]: erouter0 got new IP 68.XXX.XXX.165
IPaddress redacted for security purposes.
New Poster

Re: Data Harvesting

I'm going to do a test. Format my Dell XPS 13 and see how long it takes to re-infect.

Regular Contributor

Re: Data Harvesting

 Harvester StartRadioTrafficHarvesting is a normal thing for an xFI router.  Probably populating the data we see here: https://internet.xfinity.com/devices  which can only come from your router.