Router is being attacked from apparent comcast equipment

Frequent Visitor

Since Thanksgiving, I have seen up to 2 or 3 logs in my router's IPS logs of various exploits blocked from the WAN side. All of the outside IPs logged have been identified as known hacker IPs. All of the attack attempts have come from the same MAC address that is only a few LSB bits different from the Comcast router that my modem is attached to.

I have logged all dropped and accepted packets and there are dropped packets every few minutes from this same "Comcast" MAC. All from different IPs. There have been no accepted packets.

Is Comcast trying to hack me or has Comcast been hacked? After spending over an hour on the phone trying to find someone at Comcast that even understood the difference between an IP and a MAC (I did find 2/5 people from tech support that knew what I even said), they finally told me they didn't care. They couldn't be hacked and didn't care that someone was trying to hack into me. Lovely tech support!

 

Anyone have any ideas on how to stop this and where it is coming from? Anybody else seeing this?

Dan

Expert

Re: Router is being attacked from apparent comcast equipment

Provide a few more details, please. Don't see your problem at all.

Regular Contributor

Re: Router is being attacked from apparent comcast equipment

What makes you think a MAC ID with only a few different digits than a Comcast router IS a Comcast device?  Have the hack attempts come FROM or THRU that MAC ID, how can you tell?

Joe V
(not a Comcast employee, just another paying customer)
Diamond Problem Solver

Re: Router is being attacked from apparent comcast equipment


@dan21 wrote:

There have been no accepted packets.

Anyone have any ideas on how to stop this and where it is coming from? Anybody else seeing this?

Dan


Seems that your firewall is doing its job. This type of random stuff / background noise from the internet can never be fully "stopped". What port / ports are you seeing these on?

Frequent Visitor

Re: Router is being attacked from apparent comcast equipment

I guess there is no problem. It is just that a hardware ID very close to the Comcast CMTS is trying to get into my router. Different IP most times. All from a known hacker threat. It is from the same type of equipment, just off by a few LSB bits. It means one of three things:

1) Just the normal web attack that is spoofing the Comcast hardware ID.

2) A Comcast CMTS has been taken over by some hacker.

3) Comcast is trying to hack into my router.

Apparently Comcast doesn't care about any of the above scenarios. It took many hours just to find a Comcast tech who even knew what I was talking about. Complete waste of time, even with the person that knew the difference between CMTS, hardware ID and IP.

I guess you don't see a problem here either. So there must not be a problem...

Frequent Visitor

Re: Router is being attacked from apparent comcast equipment

JoeV,

Yes, the router is doing its job (not a Comcast router, my own). It is telling me the IP and hardware ID of the attack. The only problem is what is it not catching? I had assumed that Comcast might be concerned over #2, couldn't do anything about #1 and completely ignore #3. I don't think they even understood the problem. They just kept telling me to "restart" my router, since they couldn't do it. (I really should use one of their routers you know....they have much better control then....yeah right!)

Contributor

Re: Router is being attacked from apparent comcast equipment

Routing 101:

Any incoming traffic should have the source IP of the originating device, and the source MAC of the _last_router_that_forwarded_it to you.

Frequent Visitor

Re: Router is being attacked from apparent comcast equipment

Reading 101:

Except it doesn't come from my CMTS. As I said it is a similar MAC. It comes from some other one that I don't normally get any traffic from. Hence #2 & #3

Contributor

Re: Router is being attacked from apparent comcast equipment

I've never worked hands-on with a CMTS, so I don't know what kind of redundancy they might be using.

But MACs with similar prefixes and varying suffixes sound like some gateway redundancy protocols I've set up.

Examples ('x' are the variable bits):

HSRP 0000.0c07.acxx

VRRP 0000.5e00.01xx

GLBP 0007.b4xx.xxxx
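
An added example, not written by any poster in this thread: a Python helper that takes the source MACs seen in firewall drop logs and reports whether each one is the usual gateway, falls in one of the redundancy-protocol virtual-MAC ranges listed above, or only differs from the gateway MAC in a few low-order bits. The MAC values, the 8-bit threshold and the function names are constructed for illustration.

```python
import re

# Virtual-MAC prefixes as listed in the post above: (protocol, prefix, fixed bits).
FHRP_PREFIXES = [
    ("HSRP", 0x00000C07AC00, 40),  # 0000.0c07.acxx
    ("VRRP", 0x00005E000100, 40),  # 0000.5e00.01xx
    ("GLBP", 0x0007B4000000, 24),  # 0007.b4xx.xxxx
]

def parse_mac(text):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-..., or aabb.ccdd.eeff; return a 48-bit int."""
    digits = re.sub(r"[.:\-]", "", text.strip())
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return int(digits, 16)

def fhrp_protocol(mac):
    """Return the protocol whose virtual-MAC prefix matches, else None."""
    for name, prefix, fixed_bits in FHRP_PREFIXES:
        mask = ((1 << fixed_bits) - 1) << (48 - fixed_bits)
        if mac & mask == prefix:
            return name
    return None

def low_bits_differing(mac_a, mac_b):
    """Count of low-order bits that spans every difference (0 = identical)."""
    return (mac_a ^ mac_b).bit_length()

def classify(src_mac, gateway_mac):
    """Label a logged source MAC relative to the known upstream gateway MAC."""
    src, gw = parse_mac(src_mac), parse_mac(gateway_mac)
    if src == gw:
        return "usual gateway"
    proto = fhrp_protocol(src)
    if proto:
        return f"{proto} virtual MAC"
    span = low_bits_differing(src, gw)
    if span <= 8:  # assumed threshold: only the last octet differs
        return f"same prefix as gateway, differs in low {span} bits"
    return "unrelated MAC"

if __name__ == "__main__":
    gateway = "02:00:00:aa:bb:10"  # constructed, locally administered address
    logged = ["02:00:00:aa:bb:13", "0000.0c07.ac05", "02:11:22:33:44:55"]
    for mac in logged:  # constructed source MACs standing in for drop-log entries
        print(mac, "->", classify(mac, gateway))
```
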