Strange traffic from my DSL router - Networking


  1. Strange traffic from my DSL router

    My home computing setup consists of a single multiboot PC (primarily
    running Fedora 9) and a Westell 6100-E90 DSL (wired) modem/router
    (supplied by Verizon).

    I've observed a bizarre pattern of packets being issued by the Westell
    6100. Can someone here hazard a guess as to what the router is trying to do?

    Roughly every 20 seconds the router issues an HTTP connection request to
    Port 80 on my PC. The first request after boot logged by iptables in
    /var/log/messages has a source port of 1032. The source port increases
    by one for every subsequent request, e.g. 1197, 1198, 1199... Along with
    each connection request, the router issues an NBNS NBSTAT packet
    (NetBIOS), plus some other packets. This goes on continuously for as
    long as the PC is up and regardless of whether I'm doing anything on the PC.

    My observation of this traffic is based on the following evidence:

    1. Viewing eth0 activity displayed by gkrellm

    2. Daily logwatch report shows iptables trapping several thousand
    packets to port 80 from 192.168.1.1

    3. Viewing of iptables logging in /var/log/messages

    4. I've captured snapshots of this activity using Wireshark

    This activity happens every time I'm online, and has been going on ever
    since I started using DSL 13 months ago.

    I don't run a server. I have only a minimum set of Linux daemons
    running. I run Fedora 99% of the time, but when I run Ubuntu on my
    multiboot PC, gkrellm displays the same pattern of activity on eth0.
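
The pattern reported in the post above can be checked directly from the iptables log. This is an added example, not part of the original thread: it parses constructed log lines (the host name, the "IPT: " prefix, the MAC and the PC address 192.168.1.47 are assumptions) and reports whether router-sourced TCP/80 attempts arrive at a steady interval with source ports rising by one, plus how many UDP/137 queries came with them.

```python
import re
from datetime import datetime
from statistics import median

# Constructed iptables LOG lines in /var/log/messages format (not real captures).
SAMPLE_LOG = """\
Nov  3 10:00:01 fedora kernel: IPT: IN=eth0 OUT= MAC=00:11:22:33:44:55:00:aa:bb:cc:dd:ee:08:00 SRC=192.168.1.1 DST=192.168.1.47 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=1197 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Nov  3 10:00:01 fedora kernel: IPT: IN=eth0 OUT= MAC=00:11:22:33:44:55:00:aa:bb:cc:dd:ee:08:00 SRC=192.168.1.1 DST=192.168.1.47 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1026 DPT=137 LEN=58
Nov  3 10:00:09 fedora kernel: IPT: IN=eth0 OUT= MAC=00:11:22:33:44:55:00:aa:bb:cc:dd:ee:08:00 SRC=203.0.113.9 DST=192.168.1.47 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=40112 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Nov  3 10:00:21 fedora kernel: IPT: IN=eth0 OUT= MAC=00:11:22:33:44:55:00:aa:bb:cc:dd:ee:08:00 SRC=192.168.1.1 DST=192.168.1.47 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=1198 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Nov  3 10:00:42 fedora kernel: IPT: IN=eth0 OUT= MAC=00:11:22:33:44:55:00:aa:bb:cc:dd:ee:08:00 SRC=192.168.1.1 DST=192.168.1.47 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=1199 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
"""

STAMP = re.compile(r"^(\w{3})\s+(\d+)\s+(\d\d:\d\d:\d\d)")   # syslog "Mon  D HH:MM:SS"
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")                       # iptables KEY=value pairs


def summarize_probes(log_text, router="192.168.1.1"):
    """Summarize logged packets sent by `router`: TCP/80 attempts and UDP/137 queries."""
    http, nbns = [], 0
    for line in log_text.splitlines():
        stamp = STAMP.match(line)
        f = dict(FIELD.findall(line))
        if not stamp or f.get("SRC") != router:
            continue                      # not a log line, or not from the router
        if f.get("PROTO") == "UDP" and f.get("DPT") == "137":
            nbns += 1                     # NetBIOS name service query
        elif f.get("PROTO") == "TCP" and f.get("DPT") == "80":
            # syslog omits the year; a fixed one is enough for interval arithmetic
            when = datetime.strptime("2000 %s %s %s" % stamp.groups(),
                                     "%Y %b %d %H:%M:%S")
            http.append((when, int(f["SPT"])))
    http.sort()
    pairs = list(zip(http, http[1:]))
    gaps = [(b[0] - a[0]).total_seconds() for a, b in pairs]
    return {
        "http_probes": len(http),
        "nbns_probes": nbns,
        # one new connection per probe, each taking the next ephemeral port
        "sequential_ports": bool(pairs) and all(b[1] - a[1] == 1 for a, b in pairs),
        "median_gap_s": median(gaps) if gaps else None,
    }
```

A steady median gap together with sequential source ports points to a timer-driven poller on the router rather than traffic forwarded from the Internet.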

  2. Re: Strange traffic from my DSL router

    Allen Weiner wrote:
    > My home computing setup consists of a single multiboot PC (primarily
    > running Fedora 9) and a Westell 6100-E90 DSL (wired) modem/router
    > (supplied by Verizon).
    >
    > I've observed a bizarre pattern of packets being issued by the Westell
    > 6100. Can someone here hazard a guess as to what the router is trying to
    > do?
    >
    > Roughly every 20 seconds the router issues an HTTP connection request to
    > Port 80 on my PC. The first request after boot logged by iptables in
    > /var/log/messages has a source port of 1032. The source port increases
    > by one for every subsequent request, e.g. 1197, 1198, 1199... Along with
    > each connection request, the router issues an NBNS NBSTAT packet
    > (NetBIOS), plus some other packets. This goes on continuously for as
    > long as the PC is up and regardless of whether I'm doing anything on the
    > PC.
    >
    > [snip]


    My Efficient/Siemens 5100b (supplied by SBC/AT&T) does a similar thing.
    It pings my PC every minute and attempts to connect on udp/137 (NBNS)
    every hour. I allow the ping, but block the NBNS (although there's
    nothing that would answer, anyway).

    I figure the modem just wants to know the PC is still alive.

    The udp source port numbers increase because each connection attempt is
    a unique connection, and that's how ports work for just about any
    protocol (although random is better).

  3. Re: Strange traffic from my DSL router

    Allen Weiner wrote:
    > My home computing setup consists of a single multiboot PC (primarily
    > running Fedora 9) and a Westell 6100-E90 DSL (wired) modem/router
    > (supplied by Verizon).


    > I've observed a bizarre pattern of packets being issued by the Westell
    > 6100. Can someone here hazard a guess as to what the router is trying to do?


    I suspect that's the wrong question, the question should probably be
    "What's Verizon trying to do?" The answer to that is almost certainly
    "It's trying to detect any server you might be operating."
    ...

    > I don't run a server.


    And Verizon wants to make sure you don't ever do so.

    --
    Clifford Kite
    /* The wealth of a nation is created by the productive labor of its
    * citizens. */

  4. Re: Strange traffic from my DSL router

    Clifford Kite wrote:
    > Allen Weiner wrote:
    >> My home computing setup consists of a single multiboot PC (primarily
    >> running Fedora 9) and a Westell 6100-E90 DSL (wired) modem/router
    >> (supplied by Verizon).
    >
    >> I've observed a bizarre pattern of packets being issued by the Westell
    >> 6100. Can someone here hazard a guess as to what the router is trying to do?
    >
    > I suspect that's the wrong question, the question should probably be
    > "What's Verizon trying to do?" The answer to that is almost certainly
    > "It's trying to detect any server you might be operating."
    > ...
    >
    >> I don't run a server.
    >
    > And Verizon wants to make sure you don't ever do so.

    Your explanation would make sense to me if the packets were coming from
    the Internet (say, from Verizon).

    Is your explanation consistent with the fact that the packets are coming
    from the router itself? (Source IP address is 192.168.1.1). If I was
    running a server, would my Westell 6100 "phone home"?

    FWIW, I "hardened" the Westell 6100 firewall by installing a set of
    rules I picked up from a forum on dslreports.com. These rules include
    dropping all unsolicited inbound requests. This made no difference
    whatsoever in the traffic I'm seeing.

  5. Re: Strange traffic from my DSL router

    Clifford Kite wrote:
    > Allen Weiner wrote:
    >> My home computing setup consists of a single multiboot PC (primarily
    >> running Fedora 9) and a Westell 6100-E90 DSL (wired) modem/router
    >> (supplied by Verizon).
    >
    >> I've observed a bizarre pattern of packets being issued by the Westell
    >> 6100. Can someone here hazard a guess as to what the router is trying to do?
    >
    > I suspect that's the wrong question, the question should probably be
    > "What's Verizon trying to do?" The answer to that is almost certainly
    > "It's trying to detect any server you might be operating."
    > ..


    Unlike cable "modems," DSL modems don't have a separate (management)
    address that only the ISP can access, so the ISP isn't doing anything.
    It's all in the modem and whatever its ROM tells it to do.

    >> I don't run a server.
    >
    > And Verizon wants to make sure you don't ever do so.


  6. Re: Strange traffic from my DSL router

    Allen Kistler wrote:
    > Unlike cable "modems," DSL modems don't have a separate (management)
    > address that only the ISP can access, so the ISP isn't doing anything.
    > It's all in the modem and whatever its ROM tells it to do.


    Not in my experience. Maybe the USA is different to the UK in this
    respect.

    Chris

  7. Re: Strange traffic from my DSL router

    Allen Kistler wrote:

    > Unlike cable "modems," DSL modems don't have a separate (management)
    > address that only the ISP can access, so the ISP isn't doing anything.
    > It's all in the modem and whatever its ROM tells it to do.


    This is an excerpt from a pdf for a 2wire 5100 DSL modem which I researched
    but never followed through with a purchase:

    Advanced - Configure Services Page

    Note: To access this page, your organization must have the Remote
    Management feature enabled. If the feature is not enabled, an error
    message will display when you click the link to access this page.

    I would expect the same thing to apply to most DSL modems and their
    providers, aka "organizations," perhaps even with some things that
    are well-hidden. It may just be that I have an overly suspicious mind
    although I don't believe that to be the case - until proven wrong of
    course.

    Cheers-
    --
    Clifford Kite
    /* I gave up on politics when no matter who I voted for, I regretted it.
    * -- Pepper...and Salt, WSJ */

  8. Re: Strange traffic from my DSL router

    alweiner7@hotmail.com wrote:
    > My home computing setup consists of a single multiboot PC (primarily
    > running Fedora 9) and a Westell 6100-E90 DSL (wired) modem/router
    > (supplied by Verizon).
    >
    > I've observed a bizarre pattern of packets being issued by the Westell
    > 6100. Can someone here hazard a guess as to what the router is trying to do?
    >
    > Roughly every 20 seconds the router issues an HTTP connection request to
    > Port 80 on my PC. The first request after boot logged by iptables in
    > /var/log/messages has a source port of 1032. The source port increases
    > by one for every subsequent request, e.g. 1197, 1198, 1199... Along with
    > each connection request, the router issues an NBNS NBSTAT packet
    > (NetBIOS), plus some other packets. This goes on continuously for as
    > long as the PC is up and regardless of whether I'm doing anything on the PC.
    > ...


    Same modem, same thing. More actually. The modem/router does a slow "sweep"
    through the private IP address space. It does an ARP request on each
    address. If it is set to 10.0.0.1, it does "Who has 10.0.0.2?", then "Who
    has 10.0.0.3?", etc all the way up to 254. It does one address every 1.2
    seconds, in groups of 10. Whenever it finds a live box it probes it with
    HTTP and NBSTAT, multiple times - it keeps returning to that system between
    ARP'ing other addresses. As far as I can tell, this is Westell's idea of a
    good way to "auto-discover" the local network. The HTTP and NBTSTAT probes
    are apparently trying to determine the PC name, perhaps operating system
    type. I don't see that it gets used, except to display the "My Network"
    thing in the modem's management page.

    I think it is harmless, annoying, and pointless, and I see no way to turn
    it off.
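
The sweep described in the post above is easy to pick out of a capture. This is an added example, not part of the original thread: it reads constructed lines in the text format printed by `tcpdump -n arp` (addresses, MAC and timings are assumptions modelled on the post) and reports any sender that ARPs for a run of consecutive ascending addresses, ignoring repeat visits to a host it has already asked for.

```python
import re
from ipaddress import IPv4Address

# Constructed capture text (not a real trace): 10.0.0.1 is the router,
# 10.0.0.2 the only live PC.
SAMPLE_CAPTURE = """\
10:00:01.200000 ARP, Request who-has 10.0.0.2 tell 10.0.0.1, length 46
10:00:01.200400 ARP, Reply 10.0.0.2 is-at 00:11:22:33:44:55, length 28
10:00:02.400000 ARP, Request who-has 10.0.0.3 tell 10.0.0.1, length 46
10:00:03.600000 ARP, Request who-has 10.0.0.4 tell 10.0.0.1, length 46
10:00:04.100000 ARP, Request who-has 10.0.0.2 tell 10.0.0.1, length 46
10:00:04.800000 ARP, Request who-has 10.0.0.5 tell 10.0.0.1, length 46
10:00:06.000000 ARP, Request who-has 10.0.0.6 tell 10.0.0.1, length 46
10:00:07.200000 ARP, Request who-has 10.0.0.7 tell 10.0.0.1, length 46
10:00:09.000000 ARP, Request who-has 10.0.0.1 tell 10.0.0.2, length 28
"""

ARP_REQ = re.compile(
    r"^(\d\d):(\d\d):(\d\d\.\d+) ARP, Request who-has (\S+) tell (\S+),")


def find_sweepers(capture_text, min_run=5):
    """Return {sender: (longest ascending run, seconds per address)} for runs >= min_run."""
    state = {}
    for line in capture_text.splitlines():
        m = ARP_REQ.match(line.strip())
        if not m:
            continue                              # replies and non-ARP lines
        h, mi, s, target, sender = m.groups()
        t = int(h) * 3600 + int(mi) * 60 + float(s)
        addr = int(IPv4Address(target))
        st = state.setdefault(sender, {"seen": set(), "last": None,
                                       "start": t, "run": 0, "best": (0, None)})
        if addr in st["seen"]:
            continue                              # return visit to a known host
        st["seen"].add(addr)
        if st["last"] is not None and addr == st["last"] + 1:
            st["run"] += 1                        # next address in sequence
        else:
            st["run"], st["start"] = 1, t         # sequence broken, start over
        st["last"] = addr
        if st["run"] > st["best"][0]:
            pace = (round((t - st["start"]) / (st["run"] - 1), 2)
                    if st["run"] > 1 else None)
            st["best"] = (st["run"], pace)
    return {s: st["best"] for s, st in state.items() if st["best"][0] >= min_run}
```

An ordinary host asking for its gateway never builds a run, so only the device walking the subnet is reported.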

  9. Re: Strange traffic from my DSL router

    ljb wrote:
    > alweiner7@hotmail.com wrote:
    >> My home computing setup consists of a single multiboot PC (primarily
    >> running Fedora 9) and a Westell 6100-E90 DSL (wired) modem/router
    >> (supplied by Verizon).
    >>
    >> I've observed a bizarre pattern of packets being issued by the Westell
    >> 6100. Can someone here hazard a guess as to what the router is trying to do?
    >>
    >> Roughly every 20 seconds the router issues an HTTP connection request to
    >> Port 80 on my PC. The first request after boot logged by iptables in
    >> /var/log/messages has a source port of 1032. The source port increases
    >> by one for every subsequent request, e.g. 1197, 1198, 1199... Along with
    >> each connection request, the router issues an NBNS NBSTAT packet
    >> (NetBIOS), plus some other packets. This goes on continuously for as
    >> long as the PC is up and regardless of whether I'm doing anything on the PC.
    >> ...
    >
    > Same modem, same thing. More actually. The modem/router does a slow "sweep"
    > through the private IP address space. It does an ARP request on each
    > address. If it is set to 10.0.0.1, it does "Who has 10.0.0.2?", then "Who
    > has 10.0.0.3?", etc all the way up to 254. It does one address every 1.2
    > seconds, in groups of 10. Whenever it finds a live box it probes it with
    > HTTP and NBSTAT, multiple times - it keeps returning to that system between
    > ARP'ing other addresses. As far as I can tell, this is Westell's idea of a
    > good way to "auto-discover" the local network. The HTTP and NBTSTAT probes
    > are apparently trying to determine the PC name, perhaps operating system
    > type. I don't see that it gets used, except to display the "My Network"
    > thing in the modem's management page.
    >
    > I think it is harmless, annoying, and pointless, and I see no way to turn
    > it off.


    I had a similar thread in one of the forums at dslreports.com. A former
    telco tech conjectured that the traffic was from the router doing
    network mapping. But unlike your reply, he didn't explain how the http
    and nbstat packets fit in. Thanks very much for your explanation.

    I too saw ARP packets with an ascending address pattern in my Wireshark
    snapshots. I didn't analyze them in anywhere near the level of detail
    that you have done.
