On Tuesday 28 February 2006 08:31, Craig FALCONER wrote:
> I have to admit - I sat for about five minutes last night staring at the
> orange Activity light on my cable modem.
>
> Not once in that ~5 mins did it go off for even a blink.
Same here. Even during the wee hours of the morning.
The activity LED around the back of the modem does wink occasionally, as 
does the one on the NIC on the firewall machine.

See other comments inline below.

> Some serious traffic exists out there in cable-land....   I do know that
> the modem drops DHCP requests (it has a rudimentary firewall) but why
> can't TCNZ drop more traffic at that point?
>
> I also understand that part of the push for the new cable plans is
> changing the equipment in the back...  the many-ported box named Bertha
> is to be replaced, which forces all the old plans to go.
>
>
> -----Original Message-----
> From: Craig Molloy [mailto:[EMAIL PROTECTED]
> Sent: Monday, 27 February 2006 5:40 p.m.
> To: [email protected]
> Subject: Re: OT - 172.20.18.55 port 67
>
>
> Andy George wrote:
>
> Dear Andy,
>
> This traffic is generated by one of our servers on the cable modem
> network
I, as well as many others, would be very interested to know whether T/C or 
some other party installed the program which generates this traffic?

> and is not malicious in any way, 
Being of a normally suspicious nature, until we see some more detailed 
explanation I find this incredibly difficult to believe.

> due to the shared nature of a cable network this activity is not
> uncommon. 
In other words, there is a widely distributed exploited vulnerability in 
the server or modem software in the host numbered 172.20.18.55 on the 
private network. This vulnerability allows the installation of a probing 
robot which uses the BOOTP port to detect the presence of machines on the 
network. It uses port 67 because ICMP requests are frequently filtered 
out. I strongly suspect that the robot can also discover whether our 
machines are ripe for exploitation in some nefarious way. 

> The traffic itself isn't 
> routed and so it is not being counted as usage towards your allocated
> datacap,
I'm very relieved to hear that!

> and I recommend you configure your firewall to ignore/drop and 
> not log this BOOTP traffic.

> I got the same reply EXACTLY, word for word. Sounds like an auto response.
That proves quite conclusively that T/C know about this 'issue', but that 
they are unable to fix the problem. After all it's been going on for 
several months.

> So now who do I send the bill to for wasting my power logging this traffic
> I don't need to see?
That's a bit specious, because the actual incremental cost to you is so 
small as to be unmeasurable. As the man says, you could install an 
iptables rule to drop the BOOTP traffic.

Yes I do agree that they should fix the problem.

The whole issue of this traffic would make for an interesting read in 
the technology page of The Press, would it not?

-- 
CS
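
The iptables rule suggested in the thread, as an added example that is not part of the original messages: it matches only UDP from 172.20.18.55 with source port 67, so replies from any other DHCP server and non-BOOTP traffic from that host are still seen and logged. The interface name eth0, the function names and the log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example; interface name and log lines are constructed, not from the thread.
NOISY_SRC="172.20.18.55"   # source address named in the thread's subject line
WAN_IF="eth0"              # assumption: name of the cable-facing interface

# Print (do not execute) the rule. "-I INPUT 1" places it ahead of any later
# LOG rule, so matching packets are dropped before they can be logged.
# Review the output, then run it as root.
bootp_drop_rule() {
    printf 'iptables -I INPUT 1 -i %s -p udp -s %s --sport 67 -j DROP\n' \
        "$WAN_IF" "$NOISY_SRC"
}

# Constructed, abbreviated firewall log lines in the netfilter LOG style.
sample_log() {
cat <<'EOF'
Feb 28 03:10:01 fw kernel: IN=eth0 OUT= SRC=172.20.18.55 DST=255.255.255.255 LEN=328 PROTO=UDP SPT=67 DPT=68
Feb 28 03:10:02 fw kernel: IN=eth0 OUT= SRC=172.20.18.55 DST=255.255.255.255 LEN=328 PROTO=UDP SPT=67 DPT=68
Feb 28 03:10:05 fw kernel: IN=eth0 OUT= SRC=10.0.0.1 DST=255.255.255.255 LEN=328 PROTO=UDP SPT=67 DPT=68
Feb 28 03:10:09 fw kernel: IN=eth0 OUT= SRC=172.20.18.55 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=4000 DPT=22
EOF
}

# Count the log lines (read from stdin) that the rule would have silenced.
# Fields are compared exactly, so 172.20.18.55 cannot match a longer address.
count_silenced() {
    awk -v ifc="IN=$WAN_IF" -v src="SRC=$NOISY_SRC" '
        { i = s = u = p = 0
          for (n = 1; n <= NF; n++) {
              if ($n == ifc) i = 1
              if ($n == src) s = 1
              if ($n == "PROTO=UDP") u = 1
              if ($n == "SPT=67") p = 1
          }
          if (i && s && u && p) c++ }
        END { print c + 0 }'
}

bootp_drop_rule
echo "sample entries the rule would silence: $(sample_log | count_silenced)"
```

Of the four sample entries, the reply from the other DHCP server and the TCP connection from 172.20.18.55 do not match the rule and stay visible in the log.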
