Hello,

I recently moved to Asia and am having some severe problems with my ISP, which they apparently are unable to solve, so I decided to investigate on my own. My connection is DSL and my ISP uses DHCP without authentication or MAC registration (as an aside, in my personal experience, this is a management and security disaster).

My subnet is x.y.128.0/17 (255.255.128.0 netmask), my gateway being x.y.128.1. For the purpose of the scan, I am not behind my usual home router.

The first thing I do not get is their network topology. Every host I nmap in my subnet is showing the same MAC address: apparently the one of the gateway. The Zenmap topology output shows a perfect star with... me (localhost) in the center... For example:

with the MAC address always the same as that of x.y.128.1, the gateway, but the gateway's IP not showing in the route.

When I scan further, every host is showing different open ports and different OSes though, so they seem to all be real live hosts. For example:

... again always with the same MAC address.

Now the problem I have is that starting from about 10AM to 7PM, I hardly can access the internet. I have found by running tcpdump and looking at the output that at these times there are packet floods at my interface, which vary from SYN, SYN/ACK and UDP packets. However these packets have a source and destination IP distinct from mine. Mostly they are SYN packets aimed at port 445 or SYN/ACK packets aimed at port 7170 and often the same IPs are involved. The source MAC is always the usual 00:21:A0:a:b:c, but the destination MAC is also not mine!! So I have no idea how and why these packets make it to my interface to start with!? All I can think of is that they have some crossed wires or short circuits in their junction boxes!

I scanned the source and destination hosts most often mentioned in the SYN/ACK flood and here is what I got:

Any idea, thought or  insight from people more experienced than I am would be most welcome.

Yes for the purpose of this scan I did connect my scanning box straight to the internet. One of the reasons is that I was interested in neighbouring MAC addresses, which I can only get at if  my scan box is directly on the same subnet as the machines of interest. In this config my scan box is the only host at home connected to the net, through my dsl modem configured as a bridge (not a router or DHCP server). In my normal setup, I have a Linksys router loaded with dd-wrt sitting between the modem and my local home network.

Yes the scan box does get a public IP (from the ISP's DHCP server) in the x.y.128.0/17 subnet mentioned in OP. To be clear here is what the vlan2 of my dd-wrt router looks like, and my scan box eth0 looks the same when it is connected directly:


I did not do the nmap scan with a different computer, however I did the tcpdump with both my scan box and also from the command line of my dd-wrt Linksys router. Results are the same: SYN, SYN/ACK or UDP packet flood with src and dst IP's and MAC's having nothing to do with me. See http://imageshack.us/photo/my-images/37/tcpdump.png/, screenshot of the pcap file in wireshark. It goes on like that for hours. In the packet flood, the MAC address of the dst machine is 00:23:69:a:b:c, but if I nmap that IP, it resolves again to 00:21:a0:d:e:f, just as every other IP on the subnet.

Outside the hours mentioned in OP, traffic is as normal: next to zero bandwidth when my computer is idle, and then I only see normal packets meant for my IP/MAC (or from my IP/MAC) at the interface.

I even tried to change the dsl modem for a different model and brand, same result. This thing only started happening when I came back from holiday one week ago. Before that everything was more or less normal apart from occasional intermittent connectivity issues and sluggish connection at rush hours.

Whichever way, I may lack experience but I can't understand how I can be only a single hop away from every host on the subnet, and how every IP on the subnet resolves to a single MAC!? Is this normal??

First, let's break down how you are a single hop away from everyone else on your network, then I will try to explain to you why no username/auth is not necessarily the end of days.

When you connect to your provider, just like everyone else you're likely connected to a DSLAM unless I misread a) DSL and or b) your provider is doing something strange. A DSLAM is nothing more than a layer 2 switch. It does no routing that is handled by BRAS (remote access servers).

Topology:


With the topology out of the way, take note you're in a similar set-up to a LAN. In this case, its a MAN/WAN depending on your ISP. What you're likely seeing is multicasted garbage. Networks talk a lot and often you'll see things that don't make sense (tons of ports opened, etc.) If you needed/wanted to you could put a tap to really figure out what is going on but depending on your TOS/SLA and legal bindings where you're located, you may or may not be able to do so. In order to TRULY see what it going on outside of the garbage you're seeing, a tap on a DSL environment would be configured as follows:


Your tap would be positioned at your dropoff before it interconnects with your home/apartment, etc. Neither here nor there, but you asked.

So in your initial comment: "My connection is DSL and my ISP uses DHCP without authentication or MAC registration (as an aside, in my personal experience, this is a management and security disaster)." Your personal experience and your understanding of what is going on are two different things. You "assume" there is no authentication going on.

Most ISPs that provide DSL will likely be using RADIUS for authentication (some *might* use DIAMETER). Some use PPP, some PPPoE and so on and so forth. RADIUS does not transmit passwords but hashes. It is likely that your provider is authenticating based on perhaps your CALLERID, your line card porton the DSLAM, modem identifier other than MAC, a hashed MAC, and or any combination of those. That information will be stored in RADIUS AVP types 1 and 2 however, you would never see that information clear text as its hashed. Could be an MD5 hash, SHA hash, could be just a hexcode hash.

Now on to your original problem: "starting from about 10AM to 7PM, I hardly can access the internet." This sounds like you're on a DSLAM that is oversubscribed. Period. Golf ball through the water hose effect. Nothing more, nothing less, nothing sinister. Depending on where in ASIA you are, you might also go through extreme filtering (Great Firewall). Think about the topology I explained (DSLAM) you're on a switch nothing more that connects elsewhere. WHAT that connects to is what's important. For example, imagine the following:


A DS3 will only get you 44.(5-7)Mb. If your provider didn't properly allocate/traffic shape those line cards, one person could be monopolizing the bandwidth OR, if they have too many people on the DSLAM, they're saturating it. If your provider states your download speed should be say 5Mb, then that should be your speed. However, you have to factor how many people would be told the same: "Well give you 5Mb downloads and 1.5 uploads" now they place 10 people on the circuit and when in use, traffic s 50Mb, much more than a 44Mb connection can handle.

When providers initially shaped/diagrammed many of these services (DSL in the 90s), the thinking was that no one would be online 24x7x365. Nowadays people don't shut down their networks/equipment. So if they filled up their DSLAM and circuit, you're screwed. Nothing nefarious about what you mentioned. Just seems like your provider is hosed.

I just tracerouted one of the most common target IP's of the packet flood while there was no flood at my interface, and I got some pretty crazy result:
112.201.130.84


I also tracerouted it earlier on while the flood was on at my interface, and I found my own IP in the route several times as well. Forgot to save the output though.

I don't know could it be that someone or some virus on the subnet is playing around and poisoning the arp cache of their router or whatever?

What do ISP's do to prevent this kind of attack if everyone is on the same giant switch (DSLAM)? I mean here they cannot be using static arp entries since they do not force the users to register their MAC, right?

One more thing and then I'll shut up.

I mentioned in another thread I'm reading up on wireless lan controllers because that's what companies seem to want WLAN engineers to know. Cisco uses LWAPP and now CAPWAP. I wanted to see what my new favorite product (UBNT's Unifi) uses- capwap or lwapp.

It turns out it's neither- it uses TR-069...the same protocol that DSL modems use. AHHHH! So now after I read these thousand pages from Cisco, I have to read up on yet-another-protocol (in addition to doing the SWSE at the same time and working with the networksims stuff and a full time job).

I'm already seeing crosseyed but I gotta admit, I'm an info junkie and it is a lot of fun....complicated as hell but a lotta fun. Oh yeah, maybe then I'll get to the VMware security course I won.

Anyway bob, maybe this will help.
http://www.breakingpointsystems.com/community/blog/protocol-reverse-engineering-with-the-breakingpoint-storm-ctm-custom-application-toolkit/