[nSLUG] Eastlink cable modem access

Aaron Spanik a.spanik at ns.sympatico.ca
Thu Jan 31 19:41:05 AST 2008


On Thu, 31 Jan 2008 13:40:32 -0400
"Matt Chamberlain" <chamberlain2007 at gmail.com> wrote:

> That would be quite unlikely.  Since the 10.x.x.x addresses are served by
> your router, they will give you correct DNS servers.  You shouldn't have a
> problem.
> 
> On Thu, Jan 31, 2008 at 1:38 PM, Gerald <linux at zdoit.airpost.net> wrote:
> 
> > Matt,
> >
> > I forgot to say: Is there a problem that my IP addresses are sometimes
> > issued by the 10.6.x.x address? My concern is it will give me a bad DNS
> > server which in turn will give me the wrong IP addresses for some
> > popular sites such as Paypal and my bank.
> >
> > Matt Chamberlain wrote:
> > > Well I'm not too clear what your issue is, but any 24.x.x.x address is
> > > likely to be Eastlink, or another web site. 10.x.x.x is going to be a
> > > local address.
> > >
> > >     On Thu, Jan 31, 2008 at 1:27 PM, Gerald <linux at zdoit.airpost.net> wrote:
> > >
> > >     I'm sorry it was not clear before the problem is the IP address of
> > the
> > >     DHCP server that is issuing my address, not with the address I
> > receive.
> > >
> > >     The IP address I am getting is a valid Eastlink address. The IP
> > address
> > >     issued is the same from both DHCP servers. No problems with getting
> > >     anywhere on the Internet.
> > >
> > >     I looked at my logs where I sometimes see:
> > >
> > >     Jan 28 16:22:21 x dhclient: DHCPREQUEST on eth0 to 24.x.x.x port 67
> > >     Jan 28 16:22:25 x dhclient: DHCPREQUEST on eth0 to 24.x.x.x port 67
> > >     Jan 28 16:22:25 x dhclient: DHCPACK from 24.x.x.x
> > >     Jan 28 16:22:25 x dhclient: bound to 24.y.y.y -- renewal in 68428
> > >     seconds.
> > >
> > >     And sometimes something similar to:
> > >
> > >     Jan 30 17:24:52 x dhclient: DHCPREQUEST on eth0 to 255.255.255.255 port 67
> > >     Jan 30 17:24:57 x dhclient: DHCPREQUEST on eth0 to 255.255.255.255 port 67
> > >     Jan 30 17:24:57 x dhclient: DHCPACK from 10.6.z.z
> > >     Jan 30 17:24:57 x NET: /sbin/dhclient-script : updated /etc/resolv.conf
> > >     Jan 30 17:24:57 x dhclient: bound to 24.y.y.y -- renewal in 78329
> > >     seconds.
> > >
> > >     Jon wrote:
> > >      > A 10.6.x.x is a private network much like a 192.168 network. It
> > is
> > >      > unroutable which means that any packet on the Internet to or from
> > >     a 10.
> > >      > IP will be dropped. So, Matt is correct in that you are getting
> > an IP
> > >      > address from device which is issuing private IPs (and performing
> > >     NAT if
> > >      > you are able to get out onto the internet) and that is almost
> > >     always a
> > >      > router.
> > >      >
> > >      > While I'm relatively new to NS, I can't see a cable modem issuing
> > >     IPs.
> > >      > Assuming you can reach the outside world, try to traceroute
> > >      > something like google.com and see what you get. That should
> > >      > illuminate some of your internal network routing.
> > >      >
> > >      > Jon
> > >      >
> > >      >
> > >      >
> > >      > On Jan 31, 2008 12:36 PM, Matt Chamberlain
> > >      > <chamberlain2007 at gmail.com> wrote:
> > >      >
> > >      >     Have you started using a router? 10.x.x.x is often associated
> > >     with
> > >      >     routers, I believe.
> > >      >
> > >      >     On Thu, Jan 31, 2008 at 12:34 PM, Gerald
> > >      >     <linux at zdoit.airpost.net> wrote:
> > >      >
> > >      >         How do I tell if a 10.6.x.x IP address is my Eastlink
> > >     cable modem?
> > >      >
> > >      >         My DHCP addresses now seem to be issued by that instead
> > >     of the
> > >      >         222.x.x.x
> > >      >         address.
> > >
> > >     --
> > >     Gerald
> >

What an interesting situation this all is, starting with a hijack of a
perfectly good thread, continuing with top post after top post, and
rounded out with a smattering of incomplete information and
speculation.  Hooray for teh Intarnets!!1!!!

It has been a while since I've been on Eastlink, but it strikes me that
Eastlink modems (the Motorola ones, anyway) generally have at least two
addresses; if I recall correctly, there's one that's something like
192.168.100.1 which you can reach via HTTP (http://192.168.100.1) from a
computer behind it.  The interface you see there will show you
information about the coaxial interface that generally, also if I recall
correctly, falls in a 10.x.x.x network.

Suffice it to say that there's almost certainly a large private network
to which all Eastlink cable modems and equipment belong and to which you
cannot normally communicate, mostly because the modem is likely
configured to drop most or all traffic to that network that happens to
come in on the internal side. It is perfectly normal (necessary, even)
for a Cable ISP to have such a large private network so that it can keep
track of and communicate directly with each of the cable modems on the
network, as well as for doing handy things like dealing with DHCP
traffic from devices that don't already have an IP.

From what you've said, either you're concerned about the DHCP that your
Linux-based router is getting, or you're worried about the DHCP you're
getting and it's not coming from your router.  In either case, that
means that the DHCP you are worried about is not being served by any
equipment on your network, so it must be hitting, and, judging by the
fact that you're getting a response, passing, in one form or another,
your cable modem.

Now, regardless of whether you're sending unicast DHCP REQUEST packets
to a particular server in order to renew your lease on an existing IP
address or whether you're sending broadcast DHCP REQUEST packets, you're
sending them to Eastlink's network, NOT the Internet.  The chances of
someone being able to light up a rogue DHCP server on Eastlink's
network and serve you poisoned DNS Servers is slim enough to bring a
smile to my face just thinking about it.  The chance of your DHCP
packet finding its way out of Eastlink's network onto the Internet at
large where some other Internet-facing rogue DHCP server is responding
to it and somehow getting a DHCP OFFER packet back to you which will not
only provide you a valid address for your provisioning on Eastlink's
network, but will also pass you poisoned DNS information is, well,
completely absurd.

The only other possibility is that someone has lit a rogue DHCP server
on your network behind your cable modem or behind your router.  This
would also seem unlikely, but is theoretically possible.  Do you run
wireless?  Are there any strange cars in your neighborhood that haven't
moved in days?  Any signs that someone has broken into your house and
installed a small computer system?  Do you get along with your
neighbors?  Ping, traceroute, and your arp tables will likely rule this
out.

More likely, however, is that the reason you're seeing that 10.6.x.x
address in your logs is because that's the interface on Eastlink's DHCP
server that sees broadcast traffic.  Notice that the unicast lease
renew request went to (and was answered by a) 24.x.x.x address and
that the broadcast lease request went to 255.255.255.255 and was
answered by 10.6.z.z.  Those are most likely two interfaces on the same
machine. The two networks in question share transport (i.e. Eastlink's
cable modem network), but broadcast defaults to the 10. network.

Many modern DHCP implementations (dhcpcd comes with my distro, but I'm
sure dhclient is similar) log all of the relevant DHCP information for
your connection.  The manpage I've seen for dhclient suggests that it
might be in /var/state/dhcp/dhclient.leases.  dhcpcd
uses /var/lib/dhcpcd/dhcpcd-<interface>.info.  Note if there's a SIADDR
(or DHCPSIADDR) parameter as that will tell you what address your
system will next send a DHCP REQUEST to in order to renew the lease
(which implies, of course, that it doesn't necessarily have to be the
same address that you got the lease from this time). Note also if
there's a SNAME/DHCPSNAME, which is the hostname of the DHCP server.
You might find it's the same regardless of whether the response came
from 10.6.z.z or 24.x.x.x (although in general, it's not set).

In short, I suspect you have nothing to worry about except the
possibility that you might be slightly more paranoid than the rest of
us.

Hope this helps,

/a

-- 
Aaron Spanik
a.spanik at ns.sympatico.ca
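Added example (not part of the original thread or of any dhclient/dhcpcd code): a small Python audit that does the two checks Aaron describes, grouping the dhclient syslog lines into unicast-vs-broadcast exchanges and reading the server identifier and resolver list out of each block of an ISC-style dhclient.leases file. All addresses, the sample log lines and the lease blocks are constructed stand-ins for the x/y/z placeholders in the thread; the report keys (`servers_seen`, `resolvers_changed`, and so on) are this example's own naming. The defender's question it answers is the one Gerald actually raised: not "which interface answered me" but "did any lease hand me a different set of DNS servers".

```python
import ipaddress
import re

# Constructed sample, modelled on the syslog excerpt quoted in the thread.
SAMPLE_SYSLOG = """\
Jan 28 16:22:21 x dhclient: DHCPREQUEST on eth0 to 24.0.2.1 port 67
Jan 28 16:22:25 x dhclient: DHCPREQUEST on eth0 to 24.0.2.1 port 67
Jan 28 16:22:25 x dhclient: DHCPACK from 24.0.2.1
Jan 28 16:22:25 x dhclient: bound to 24.0.2.77 -- renewal in 68428 seconds.
Jan 30 17:24:52 x dhclient: DHCPREQUEST on eth0 to 255.255.255.255 port 67
Jan 30 17:24:57 x dhclient: DHCPREQUEST on eth0 to 255.255.255.255 port 67
Jan 30 17:24:57 x dhclient: DHCPACK from 10.6.0.1
Jan 30 17:24:57 x NET: /sbin/dhclient-script : updated /etc/resolv.conf
Jan 30 17:24:57 x dhclient: bound to 24.0.2.77 -- renewal in 78329 seconds.
"""

# Constructed dhclient.leases content: one lease per ACK above, same address,
# same resolvers, but a different dhcp-server-identifier each time.
SAMPLE_LEASES = """\
lease {
  interface "eth0";
  fixed-address 24.0.2.77;
  option subnet-mask 255.255.252.0;
  option routers 24.0.2.1;
  option dhcp-lease-time 86400;
  option domain-name-servers 24.0.3.53,24.0.3.54;
  option dhcp-server-identifier 24.0.2.1;
  renew 2 2008/01/29 11:22:21;
  rebind 3 2008/01/30 03:22:21;
  expire 3 2008/01/30 06:22:21;
}
lease {
  interface "eth0";
  fixed-address 24.0.2.77;
  option subnet-mask 255.255.252.0;
  option routers 24.0.2.1;
  option dhcp-lease-time 86400;
  option domain-name-servers 24.0.3.53,24.0.3.54;
  option dhcp-server-identifier 10.6.0.1;
  renew 4 2008/01/31 15:04:57;
  rebind 5 2008/02/01 07:04:57;
  expire 5 2008/02/01 10:04:57;
}
"""

REQ_RE = re.compile(r"dhclient: DHCPREQUEST on (\S+) to (\S+) port \d+")
ACK_RE = re.compile(r"dhclient: DHCPACK from (\S+)")
BOUND_RE = re.compile(r"dhclient: bound to (\S+) -- renewal in (\d+) seconds")


def parse_syslog(text):
    """Group dhclient lines into exchanges: a REQUEST (plus retries), its ACK, and the bind."""
    exchanges, current = [], None
    for line in text.splitlines():
        m = REQ_RE.search(line)
        if m:
            iface, target = m.groups()
            if current is None or "server" in current:   # a retry keeps the same exchange
                current = {"interface": iface}
                exchanges.append(current)
            current["target"] = target
            current["mode"] = "broadcast" if target == "255.255.255.255" else "unicast"
            continue
        m = ACK_RE.search(line)
        if m and current is not None:
            current["server"] = m.group(1)
            continue
        m = BOUND_RE.search(line)
        if m and current is not None:
            current["address"], current["renewal"] = m.group(1), int(m.group(2))
    return exchanges


def parse_leases(text):
    """Parse ISC dhclient.leases blocks into dicts; 'option ' prefixes are dropped from keys."""
    leases, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("lease {"):
            current = {}
        elif line == "}" and current is not None:
            leases.append(current)
            current = None
        elif current is not None and line.endswith(";"):
            body = line[:-1]
            if body.startswith("option "):
                body = body[len("option "):]
            key, _, value = body.partition(" ")
            current[key] = value.strip('"')
    return leases


def is_private(addr):
    """RFC 1918 and other non-routable space, as ipaddress classifies it."""
    return ipaddress.ip_address(addr).is_private


def audit(exchanges, leases):
    """Summarise who answered, from where, and whether the resolvers ever changed."""
    report = {
        "servers_seen": sorted({e["server"] for e in exchanges if "server" in e}),
        "broadcast_answered_from_private": sorted({
            e["server"] for e in exchanges
            if e.get("mode") == "broadcast" and "server" in e and is_private(e["server"])}),
        "unicast_answered_by_other_host": [
            (e["target"], e["server"]) for e in exchanges
            if e.get("mode") == "unicast" and "server" in e and e["server"] != e["target"]],
        "resolver_sets": sorted({l.get("domain-name-servers", "") for l in leases}),
        "lease_server_identifiers": sorted({l.get("dhcp-server-identifier", "") for l in leases}),
        "address_stable": len({l.get("fixed-address") for l in leases}) == 1,
    }
    report["resolvers_changed"] = len(report["resolver_sets"]) > 1
    return report


if __name__ == "__main__":
    for key, value in audit(parse_syslog(SAMPLE_SYSLOG), parse_leases(SAMPLE_LEASES)).items():
        print(f"{key}: {value}")
```

On a real box you would feed it the output of `grep dhclient /var/log/messages` and the contents of the leases file Aaron points at; an ISP-side 10.x server answering a broadcast while unicast renewals go to the public-side address, with the resolver list identical in every lease, is exactly the benign pattern described above, whereas `resolvers_changed` flipping to true is the one finding worth chasing.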
