Weird subnets appearing on my LAN

MAC_AddyMAC_Addy Member Posts: 1,740 ■■■■□□□□□□
So, over the past few days my internet has been awful. I am a Cox communications customer - I called them after reviewing my firewall logs (appeared I was getting attacked - lots and lots of packets were being blocked. More than usual). Anyway, they ended up saying they couldn't do a thing about it and that I had to get in touch with the manufacturer of the device. The reason for checking my router is because my wife is a stay-at-home mom and was watching netflix while my son was taking a nap. She couldn't even watch a movie/tv show without it disconnecting constantly.

All I wanted them to do was change my WAN IP address. Since I'm not a business customer they told me that they couldn't release my IP address from my modem and let it grab a new IP. I understand that, sort of. However, I had them reset my modem and the attacks stopped after a while.

Now - this is the weirdest part. I have my local subnet for my home on Just your average local subnet. When I looked on my logs it shows trying to reach my router. So I start looking around at my devices since I used to use a subnet for my local subnet. I did a IP scan on, and 201 host were alive... WTF? I start doing more searching and found that was searchable with hosts alive. Although, I tried to get to each device, but it wouldn't let me. There were more subnets available for me to search, but you get the gist.

Anyone else ever heard of this or seen this happen?
2017 Certification Goals:


  • Options
    TechGuru80TechGuru80 Member Posts: 1,539 ■■■■■■□□□□
    Check for malware/root kits trying to call "home". 10.x.x.x is obviously internal and coming from a live device.
  • Options
    iBrokeITiBrokeIT Member Posts: 1,318 ■■■■■■■■■□
    What type of modem do you have from Cox? Is it just modem or a modem/router/wireless gateway? If it is just a modem you can log into your router and change the MAC address which should assign it a new IP address.

    Which side of the modem is the 10.x.x.x traffic coming from? (internal or external).
    2019: GPEN | GCFE | GXPN | GICSP | CySA+ 
    2020: GCIP | GCIA 
    2021: GRID | GDSA | Pentest+ 
    2022: GMON | GDAT
    2023: GREM  | GSE | GCFA

    WGU BS IT-NA | SANS Grad Cert: PT&EH | SANS Grad Cert: ICS Security | SANS Grad Cert: Cyber Defense Ops SANS Grad Cert: Incident Response
  • Options
    MAC_AddyMAC_Addy Member Posts: 1,740 ■■■■□□□□□□
    I did check for malware by running SUPERAnti Spyware and Malware bytes. Nothing came up. My PC is the only Windows machine on the network. The rest are iPhones, iPads, MBP, and iMac - they were all turned off to eliminate any possibilities.

    The modem is an actual modem and it looks like Cox were able to change the IP address. Unfortunately I cannot tell which side of the modem it's coming from. Although, it looks and appears it's internal. When I do a trace route it comes up like this...

    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation. All rights reserved.


    Pinging with 32 bytes of data:
    Reply from bytes=32 time=35ms TTL=253

    Ping statistics for
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 35ms, Maximum = 35ms, Average = 35ms

    Tracing route to over a maximum of 30 hops

    1 <1 ms <1 ms <1 ms router.asus.com []
    2 22 ms 21 ms 34 ms
    3 49 ms 31 ms 24 ms

    Trace complete.

    2017 Certification Goals:
    CCNP R/S
  • Options
    Dieg0MDieg0M Member Posts: 861
    Use nmap and check what those systems are. Looks like a bridged card running VM's to me.
    Follow my CCDE journey at www.routingnull0.com
  • Options
    wastedtimewastedtime Member Posts: 586 ■■■■□□□□□□
    I would say it is nothing to be alarmed about. I am not an expert on Docsis networks but from what I can tell your cable modem is the one that provided the packet and the scan you did was scanning Cox's network. It would be the network local to your neighborhood consisting of the local cable modems. Now why you would be seeing packets from there I'm not sure. What is your asus router's public IP? Also, I would recommend not heavily scanning as Cox may not like that.
  • Options
    Jon_CiscoJon_Cisco Member Posts: 1,772 ■■■■■■■■□□
    Maybe try isolating the problem. Show wifi devices. Disconnect wifi.
    A lot of firewalls show connected devices. Anything there?
    Disconnect cable and repeat the pings.

    I don't know what the problem was but I know we had a malfunctioning NIC card in our shop once and it produced a crazy number of 10... address. Went away when we switched the nic card.
Sign In or Register to comment.