Weird subnets appearing on my LAN
So, over the past few days my internet has been awful. I am a Cox Communications customer - I called them after reviewing my firewall logs (it appeared I was getting attacked - lots and lots of packets were being blocked, more than usual). Anyway, they ended up saying they couldn't do a thing about it and that I had to get in touch with the manufacturer of the device. The reason for checking my router is that my wife is a stay-at-home mom and was watching Netflix while my son was taking a nap. She couldn't even watch a movie/TV show without it disconnecting constantly.
All I wanted them to do was change my WAN IP address. Since I'm not a business customer they told me that they couldn't release my IP address from my modem and let it grab a new IP. I understand that, sort of. However, I had them reset my modem and the attacks stopped after a while.
Now - this is the weirdest part. I have my local subnet for my home on 192.168.50.0/24. Just your average local subnet. When I looked at my logs it showed 10.10.10.1 trying to reach my router. So I started looking around at my devices, since I used to use a 10.10.10.0/24 subnet for my local subnet. I did an IP scan on 10.10.10.0/24, and 201 hosts were alive... WTF? I did more searching and found that 10.10.1.0/24 was searchable with hosts alive, although when I tried to get to each device, it wouldn't let me. There were more subnets available for me to search, but you get the gist.
Anyone else ever heard of this or seen this happen?
2017 Certification Goals:
CCNP R/S
Comments
-
TechGuru80 Member Posts: 1,539
Check for malware/rootkits trying to call "home". 10.x.x.x is obviously internal and coming from a live device.
-
iBrokeIT Member Posts: 1,318
What type of modem do you have from Cox? Is it just a modem or a modem/router/wireless gateway? If it is just a modem you can log into your router and change the MAC address, which should assign it a new IP address.
Which side of the modem is the 10.x.x.x traffic coming from? (internal or external)
2019: GPEN | GCFE | GXPN | GICSP | CySA+
2020: GCIP | GCIA
2021: GRID | GDSA | Pentest+
2022: GMON | GDAT
2023: GREM | GSE | GCFA
WGU BS IT-NA | SANS Grad Cert: PT&EH | SANS Grad Cert: ICS Security | SANS Grad Cert: Cyber Defense Ops | SANS Grad Cert: Incident Response
-
MAC_Addy Member Posts: 1,740
I did check for malware by running SUPERAntiSpyware and Malwarebytes. Nothing came up. My PC is the only Windows machine on the network. The rest are iPhones, iPads, MBP, and iMac - they were all turned off to eliminate any possibilities.
The modem is an actual modem and it looks like Cox were able to change the IP address. Unfortunately I cannot tell which side of the modem it's coming from. Although, it looks and appears it's internal. When I do a trace route it comes up like this...
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\(removed)>ping 10.10.10.1
Pinging 10.10.10.1 with 32 bytes of data:
Reply from 10.10.10.1: bytes=32 time=35ms TTL=253
Ping statistics for 10.10.10.1:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 35ms, Maximum = 35ms, Average = 35ms
Control-C
^C
C:\Users\(removed)>tracert 10.10.10.1
Tracing route to 10.10.10.1 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms router.asus.com [192.168.50.1]
2 22 ms 21 ms 34 ms 10.10.0.1
3 49 ms 31 ms 24 ms 10.10.10.1
Trace complete.
C:\Users\(removed)>
2017 Certification Goals:
CCNP R/S
-
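As an added example (not code from the thread), this script reads the tracert and ping output quoted above, constructed here as sample input, and answers iBrokeIT's question about which side of the modem the 10.x traffic is on: a target reached at hop 3 behind the LAN gateway, with a reply TTL of 253, is routed rather than local, even though the address is RFC 1918 private.

```python
import ipaddress
import re
# Sample input constructed from the ping/tracert output quoted in the thread.
TRACERT_OUTPUT = """\
Tracing route to 10.10.10.1 over a maximum of 30 hops
  1    <1 ms    <1 ms    <1 ms  router.asus.com [192.168.50.1]
  2    22 ms    21 ms    34 ms  10.10.0.1
  3    49 ms    31 ms    24 ms  10.10.10.1
Trace complete."""
PING_REPLY = "Reply from 10.10.10.1: bytes=32 time=35ms TTL=253"
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

def parse_hops(text):
    """[(hop_number, ip_or_None)] from tracert output; timed-out hops give None."""
    hops = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s", line)
        if m:
            ips = re.findall(IPV4, line)
            hops.append((int(m.group(1)), ips[-1] if ips else None))
    return hops

def reply_ttl(ping_line):
    return int(re.search(r"TTL=(\d+)", ping_line).group(1))

def routers_crossed(ttl):
    """Routers that decremented the reply, assuming an initial TTL of 64, 128 or 255."""
    return min(v for v in (64, 128, 255) if v >= ttl) - ttl

def locate(target, lan_cidr, hops, ttl):
    """Decide whether target sits on the home LAN or beyond the gateway.
    'consistent' cross-checks the trace: a target at hop N should show
    N-1 TTL decrements on its echo reply."""
    lan = ipaddress.ip_network(lan_cidr)
    path = [ip for _, ip in hops]
    hop_no = path.index(target) + 1 if target in path else None
    result = {
        "in_lan_prefix": ipaddress.ip_address(target) in lan,
        "rfc1918": ipaddress.ip_address(target).is_private,  # private != local
        "hops_to_target": hop_no,
        "routers_crossed_by_reply": routers_crossed(ttl),
    }
    if hop_no == 1:
        result["verdict"] = "directly on the LAN segment"
    elif hop_no and path[0] and ipaddress.ip_address(path[0]) in lan:
        result["verdict"] = "beyond the home router, i.e. upstream on the ISP side"
    else:
        result["verdict"] = "unreachable or ambiguous path"
    result["consistent"] = hop_no is not None and hop_no - 1 == routers_crossed(ttl)
    return result
```

Running `locate("10.10.10.1", "192.168.50.0/24", parse_hops(TRACERT_OUTPUT), reply_ttl(PING_REPLY))` reports the target three hops out with two routers in between, matching the thread's conclusion that the 10.10.x.x hosts are on the provider side of the home router.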
Dieg0M Member Posts: 861
Use nmap and check what those systems are. Looks like a bridged card running VMs to me.
Follow my CCDE journey at www.routingnull0.com
-
wastedtime Member Posts: 586
I would say it is nothing to be alarmed about. I am not an expert on DOCSIS networks, but from what I can tell your cable modem is the one that provided the packet, and the scan you did was scanning Cox's network. It would be the network local to your neighborhood, consisting of the local cable modems. Now why you would be seeing packets from there I'm not sure. What is your Asus router's public IP? Also, I would recommend not heavily scanning, as Cox may not like that.
-
Jon_Cisco Member Posts: 1,772
Maybe try isolating the problem. Show wifi devices. Disconnect wifi.
A lot of firewalls show connected devices. Anything there?
Disconnect cable and repeat the pings.
I don't know what the problem was, but I know we had a malfunctioning NIC card in our shop once and it produced a crazy number of 10... addresses. It went away when we switched the NIC card.