Rogue Traffic

Yesterday I received the infamous "Comcast Customer Security Assurance Notice." I did the research on these emails and found that some people do receive them legitimately and some don't. For those of you who don't know what it is, here you go:

**********
Dear Comcast Subscriber:

ACTION REQUIRED: Comcast has determined that your computer(s) have been used to send unsolicited email ("spam"), which is generally an indicator of a virus. For your own protection and that of other Comcast customers, we have taken steps to prevent further transmission of spam from your computer(s).

Comcast.Net WebMail Users
If you use a web browser to access your email, this change will not affect your service. However, it is important that you take steps to remove the virus and secure your computer(s). This can be done by using the FREE McAfee Antivirus and Firewall software available from Comcast on the Comcast Security Channel or by using other popular antivirus solutions that are widely available.

Third-Party Mail Client Users (Outlook, Outlook Express, etc.)
If you use Outlook Express, the steps we have taken to protect the Comcast network will not allow you to send email until you apply a simple one click fix available at http://www.comcastsupport.com/alternateport. While this will restore your ability to send mail it is still important to remove any possible viruses from your computer. This can be done by using the McAfee Antivirus and Firewall software (offered to Comcast.net subscribers at no additional charge) available from Comcast on the Comcast Security Channel or by using other popular antivirus solutions that are widely available.

Note: this one click fix currently only works with Internet Explorer. If you use a different browser, please click here for steps to manually change your port.

If you are using a third-party client other than Outlook Express (Outlook, Eudora, Thunderbird, etc.), please click here for instructions.

Comcast is focused on providing a secure internet experience for all of our customers. Please visit the Comcast Security Channel regularly to stay up to date with the latest security threats, products, and services.
**********

If you do a Google search on these emails you will find what most people are dealing with.

Here is the deal, I don't use a local mail client to access email. I use Yahoo and my web based work email. I have one laptop currently connected to the network. Ironically enough I use the crappy McAfee software they suggest I use and also use MalwareBytes and SpyBot. All are up to date. I have run several scans and can't find anything.

I hooked up my sniffer (Wireshark) to my homemade network tap in several different locations and can't find any outbound traffic using port 25. However, I do notice continuous ARPs. I only monitored outbound traffic because there wasn't any inbound unless I requested a web page. Currently I have the tap between my cable modem and WRT300N. This is where I am noticing the ARPs. I did all the scans...nothing, so I turned off the laptop and disconnected it from the network completely. Still ARPing. So I figure there is a wireless device somewhere connected to my network. I use MAC filtering and WEP for security and realize this is minimal security at best. I also live out in the sticks (yup and still get Comcast. I was surprised too) so the chance someone is hacking my WEP key and MAC filtering are slim to none. Regardless, I turn off the radio on the WRT300N. STILL ARPing! What gives? The only computer like device in my house is the laptop I am using to sniff with and all it's radios are turned off.

Next, I did some tracerts to the addresses that are being ARPed (71.63.2.6, 68.57.54.93, etc). These are one hops to Comcast equipment.

At this point, I am completely stumped so I try to isolate the problem even more so I set up this topology.

cable modem>WRT300N>network tap>CAT 2950

Before I get the laptop hooked up again I am picking up the outbound ARPs.

I have no flippin idea what is going on. Could the WRT300N be messed up?

Someone please tell me I am just doing something stupid so I can ease my mind

One thing is for sure. My network is NOT sending out SPAM, but none the less I do have an ARPing problem.[/quote]

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

sprkymrk

Can you copy and paste a few of the arp packets you are seeing?

dtlokee

You are on a broadcast network along with all of your neighbors, it may be thir arp requests that you see.

nanga

just as a precaution set ur router to give out only a single IP address this will make sure no one else can get on ur network.

boostinbadger

I understand that I am on a broadcast network and I know of at least one neighbor that has it, but why would I see this traffic between the router and the switch. The router should keep the ARPs out. I tried the tap before and after the router and had the same result.

I am getting ready to leave work now. I will post some ARP packets up when I get home.

I would set the router to only hand out one address, but I do use other PCs. There is only one currently hooked up. I limit the number to five for the same reason you are suggesting to hand out one.

boostinbadger

I think I have it figured out. I took everything down and rewired it. I had the tap in the wrong location when I said it was between my router and switch and still getting ARPs. After I re-wired I only had STP traffic between the router and switch.

On another note, why would there be continuous ARPs from neighbors? Once the address is resolved, wouldn't the ARPs stop?

I didn't get a chance last evening to post the trace. I will try to get it up tonight.

sprkymrk

boostinbadger wrote:

On another note, why would there be continuous ARPs from neighbors? Once the address is resolved, wouldn't the ARPs stop?

Arp cache timeout, or they are not getting replies, so they keep asking.

dtlokee

Some viruses will use arp to find hosts that are alive, if they are continually incrementing on the network then that could be a source. Arp sweeps are reliable than ping sweeps because personal firewalls don't block them.

boostinbadger

I am in a location that I would "assume" doesn't have a lot of high speed subscribers. Comcast just recently made it out here. The ARPs are continuous but aren't streaming so fast across the screen that I can't see them.

I am just happy to see only STP traffic

dtlokee

If you are a relitively new customer it is possible that the traffic that is setting off their IPS and anomoly detectors is not yours, but due to the way their databases update is from another subscriber.

Can you telnet to a random mail server on port 25? They may not even be blocking your IP address.

miller811

Have you checked for viruses on your laptop, or other attached users on your network (via your router?). I set up mine with mac filtering to make sure only wired or authorized wireless clients could gain access.

I am a comcast user, and received a similar message approx two years ago. I have a home network, and it turned out my daughter's computer was infected. We were using some free anti-virus program and thought all was well. Ended up run kaspersky on-line virus scan to determine what the virus was and removed it. Her machine was taken over and was sending millions of spam e-mails.

Since we have comcast I have not loaded mcafee (free for comcast subscribers) on all devices in the house, and do have any issues. Probably not the best protection, but it is working for me.

boostinbadger

If you refer to my initial post I did do scans of various types and use MAC filtering and WEP. MAC filtering and WEP are methods of security, but are very easily compromised.

I guess what it comes down to is...I don't care if port 25 is blocked

I was just curious as to why I was seeing all those ARPs and it was because my tap was in the wrong place.

It would be nice to keep the tap between the modem and the router so I could see the wireless traffic, but then I have to deal with all the ARP traffic. This usually wouldn't be a problem but Wireshark craps out after so many packets.

I heard they have a new version of Wireshark now though. I should try it out and see if it still crashes after so many packets.