Hi, I’m looking for a little network help. On the morning of Thursday April 21, before turning on my computer, I noticed the activity light on my Motorola SB5100 modem and the WAN (Internet) light on my Asus router flashing constantly. Checking the Traffic Monitor on the router, I could see 3-5 KB/s of incoming traffic, none of which was making it to my computer. This has been happening 24/7 since Thursday.
I called Rogers and was told the flashing was normal but my modem (which I own) was very old and it had likely failed. I have a friend on the other side of town with a similar modem, so I asked him to check his and it is doing the same thing.
This morning I removed the router and connected my computer directly to the modem. When the computer was booted the modem flashing started again. I ran Wireshark and did a quick capture which showed I was getting 40-50 ARP requests per second.
They are all similar to this, each one with different seemingly random IPs:
Source Dest Prot Size Info
Casa_91:68:1F Broadcast ARP 60 Who has 184.108.40.206? Tell 220.127.116.11
I’m wondering if it has anything to do with Rogers' implementation of IPv6. Maybe trying to assign an IPv6 IP to an IPv4 only device.
Any help would be appreciated.
@Gdkitty and All;
I'm in touch with different support groups and I'll update the Community as more information becomes available.
Maybe it's that the Rogers D3 ones are on an 'exclude' list sort of thing..
@Jelllo has CGN3 modem and it is able to see those requests as well. So D3s are not excluded either. It seems like only some of the modems are responding to those requests.
Edited Post : Update
The visible ARP broadcasts are due to our network migrating from "Cisco CMTS" to "Casa CMTS". The broadcasts have zero operational impact on the modems. In technical terms, when traffic comes from the Internet destined to a particular modem, we need to find the MAC address for that modem. In Cisco world, the CMTS would ask the DHCP server first for that information. In Casa world, the modem's IP is checked first before querying the DHCP server. So these ARP requests would be expected behaviour with the Casa systems.
As for the Internet data usage, the traffic which originates or terminates to a specific MAC address is counted as Internet usage. In the case of these ARP requests, the traffic does not originate or is not destined to a customer modem and therefore does not count towards Internet usage.
Thank you for the very interesting post. Did the Internet work when you bypassed the router? I mean, were you able to browse the Internet on the PC which was connected directly to the modem?
I believe that even after the whole Rogers network becomes IPv6 ready, IPv4 devices will still be allocated IPv4 IPs. The 24 dot IP address seems to be from Time Warner Cable; were you downloading some file from them?
Yes, I was able to use the Internet with or without the router.
No, I was not downloading anything from Time Warner (never have).
My initial concern was the extra usage. I now have a 4KB/s download overhead 24/7. If you do the simple math that adds up to around 10GB per month (4,000x60x60x24x30). Since I'm on a 60GB usage plan, I'm not happy if I'm losing 10GB. My plan was to keep comparing my computer usage (monitored locally) with the numbers on MyRogers, but the data on MyRogers has not been updated since this started.
I'll continue to monitor. Remember my friend at the other end of town is experiencing the exact same issue.
I'll try to insert an image of a small (less than a second) capture.
This might be a case of a bot running somewhere, possibly on the Rogers network itself. Did you report this to Rogers previously? If not, and it's still running, @RogersMoin should be able to phone the NOC and have them attempt to track it down as it's hitting more than one customer on the Rogers network. In any event I would probably report this to Tech support, although you would probably have to speak with a Tier 2 tech as I'm not sure that a Tier 1 tech would understand what this is all about. Have the incident recorded on file. From there, call customer service, and look to have some statement recorded on file to the effect that your IP address is being bombarded with ARP requests (as indicated by the Tech statement), which puts you in a position of breaking through your monthly cap due to no fault of yours. That will hopefully provide some protection from any additional charges that might arise.
The screen capture shows as if some service is mapping IPv4 IPs and MAC addresses. It could be visible on IPv4 devices. The image was not approved for security reasons, however, I'll notify the appropriate department.
PS: Thank you @Datalink
My guess would be a bot possibly running on a corrupted router or modem somewhere. The source address doesn't make sense to me, "Casa_91:68:1F" given that the request is for an IPv4 address. Maybe someone with better knowledge of IP addressing can figure this out. @RogersMoin I suspect that you would need @LF1949's IP address in order for the NOC to start tracing this.
Thanks Moin and Datalink,
Glad you can see that the issue is not confined to the 24.xxx.xxx.xxx IP.
When I contacted Rogers Internet Tech Support on the 21st, I knew I wasn't talking to the right department. Hopefully Moin's contact will be someone who understands the issue.
From what I've read they call this an "ARP Broadcast Flood or Storm".
Other than the extra overhead, my system is working normally.
Just a quick follow-up. I got some information from another forum that might make sense. I'm told the CMTS (Cable Modem Termination System) sends out ARP requests but most are usually filtered out. The source address of the requests is "Casa_91:68:1F" which made no sense until I discovered Casa Systems is a networking hardware supplier like Cisco and Arris. My guess now is that when Rogers implemented IPv6 in this area, the CMTS (maybe made by Casa) configuration was changed and they are no longer filtering the ARP requests.
Since I'm on a low usage package (60G) I am still trying to determine if this overhead is being added to my usage. I can monitor my usage at my computer and was planning on confirming it with the MyRogers numbers, but the online usage summary has not been updated since April 20th (5 days). I reported that to Rogers billing this morning who were unaware of any problem. Maybe Moin can look into this as well.
I appreciate you posting the findings, I believe your guess is correct though I'll update the thread once I get the response from the NOC department.
As for the usage not getting updated, I can have that investigated for you. I've sent a private message, please check your Inbox, thank you.
You can use Wireshark to see the source address. As this issue is also happening with me I found it is coming from 18.104.22.168. Must be some new equipment they installed from http://www.casa-systems.com/product-cable.html
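Added example, not part of any post in this thread: a small Python tally that decodes raw Ethernet frames and reports, per sender MAC, how many broadcast ARP who-has requests arrive per second, how many bytes per second they cost, and whether any of them ask for your own address. The sample frames, the `02:00:00` MAC prefix, the documentation-range IPs and `my_ip` are constructed for illustration; only the `91:68:1F` suffix and the 60-byte frame size come from the capture described above.

```python
import struct
from collections import defaultdict

BROADCAST = b"\xff" * 6

def parse_arp(frame):
    """Decode an Ethernet/IPv4 ARP frame; return None for anything else."""
    if len(frame) < 42:                      # 14-byte Ethernet + 28-byte ARP
        return None
    dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:                  # not ARP
        return None
    htype, ptype, hlen, plen, oper, sha, _spa, _tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"broadcast": dst == BROADCAST, "request": oper == 1,
            "sender_mac": sha.hex(":"),
            "target_ip": ".".join(map(str, tpa)), "size": len(frame)}

def summarize(frames, seconds, my_ip):
    """Per-sender totals for broadcast ARP requests seen in a capture."""
    stats = defaultdict(lambda: {"requests": 0, "bytes": 0,
                                 "targets": set(), "for_me": 0})
    for frame in frames:
        arp = parse_arp(frame)
        if not arp or not (arp["broadcast"] and arp["request"]):
            continue
        s = stats[arp["sender_mac"]]
        s["requests"] += 1
        s["bytes"] += arp["size"]
        s["targets"].add(arp["target_ip"])
        s["for_me"] += arp["target_ip"] == my_ip   # requests for our own IP
    return {mac: {"per_second": s["requests"] / seconds,
                  "bytes_per_second": s["bytes"] / seconds,
                  "distinct_targets": len(s["targets"]),
                  "for_me": s["for_me"]} for mac, s in stats.items()}

def build_request(sender_mac, sender_ip, target_ip):
    """Constructed sample: a who-has frame padded to 60 bytes."""
    eth = BROADCAST + sender_mac + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1, sender_mac,
                      bytes(sender_ip), bytes(6), bytes(target_ip))
    return (eth + arp).ljust(60, b"\x00")

# Constructed capture: 45 requests in one second, each for a different address.
CMTS_MAC = bytes.fromhex("02000091681f")
SAMPLE = [build_request(CMTS_MAC, (192, 0, 2, 1), (198, 51, 100, i))
          for i in range(1, 46)]
SAMPLE.append(b"\x00" * 12 + b"\x08\x00" + b"\x00" * 46)  # non-ARP, ignored

if __name__ == "__main__":
    print(summarize(SAMPLE, seconds=1.0, my_ip="203.0.113.7"))
```

A single sender MAC asking for many distinct addresses, none of them yours, matches the broadcast pattern discussed in the thread; frames exported from a real capture can be passed to `summarize` in place of `SAMPLE`.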