Tuesday, December 11, 2007

RCN Cable Internet: Fun while it lasted



I knew I should have learned more about Cable when I was at Cisco (although I vaguely remember trolling EDCS for one of my projects so the CMTS acronym sounds familiar) but my 2nd attempt at using a Cable provider is coming to an end, anyway. After 10 months of nearly blip-free service (not bad for $29.95 a month) with RCN, things have gone to hell in the last week. God I miss Speakeasy, but a year after swearing never to give another dime to AT&T/SBC, I signed up for AT&T Yahoo DSL and even bought one of their little gateways so I don't have to muck with PPPoE (I hope) over the weekend just in case. I don't look forward to dealing with AT&T but what can you do? Maybe two shitty $29.95 Internet Services are better than a single decent $55/month service. And we'll actually have a land line for a change.

Although working as first-line support for a consumer Internet provider (even if you are offshore) must suck, it was a surreal experience dealing with them for 3 hours last night, but I did learn a little bit about these mysterious cable modems.

Toshiba Cable Modem Diagnostics Page

CM Info: MODEL PCX2500 ; HW_REV 9.2.3 ; SW_REV 1.0.14
MAC Address 00-00-39-xx-xx-xx SerialNO. 3316470xxx Version Capability D1.0

CmStatus:todEstablished ServerBootState:waitingForTftp
sysUptime:0d:00h:02m:15s CMTS MAC Address:00-30-B8-C6-EB-90
Last CmStatus - prior reset:

Power Level:
Received: -13.1 dBmV Transmitted: 45.1 dBmV

Received SNR: 28.0 dB

Frequency:
Downstream: 735.000 MHz Upstream: 33.000 MHz

User Set Parameter:
Polling Time: No Polling

So besides the high packet loss, on all my devices (2 routers and 2 different laptops) I kept getting leases for 192.168.100.2 (the tech support folks said it must be a configuration error on my end), which reminded me of the AirLink Cellular Modems we used in the SCADA Honeynet, where the modem itself has a DHCP server which temporarily assigns you a private address before forwarding your DHCP requests and then turning into bridge mode (or whatever), and then your interface finally gets a public address. So I unplugged the coax and sure enough I got a private address (192.168.100.1 was the router), did a quick TCP scan and found the web server up (see the display above). Didn't bother with UDP, would probably find TFTP and some other stuff. Of course one of the bizarre things was that at some point during all my troubleshooting I saw the 172.30.88.1 (the tech said this was also the Cable modem) attempting to ping a 208.x.x.x address. But I saw that on the Ethernet side? Something clearly must not have been well on the modem. And try as I could, I ended up hanging up, because there was obviously going to be no resolution.

2 comments:

Landon Lewis said...

What you were experiencing with the 192.168.100.2 and 100.1 addresses is what the cable modem defaults (or all of the modems I've had anyway) to when it cannot reach the node. You should get the same activity if you just unplugged the coax and waited for the DHCP client to time out on the modem. This is where a lot of people will upload their own firmware onto their surfboards so that they can modify their own settings or even spoof another modem. We had a recent IndySec meeting where someone did a proof of concept using his own modem.

I would always call and report that I wasn't receiving an address and ask if others in my area were having the same problem. Sometimes I was the only goon up at 3am noticing so no one else would call in. Instead of going through the normal moronic questions they ask you, I just tell them I'll call back later. Generally when I woke up the next morning, it was working with no hassles, etc.

Sometimes major issues like fiber cuts don't even get reported up to the first line tech support people. They do this so that the techs don't blame every small problem on the one small pinpointed outage.

With every provider I've had it's happened about once or twice a year depending on where I lived. It seemed to be a lot more frequent in highly populated areas like downtown where fiber cuts occur more frequently.

Matt Franz said...

Yeah, was sort of working (could at least get a lease) this morning -- except for the 40-50% packet loss.