Strange traffic from my DSL router

 
 
Allen Weiner
Guest
Posts: n/a

 
      09-02-2008, 02:23 AM
My home computing setup consists of a single multiboot PC (primarily
running Fedora 9) and a Westell 6100-E90 DSL (wired) modem/router
(supplied by Verizon).

I've observed a bizarre pattern of packets being issued by the Westell
6100. Can someone here hazard a guess as to what the router is trying to do?

Roughly every 20 seconds the router issues an HTTP connection request to
Port 80 on my PC. The first request after boot logged by iptables in
/var/log/messages has a source port of 1032. The source port increases
by one for every subsequent request, e.g. 1197, 1198, 1199... Along with
each connection request, the router issues an NBNS NBSTAT packet
(NetBIOS), plus some other packets. This goes on continuously for as
long as the PC is up and regardless of whether I'm doing anything on the PC.

My observation of this traffic is based on the following evidence:

1. Viewing eth0 activity displayed by gkrellm

2. Daily logwatch report shows iptables trapping several thousand
packets to port 80 from 192.168.1.1

3. Viewing of iptables logging in /var/log/messages

4. I've captured snapshots of this activity using Wireshark

This activity happens every time I'm online, and has been going on ever
since I started using DSL 13 months ago.

I don't run a server. I have only a minimum set of Linux daemons
running. I run Fedora 99% of the time, but when I run Ubuntu on my
multiboot PC, gkrellm displays the same pattern of activity on eth0.
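An added example, not part of the original post: one way to confirm from the iptables log that traffic like this is timer-driven, by checking for near-constant intervals and source ports that step by one. The log lines are constructed and abbreviated, and the destination address, second host, `min_hits` and `jitter` thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample in abbreviated iptables LOG format (not the poster's real log).
SAMPLE_LOG = """\
Sep  1 20:00:03 fedora kernel: IN=eth0 OUT= SRC=192.168.1.1 DST=192.168.1.46 PROTO=TCP SPT=1197 DPT=80 SYN
Sep  1 20:00:05 fedora kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.46 PROTO=TCP SPT=40112 DPT=22 SYN
Sep  1 20:00:06 fedora kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.46 PROTO=TCP SPT=51877 DPT=22 SYN
Sep  1 20:00:23 fedora kernel: IN=eth0 OUT= SRC=192.168.1.1 DST=192.168.1.46 PROTO=TCP SPT=1198 DPT=80 SYN
Sep  1 20:00:44 fedora kernel: IN=eth0 OUT= SRC=192.168.1.1 DST=192.168.1.46 PROTO=TCP SPT=1199 DPT=80 SYN
Sep  1 20:01:03 fedora kernel: IN=eth0 OUT= SRC=192.168.1.1 DST=192.168.1.46 PROTO=TCP SPT=1200 DPT=80 SYN
Sep  1 20:01:23 fedora kernel: IN=eth0 OUT= SRC=192.168.1.1 DST=192.168.1.46 PROTO=TCP SPT=1201 DPT=80 SYN
Sep  1 20:03:40 fedora kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.46 PROTO=TCP SPT=33020 DPT=22 SYN
Sep  1 20:09:12 fedora kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.46 PROTO=TCP SPT=47551 DPT=22 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) .*?"
    r"PROTO=(?P<proto>\w+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)")

def parse(log, year=2008):
    """Group logged packets by (source IP, protocol, destination port)."""
    flows = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog omits the year, so the caller supplies it
            ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
            flows[(m["src"], m["proto"], int(m["dpt"]))].append((ts, int(m["spt"])))
    return flows

def periodic_probes(flows, min_hits=4, jitter=0.25):
    """Return (src, proto, dpt, period_s, sequential_ports) for clock-like flows."""
    found = []
    for (src, proto, dpt), hits in sorted(flows.items()):
        if len(hits) < min_hits:
            continue
        hits.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        steps = [b[1] - a[1] for a, b in zip(hits, hits[1:])]
        period = median(gaps)
        # Timer-driven traffic keeps every gap close to the median gap.
        if period > 0 and all(abs(g - period) <= jitter * period for g in gaps):
            found.append((src, proto, dpt, period, all(s == 1 for s in steps)))
    return found

if __name__ == "__main__":
    print(*periodic_probes(parse(SAMPLE_LOG)), sep="\n")
```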
 
 
 
 
 
Allen Kistler
Guest
Posts: n/a

 
      09-02-2008, 03:56 AM
Allen Weiner wrote:
> My home computing setup consists of a single multiboot PC (primarily
> running Fedora 9) and a Westell 6100-E90 DSL (wired) modem/router
> (supplied by Verizon).
>
> I've observed a bizarre pattern of packets being issued by the Westell
> 6100. Can someone here hazard a guess as to what the router is trying to
> do?
>
> Roughly every 20 seconds the router issues an HTTP connection request to
> Port 80 on my PC. The first request after boot logged by iptables in
> /var/log/messages has a source port of 1032. The source port increases
> by one for every subsequent request, e.g. 1197, 1198, 1199... Along with
> each connection request, the router issues an NBNS NBSTAT packet
> (NetBIOS), plus some other packets. This goes on continuously for as
> long as the PC is up and regardless of whether I'm doing anything on the
> PC.
>
> [snip]


My Efficient/Siemens 5100b (supplied by SBC/AT&T) does a similar thing.
It pings my PC every minute and attempts to connect on udp/137 (NBNS)
every hour. I allow the ping, but block the NBNS (although there's
nothing that would answer, anyway).

I figure the modem just wants to know the PC is still alive.

The udp source port numbers increase because each connection attempt is
a unique connection, and that's how ports work for just about any
protocol (although random is better).
 
 
Allen Weiner
Guest
Posts: n/a

 
      09-02-2008, 08:23 PM
Clifford Kite wrote:
> Allen Weiner <(E-Mail Removed)> wrote:
>> My home computing setup consists of a single multiboot PC (primarily
>> running Fedora 9) and a Westell 6100-E90 DSL (wired) modem/router
>> (supplied by Verizon).
>
>> I've observed a bizarre pattern of packets being issued by the Westell
>> 6100. Can someone here hazard a guess as to what the router is trying to do?
>
> I suspect that's the wrong question, the question should probably be
> "What's Verizon trying to do?" The answer to that is almost certainly
> "It's trying to detect any server you might be operating."
> ...
>
>> I don't run a server.
>
> And Verizon wants to make sure you don't ever do so.
>

Your explanation would make sense to me if the packets were coming from
the Internet (say, from Verizon).

Is your explanation consistent with the fact that the packets are coming
from the router itself? (Source IP address is 192.168.1.1). If I was
running a server, would my Westell 6100 "phone home"?

FWIW, I "hardened" the Westell 6100 firewall by installing a set of
rules I picked up from a forum on dslreports.com. These rules include
dropping all unsolicited inbound requests. This made no difference
whatsoever in the traffic I'm seeing.
 
 
Allen Kistler
Guest
Posts: n/a

 
      09-02-2008, 08:56 PM
Clifford Kite wrote:
> Allen Weiner <(E-Mail Removed)> wrote:
>> My home computing setup consists of a single multiboot PC (primarily
>> running Fedora 9) and a Westell 6100-E90 DSL (wired) modem/router
>> (supplied by Verizon).
>
>> I've observed a bizarre pattern of packets being issued by the Westell
>> 6100. Can someone here hazard a guess as to what the router is trying to do?
>
> I suspect that's the wrong question, the question should probably be
> "What's Verizon trying to do?" The answer to that is almost certainly
> "It's trying to detect any server you might be operating."
> ..


Unlike cable "modems," DSL modems don't have a separate (management)
address that only the ISP can access, so the ISP isn't doing anything.
It's all in the modem and whatever its ROM tells it to do.

>> I don't run a server.
>
> And Verizon wants to make sure you don't ever do so.

 
 
Chris Davies
Guest
Posts: n/a

 
      09-02-2008, 09:20 PM
Allen Kistler <(E-Mail Removed)> wrote:
> Unlike cable "modems," DSL modems don't have a separate (management)
> address that only the ISP can access, so the ISP isn't doing anything.
> It's all in the modem and whatever its ROM tells it to do.


Not in my experience. Maybe the USA is different to the UK in this
respect.

Chris
 
 
ljb
Guest
Posts: n/a

 
      09-03-2008, 01:03 AM
(E-Mail Removed) wrote:
> My home computing setup consists of a single multiboot PC (primarily
> running Fedora 9) and a Westell 6100-E90 DSL (wired) modem/router
> (supplied by Verizon).
>
> I've observed a bizarre pattern of packets being issued by the Westell
> 6100. Can someone here hazard a guess as to what the router is trying to do?
>
> Roughly every 20 seconds the router issues an HTTP connection request to
> Port 80 on my PC. The first request after boot logged by iptables in
> /var/log/messages has a source port of 1032. The source port increases
> by one for every subsequent request, e.g. 1197, 1198, 1199... Along with
> each connection request, the router issues an NBNS NBSTAT packet
> (NetBIOS), plus some other packets. This goes on continuously for as
> long as the PC is up and regardless of whether I'm doing anything on the PC.
> ...


Same modem, same thing. More actually. The modem/router does a slow "sweep"
through the private IP address space. It does an ARP request on each
address. If it is set to 10.0.0.1, it does "Who has 10.0.0.2?", then "Who
has 10.0.0.3?", etc all the way up to 254. It does one address every 1.2
seconds, in groups of 10. Whenever it finds a live box it probes it with
HTTP and NBSTAT, multiple times - it keeps returning to that system between
ARP'ing other addresses. As far as I can tell, this is Westell's idea of a
good way to "auto-discover" the local network. The HTTP and NBTSTAT probes
are apparently trying to determine the PC name, perhaps operating system
type. I don't see that it gets used, except to display the "My Network"
thing in the modem's management page.

I think it is harmless, annoying, and pointless, and I see no way to turn
it off.
 
 
Allen Weiner
Guest
Posts: n/a

 
      09-03-2008, 01:53 AM
ljb wrote:
> (E-Mail Removed) wrote:
>> My home computing setup consists of a single multiboot PC (primarily
>> running Fedora 9) and a Westell 6100-E90 DSL (wired) modem/router
>> (supplied by Verizon).
>>
>> I've observed a bizarre pattern of packets being issued by the Westell
>> 6100. Can someone here hazard a guess as to what the router is trying to do?
>>
>> Roughly every 20 seconds the router issues an HTTP connection request to
>> Port 80 on my PC. The first request after boot logged by iptables in
>> /var/log/messages has a source port of 1032. The source port increases
>> by one for every subsequent request, e.g. 1197, 1198, 1199... Along with
>> each connection request, the router issues an NBNS NBSTAT packet
>> (NetBIOS), plus some other packets. This goes on continuously for as
>> long as the PC is up and regardless of whether I'm doing anything on the PC.
>> ...
>
> Same modem, same thing. More actually. The modem/router does a slow "sweep"
> through the private IP address space. It does an ARP request on each
> address. If it is set to 10.0.0.1, it does "Who has 10.0.0.2?", then "Who
> has 10.0.0.3?", etc all the way up to 254. It does one address every 1.2
> seconds, in groups of 10. Whenever it finds a live box it probes it with
> HTTP and NBSTAT, multiple times - it keeps returning to that system between
> ARP'ing other addresses. As far as I can tell, this is Westell's idea of a
> good way to "auto-discover" the local network. The HTTP and NBTSTAT probes
> are apparently trying to determine the PC name, perhaps operating system
> type. I don't see that it gets used, except to display the "My Network"
> thing in the modem's management page.
>
> I think it is harmless, annoying, and pointless, and I see no way to turn
> it off.


I had a similar thread in one of the forums at dslreports.com. A former
telco tech conjectured that the traffic was from the router doing
network mapping. But unlike your reply, he didn't explain how the http
and nbstat packets fit in. Thanks very much for your explanation.

I too saw ARP packets with an ascending address pattern in my Wireshark
snapshots. I didn't analyze them in anywhere near the level of detail
that you have done.
 
 
 
 