
I recently was told the username and password to get into my ISP-provided cable modem. It's a Cisco DPQ3925C.

Some poking around for unrelated purposes led me to the list of ARP entries. I didn't recognize a couple of these, so I ran whois on the IPs. Two of them are in IP space registered to the US Department of Defense.

[screenshot of the modem's ARP entry list]

22.99.6.1 and 22.100.208.1 are both tied to 00:01:5C:6E:00:46. The same MAC address is also tied to the default gateway the modem received from the ISP.

Both addresses remain after a reboot.

And, needless to say, I am not on a federal network and have, to my knowledge, never connected directly to one.

Normally I'd assume there's a perfectly reasonable explanation for this, but given the security climate nowadays, I'm inclined to call shenanigans. What's going on here?

Mikey T.K.
  • Post details. What MAC? What IP? – rook Apr 19 '17 at 21:17
  • I think the obvious answer is run wireshark, and see if there's arp requests that are populating these entries. Maybe you have some strange piece of equipment that's configured for that network? – Steve Sether Apr 20 '17 at 03:59
  • I don't think that will work, since the requests are going from the modem out the DOCSIS WAN interface (not the LAN side). I don't have any equipment that can sit on that side of the connection. – Mikey T.K. Apr 20 '17 at 04:01
  • Maybe. But your cable modem says this table is from your network: ARP/RARP Table Click ARP/RARP Table to see a complete list of all devices that are connected to your network. To retrieve the most up-to-date information, click Refresh. – Steve Sether Apr 20 '17 at 04:16

2 Answers


My guess is that your cable modem or cable provider is using this address space internally for some purpose because the 22.0.0.0/8 space is non-routable. From: http://blog.erratasec.com/2013/12/dod-address-space-its-not-conspiracy.html#.WPgyoHXyvrc

This sort of thing happens a lot. I (or others I trust) have seen 1.0.0.0/24, 22.0.0.0/24, and other instances of 30.0.0.0/24 used this way. I can confirm that companies use DoD address space as private addresses. Just because it's DoD doesn't mean they route to the DoD. The reason all these address spaces are DoD is because that's really the only source of unused IPv4 addresses left. All IPv4 address ranges have been assigned. But, the DoD has been assigned 20% of the IPv4 address space, but most of it is used within the DoD, on their own private networks, and is not routable to the outside world. Thus, if you are looking for a large chunk of "private" addresses that won't suddenly one day be assigned to Akamai or Amazon (and thus, explode in your face), then DoD addresses are the way to go.

You can confirm this by trying to route some packets to these addresses. Use traceroute, where do they go? They should go nowhere.

Steve Sether
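As an added check for the situation in the question and the "try to route to it" advice in this answer (example code written for this page, not from the original post or either answer): parse the modem's ARP table offline, group entries by MAC, and classify every IP that shares the gateway's MAC against the ranges you would expect on a home or ISP edge. The two 22.x addresses and their MAC are the ones quoted in the question; the header line, the LAN entries and the GATEWAY_MAC constant are constructed sample data. A "registered public space" label is only a prompt to run whois and traceroute as the answer suggests; the script cannot tell whether a prefix is actually announced.

```python
"""Classify a cable modem's ARP table: which entries answer from the ISP
gateway's MAC, and which of those IPs fall outside the usual private ranges."""
import ipaddress
from collections import defaultdict

# Ranges that are unremarkable on a home / ISP edge segment. Anything else is
# registered public space and needs a whois and route check (not done here).
EXPECTED_SCOPES = {
    "RFC 1918 private": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "RFC 6598 shared (CGNAT)": ["100.64.0.0/10"],
    "link-local": ["169.254.0.0/16"],
    "loopback": ["127.0.0.0/8"],
}
PUBLIC = "registered public space (run whois; confirm whether the prefix is announced)"

# Constructed sample table. The two 22.x entries and their MAC are quoted in
# the question; the header, the LAN lines and GATEWAY_MAC are assumptions.
SAMPLE_ARP = """\
IP Address     MAC Address         Interface
192.168.0.1    00:1A:2B:3C:4D:5E   LAN
192.168.0.23   8C:85:90:12:34:56   LAN
22.99.6.1      00:01:5C:6E:00:46   WAN
22.100.208.1   00:01:5C:6E:00:46   WAN
"""
GATEWAY_MAC = "00:01:5C:6E:00:46"  # assumed: MAC the modem reports for its ISP default gateway


def classify(ip_text):
    """Return the scope label for a dotted-quad IPv4 address."""
    ip = ipaddress.ip_address(ip_text)
    for label, nets in EXPECTED_SCOPES.items():
        if any(ip in ipaddress.ip_network(n) for n in nets):
            return label
    return PUBLIC


def parse_arp(table_text):
    """Parse lines of '<ip> <mac> [<iface>]' into (ip, mac, iface) tuples.
    Lines whose first field is not a valid IPv4 address (headers, junk) are skipped."""
    entries = []
    for line in table_text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        iface = parts[2] if len(parts) > 2 else ""
        entries.append((parts[0], parts[1].upper(), iface))
    return entries


def analyze(table_text, gateway_mac):
    """Group entries by MAC and classify every IP that shares the gateway's MAC.
    Returns {'by_mac': {mac: [ips]}, 'gateway_side': [(ip, scope), ...]}."""
    gateway_mac = gateway_mac.upper()
    by_mac = defaultdict(list)
    for ip, mac, _iface in parse_arp(table_text):
        by_mac[mac].append(ip)
    gateway_side = [(ip, classify(ip)) for ip in by_mac.get(gateway_mac, [])]
    return {"by_mac": dict(by_mac), "gateway_side": gateway_side}


if __name__ == "__main__":
    result = analyze(SAMPLE_ARP, GATEWAY_MAC)
    for ip, scope in result["gateway_side"]:
        print(f"{ip:15} shares the gateway MAC -> {scope}")
```

Anything that comes back as "registered public space" while sharing the gateway's MAC is sitting on the ISP side of the modem, which is the situation the question describes; the follow-up is whois on the block and a traceroute from a host on the public internet to see whether the prefix goes anywhere at all.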

Here's what I think is happening, ranked in order of likelihood:

  • The 22.0.0.0/8 address space is non-routable. While it is assigned as a public range, it's only actually used inside the DoD's network. Any packets sent to IPs in that range will go nowhere. The reason a lot of companies do this is that we've almost run out of IPv4 addresses, and most of the DoD's IPv4 allocation is used internally. The default private address spaces like 10.0.0.0/8 or 192.168.0.0/16 are widely used internally (in homes and offices) and might cause routing confusion if reused. Since the DoD mainly uses these IPs internally, it doesn't hurt to use them in the ARP table of devices.

  • The US DoD recently sold a large chunk of its IPv4 allocation to other companies. I can't find a source right now, but it's highly likely that providers haven't updated their whois data to reflect this yet.

  • You're on a watchlist. This is the most ridiculous of them all, and I don't believe it myself.

thel3l