33

Recently I wondered why my router shows a constant downstream of 5 MBit/s, while I am downloading almost no data. I discovered the "packet logging" function of my router, with which I was able to log all the traffic in the Wireshark format. And I recognized that 80% of the downstream traffic was not for my IP address, so it just gets discarded (probably). When tapping the "internet interface" of my router, I could see the downstream packets of IP addresses that are not mine: Mail addresses from other people, DNS query responses from other people, HTTP responses from other people...

My question: The fact that I can see other people's downstream, is this normal or is it a misconfiguration on the side of the ISP?

I doubt that it's normal, because this causes a lot of unnecessary traffic, which is bad for me, bad for the ISP and also a data privacy issue for everyone.

user3297416
  • 2
    That isn't normal, what sort of connectivity do you have? – NickW Mar 14 '14 at 11:31
  • VDSL2, and the switching center apparently uses a Broadcom machine. – user3297416 Mar 14 '14 at 11:35
  • 4
    Something is very badly configured at the lower levels, do as SvW suggests. – NickW Mar 14 '14 at 11:38
  • 14
    Note that this means your data is being seen by other customers. – Adam Davis Mar 14 '14 at 14:10
  • 1
    This isn't about professional IT and thus isn't [on topic for Server Fault](https://serverfault.com/help/on-topic). Flagged for migration to Super User. – Blacklight Shining Mar 14 '14 at 23:25
  • Gotta love it when the topic police roll out... – zxq9 Mar 15 '14 at 13:53
  • 1
    @zxq9 I think it's actually better that this be on the appropriate site. If I had this problem, I would search on Google and Super User and _maybe_ Stack Overflow (since a lot of SU-fitting things get posted there), but I wouldn't think to look on Server Fault. – Blacklight Shining Mar 15 '14 at 15:42
  • 3
    @BlacklightShining if I had the same problem I would just look on google and it will give me server fault, since it's already here ;) – Braiam Mar 15 '14 at 16:57
  • @BlacklightShining This actually sounds more like the questions I usually see on [Security.SE](http://security.stackexchange.com/) (by way of Hot Questions, at least - the normal fare on the frontpage doesn't seem to match).. ;) – Izkata Mar 16 '14 at 15:43
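
Added example, not part of the original question or its comments: one way to measure the share the asker describes, by parsing a capture and totalling downstream bytes whose destination is not your own address. It assumes the router writes classic libpcap files with Ethernet framing (IPv4 directly or inside a PPPoE session); `foreign_share`, `sample_capture` and the documentation-range addresses are constructed for illustration.

```python
import ipaddress
import struct
from collections import Counter

IP4, PPPOE = b"\x08\x00", b"\x88\x64"   # EtherTypes: IPv4, PPPoE session

def foreign_share(pcap, my_ip):
    """Return (foreign_bytes, downstream_bytes, per-destination Counter)."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack_from(end + "I", pcap, 20)[0] != 1:
        raise ValueError("link type is not Ethernet")
    me = ipaddress.IPv4Address(my_ip)
    foreign, total, by_dst = 0, 0, Counter()
    pos = 24                               # first record follows the file header
    while pos + 16 <= len(pcap):
        incl_len, orig_len = struct.unpack_from(end + "II", pcap, pos + 8)
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        etype, off = frame[12:14], 14
        if etype == PPPOE and frame[20:22] == b"\x00\x21":
            etype, off = IP4, 22           # IPv4 carried in a PPPoE session
        if etype != IP4 or len(frame) < off + 20:
            continue                       # not IPv4, or header truncated
        src = ipaddress.IPv4Address(frame[off + 12:off + 16])
        dst = ipaddress.IPv4Address(frame[off + 16:off + 20])
        if src == me:
            continue                       # upstream packet sent by this line
        total += orig_len
        if dst != me and not dst.is_multicast and int(dst) != 0xFFFFFFFF:
            foreign += orig_len            # unicast addressed to someone else
            by_dst[str(dst)] += orig_len
    return foreign, total, by_dst

def sample_capture():
    """Constructed capture: documentation-range addresses, zero-filled payloads."""
    def rec(src, dst, size, pppoe=False):
        ip = b"\x45" + bytes(11) + ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
        l2 = bytes(12) + (PPPOE + bytes(6) + b"\x00\x21" if pppoe else IP4)
        frame = (l2 + ip).ljust(size, b"\0")
        return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    head = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return head + b"".join([
        rec("198.51.100.9", "203.0.113.10", 200),        # to this line
        rec("198.51.100.9", "203.0.113.77", 500, True),  # to another customer
        rec("198.51.100.9", "203.0.113.78", 300),        # to another customer
        rec("203.0.113.10", "198.51.100.9", 100),        # upstream, ignored
    ])
```

On a real capture, pass the file's bytes and your own WAN address to `foreign_share`; the per-destination totals give the provider something concrete to investigate.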

3 Answers

33

No, this is not normal. Contact your provider to resolve this issue. When they can't, switch away ASAP.

Sven
  • This is normal if it's a shared connection such as cable. See the other answers here for more on that. The provider could try to disable in some way forwarding of WAN packets to the LAN side, but that makes little difference to the security; there's a fairly narrow range of attackers between those who wouldn't know the packets are being forwarded to their LAN anyway and those without the skills to get around the disabled forwarding. The correct approach, if you're on a shared connection like this, is to ensure that as much as possible your traffic to the network is encrypted, e.g., with a VPN. – cjs Oct 11 '19 at 02:56

14

It has been a while since I consulted to the telecom industry so I am going off of what is still likely.

For DSL, this is sub-par. You should never see traffic destined for another IP address. I would check with your provider. This is not a standard configuration and it is likely that there are some settings in the RedBack that are not right. Each connection should be segmented and the bandwidth you are paying for by contract is being wasted. DSL connections are frame connections when you whittle through all of the protocols. This means that your frame connection must only see the traffic for your segment.

For Cable, this is normal. Cable is segmented by neighborhoods depending upon area saturation. A neighborhood could be many miles or one block. This is normal since cable is not a frame connection but based upon broadcast standards much like ethernet over thin-net/thick-net back in the day. Your cable router may or may not enforce network segmentation depending upon the router, either by age or by model. Cable connections almost always see traffic on the WAN side that is not intended for the LAN. But sometimes WAN traffic can be seen on the LAN side. This is not unusual even today with the larger carriers.

closetnoc
  • Wouldn't you have encryption on a cable network? – thejh Mar 16 '14 at 15:22
  • I guess it depends on the carrier. Encryption aside, if traffic is making its way to the LAN side, it is actually trivial to examine the traffic with the right tools and experience. In fact, it may be trivial to sniff the WAN side too. I used to have to examine traffic including encrypted data near daily with a hardware sniffer to solve network problems. – closetnoc Mar 16 '14 at 16:35
  • I quoted a part of your answer in [my question on Security SE](http://security.stackexchange.com/q/53645/12139). – unor Mar 19 '14 at 00:00
  • I see it. Thanks. I posted an answer, but I am sure a better answer will come along soon. – closetnoc Mar 19 '14 at 01:29
  • I also was under the impression that all cable ISPs use BPI these days. – Fred Thomsen Mar 23 '14 at 00:12
  • You may be right. I wrote of my experiences in the past couple of years in a rural area on the SE security site. It could be that things are changing rapidly to conform to standards. I have seen things change here. However, it does not mean that everyone is concerned about security and performance. There is a whole world out there. – closetnoc Mar 23 '14 at 00:37
  • So how does this work exactly? I wonder why all the usual LAN-like chatter of "What are all your IP addresses?" and "Does anyone support this [service/protocol]?" aren't seen on WAN links, esp if some PCs are directly bridged into the ISP network. Are broadcasts basically ignored? What about multicasts? – Milind R Jan 18 '20 at 18:53

4

If it's cable, by definition it's shared circuit. Seeing other people's downstream under global logging of all packets would be normal.

Promisc mode cable gear would be an interesting anomaly but that sounds like exactly what is happening.

RobotHumans
  • Major cable companies are going to generally route through fibre nodes, and only those nodes are "shared circuit". No cable ISP in the United States would have such a configuration that would make this possible. – Thebluefish Mar 15 '14 at 12:37