

IP Subnet Broadcast Amplification

I have been getting "IP subnet broadcast amplification" errors in the security log of my Netopia 3364N ADSL modem. Searching for any information on Google turned out to be a waste of time (the only post I found was on Experts Exchange [http://www.experts-exchange.com/Security/Q_21756799.html] and the solution was… buying a Cisco modem, which is not a fix for the original problem).

Calling AT&T and speaking with DSL support (on an unrelated problem, but I figured I could ask anyway), then with Advanced Internet Services support, did not help either. In both cases I was told that they did not know what that security log error meant. I understand that AT&T cannot support every modem on the market, but… it was they who supplied me with this model! So I contacted Netopia support and, after a few minutes on the online chat, I simply gave up.

What was so hard to find turned out to be easy to understand. The "IP Subnet Broadcast Amplification" entry was nothing more than an attempted smurf attack. The idea behind such an attack is simple: the attacker sends a large amount of ICMP echo (ping) traffic to IP subnet broadcast addresses using the spoofed source address of the intended victim. The result can be devastating, as every host on the pinged network responds with ICMP traffic directed at the spoofed address; in some cases this means hundreds of hosts responding. Most modern network equipment is protected against smurfing and similar DoS attacks, typically by refusing to forward packets addressed to a subnet's directed broadcast address.
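The check the modem is performing can be illustrated in a few lines. The following is an added example, not code from the post or from Netopia: it models packets as simple records, flags anything addressed to the directed-broadcast address of a local subnet (the way the log entry describes), drops and logs those packets instead of forwarding them, and, for the ICMP echo requests among them, estimates how many replies the spoofed source would have received had the broadcast been delivered. The `Packet` type, the `192.0.2.0/24` network, the host count and the sample traffic are all constructed for the example.

```python
"""Detect and discard subnet-directed broadcast packets (smurf amplification attempts)."""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

ICMP_ECHO_REQUEST = 8  # ICMP type 8 is an echo request (ping)


@dataclass(frozen=True)
class Packet:
    """Minimal packet record assumed for this example (not a real capture format)."""
    src: str                        # source address as seen on the wire; may be spoofed
    dst: str
    proto: str                      # "icmp", "udp" or "tcp"
    icmp_type: Optional[int] = None


def directed_broadcast(cidr: str) -> ipaddress.IPv4Address:
    """Subnet-directed broadcast address of a local network, e.g. 192.0.2.255 for 192.0.2.0/24."""
    return ipaddress.ip_network(cidr, strict=False).broadcast_address


def is_directed_broadcast(pkt: Packet, local_networks: Iterable[str]) -> bool:
    """True if the packet is addressed to the directed-broadcast address of one of our subnets.

    The limited broadcast 255.255.255.255 (DHCP discover and the like) is deliberately
    not matched: routers never forward it, so it is not what an amplifier relies on.
    """
    dst = ipaddress.ip_address(pkt.dst)
    return any(dst == directed_broadcast(net) for net in local_networks)


def is_smurf_probe(pkt: Packet, local_networks: Iterable[str]) -> bool:
    """An ICMP echo request aimed at a directed-broadcast address is the classic smurf trigger."""
    return (pkt.proto == "icmp"
            and pkt.icmp_type == ICMP_ECHO_REQUEST
            and is_directed_broadcast(pkt, local_networks))


def filter_packets(packets: Iterable[Packet],
                   local_networks: List[str]) -> Tuple[List[Packet], List[str]]:
    """Discard every directed-broadcast packet and log it; forward everything else."""
    forwarded, log = [], []
    for pkt in packets:
        if is_directed_broadcast(pkt, local_networks):
            kind = "ICMP echo request" if is_smurf_probe(pkt, local_networks) else pkt.proto.upper()
            log.append(f"IP subnet broadcast amplification: dropped {kind} {pkt.src} -> {pkt.dst}")
        else:
            forwarded.append(pkt)
    return forwarded, log


def estimate_reply_flood(packets: Iterable[Packet], local_networks: List[str],
                         hosts_per_subnet: Dict[str, int]) -> Counter:
    """Per claimed source (the spoofing victim): echo replies the LAN would have sent
    back if the broadcast pings had been delivered to every host on the subnet."""
    replies: Counter = Counter()
    for pkt in packets:
        if not is_smurf_probe(pkt, local_networks):
            continue
        dst = ipaddress.ip_address(pkt.dst)
        for net in local_networks:
            if dst == directed_broadcast(net):
                replies[pkt.src] += hosts_per_subnet.get(net, 0)
    return replies


# Constructed sample traffic using documentation address ranges, not real hosts.
LOCAL_NETWORKS = ["192.0.2.0/24"]
HOSTS_PER_SUBNET = {"192.0.2.0/24": 40}   # assumed number of live hosts on the LAN
SAMPLE_PACKETS = [
    Packet("203.0.113.7", "192.0.2.255", "icmp", ICMP_ECHO_REQUEST),  # ping to directed broadcast
    Packet("203.0.113.7", "192.0.2.255", "icmp", ICMP_ECHO_REQUEST),  # same claimed source again
    Packet("198.51.100.3", "192.0.2.255", "udp"),                     # non-ICMP directed broadcast
    Packet("198.51.100.3", "192.0.2.10", "icmp", ICMP_ECHO_REQUEST),  # ordinary ping to one host
    Packet("0.0.0.0", "255.255.255.255", "udp"),                      # limited broadcast (DHCP)
]

if __name__ == "__main__":
    forwarded, log = filter_packets(SAMPLE_PACKETS, LOCAL_NETWORKS)
    print("\n".join(log))
    print(f"forwarded {len(forwarded)} of {len(SAMPLE_PACKETS)} packets")
    for victim, count in estimate_reply_flood(SAMPLE_PACKETS, LOCAL_NETWORKS, HOSTS_PER_SUBNET).items():
        print(f"{victim} would have received {count} echo replies")
```

On the sample traffic the two broadcast pings and the UDP broadcast are dropped and logged, the unicast ping and the DHCP discover pass through, and the claimed source 203.0.113.7 is spared the 80 echo replies it would otherwise have absorbed. The log line mirrors the modem's entry: seeing it means the device did its job, not that it is broken.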

To sum things up: the solutions found online and the "help" received from AT&T and Netopia were of no help at all. Purchasing a replacement "simply because" is not a solution to any problem, but once again research solved a problem which, in the end, turned out not to be a problem anyway.

Posted in Computers, Internet, Technology.



5 Responses


  1. Dave says

    It seems I’m not the lone ranger with this one. I followed the same path of discovery that you did, save that I found out what this “IP Subnet Broadcast Amplification” attack was from your post, and that it’s so severe that it overloads my router, causing internet outages for up to several minutes, at least a few dozen times per day, and god forbid I should want to connect on a Saturday or Sunday. I even went so far as to report the router as “defective” equipment, to which AT&T responded that these attacks were causing the trouble, not the unit. So I’m going to have to replace their flawed equipment on my dime. One would think that customer service would… but I’m venting at the wrong person. Sry. :\

  2. Matt says

    I’m having the same problems with my Netopia and it’s kicking me off around 10 times an hour… and wireless is completely kicked off, forcing a reboot of the router. AT&T has no answer… is there a fix for this? What did you end up doing to resolve your issues?

  3. m3Rlin says

    Matt,

    What’s the model number of the Netopia router that you’re using?

  4. Craig Cooper says

    Cayman 3000 series v6.3+ manual says:

    Subnet Broadcast Amplification
    Distributed DoS (Denial of Service) attacks often use a technique known as broadcast amplification, in which the attacker sends packets to a router’s subnet broadcast address. This causes the router to broadcast the packet to each host on the subnet. These, in turn, become broadcast sources, thereby involving many new hosts in the attack. The Cayman unit detects and discards any packets that would otherwise be transmitted to a subnet broadcast address. The Security Monitoring logs the event.

    PDF manual can be found at http://www.netopia.com/equipment/pdf/manuals/cayman63.pdf

  5. Ex-ATT Customer says

    What, AT&T support did not know something? No way! BLAH. We have had AT&T DSL for less than 1 year and I have made 20+ support calls for various problems. Dozens of DSL disconnects a day, 250k download speeds, router needed to reboot every day. They tried a new router, which the tech who installed it could not even figure out how to expose our static IP block on; I had to show him.

    Honestly, AT&T DSL is poor, and their support is useless unless you are an IT person, since they just read a script and tell you to reboot. Oh, problem fixed, goodbye. Until tomorrow!


