Finding the Truth Behind Cable Modem Traffic Bursts?
Techi asks: "I help to support a small cable modem network in Kansas, and we keep having recurring problems with all the modems in a node bursting extreme amounts of traffic for a period of about 30 seconds. At the end of this 30 second period, the upstream port that the node in question is connected to dies under the pressure. We have recently implemented a fix to keep people from uncapping modems in the form of a config file update from our DHCP system. I know we could have done it differently, but it wasn't my decision. Does anyone have any idea what could be causing 70 or so modems at a time to suddenly erupt with outgoing traffic nonstop until the upstream dies?"
I don't know much about DOCSIS and DHCP, so if that's where the issue lies, my comments are probably off-base. However, I have to wonder if perhaps the spike you're noticing is the result of some popular program's "auto-update" feature, or spyware phoning home en masse. Many programs set themselves to do updates at certain times of day, and assuming most of your customers' computers have their system clock set within a reasonable amount of variance, it might be something benign.
For example, all the Macs on my network are set to query Apple's network time server at midnight daily. And on my Windows machines, Windows Media Player is set to check for updates weekly. The amount of traffic involved in either example should be minimal, but you never know what's borked. There was a story here recently about some versions of Windows and MacOS causing too much DNS traffic, so it could even be something at the OS level.
Is this a recent phenomenon? Brilliant Digital said they were going to activate their leechware in May, and May is now more than half-over. Maybe they've flipped the switch and all your users with KaZaAaAaAaA are now sending uberpackets to BD at predetermined times.
Are there any specifics as to where the traffic is destined? Is the traffic burst from all of the nodes going to the same host, or to the same port on multiple hosts? Are ports 25 or 119 involved? There's been a fairly nasty Hipcrime attack (Usenet sporgeries) over the past few days, and spam is always a problem; both of these abuse broadband relays as much as possible. Lots of possibilities, I guess; it would help to get some more details, if they can be provided.
Shaun
Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
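The triage Shaun asks for (does the burst converge on one destination host, on one port on many hosts, and are the mail and news ports 25 and 119 involved?) can be automated over flow records exported from the router facing the node. The script below is an added example, not code from the original post or from any of the products it mentions. It assumes a simple whitespace-separated flow format ("timestamp src_modem dst_ip dst_port bytes"), finds the 30-second window carrying the most upstream bytes, and reports how concentrated that window's traffic is by destination host and port. The sample records are constructed for illustration; the 10.0.0.x, 198.51.100.x and 203.0.113.x addresses are documentation ranges, not real hosts.

```python
"""Triage a many-modem upstream burst: locate the hottest 30-second window
and test whether its traffic converges on one destination host or one port.

Added example; the flow format and the 0.8 concentration threshold are
assumptions, not something the original post specifies.
"""
from collections import Counter

# Constructed sample flow records, not a real capture.
# Format (assumed): "ts src_modem dst_ip dst_port bytes", one flow per line.
SAMPLE_FLOWS = """\
960  10.0.0.11 198.51.100.5  80  1200
965  10.0.0.12 198.51.100.9  443 800
1001 10.0.0.11 203.0.113.10  25  400000
1002 10.0.0.12 203.0.113.10  25  380000
1003 10.0.0.13 203.0.113.10  25  410000
1005 10.0.0.14 203.0.113.10  25  395000
1007 10.0.0.15 203.0.113.10  25  402000
1010 10.0.0.16 203.0.113.10  25  398000
1012 10.0.0.13 198.51.100.5  80  2000
1020 10.0.0.17 203.0.113.11  25  390000
1060 10.0.0.11 198.51.100.5  80  1500
"""


def parse_flows(text):
    """Parse flow lines into dicts; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append({"ts": int(ts), "src": src, "dst": dst,
                      "port": int(port), "bytes": int(nbytes)})
    return flows


def busiest_window(flows, width=30):
    """Return (start, end, total_bytes) for the `width`-second window,
    anchored at some flow's timestamp, that carries the most bytes."""
    best_start, best_total = None, -1
    for start in sorted({f["ts"] for f in flows}):
        total = sum(f["bytes"] for f in flows if start <= f["ts"] < start + width)
        if total > best_total:
            best_start, best_total = start, total
    return best_start, best_start + width, best_total


def summarize(flows, start, end):
    """Concentration statistics for the flows inside [start, end)."""
    in_win = [f for f in flows if start <= f["ts"] < end]
    total = sum(f["bytes"] for f in in_win)
    if total == 0:
        return {"window": (start, end), "total_bytes": 0}
    by_host, by_port = Counter(), Counter()
    for f in in_win:
        by_host[f["dst"]] += f["bytes"]
        by_port[f["port"]] += f["bytes"]
    top_host, top_host_bytes = by_host.most_common(1)[0]
    top_port, top_port_bytes = by_port.most_common(1)[0]
    return {
        "window": (start, end),
        "total_bytes": total,
        "distinct_sources": len({f["src"] for f in in_win}),
        "top_host": top_host,
        "top_host_share": top_host_bytes / total,
        "sources_hitting_top_host": len({f["src"] for f in in_win if f["dst"] == top_host}),
        "top_port": top_port,
        "top_port_share": top_port_bytes / total,
        # SMTP (25) and NNTP (119): the relay-abuse ports the post asks about.
        "mail_news_share": (by_port[25] + by_port[119]) / total,
    }


def verdict(summary, share_threshold=0.8):
    """Classify the burst by where its bytes go (threshold is an assumption)."""
    if summary.get("total_bytes", 0) == 0:
        return "empty"
    if summary["top_host_share"] >= share_threshold:
        return "single-destination"   # many modems, one host: phone-home or update server
    if summary["top_port_share"] >= share_threshold:
        return "single-service"       # many hosts, one port: relaying or scanning
    return "diffuse"


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    start, end, _ = busiest_window(flows)
    summary = summarize(flows, start, end)
    for key, value in summary.items():
        print(f"{key}: {value}")
    print("verdict:", verdict(summary))
```

Point the parser at real exported flows (the format will need adjusting to whatever your router emits) and look at `distinct_sources` versus `sources_hitting_top_host`: if nearly every modem in the node talks to the same host inside the window, you have a scheduled client behaviour to chase down; if the hosts differ but the port is 25 or 119, the relay-abuse explanation is the one to pursue.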