Consumer networking head scratcher

Roland Dobbins rdobbins at
Thu Mar 2 05:24:38 UTC 2017

On 2 Mar 2017, at 9:55, Oliver O'Boyle wrote:

> Currently, I have 3 devices connected. :)

You could have one or more botted machines launching outbound DDoS 
attacks, potentially filling up the NAT translation table and/or getting 
squelched by your broadband access provider with layer-4 granularity.  
And the boxes themselves could be churning away due to being compromised 
(look at CPU and memory stats over time).  Aggressive horizontal 
scanning is often a hallmark of botted machines, and it can interrupt 
normal network access on the botted hosts themselves.

I don't actually think that's the case, given the symptomology you 
report, but just wanted to put it out there for the list archive.

What about DNS issues?  Are you sure that you really have a networking 
issue, or are you having intermittent DNS resolution problems caused by 
flaky/overloaded/attacked recursivs, EDNS0 problems (i.e., filtering on 
DNS responses > 512 bytes), or TCP/53 blockage?  Different host 
OSes/browsers/apps exhibit differing re-query characteristics.  Are the 
Windows boxes and the other boxes set to use the same recursors?  Can 
you resolve DNS requests during the outages?

Are your boxes statically-addressed, or are they using DHCP?  
Periodically-duplicate IPs can cause intermittent symptoms, too.  If 
you're using the consumer router as a DHCP server, DHCP-lease nonsense 
could be a contributing factor.

Are the Windows boxes running some common application/service which 
updates and/or churns periodically?  Are they members of a Windows 
workgroup?  All kinds of strange name-resolution stuff goes on with 
Windows-specific networking.

Also, be sure to use -n with traceroute.  tcptraceroute is useful, too.  
netstat -rn should work on Windows boxes, IIRC.

Roland Dobbins <rdobbins at>

More information about the NANOG mailing list