Monday, September 29, 2014

Comcast users: disable Gateway Smart Packet Detection [UPDATED]

(This is an update from an article I shared back in 2010)

I just ran across this article.

Apparently, the cable modem that Comcast ships to business internet customers has a "Smart Packet Detection" feature that has a nasty habit of making connections go flaky from time to time. According to one report I read, it was actually causing the router to drop every other packet, which will obviously make your user experience less than ideal.

I'm not sure what this feature is supposed to do, and Googling reveals nothing but recommendations that you turn it off. But if turning it off fixes your problems, then I'd recommend doing it. Comcast's support staff don't always know about this, so they might not tell you to try this unless you're persistent enough to get your call escalated to high-level techs.

It's not just Comcast business customers. As some of you may know, I recently (in July) switched to Comcast internet after moving to a location with no other high-speed internet service. I was seeing all kinds of flaky behavior, typically web pages that would hang or take forever to load. The netstat command would show hundreds of connections in the "SYN_WAIT" state (netstat actually labels this SYN_SENT: the outbound SYN has gone out and no SYN/ACK has come back, so the TCP stack is still waiting for the connection to be established). This is very similar to the linked article.
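To confirm the symptom above on your own machine, count connection states rather than eyeballing the netstat listing. The script below is an added example, not code from the original post; the netstat lines it analyzes are constructed to mimic `netstat -tan` on Linux and are not a real capture. Pipe real `netstat -tan` output into `count_states` and `half_open_ratio` to get the same numbers for a live host.

```python
"""Count TCP connection states from netstat-style output to confirm the
pile-up of half-open outbound connections described in the post.

Added example; not from the original post. SAMPLE_NETSTAT is constructed
to look like `netstat -tan` on Linux (net-tools) and is not a real capture.
"""
from collections import Counter
import re

# Constructed sample of `netstat -tan` output (not a real capture).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:51234      93.184.216.34:443       ESTABLISHED
tcp        0      1 192.168.1.10:51235      93.184.216.34:443       SYN_SENT
tcp        0      1 192.168.1.10:51236      93.184.216.34:443       SYN_SENT
tcp        0      1 192.168.1.10:51237      151.101.1.69:443        SYN_SENT
tcp        0      0 192.168.1.10:51238      151.101.1.69:443        ESTABLISHED
tcp        0      0 192.168.1.10:51239      151.101.1.69:80         TIME_WAIT
"""

# proto, recv-q, send-q, local, foreign, state
LINE_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_netstat(text):
    """Yield (local, foreign, state) for each tcp line; header lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)


def count_states(text):
    """Number of sockets in each TCP state."""
    return Counter(state for _, _, state in parse_netstat(text))


def half_open_ratio(text):
    """Fraction of non-listening sockets whose handshake never completed.

    A high ratio on a client box means our SYNs or the replying SYN/ACKs
    are being eaten somewhere on the path, which is exactly what an in-line
    "flood" filter on the router would do.
    """
    counts = count_states(text)
    total = sum(v for k, v in counts.items() if k != "LISTEN")
    return counts["SYN_SENT"] / total if total else 0.0


def half_open_by_peer(text):
    """Which remote hosts the stalled SYNs are aimed at (address without port)."""
    peers = Counter()
    for _, foreign, state in parse_netstat(text):
        if state == "SYN_SENT":
            peers[foreign.rsplit(":", 1)[0]] += 1
    return peers


if __name__ == "__main__":
    import sys
    # Read real `netstat -tan` output from stdin, or fall back to the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    print(dict(count_states(data)))
    print("half-open ratio:", round(half_open_ratio(data), 2))
    print("stalled peers:", dict(half_open_by_peer(data)))
```

On a healthy client the SYN_SENT count is normally zero or in the low single digits at any instant; dozens or hundreds, aimed at well-known servers that respond fine from another network, point at the gateway rather than at the remote sites.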

After re-reading the article today, I decided to visit the firewall settings on my modem/router (a Zoom model 5352). There was no "smart packet detection" setting, but there were settings for "port scan detection" and "IP flood detection". According to the manual, these settings look for and block that activity on both the WAN (internet) side of the router and the LAN side.

Of course, opening 30 tabs at once in a web browser (or just one site with a lot of embedded content) produces hundreds of TCP connections within a few seconds, all originating from a single IP address on the LAN: browsers open several parallel connections per host, and every image, script and stylesheet may need one. From the router's side that looks like an IP flood, so it blocks them. When I disabled these features, I once again got the performance I have come to expect from high speed internet. Disabling them does give up whatever WAN-side protection they offered, but on a NAT gateway with no forwarded ports, unsolicited inbound SYNs are discarded anyway, so the practical loss is small.

I sent e-mail to Zoom letting them know about this. I think they need to update their packet-flood detection algorithms. I also think they should have separate configurations for LAN-side and WAN-side detection. I would like to detect and block scans and floods that originate from the internet, but not from computers on my LAN.
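The two preceding paragraphs describe the failure mode (a per-source counter that cannot tell a busy browser from a flood) and the fix the author wants (separate LAN-side and WAN-side policy). The model below is an added example, not the Zoom 5352's actual logic, which is not public: it runs a naive per-source SYN counter and an interface-aware, handshake-completion-aware detector over constructed traffic. Interface names, addresses, thresholds and the traffic generators are all assumptions made for the illustration.

```python
"""Toy model of why a per-source SYN counter mistakes a busy browser for a
flood, and one way to do better: judge LAN and WAN traffic separately, and
look at whether handshakes complete rather than at raw SYN counts.

Added example, not the router firmware's logic (Zoom's algorithm is not
public). Interface names, addresses, thresholds and the traffic generated
below are constructed assumptions.
"""
from collections import defaultdict

# Packet record: (timestamp_s, ingress_iface, src_ip, dst_ip, flags)
# flags is a set such as {"SYN"} (first packet of a handshake) or {"ACK"}
# (the client's final ACK that completes it).


def completed_burst(n, iface="lan", src="192.168.1.10", start=0.0):
    """n connections in 2 s, every handshake completed (SYN then final ACK).

    On "lan" this is the 30-tab browser; on "wan" it is a busy but honest
    remote client talking to something we host.
    """
    pkts = []
    for i in range(n):
        t = start + 2.0 * i / n
        dst = f"93.184.216.{i % 8}"   # a handful of web servers
        pkts.append((t, iface, src, dst, {"SYN"}))
        pkts.append((t + 0.05, iface, src, dst, {"ACK"}))
    return pkts


def syn_flood(n, iface="wan", src="198.51.100.7", target="203.0.113.5", start=0.0):
    """n SYNs in 2 s at one target (the router's public address), no handshake
    ever completed."""
    return [(start + 2.0 * i / n, iface, src, target, {"SYN"}) for i in range(n)]


def _max_in_window(times, window):
    """Largest number of timestamps that fall inside any `window`-second span."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while times[lo] < t - window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def _per_source(pkts, iface=None):
    """SYN timestamps and ACK counts per source, optionally for one ingress interface."""
    syns, acks = defaultdict(list), defaultdict(int)
    for t, ingress, src, _dst, flags in pkts:
        if iface is not None and ingress != iface:
            continue
        if "SYN" in flags:
            syns[src].append(t)
        elif "ACK" in flags:
            acks[src] += 1
    return syns, acks


def naive_detector(pkts, threshold=100, window=2.0):
    """Flags any source, on any interface, that exceeds `threshold` SYNs in
    `window` seconds. This is the behaviour the post complains about."""
    syns, _ = _per_source(pkts)
    return {src for src, ts in syns.items() if _max_in_window(ts, window) > threshold}


def interface_aware_detector(pkts, threshold=100, window=2.0, min_completion=0.5):
    """Judges WAN-side sources only, and flags one only when it both exceeds
    the SYN rate and completes fewer than `min_completion` of its handshakes.
    LAN-side hosts are never policed, matching the separate-policy request."""
    syns, acks = _per_source(pkts, iface="wan")
    flagged = set()
    for src, ts in syns.items():
        completion = acks[src] / len(ts)
        if _max_in_window(ts, window) > threshold and completion < min_completion:
            flagged.add(src)
    return flagged


if __name__ == "__main__":
    traffic = completed_burst(300) + syn_flood(300)
    print("naive:", naive_detector(traffic))            # flags the browser too
    print("aware:", interface_aware_detector(traffic))  # flags only the flood
```

The point of the completion ratio is that a real SYN flood (or a port scan) leaves handshakes dangling, while a browser opening hundreds of connections finishes almost all of them; the point of the interface check is that a source on the LAN is by definition one of your own machines, which you may want to monitor but should not silently cut off from the internet.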

I had the same problem. Crazy Comcast.