Kitz ADSL Broadband Information
Author Topic: Home routers proxying bad traffic for Botnets  (Read 13368 times)

kitz

Home routers proxying bad traffic for Botnets
« on: April 13, 2018, 10:19:46 AM »

According to a white paper published this week by Akamai, over 65,000 home routers are proxying bad traffic for botnets.

Akamai reports that it has detected over 4.8 million SOHO routers which are vulnerable by exposing UPnP services via the WAN interface, and of these it has identified over 65,000 devices which have already been compromised.

Quote from: Akamai
The simple explanation of the vulnerability that led to NAT injections is that these devices expose services on their WAN interface that are privileged and meant to only be used by trusted devices on a LAN. Using these exposed services, an attacker is able to inject NAT entries into the remote device, and in some cases, expose machines behind the router while in other cases inject Internet-routable hosts into the NAT table, which causes the router to act as a proxy server.


A list of vulnerable routers is listed in the report, but notably a lot of ASUS models are affected including the DSL-AC68R, DSL-AC68U, DSL-N55U, DSL-N55U-B, RT-N66U etc

Refs:-
Akamai
Bleeping Computer
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

kitz

Re: Home routers proxying bad traffic for Botnets
« Reply #1 on: April 13, 2018, 10:23:14 AM »

Full list of affected manufacturers and models can be found in the report but I list below some of the more popular makes.

ASUS
DSL-AC68R, DSL-AC68U, DSL-N55U, DSL-N55U-B, MTK7620, RT-AC3200, RT-AC51U, RT-AC52U, RT-AC53, RT-AC53U, RT-AC54U, RT-AC55U, RT-AC55UHP, RT-AC56R, RT-AC56S, RT-AC56U, RT-AC66R, RT-AC66U, RT-AC66W, RT-AC68P, RT-AC68R, RT-AC68U, RT-AC68W, RT-AC87R, RT-AC87U, RT-G32, RT-N10E, RT-N10LX, RT-N10P, RT-N10PV2, RT-N10U, RT-N11P, RT-N12, RT-N12B1, RT-N12C1, RT-N12D1, RT-N12E, RT-N12HP, RT-N12LX, RT-N12VP, RT-N14U, RT-N14UHP, RT-N15U, RT-N16, RT-N18U, RT-N53, RT-N56U, RT-N65R, RT-N65U, RT-N66R, RT-N66U, RT-N66W, RTN13U, SP-AC2015, WL500

Belkin
F5D8635-4 v1, F9K1113 v5

DrayTek Corp.
Vigor300B

NETGEAR
R2000, WNDR3700, WNDR4300v2, WNR2000v4

ZyXel
Internet Center, Keenetic, Keenetic 4G, Keenetic DSL, Keenetic Giga II, Keenetic II, Keenetic Lite II, Keenetic Start, NBG-416N Internet Sharing Gateway, NBG-418N Internet Sharing Gateway, NBG4615 Internet Sharing Gateway, NBG5715 router, X150N Internet Gateway Device




kitz

Re: Home routers proxying bad traffic for Botnets
« Reply #2 on: April 13, 2018, 10:24:51 AM »

How to Fix It

Quote from: Akamai
If a device is affected by this vulnerability, there are only a few options for mitigation. The first would be to replace the device with something else that you’ve confirmed is not vulnerable to these types of attacks. If replacing the device is not an option, it is typically possible to disable UPnP services on the device. However, this could have impacts in other areas of your network, such as gaming or media streaming.
In cases where neither of these options work, deploying a firewall in front of your affected device and blocking all inbound traffic to UDP port 1900 will prevent the information leaks that make TCP daemon discovery possible. If your device is already compromised, this would still allow proxy injection and proxy usage. Manually removing these injections would stop proxy usage, but would not prevent future injections from happening, making this solution a game of whack-a-mole.
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker
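
Added example (not part of the posts above or of Akamai's report): a sketch of the manual check the quoted mitigation implies, looking through a router's UPnP port-mapping table for injected entries. It assumes the table has already been read from the LAN side with the IGD `GetGenericPortMappingEntry` action; the sample responses, addresses, LAN prefix and allowlist are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

FIELDS = ("NewExternalPort", "NewProtocol", "NewInternalPort",
          "NewInternalClient", "NewPortMappingDescription")

def make_response(*values):
    """Build a constructed GetGenericPortMappingEntryResponse body (demo data only)."""
    inner = "".join(f"<{k}>{v}</{k}>" for k, v in zip(FIELDS, values))
    return ('<u:GetGenericPortMappingEntryResponse xmlns:u='
            '"urn:schemas-upnp-org:service:WANIPConnection:1">'
            f"{inner}</u:GetGenericPortMappingEntryResponse>")

# Constructed sample table: documentation and private addresses, made-up descriptions.
SAMPLE = [
    make_response(5000, "TCP", 5000, "192.168.1.20", "pbx"),
    make_response(40123, "TCP", 80, "203.0.113.7", "sync"),
    make_response(40124, "UDP", 53, "198.51.100.9", "sync"),
    make_response(2222, "TCP", 22, "192.168.1.1", "sync"),
    make_response(3074, "UDP", 3074, "not-an-ip", "console"),
]

def parse_entry(xml_text):
    """Extract the mapping fields from one SOAP response body."""
    root = ET.fromstring(xml_text)
    return {f: (root.findtext(f) or "").strip() for f in FIELDS}

def classify(entry, lan, expected):
    """Return a finding for a suspicious mapping, or None if it is accounted for."""
    try:
        client = ipaddress.ip_address(entry["NewInternalClient"])
        key = (entry["NewProtocol"].upper(), int(entry["NewExternalPort"]))
    except ValueError:
        return "invalid: malformed client address or port"
    if client not in lan:
        # Target is not a LAN host, so the router relays WAN traffic onward.
        return "proxy: internal client outside LAN"
    if key not in expected:
        return "exposure: unexpected forward to LAN host"
    return None

def audit(responses, lan_cidr, expected=frozenset()):
    """Return (external port, internal client, finding) for every suspicious mapping."""
    lan = ipaddress.ip_network(lan_cidr)
    checked = [(e, classify(e, lan, expected)) for e in map(parse_entry, responses)]
    return [(e["NewExternalPort"], e["NewInternalClient"], f) for e, f in checked if f]

for hit in audit(SAMPLE, "192.168.1.0/24", {("TCP", 5000)}):
    print(hit)
```

Entries flagged as "proxy" match the case in the quote where an Internet-routable host has been placed in the NAT table; the allowlist is where forwards you set up yourself go so they are not reported.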

broadstairs

Re: Home routers proxying bad traffic for Botnets
« Reply #3 on: April 13, 2018, 10:43:27 AM »

For anyone who is paranoid and wants to check out their router you can check port 1900 using https://www.grc.com/ (using Shields Up), I did check mine just to be sure and it is fine  ;)

Stuart
ISP:Vodafone Router:Vodafone Wi-Fi hub FTTP

kitz

Re: Home routers proxying bad traffic for Botnets
« Reply #4 on: April 13, 2018, 11:07:58 AM »

Cheers Stuart - Direct links for UPnP Port probes at grc.com

Port 1900

Port 5000


Deathstar

Re: Home routers proxying bad traffic for Botnets
« Reply #5 on: April 13, 2018, 11:20:30 AM »

Stealth (DSL-AC68U)
« Last Edit: April 13, 2018, 06:49:19 PM by Deathstar »
VMG1312-B10A Bridge Mode to ASUS DSLAC68U

roseway

Re: Home routers proxying bad traffic for Botnets
« Reply #6 on: April 13, 2018, 12:23:33 PM »

Likewise (Technicolor DGA4130)
  Eric

banger

Re: Home routers proxying bad traffic for Botnets
« Reply #7 on: April 13, 2018, 12:31:29 PM »

UPNP test passed and Stealth on 1900 and 5000 on an Asus DSL-N55U. Hmmm.
Tim
talktalkbusiness.net & freenetname
Asus RT-AC68U and ZyXEL VMG1312-B10A Bridge on 80 Meg TTB Fibre

https://www.thinkbroadband.com/speedtest/1502566996147131655

broadstairs

Re: Home routers proxying bad traffic for Botnets
« Reply #8 on: April 13, 2018, 01:16:09 PM »

Quote from: banger
UPNP test passed and Stealth on 1900 and 5000 on an Asus DSL-N55U. Hmmm.

Tim you must have UPNP turned off.

Stuart

Ronski

Re: Home routers proxying bad traffic for Botnets
« Reply #9 on: April 13, 2018, 02:20:24 PM »

Stealth on 1900 but not 5000,  Asus N66U running Merlin.

What are the implications of turning off UPNP?

ETA. Actually port 5000 is something to do with 3CX as it's forwarded to that.
« Last Edit: April 13, 2018, 05:03:04 PM by Ronski »
Formerly restrained by ECI and ali,  now surfing along at 390/36  ;D

tubaman

Re: Home routers proxying bad traffic for Botnets
« Reply #10 on: April 13, 2018, 06:13:50 PM »

Stealth (Netgear D6220)
BT FTTC 55/10 Huawei Cab - Zyxel VMG8924-B10A

Ronski

Re: Home routers proxying bad traffic for Botnets
« Reply #11 on: April 13, 2018, 06:56:02 PM »

Stealth at home - Pfsense  :thumbs:

banger

Re: Home routers proxying bad traffic for Botnets
« Reply #12 on: April 13, 2018, 07:20:35 PM »

Quote from: broadstairs
Tim you must have UPNP turned off.

Stuart

Not that I am aware Stuart although I am using V9 of Asus firmware which has had some security updates. Log shows uPNP is enabled.

broadstairs

Re: Home routers proxying bad traffic for Botnets
« Reply #13 on: April 13, 2018, 08:06:43 PM »

Quote from: banger
Not that I am aware Stuart although I am using V9 of Asus firmware which has had some security updates. Log shows uPNP is enabled.

OK then I suspect they may have fixed it. Interestingly I checked my Netgear D6220 and it has UPNP enabled but both ports WAN side show stealth.

Stuart

banger

Re: Home routers proxying bad traffic for Botnets
« Reply #14 on: April 13, 2018, 10:02:25 PM »

Same here Stuart with my Asus both ports are stealth yet checking WAN settings Upnp is enabled.