Author Topic: Smart Hub 2 Regularly Being Breached and Used as a Reflector for Attacks  (Read 1650 times)

Dr. Strangelove


Hi guys,

I am a BT customer in the UK and on checking the router logs after a recent outage it seems my router is at least being used as a reflector for attacks by nation state/s. Below are a few excerpts (out of the hundreds) from my router log, in no particular order:

04:00:01, 21 Apr.
DoS(Spoofing): IN=ppp1 OUT= MAC= SRC=49.232.158.14 DST=redacted - the ip of my local bt exchange LEN=60 TOS=0x00 PREC=0x60 TTL=49 ID=11465 PROTO=TCP SPT=45259 DPT=51584 WINDOW=0 RES=0x00 URG ACK PSH RST SYN FIN URGP=40499 MARK=0x8000000

DoS(UDP Loopback): IN=ppp1 OUT= MAC= SRC=64.62.197.43 DST=redacted - the ip of my local bt exchange LEN=29 TOS=0x00 PREC=0x00 TTL=52 ID=62825 DF PROTO=UDP SPT=44858 DPT=19 LEN=9 MARK=0x8000000

04:00:01, 21 Apr.
DoS(SYN Flooding): IN=ppp1 OUT= MAC= SRC=123.160.221.15 DST=redacted - the ip of my local bt exchange LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=900 DF PROTO=TCP SPT=58581 DPT=5814 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x8000000

04:00:01, 21 Apr.
DoS(SYN Flooding): IN=ppp1 OUT= MAC= SRC=123.160.221.9 DST=redacted - the ip of my local bt exchange LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=51757 DF PROTO=TCP SPT=42593 DPT=9946 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x8000000

04:00:01, 21 Apr.
DoS(SYN Flooding): IN=ppp1 OUT= MAC= SRC=111.7.96.138 DST=redacted - the ip of my local bt exchange LEN=52 TOS=0x00 PREC=0x00 TTL=41 ID=34822 DF PROTO=TCP SPT=52762 DPT=9076 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x8000000

04:00:01, 21 Apr.
DoS(SYN Flooding): IN=ppp1 OUT= MAC= SRC=111.7.96.133 DST=redacted - the ip of my local bt exchange LEN=52 TOS=0x00 PREC=0x00 TTL=42 ID=26863 DF PROTO=TCP SPT=40071 DPT=4206 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x8000000

04:00:01, 21 Apr.
DoS(SYN Flooding): IN=ppp1 OUT= MAC= SRC=123.160.221.14 DST=redacted - the ip of my local bt exchange LEN=52 TOS=0x00 PREC=0x00 TTL=47 ID=31607 DF PROTO=TCP SPT=53105 DPT=61913 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x8000000

04:00:01, 21 Apr.
DoS(SYN Flooding): IN=ppp1 OUT= MAC= SRC=123.160.221.17 DST=redacted - the ip of my local bt exchange LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=30992 DF PROTO=TCP SPT=22505 DPT=5407 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x8000000

04:00:01, 21 Apr.
DoS(SYN Flooding): IN=ppp1 OUT= MAC= SRC=111.7.96.132 DST=redacted - the ip of my local bt exchange LEN=52 TOS=0x00 PREC=0x00 TTL=41 ID=3219 DF PROTO=TCP SPT=22598 DPT=8524 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x8000000

04:00:01, 21 Apr.
DoS(SYN Flooding): IN=ppp1 OUT= MAC= SRC=123.160.221.10 DST=redacted - the ip of my local bt exchange LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=42552 DF PROTO=TCP SPT=29382 DPT=5658 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x8000000

04:00:01, 21 Apr.
DoS(SYN Flooding): IN=ppp1 OUT= MAC= SRC=111.7.96.133 DST=redacted - the ip of my local bt exchange LEN=52 TOS=0x00 PREC=0x00 TTL=41 ID=2147 DF PROTO=TCP SPT=43867 DPT=7550 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x8000000

04:00:01, 21 Apr.
DoS(SYN Flooding): IN=ppp1 OUT= MAC= SRC=123.160.221.17 DST=redacted - the ip of my local bt exchange LEN=52 TOS=0x00 PREC=0x00 TTL=47 ID=50986 DF PROTO=TCP SPT=27039 DPT=10091 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x8000000

04:00:01, 21 Apr.
DoS(SYN Flooding): IN=ppp1 OUT= MAC= SRC=111.7.96.132 DST=redacted - the ip of my local bt exchange LEN=52 TOS=0x00 PREC=0x00 TTL=42 ID=21760 DF PROTO=TCP SPT=41660 DPT=8145 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x8000000

04:00:01, 21 Apr.
DoS(SYN Flooding): IN=ppp1 OUT= MAC= SRC=123.160.221.14 DST=redacted - the ip of my local bt exchange LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=20132 DF PROTO=TCP SPT=57124 DPT=32800 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x8000000

04:00:01, 21 Apr.
DoS(SYN Flooding): IN=ppp1 OUT= MAC= SRC=111.7.96.132 DST=redacted - the ip of my local bt exchange LEN=52 TOS=0x00 PREC=0x00 TTL=41 ID=57026 DF PROTO=TCP SPT=14990 DPT=4204 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x8000000

04:00:01, 21 Apr.
DoS(SYN Flooding): IN=ppp1 OUT= MAC= SRC=111.7.96.132 DST=redacted - the ip of my local bt exchange LEN=52 TOS=0x00 PREC=0x00 TTL=41 ID=35577 DF PROTO=TCP SPT=12000 DPT=17180 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x8000000

04:00:01, 21 Apr.
DoS(SYN Flooding): IN=ppp1 OUT= MAC= SRC=123.160.221.13 DST=redacted - the ip of my local bt exchange LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=32320 DF PROTO=TCP SPT=14628 DPT=5304 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x8000000

04:00:01, 21 Apr.
DoS(SYN Flooding): IN=ppp1 OUT= MAC= SRC=123.160.221.17 DST=redacted - the ip of my local bt exchange LEN=52 TOS=0x00 PREC=0x00 TTL=47 ID=21631 DF PROTO=TCP SPT=21953 DPT=9312 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x8000000

04:00:01, 21 Apr.
DoS(SYN Flooding): IN=ppp1 OUT= MAC= SRC=111.7.96.133 DST=redacted - the ip of my local bt exchange LEN=52 TOS=0x00 PREC=0x00 TTL=42 ID=50061 DF PROTO=TCP SPT=33355 DPT=22071 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x8000000

04:00:01, 21 Apr.
DoS(SYN Flooding): IN=ppp1 OUT= MAC= SRC=111.7.96.132 DST=redacted - the ip of my local bt exchange LEN=52 TOS=0x00 PREC=0x00 TTL=42 ID=45704 DF PROTO=TCP SPT=39690 DPT=9129 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x8000000

04:00:01, 21 Apr.
DoS(SYN Flooding): IN=ppp1 OUT= MAC= SRC=111.7.96.132 DST=redacted - the ip of my local bt exchange LEN=52 TOS=0x00 PREC=0x00 TTL=42 ID=25496 DF PROTO=TCP SPT=13952 DPT=6305 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x8000000

04:00:01, 21 Apr.
DoS(SYN Flooding): IN=ppp1 OUT= MAC= SRC=111.7.96.133 DST=redacted - the ip of my local bt exchange LEN=52 TOS=0x00 PREC=0x00 TTL=41 ID=13444 DF PROTO=TCP SPT=43323 DPT=50443 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x8000000

04:00:01, 21 Apr.
DoS(SYN Flooding): IN=ppp1 OUT= MAC= SRC=111.7.96.132 DST=redacted - the ip of my local bt exchange LEN=52 TOS=0x00 PREC=0x00 TTL=41 ID=58937 DF PROTO=TCP SPT=36574 DPT=671 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x8000000

04:00:01, 21 Apr.
DoS(SYN Flooding): IN=ppp1 OUT= MAC= SRC=123.160.221.17 DST=redacted - the ip of my local bt exchange LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=26890 DF PROTO=TCP SPT=31979 DPT=7282 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x8000000

04:00:01, 21 Apr.
DoS(SYN Flooding): IN=ppp1 OUT= MAC= SRC=123.160.221.12 DST=redacted - the ip of my local bt exchange LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=26104 DF PROTO=TCP SPT=26946 DPT=15418 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x8000000

04:00:01, 21 Apr.
DoS(SYN Flooding): IN=ppp1 OUT= MAC= SRC=123.160.221.12 DST=redacted - the ip of my local bt exchange LEN=52 TOS=0x00 PREC=0x00 TTL=47 ID=20593 DF PROTO=TCP SPT=40621 DPT=7836 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x8000000

04:00:01, 21 Apr.
DoS(SYN Flooding): IN=ppp1 OUT= MAC= SRC=123.160.221.17 DST=redacted - the ip of my local bt exchange LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=50294 DF PROTO=TCP SPT=47240 DPT=31340 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x8000000

04:00:01, 21 Apr.
DoS(SYN Flooding): IN=ppp1 OUT= MAC= SRC=123.160.221.17 DST=redacted - the ip of my local bt exchange LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=26229 DF PROTO=TCP SPT=20229 DPT=4602 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x8000000

04:00:01, 21 Apr.
DoS(SYN Flooding): IN=ppp1 OUT= MAC= SRC=123.160.221.17 DST=redacted - the ip of my local bt exchange LEN=52 TOS=0x00 PREC=0x00 TTL=47 ID=40654 DF PROTO=TCP SPT=19714 DPT=7417 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x8000000

04:00:01, 21 Apr.
DoS(SYN Flooding): IN=ppp1 OUT= MAC= SRC=123.160.221.11 DST=redacted - the ip of my local bt exchange LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=60205 DF PROTO=TCP SPT=23944 DPT=9749 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x8000000

04:00:01, 21 Apr.
DoS(SYN Flooding): IN=ppp1 OUT= MAC= SRC=45.143.203.12 DST=redacted - the ip of my local bt exchange LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=23494 PROTO=TCP SPT=45696 DPT=59883 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000

04:00:01, 21 Apr.
DoS(SYN Flooding): IN=ppp1 OUT= MAC= SRC=123.160.221.13 DST=redacted - the ip of my local bt exchange LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=62970 DF PROTO=TCP SPT=35030 DPT=9560 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x8000000

After doing whois searches I have IPs from all over the world. The first appeared to be Russian, then Ukrainian, but since then I have had many from across the US, a few from parts of Europe and now lots from China. God knows the actual location of the attacker/s.

As I said previously, BT must be aware of this and I am very aware that the 'smart' hub 2 is an absolute piece of crap with very little if any defense. I have reset the router and changed the password to a new max length alphanumeric value many times but they return within the day. I am reticent to have BT snooping on my line any more than is necessary as I like to torrent a thing or 2 from time to time.

What would be a good, reasonably secure but cost-effective alternative to the smart hub, bearing in mind these attacks? I have been thinking about the above HG612 purely as a modem and then pairing it with another router. Would a newer modem be better? Do you have any recommendations?

Thanks in advance


Edinburgh_lad


It looks like your firewall is doing its job.

Dr. Strangelove


It looks like your firewall is doing its job.

Well, that's at least somewhat reassuring... but I'm not convinced the good ole 'smart' hub 2 is going to keep out nation states... and this isn't the full router log. This may just be before penetration, especially considering I discovered this after the internet went down for most of my town the other day.

I will definitely still be replacing it

Alex Atkin UK


Well, that's at least somewhat reassuring... but I'm not convinced the good ole 'smart' hub 2 is going to keep out nation states... and this isn't the full router log. This may just be before penetration, especially considering I discovered this after the internet went down for most of my town the other day.

I will definitely still be replacing it

I suspect it's the opposite, it's logging it because it's being denied by the firewall (as it tells you which rule denied it on the left).

Everyone gets this sort of traffic, it's just that not all routers log traffic that was blocked by their firewall.
« Last Edit: April 21, 2022, 02:15:49 PM by Alex Atkin UK »
Broadband: Zen Full Fibre 900 + Three 5G Routers: pfSense (Intel N100) + Huawei CPE Pro 2 H122-373 WiFi: Zyxel NWA210AX
Switches: Netgear MS510TXUP, Netgear MS510TXPP, Netgear GS110EMX My Broadband History & Ping Monitors
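
Added example, not part of any post in this thread: a small Python triage script for log lines in the format quoted in the first post. It counts entries per firewall rule and per source /24, and checks the point made in the last reply that these are inbound packets the firewall dropped. It assumes the fields follow the Linux netfilter LOG layout they resemble (an empty `OUT=` meaning the packet was not being forwarded); the sample lines are constructed and use documentation addresses.

```python
import re
from collections import Counter

RULE_RE = re.compile(r"^DoS\(([^)]+)\):")      # rule name on the left of each entry
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")        # KEY=VALUE, value may be empty (OUT=, MAC=)
TCP_FLAGS = {"URG", "ACK", "PSH", "RST", "SYN", "FIN"}

# Constructed sample in the thread's log format (documentation IP ranges, not real sources).
SAMPLE = [
    "04:00:01, 21 Apr.",
    "DoS(Spoofing): IN=ppp1 OUT= MAC= SRC=192.0.2.14 DST=redacted - free text LEN=60 TOS=0x00 PREC=0x60 TTL=49 ID=11465 PROTO=TCP SPT=45259 DPT=51584 WINDOW=0 RES=0x00 URG ACK PSH RST SYN FIN URGP=40499 MARK=0x8000000",
    "DoS(UDP Loopback): IN=ppp1 OUT= MAC= SRC=198.51.100.43 DST=203.0.113.1 LEN=29 TOS=0x00 PREC=0x00 TTL=52 ID=62825 DF PROTO=UDP SPT=44858 DPT=19 LEN=9 MARK=0x8000000",
    "DoS(SYN Flooding): IN=ppp1 OUT= MAC= SRC=192.0.2.15 DST=203.0.113.1 LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=900 DF PROTO=TCP SPT=58581 DPT=5814 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x8000000",
    "DoS(SYN Flooding): IN=ppp1 OUT= MAC= SRC=192.0.2.9 DST=203.0.113.1 LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=51757 DF PROTO=TCP SPT=42593 DPT=9946 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x8000000",
]

def parse_line(line):
    """Return rule name, KEY=VALUE fields and bare TCP flags, or None for non-entries."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None  # timestamp lines, blanks
    fields = {}
    for key, value in KV_RE.findall(line):
        fields.setdefault(key, value)  # keep the first LEN (IP length), not the UDP one
    return {"rule": m.group(1), "fields": fields,
            "flags": TCP_FLAGS & set(line.split())}

def triage(lines):
    """Summarise what the firewall logged; hand-redacted DST text is tolerated."""
    out = {"by_rule": Counter(), "by_net": Counter(),
           "not_forwarded": 0, "impossible_flags": 0, "chargen_probe": 0}
    for entry in filter(None, map(parse_line, lines)):
        f, flags = entry["fields"], entry["flags"]
        out["by_rule"][entry["rule"]] += 1
        out["by_net"][f.get("SRC", "").rsplit(".", 1)[0] + ".0/24"] += 1  # IPv4 only
        # Assumption (netfilter LOG layout): IN set, OUT empty = arrived on WAN, not forwarded.
        if f.get("IN") and f.get("OUT") == "":
            out["not_forwarded"] += 1
        # SYN together with FIN or RST is contradictory; no normal TCP stack sends it.
        if "SYN" in flags and flags & {"FIN", "RST"}:
            out["impossible_flags"] += 1
        # UDP port 19 is chargen, a service probed for by reflector scans.
        if f.get("PROTO") == "UDP" and f.get("DPT") == "19":
            out["chargen_probe"] += 1
    return out

if __name__ == "__main__":
    print(triage(SAMPLE))
```

If `not_forwarded` equals the total number of entries, every logged packet stopped at the router's WAN interface, which is the reading given in the last reply.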