
Unpatched routers being used to build vast proxy army, spy on networks - rbanffy
https://arstechnica.com/information-technology/2018/09/unpatched-routers-being-used-to-build-vast-proxy-army-spy-on-networks/
======
tpfour
I finally convinced myself to build an opnsense wifi router after years of
procrastination. I want to take back control of my network, or at least
monitor it properly.

What are the most interesting network analysis tools I should look into? I'm
talking more about high-level visualisations. For example, I'd be interested
in keeping a list of every device that's ever connected to my network, and
maybe get alerts upon detecting it. Or map requests/connections in real-
time/historically on a globe in HTML5. Just some fun stuff to actually get a
sense of what's going on in my network.

Any recommendations?
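One concrete way to get the "every device that has ever connected, with an alert for newcomers" part, as an added example that is not from the thread or from opnsense: poll the router's neighbour (ARP) table, keep a persistent inventory keyed by MAC address, and print an alert for any MAC not seen before. It assumes a Linux-style router where `ip -4 neigh show` is available (the sample table embedded below is constructed, and the inventory path is an arbitrary choice); on a BSD-based box such as opnsense you would feed it the output of `arp -an` with a different regex.

```python
"""Track every device ever seen on the LAN and flag newcomers.

Added example, not part of the original thread. Assumptions: the
neighbour table comes from `ip -4 neigh show` (Linux iproute2), and the
inventory is persisted as JSON at a path of your choosing. The sample
table below is constructed for illustration.
"""
import json
import re
import subprocess
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample of `ip -4 neigh show` output. Note the FAILED entry
# without a MAC and the same MAC appearing twice with different case.
SAMPLE_NEIGH = """\
192.168.1.10 dev br-lan lladdr 3c:52:82:aa:bb:01 REACHABLE
192.168.1.23 dev br-lan lladdr b8:27:eb:12:34:56 STALE
192.168.1.99 dev br-lan  FAILED
192.168.1.44 dev br-lan lladdr 3C:52:82:AA:BB:01 DELAY
"""

NEIGH_RE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+dev\s+(?P<dev>\S+)\s+lladdr\s+"
    r"(?P<mac>[0-9a-fA-F:]{17})\s+(?P<state>\S+)"
)


def parse_neighbours(text):
    """Return {mac: {ip, dev, state}} for entries that carry a MAC.

    FAILED/INCOMPLETE entries have no lladdr and are skipped. MACs are
    lower-cased so case differences don't create duplicate devices;
    if a MAC appears twice the last entry wins.
    """
    seen = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if not m:
            continue
        seen[m["mac"].lower()] = {
            "ip": m["ip"], "dev": m["dev"], "state": m["state"]}
    return seen


def update_inventory(inventory, neighbours, now):
    """Merge the current neighbour table into `inventory` in place and
    return the MACs that were never seen before. Each inventory record
    keeps first_seen, last_seen and every IP the device has used."""
    new = []
    for mac, info in neighbours.items():
        rec = inventory.get(mac)
        if rec is None:
            rec = {"first_seen": now, "last_seen": now, "ips": []}
            inventory[mac] = rec
            new.append(mac)
        rec["last_seen"] = now
        if info["ip"] not in rec["ips"]:
            rec["ips"].append(info["ip"])
    return new


def load_inventory(path):
    p = Path(path)
    return json.loads(p.read_text()) if p.exists() else {}


def save_inventory(path, inventory):
    Path(path).write_text(json.dumps(inventory, indent=2, sort_keys=True))


def get_neighbours():
    """Live neighbour table; requires iproute2 on the host running this."""
    out = subprocess.run(["ip", "-4", "neigh", "show"],
                         capture_output=True, text=True, check=True).stdout
    return parse_neighbours(out)


def main(path="lan-inventory.json", text=None):
    """One polling pass: run this from cron every few minutes."""
    inv = load_inventory(path)
    neigh = parse_neighbours(text) if text is not None else get_neighbours()
    now = datetime.now(timezone.utc).isoformat(timespec="seconds")
    new = update_inventory(inv, neigh, now)
    for mac in new:
        print(f"ALERT new device {mac} at {neigh[mac]['ip']} on {neigh[mac]['dev']}")
    save_inventory(path, inv)
    return new


if __name__ == "__main__":
    main(text=SAMPLE_NEIGH)  # use main() for a live run
```

Two caveats a practitioner would want: the neighbour table only holds hosts that talked recently, so the inventory is only as complete as the polling interval (a DHCP lease file is a second, complementary source), and a MAC address is trivially spoofable, so "never seen before" is an inventory signal, not an authentication decision.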

~~~
iopuy
mitmproxy is what you need. I've installed it on a Raspberry Pi that then acts
as a hotspot. mitmproxy allows me to see every bit of data that is being put
on the wire. All telemetry, pings, contacts, and more being transmitted home
(respective of encryption). A transparent proxy is essential if you want to
deep dive into what the apps on your network are actually doing.

~~~
existencebox
Do you happen to know what added latency one can expect from using one of
those? (Apologies if my brief googling was off-point and this is a well
answered question)

~~~
programmarchy
Did a little googling and couldn’t find any benchmarks but the new v4 release
claims a 4x improvement in speed.

[https://mitmproxy.org/posts/releases/mitmproxy4/](https://mitmproxy.org/posts/releases/mitmproxy4/)

------
nstart
So for people like myself who don't know much about this stuff, I was
wondering what we can learn to figure out if the routers we are using are
compromised in any way. On a similar tangent, is there any way we can detect
any editing being done by an ISP? Like how and where they might be inserting
headers into our traffic for example.

Just curious where to start in this exercise.

~~~
marcosdumay
I guess the preferred way to discover if your router is compromised would be
by network analysis... And you would need to plug it into some other computer
for that, which just shifts the problem to the other computer.

I guess you can gain some confidence that it isn't compromised, but can never
be sure.

About edits being done by the ISP, once you fix on a not-all-powerful adversary
(not the NSA), it's easy to get some machine it couldn't have tainted.

~~~
ant6n
That doesn't sound like a way that would be preferred by any home user. How
about starting with a list of affected routers?

~~~
marcosdumay
Well, you are going with a completely different question than the one I got.
And rereading the GP, I don't know which is correct, so, well maybe.

------
TeMPOraL
I'm surprised that neither here nor in the article from 2 days ago can I find
a _list of affected routers_. Or even a tip on how I should check whether my
Mikrotik is affected / has been pwned by either of those attacks.

In a hopefully unrelated story, my Mikrotik and/or my ISP has been acting up in
the past hour; I've lost the ability to resolve many .com domains for ~30
minutes, even though I have Google's NS set up as the first two on the router.
Manual queries (Mikrotik: resolve somedomain.com server 8.8.8.8 / Local:
nslookup - 8.8.8.8) resolved correctly; it's just the defaults that couldn't.
Sad to admit this, but I have no clue what's going on -.-

~~~
headgasket
Most models can be affected. Check if your first firewall rule sends to the
built-in proxy. See
[https://www.google.ca/amp/blog.netlab.360.com/7500-mikrotik-...](https://www.google.ca/amp/blog.netlab.360.com/7500-mikrotik-routers-are-forwarding-owners-traffic-to-the-attackers-how-is-yours-en/amp/);
in particular check if the web proxy and/or socks service are enabled.
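The check described above, as an added example that is not from the thread or the linked write-up: pull the output of `/ip proxy print`, `/ip socks print` and `/ip firewall nat print` off the router (for instance `ssh admin@router '/ip proxy print'`), then flag an enabled web proxy or SOCKS service and any enabled dstnat redirect that points at the proxy port. The three sample outputs embedded below are constructed to look like RouterOS output; they are not captured from a compromised device, and the script goes slightly beyond the comment by scanning every enabled NAT rule rather than only the first.

```python
"""Flag a MikroTik RouterOS box whose built-in proxy or SOCKS service is
enabled and whose NAT rules redirect traffic into that proxy.

Added example, not from the thread or the 360 netlab post. Assumptions:
the three text blocks are what `/ip proxy print`, `/ip socks print` and
`/ip firewall nat print` return over SSH. The samples below are
constructed for illustration.
"""
import re

SAMPLE_PROXY = """\
            enabled: yes
        src-address: ::
               port: 8080
          anonymous: no
"""
SAMPLE_SOCKS = """\
  enabled: no
     port: 1080
"""
SAMPLE_NAT = """\
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=dstnat action=redirect to-ports=8080 protocol=tcp dst-port=80 log=no
 1   chain=srcnat action=masquerade out-interface=ether1 log=no
"""

# " 0 X  chain=..." style lines: index, optional flag letters, attributes.
RULE_RE = re.compile(r"^\s*(?P<idx>\d+)\s*(?P<flags>[A-Z]*)\s+(?P<body>chain=.*)$")


def parse_kv(text):
    """'key: value' lines from a single-item RouterOS print."""
    kv = {}
    for line in text.splitlines():
        if ":" in line:
            k, _, v = line.partition(":")
            kv[k.strip()] = v.strip()
    return kv


def parse_nat_rules(text):
    """List of {attr: value} dicts, one per rule, with _index/_disabled."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        attrs = dict(tok.split("=", 1) for tok in m["body"].split() if "=" in tok)
        attrs["_index"] = int(m["idx"])
        attrs["_disabled"] = "X" in m["flags"]
        rules.append(attrs)
    return rules


def audit(proxy_text, socks_text, nat_text):
    """Return a list of human-readable findings; empty means nothing flagged."""
    proxy = parse_kv(proxy_text)
    socks = parse_kv(socks_text)
    findings = []
    if proxy.get("enabled") == "yes":
        findings.append(f"web proxy enabled on port {proxy.get('port')}")
    if socks.get("enabled") == "yes":
        findings.append(f"socks enabled on port {socks.get('port')}")
    proxy_port = proxy.get("port")
    for r in parse_nat_rules(nat_text):
        if r["_disabled"]:
            continue
        # A dstnat redirect to the proxy port sends clients' traffic into
        # the router's own proxy; a redirect to a disabled proxy's port is
        # still worth a look, so it is reported either way.
        if (r.get("chain") == "dstnat" and r.get("action") == "redirect"
                and r.get("to-ports") == proxy_port):
            where = "first" if r["_index"] == 0 else f"rule {r['_index']}"
            findings.append(
                f"{where} dstnat rule redirects dst-port={r.get('dst-port')} "
                f"to the built-in proxy port {proxy_port}")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_PROXY, SAMPLE_SOCKS, SAMPLE_NAT) or ["nothing flagged"]:
        print(f)
```

A clean result here only means the two services are off and no NAT rule points at the proxy; it says nothing about `/ip firewall filter`, scheduler scripts, or whether the firmware itself is current, so treat it as a quick triage step, not a clean bill of health.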

~~~
TeMPOraL
Seems I'm fine with that, for now. Thanks.

------
huhtenberg
Related, from 2 days ago -
[https://news.ycombinator.com/item?id=17908028](https://news.ycombinator.com/item?id=17908028)

------
brotherjerky
After the last one of these articles, I finally flashed my router with
OpenWRT, and it's been pretty nice so far. Best feature: Installed `adblock`
package, and now I get DNS-level ad blocking, which is simply fantastic. Works
on all clients (including mobile) and significantly faster than blocking in
browser.
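For anyone wanting to see what DNS-level blocking of this kind boils down to, here is an added example (not the OpenWrt `adblock` package's own code, which is a shell script) that turns a hosts-format blocklist into dnsmasq `address=` sinkhole lines. It assumes dnsmasq is the resolver, as it is by default on OpenWrt, so that `address=/example.com/0.0.0.0` also covers every subdomain; that property is what lets it drop entries already covered by a parent. The blocklist and allowlist below are constructed, not real feeds.

```python
"""Turn a hosts-format blocklist into a dnsmasq `address=` sinkhole file.

Added example, not the OpenWrt adblock package's code. Assumption: the
router runs dnsmasq, where `address=/example.com/0.0.0.0` answers the
domain and all of its subdomains with 0.0.0.0. Sample data is constructed.
"""
import re

SAMPLE_BLOCKLIST = """\
# constructed sample in hosts format
0.0.0.0 ads.example.com
0.0.0.0 tracker.example.net
127.0.0.1 cdn.tracker.example.net   # already covered by the parent entry
0.0.0.0 localhost
0.0.0.0 telemetry.example.org
0.0.0.0 bad_host.example.com        # underscore is not a valid label, dropped
::1 ip6-localhost
0.0.0.0 ADS.EXAMPLE.COM             # duplicate, differs only in case
"""
SAMPLE_ALLOWLIST = frozenset({"telemetry.example.org"})

LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?:{LABEL}\.)+{LABEL}$")  # at least two labels
# Names that hosts files carry for the local machine; never sinkhole them.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Set of lower-cased, syntactically valid hostnames from hosts lines."""
    names = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments
        parts = line.split()
        if len(parts) < 2:                        # blank or bare address
            continue
        for name in parts[1:]:                    # hosts lines may list aliases
            name = name.lower().rstrip(".")
            if name in LOCAL_NAMES or not HOSTNAME_RE.match(name):
                continue
            names.add(name)
    return names


def collapse(names, allow=frozenset()):
    """Drop allowlisted names and names whose parent domain is already blocked.

    Parents are visited first (fewer dots), so a child can always check
    whether any of its suffixes is already in the kept set.
    """
    kept = set()
    for name in sorted(names, key=lambda n: (n.count("."), n)):
        if name in allow:
            continue
        labels = name.split(".")
        if any(".".join(labels[i:]) in kept for i in range(1, len(labels))):
            continue
        kept.add(name)
    return kept


def render_dnsmasq(names):
    """dnsmasq config fragment: one sinkhole line per name, sorted for diffs."""
    return "".join(f"address=/{n}/0.0.0.0\n" for n in sorted(names))


def build(blocklist_text, allow=frozenset()):
    return render_dnsmasq(collapse(parse_hosts(blocklist_text), allow))


if __name__ == "__main__":
    # Write the result to e.g. /tmp/dnsmasq.d/blocklist.conf and restart dnsmasq.
    print(build(SAMPLE_BLOCKLIST, SAMPLE_ALLOWLIST), end="")
```

The allowlist matters more than it looks: a blocklist entry for a parent domain silently takes every subdomain with it, so an overly broad entry breaks a site's legitimate services, and this is the usual reason DNS-level blocking needs an exception list at all.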

~~~
SpikeDad
A nice alternative which allows you to keep using your router's own software
or routers not compatible with open source software is PI-HOLE
([https://pi-hole.net](https://pi-hole.net)). Provides the same DNS level
blocking with a lot more information and features.

~~~
neilsimp1
I've been thinking of getting a Pi-Hole for a while, but also have a router
running OpenWRT. Are there any advantages/disadvantages to using a Pi-Hole vs.
using an AdBlock package on the router?

~~~
LeftTurnSignal
I used an adblock package in pfSense but not OpenWRT. The issue I had with
pfSense's package was that it wasn't nearly as configurable as pi-hole and it
used up a bit too many resources on the Soekris 5505 box. I had to uninstall it
because it took too many resources.

I ended up installing Docker on my laptop, grabbing the Pi-Hole container, and
configuring my laptop to use the docker container as the DNS server.

So far this has worked very well. Wherever I go, I have pihole running in the
background. I can access the web interface and do everything I could do on the
rasp pi-hole, without the extra hardware. It does take a minute or two to
start up in the background after logging in though.

------
christophilus
Anyone here used Plume[0]? A friend of mine recently suggested it, and it
sounds interesting but also... a bit scary. I suspect it has a centralized
attack point (get into the Plume infrastructure, and you can probably
automatically roll a virus out to all Plume routers in the world).

[0] [https://www.plume.com/](https://www.plume.com/)

~~~
ac29
Plume got a pretty icy reception here when they launched their subscription-
based pricing model:
[https://news.ycombinator.com/item?id=17293078](https://news.ycombinator.com/item?id=17293078)

If you really need a mesh (you probably don't), there are other solutions. If
you know at least a little about home networking and WiFi, just setup a Unifi
system and be done with it.

~~~
crestfallen
Let me first say that I am not a super network dude. I know enough to be
dangerous.

The newer story @ Ars has some updated stats and thoughts:
[https://arstechnica.com/features/2018/06/exclusive-plumes-ne...](https://arstechnica.com/features/2018/06/exclusive-plumes-new-superpod-hardware-is-here-and-its-fast/)

Part of the improvement is the hardware. The latency improvement is awesome,
for example. But part of it seems to legitimately be the optimization that
their software is doing re: signal strength, which backhaul to use, auto
updates, the level of customer support, and other stuff.

I don't know how it compares, but it seems it may be better than people were
initially thinking.

------
21
I thought that Linux is secure against viruses, because it has a sane security
model, unlike Windows which is insecure no matter what.

~~~
yjftsjthsd-h
Linux, the kernel, and NT, the kernel, are mostly secure. People manage to
build insecure things on top of each.

~~~
xorcist
Well, that's perhaps a bit too reductionist to be a useful statement. There
are other things outside the kernel that are important too, and design
decisions that matter to user space.

Things like OLE can, in retrospect, be said not to have been a good idea
security-wise. Autorun kept delivering for more than a decade. Perhaps GDI
could do with a security model. That sort of thing makes it unnecessarily
difficult to secure the system.

The reason we don't hear about Windows router botnets is because nobody
bothers building those boxes in the first place. You put your Windows box
behind a small Linux box in order to connect it to the Internet, not the other
way around.

~~~
ectospheno
Quite a few are placed behind small BSD boxes rather than Linux. But yeah,
internet facing Windows routers aren't exactly common. Certainly not without
spending a good bit of time in group policy editor turning off almost
everything.

