
Over 65,000 Home Routers Are Proxying Bad Traffic for Botnets, APTs - AndrewDucker
https://www.bleepingcomputer.com/news/security/over-65-000-home-routers-are-proxying-bad-traffic-for-botnets-apts/
======
riobard
Yet another misuse of 1.1.1.1 in the figures.

Actually, it was a mistake NOT reserving more human-friendly IP blocks for
documentation/example purpose. The three /24 blocks reserved all fail
blatantly because nobody remembers them, and they look as unsuspicious as
normal blocks.

1.2.3.0/24 would be a much better choice because people would easily remember
them and know it's not "real", just like you would not take a phone number
123-4567 on a filled form as "real" (even though it might be).

Next time you make anything, please remember to design for humans.

~~~
ge0rg
Except that everybody knows that the "fake" phone number prefix is 555:
[https://en.wikipedia.org/wiki/555_(telephone_number)](https://en.wikipedia.org/wiki/555_\(telephone_number\))
;-)

~~~
IncRnd
Except that not everybody knows that. I use the # for information at stores,
when asked for a #, and the cashiers usually have no idea what 555-1212 means.
In my sample, the vast majority of people do NOT know.

~~~
smudgymcscmudge
Wasn’t 555-1212 the only 555 number that worked?

~~~
mikestew
It used to connect you to directory information (as in "I need the number for
mikestew in Seattle...") for the specified area code (or local, if no area
code specified). I don't know if it still works or not.

------
throwawya1w2
I thought my home network was secure. Last week, I turned on my Surface and
its lock screen had a "remote session active" screen. Before I could do
anything, it turned itself off. When I turned it back on, it showed "low
battery" and turned off. I have no idea if this was a bug or somebody remotely
accessed it. I had everything updated to the latest software/firmware. Remote
desktop itself was disabled on the Surface (though it had "allow remote
assistance" enabled). I didn't have router web administration enabled. Router
admin password as well as wifi password were unique, 15-20 chars long and I
never used them anywhere else. Same thing for my Microsoft account that I use
for Windows login. Wifi also had MAC address filtering enabled. There was only
one more person using my network, and it's unlikely they would do this because
I don't think they know my password. And I don't think they are that
technically knowledgeable other than to use a PC for browsing. I also had a
Synology NAS with OpenVPN. Router was configured to forward the VPN port, but
Synology's firewall was configured to allow connections only from 2 IP ranges
that my phone gets when on mobile network. Strangely, after this incident, I
turned off the VPN and now my NAS goes to sleep properly. It never used to
sleep before. I sit right next to the NAS and I could hear the HDDs
reading/writing all the time, although slowly. I always used to think maybe
someone was slowly copying files from my NAS.

I had earlier set up a pfsense box purely for ad blocking and to keep out
Google/Microsoft creepware. But I had stopped using it because of the learning
curve. Now, I am learning how to properly configure it.

It's kind of amusing if you think about it. In olden days, people had to worry
about physical attack of their house. Nowadays, I am more worried about these
virtual attacks.

~~~
tinus_hn
Routers and NAT only protect against incoming connections. If someone can
force your computer to make an outbound connection there is no protection.

~~~
throwawya1w2
The Surface was factory reset only a few days back. I don't use it that much
except for occasional ebooks. The only software I had in it were Firefox,
Chrome, Office and Drawboard if you don't consider all that Candy crush/Soda
crush/Animal kingdom bloat that MS likes to push on us (which I promptly
uninstalled).

I have to admit that I downloaded the pdf ebooks from piracy sites. So don't
know if they had some malware in them. I did scan them with MBAM, Avira, MS
Defender before use though. Note that I didn't download them from Surface. I
downloaded them using a Ubuntu VirtualBox VM running on another laptop. I
restore the VM to a previous snapshot each time after use.

~~~
tinus_hn
It could very well be the original Microsoft software doing this. Check if
your Microsoft account and other cloud accounts you are using on that machine
have been compromised.

------
sokoloff
To save some googling, as neither this article nor the Akamai report defined
“APT”:

[https://en.m.wikipedia.org/wiki/Advanced_persistent_threat](https://en.m.wikipedia.org/wiki/Advanced_persistent_threat)

~~~
tbihl
At this point, if you're reading an Akamai report, APT probably stands alone
as a term. On a list of abbreviations their readers should know, it's not
quite 'IP address', but surely it's ahead of 'DNS'.

------
kuon
Why is UPnP even a thing? I mean, with NAT hole punching you can do P2P, and
if you are hosting anything (web server or even bit torrent), manually
forwarding a port should be within your reach.

I've been using an OpenBSD based router for years with no UPnP support and
never had any issue (like unable to play online games or anything). I'm really
curious why it's present on all home routers.

~~~
LinuxBender
UPnP / SSDP is a half-baked standard and will be a thing for the foreseeable
future unfortunately. I say half baked, because with just a little effort and
critical thinking, users would have full control over the interaction between
their systems and their routers.

For starters, a lot of gaming companies now depend on people having this so
that the users run the servers instead of the gaming company having to pay for
the infrastructure. They won't begin to explain to kids how to forward ports.

Many app makers now assume this as well and certainly do not want to explain
to non technical users how to forward ports to a machine on their network.

IoT is just leveraging an existing precedence.

~~~
kuon
I guess that's how we end up with situations like
[http://www.insecam.org/](http://www.insecam.org/)

I think this kind of knowledge should be common, I mean, you should have a
"network" course at school, learn how to forward ports and basics about how
the internet works.

Well, this is another discussion.

------
Sukotto
Ok. What specific steps should we be doing to ensure a home router is
configured safely?

Please assume a consumer grade router given by the ISP and _maybe_ another one
bought off the shelf at a box retailer. Also assume unable or unwilling to
flash firmware.

~~~
ge0rg
Disable UPnP in the router settings. In theory, that should close the hole.

Disable remote maintenance / web access. Many router web UIs have exploitable
flaws that can be used to bypass password authentication.

Ensure that you are always running the latest firmware version. If there are
no up-to-date versions / the router is too old, you might complain to the ISP.
However, they might try to sell / rent you the latest and greatest router
model then.

~~~
prepend
It looks like this exploit gets around disabled remote maintenance, since it
makes remote traffic seem local.

Disabling UPnP will do it. I'm going to set up blocking all inbound on 1900 on
ISP's router stopping traffic before it gets to my home router. I might
finally be grateful for being forced by the ISP to use their hardware for
nothing other than a hop between my network's router and the ISP's network.

------
ge0rg
The full Akamai report linked from the article also outlines that this
technique (accessing UPnP from the Internet while pretending to come from the
LAN) makes it possible to expose the router's LAN services (e.g. web
interface) on the Internet. I wouldn't be surprised if it could also be used
to scan your LAN and to connect to any local machines, to access
unauthenticated resources and to brute-force your passwords.
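A defender-side check for the two effects described here (and the "disable UPnP" advice in the how-to a few comments up), as an added example that is not from the thread, the article or the Akamai report: it parses the GetGenericPortMappingEntry responses a router's WANIPConnection service returns and flags any mapping whose internal client is an Internet host (the router is relaying for someone else) or the router itself (a LAN-side service such as the web UI has been exposed on the WAN). The SOAP responses, the LAN prefix and the router address are constructed sample values, and the flagging rule is this example's own assumption about what an injected mapping looks like.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample of what a router's WANIPConnection service returns for
# GetGenericPortMappingEntry (the call "upnpc -l" makes). Not captured traffic.
RESP = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Body><u:GetGenericPortMappingEntryResponse
 xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>
<NewProtocol>TCP</NewProtocol><NewInternalPort>{iport}</NewInternalPort>
<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>
<NewPortMappingDescription>{desc}</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""

SAMPLE_RESPONSES = [
    # Legitimate mapping added by a LAN client.
    RESP.format(ext=51413, iport=51413, client="192.168.1.20", desc="torrent"),
    # Target is an Internet host: the router is relaying traffic for a stranger.
    RESP.format(ext=8080, iport=80, client="203.0.113.45", desc=""),
    # Target is the router itself: its LAN-side web UI is now reachable from WAN.
    RESP.format(ext=40000, iport=80, client="192.168.1.1", desc=""),
]

def parse_mapping(xml_text):
    """Return the New* fields of one GetGenericPortMappingEntry response."""
    fields = {}
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.split("}")[-1]  # strip the namespace prefix, if any
        if tag.startswith("New"):
            fields[tag] = (el.text or "").strip()
    return fields

def classify(m, lan_net, router_ip):
    """Verdict for one mapping: 'ok', 'EXPOSED ...' or 'INJECTED ...'.
    Assumption: an injected mapping points outside the LAN prefix."""
    client = ipaddress.ip_address(m["NewInternalClient"])
    target = "%s:%s/%s" % (client, m["NewInternalPort"], m["NewProtocol"])
    if client not in lan_net:
        return "INJECTED: WAN port %s -> %s" % (m["NewExternalPort"], target)
    if client == router_ip:
        return "EXPOSED: WAN port %s -> %s" % (m["NewExternalPort"], target)
    return "ok"

def audit(responses, lan_cidr="192.168.1.0/24", router_ip="192.168.1.1"):
    """Classify every mapping; anything but 'ok' deserves a look."""
    lan = ipaddress.ip_network(lan_cidr)
    rtr = ipaddress.ip_address(router_ip)
    return [classify(parse_mapping(r), lan, rtr) for r in responses]
```

On a real router the responses come from POSTing GetGenericPortMappingEntry with index 0, 1, 2, ... to the IGD control URL until the device answers with an invalid-index SOAP fault; an empty table (or no reachable IGD at all) is what you want to see after disabling UPnP.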

~~~
bhouston
A lot of people have insecure computers/file servers inside of their local
firewall.

------
orliesaurus
How do I know if my router is affected? EDIT: nvm, here is the list
[https://www.akamai.com/us/en/multimedia/documents/white-pape...](https://www.akamai.com/us/en/multimedia/documents/white-paper/upnproxy-blackhat-proxies-via-nat-injections-white-paper.pdf)

~~~
kevinSuttle
Script doesn't appear to be formatted for copy/paste...

------
always_good
Nothing is going to change until this kind of stuff affects the financials of
the people using these bad router configs, compromised internet of things
devices, malwared computers, and anything else that creates a bunch of
outbound traffic.

It should be impossible to be unaware that your home network's outbound is
saturated all month. It's ridiculous.

~~~
rando444
So the way to get the elderly, non-tech savvy, and low usage users to buy a
new router is to make them suffer financially?

------
AndyMcConachie
This Phrack article predates their 2011 reference to successful UPNP exploit
by 3 years.

[http://phrack.org/issues/65/5.html#article](http://phrack.org/issues/65/5.html#article)

UPNP is a mess and I'm not even sure if there is a way to properly make it
secure.

------
techload
I'm surprised that there are no TP-Link routers on the list of affected
manufacturers.

~~~
mondoshawan
Surprised to see Ubiquiti on that list. Thankfully, the EdgeRouter series
doesn't show up there!

Still, I'll be blocking port 1900 and focusing more on defense in depth on my
home net...

The irony is that back when I was a teenager adminning our home routers, I'd
always disable UPnP simply because of what it is -- at the time it stood to
reason that any consumer POS device could bypass the firewall with it and do
horrible things from the inside out. Nowadays I've become a bit lazy because I
think I'm pretty fatigued at fighting this kind of junk.

------
notyourday
I know I'm a strange fellow, but I am having a hard time understanding why
consumer grade routers are such garbage.

I have been using 2x wall-mounted industrial mini PCs running Debian to cover
a 2400 sq two-story house. They just work. They have no software that is tricky
or unknown. Hell, the one that has a cross connect to the cable modem even runs
a firewall. Speeds blow consumer routers out of the water. I even have a guest
network so the visitors can access the internet and not see anything else they
are not supposed to have access to. Cost? $300 for both.

~~~
xiao_haozi
You don't happen to have a writeup about your hardware selection and how you
configured these do you? I've been thinking of going this way in a new house.

~~~
gvb
I followed the Ars guide to building a linux router from scratch and adjusted
to fit my network needs:

[https://arstechnica.com/gadgets/2016/04/the-ars-guide-to-bui...](https://arstechnica.com/gadgets/2016/04/the-ars-guide-to-building-a-linux-router-from-scratch/)

------
ShorsHammer
Had experience with multiple ISP's pushing their own heavily marked-up and
broken routers. I assume it's a good money maker.

If only there was a sliver of corporate responsibility and associated
punishment, probably a big ask from governments benefiting handsomely from the
vulnerabilities despite the loss to the citizens they represent.

Guess it could be considered a new form of taxation? National security only
really extends to the physical domain.

~~~
dcow
I don't really think this is one of those cases unless I missed some trend
recently where the govt is using misconfigured routers to access home
networks... This is an overly scary article about running upnp on the wrong
interface.

~~~
ShorsHammer
Sorry perhaps I don't understand your point, but the research in this article
is entirely about governments and bad actors penetrating home networks for
their own use.[1]

Are you suggesting private APTs exist? Seen no evidence so far that it's
anyone but a dozen nations who lamely try to rebrand every now and then.

UPnP is a world of trouble in general, but even more so for the average person
disabling it in a house full of kids. There needs to be responsibility taken
by any large tech company pushing insecure products on their customers.

[1] researchers at Symantec had uncovered parts of this proxy network due to
their ongoing investigation into the “Inception Framework,” and the APT group
behind it.

~~~
dcow
_Sorry perhaps I don't understand your point, but the research is about
governments and bad actors penetrating home networks for their own use._

Source? This isn't a new report. All it talks about is that misconfigured upnp
is used by one APT framework (see: [https://www.symantec.com/blogs/threat-intelligence/inception...](https://www.symantec.com/blogs/threat-intelligence/inception-framework-hiding-behind-proxies)).

~~~
vuln
Umm... It was leaked that the CIA (the US government) exploited home routers...

[https://arstechnica.com/information-technology/2017/06/advan...](https://arstechnica.com/information-technology/2017/06/advanced-cia-firmware-turns-home-routers-into-covert-listening-posts/)

------
alexharrisnyc
We have found a large number of routers hitting our servers at my current job,
routers with poor or no security. It seems as if they tend to be using
email password dumps and just going through their lists through these routers
trying to log into our site.

------
milankragujevic
I sent an email to Telecom Serbia warning them that ZTE ZXHN H1X8N XDSL modems
they've been giving to customers are vulnerable and they should push new
settings through CWMP that disable UPnP.

------
jacksmith21006
One of the reasons I went to using Google WiFi at home was that I did not want
to worry about things like this or keeping my network gear up to date.

------
0xffff2
How many home routers are there in the world? 65,000 actually sounds like a
shockingly low number to me.

~~~
campuscodi
Akamai found evidence of compromise on 65,000. Said around 4 million were
vulnerable.

------
trumped
My router is affected but I would never enable UPnP or remote management ...

