Over 65,000 Home Routers Are Proxying Bad Traffic for Botnets, APTs (bleepingcomputer.com)
213 points by AndrewDucker 11 months ago | 93 comments

Yet another misuse of in the figures.

Actually, it was a mistake NOT reserving more human-friendly IP blocks for documentation/example purpose. The three /24 blocks reserved all fail blatantly because nobody remembers them, and they look as unsuspicious as normal blocks. would be a much better choice because people would easily remember them and know it's not "real", just like you would not take a phone number 123-4567 on a filled form as "real" (even though it might be).

Next time you make anything, please remember to design for human.

A whole 16 million IPs were allocated in for private use, and "10" is pretty easy to remember. Trouble is people then used it.

By the time,, and were allocated in RFC5737, it was too late.

IPv6 makes human IP addresses meaningless, but even there I believe they allocated 2001:DB8::/32

What a stupid address range for examples

> IPv6 makes human IP addresses meaningless

Tell that to my blog dead:beef:dead:beef:dead:beef:dead:beef

The 10.x region is the reason that a former employer is such a huge user of NAT. They'd acquire a business who were also using that range, and they'd integrate the networks via NAT because it was too hard & dangerous to change the acquired company's devices & services.

Except that everybody knows that the "fake" phone number prefix is 555: https://en.wikipedia.org/wiki/555_(telephone_number) ;-)

Except that 'everybody' in this case only means people in North America, and, reading the siblings of this comment, not even all of them.

Not only people in North America — I’d say everybody that has an above average interest in movies. In Hollywood they use 555-xxxx all the time.

Except these days a real number is commonly used if it provides a marketing benefit, given how easy it is for people to pause movies and read all visible text.

I'm watching Hawaii Five-Oh on Netflix at the moment, and the show regularly uses that prefix when a phone number is required for the plot. Makes me smile every time they do it.


Except that not everybody knows that. I use the # for information at stores, when asked for a #, and the cashiers usually have no idea what 555-1212 means. In my sample, the vast majority of people do NOT know.

You might be confusing "do not know" for "do not care."

Yeah, my technique is to punch a random number into the machine, if it works then no problem, but if not the cashier will just scan the "store card" after the 2nd failure.

That's my technique too, but when the cashier asks to look up my number I give them 555-1212. That is what fed into my comment. Most people don't care what number is used, but many also don't know that 555-1212 is the secondary information number. This, of course, depends upon their age and geography. This comes up in the friendly conversations that result upon them looking up the phone number.

When I bought large items at crappy retailers like currys, they often refused to serve me without a postcode. I'd use SW1A 1AA, 2AA or 0AA

Except when buying a TV -- that would be W1A 1AA


Sadly the reverse lookup for 10 Downing Street is "Prime Minister and First Lord of the Treasury".

I told the cashier "That's me, don't you recognise me without the makeup?"

You should have said something like "note that the Chief Mouser to the Cabinet Office, albeit less known to the general public, also lives in the building", which is technically true.

Cashiers don't know, or don't care?

Of course some know but don't care, but the majority I met don't know.

How did you ascertain that they didn't know?

Because I was the one who provided the phone number and stood there talking with them.

How do you differentiate not caring what number you gave them from not knowing? The fact that they showed no reaction is more of a sign of how few fucks are given rather than everyone else's ignorance.

> How do you differentiate not caring what number you gave them from not knowing

I said how in the comment to which you replied.

Where did I say, "fact that they showed no reaction"? Why do you interpret something unstated as a fact?

Because you failed to bother to give a more comprehensive answer when I asked how you knew, I extrapolated. Did you personally conduct a survey?

Wasn’t 555-1212 the only 555 number that worked?

It used to connect you to directory information (as in "I need the number for mikestew in Seattle...") for the specified area code (or local, if no area code specified). I don't know if it still works or not.

There are other codes in there, caller & circuit id read-backs and other utilities the telco will use. They're usually private, but no serious harm if the public find out about them.

If you make it foolproof, the world will just create better fools.

We haven't always had CIDR.

Saying that not carving a single /24 out of a class A network is bad UX when variable length netmasks weren't even in use yet is a fundamentally silly misreading of history.

I thought my home network was secure. Last week, I turned on my Surface and its lock screen had a "remote session active" screen. Before I could do anything, it turned itself off. When I turned it back on, it showed "low battery" and turned off. I have no idea if this was a bug or somebody remotely accessed it. I had everything updated to the latest software/firmware. Remote desktop itself was disabled on the Surface (though it had "allow remote assistance" enabled). I didn't have router web administration enabled. Router admin password as well as wifi password were unique, 15-20 chars long and I never used them anywhere else. Same thing for my Microsoft account that I use for Windows login. Wifi also had MAC address filtering enabled. There was only one more person using my network, and it's unlikely they would do this because I don't think they know my password. And I don't think they are that technically knowledgeable other than to use a PC for browsing. I also had a Synology NAS with OpenVPN. Router was configured to forward the VPN port, but Synology's firewall was configured to allow connections only from 2 IP ranges that my phone gets when on mobile network. Strangely, after this incident, I turned off the VPN and now my NAS goes to sleep properly. It never used to sleep before. I sit right next to the NAS and I could hear the HDDs reading/writing all the time, although slowly. I always used to think maybe someone was slowly copying files from my NAS.

I had earlier set up a pfsense box purely for ad blocking and to keep out Google/Microsoft creepware. But I had stopped using it because of the learning curve. Now, I am learning how to properly configure it.

It's kind of amusing if you think about it. In olden days, people had to worry about physical attack of their house. Nowadays, I am more worried about these virtual attacks.

Routers and NAT only protect against incoming connections. If someone can force your computer to make an outbound connection there is no protection.

The Surface was factory reset only a few days back. I don't use it that much except for occasional ebooks. The only software I had in it were Firefox, Chrome, Office and Drawboard if you don't consider all that Candy crush/Soda crush/Animal kingdom bloat that MS likes to push on us (which I promptly uninstalled).

I have to admit that I downloaded the pdf ebooks from piracy sites. So don't know if they had some malware in them. I did scan them with MBAM, Avira, MS Defender before use though. Note that I didn't download them from Surface. I downloaded them using a Ubuntu VirtualBox VM running on another laptop. I restore the VM to a previous snapshot each time after use.

It could very well be the original Microsoft software doing this. Check if your Microsoft account and other cloud accounts you are using on that machine have been compromised.

And securing houses is easy, with locks, metal parts, and alarms. You know what you're doing network-security-wise but you still don't know if the baddies got in or not...

Of course, securing your home is only easy because of geographic separation between yourself and the types of places where thieves will break through a non-reinforced wall while you're out of town.

The typical aphorism is "Locks only keep honest people honest."

Really, even securing your house is tricky. My place in Florida was built with the hinges to the front door on the /outside/ because of local building codes. Unfortunately, I only realized that after it was built. The locks are nice, but any enterprising thief would simply pop the hinges and remove the door if I hadn't taken steps to prevent it.

Bypassing locks is easy, and security systems are only useful when law enforcement is at the ready (rare in many places).

I had a girlfriend who would leave her sliding glass door ajar with a 2x4 to prevent it from being opened enough to let a person through. This was until I demonstrated that, unlatched, the door could just be lifted out of its frame and set aside.

I think their point was that the person has to be at your house. E.g. they can't systematically and remotely try the door handle of homes halfway around the world.

Have you looked into Windows logs?

I saw these entries in Event Viewer -> TerminalServices-LocalSessionManager.

I tried to turn it on around 8:50 pm. Here, "SURFACE\name" is my MS account.

> 4/9/2018 8:49:40 PM Remote Desktop Services: Session logoff succeeded: User: SURFACE\name Session ID: 3

> 4/9/2018 8:49:40 PM Session 3 has been disconnected by session 3

> 4/9/2018 8:49:40 PM %s from %S( #0x%x/0x%x )

> 4/9/2018 8:49:40 PM Session 3 has been disconnected, reason code 11

> 4/9/2018 8:49:41 PM Session 4 has been disconnected, reason code 11

> 4/9/2018 8:49:41 PM Remote Desktop Services: Session has been disconnected: User: SURFACE\name Session ID: 3 Source Network Address: LOCAL

> 4/9/2018 8:51:00 PM Begin session arbitration: User: SURFACE\name Session ID: 4

> 4/9/2018 8:51:00 PM End session arbitration: User: SURFACE\name Session ID: 4

>4/9/2018 8:51:00 PM Remote Desktop Services: Session logon succeeded: User: SURFACE\name Session ID: 4 Source Network Address: LOCAL

>4/9/2018 8:51:00 PM Remote Desktop Services: Shell start notification received: User: SURFACE\name Session ID: 4 Source Network Address: LOCAL

I am not sure if the entries at 8:49 pm are what I saw as the "remote session active". Also, I am not sure if this LocalSessionManager is the right place to look.
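One way to make sense of a LocalSessionManager export like the one quoted above is to parse it into per-session events and check the "Source Network Address" field: LOCAL means the session was created on the console, anything else is a peer that came in over the network. The script below is an added example, not code from the thread or from Microsoft; it embeds the lines quoted above as sample input plus one constructed line (session 5, source 192.0.2.45, a documentation address) to show what a flagged entry looks like. The line format it assumes is the "date time message" layout of an Event Viewer text export; the field names ("User:", "Session ID:", "Source Network Address:") are taken from the quoted lines.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Matches one exported Event Viewer line in the form quoted in the thread:
# "<m/d/yyyy> <h:mm:ss AM|PM> <message>". A leading ">" quote marker is tolerated.
LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) (?P<msg>.+)$"
)
USER_RE = re.compile(r"User: (?P<user>\S+)")
SESSION_RE = re.compile(r"Session ID: (?P<sid>\d+)")
SOURCE_RE = re.compile(r"Source Network Address: (?P<src>\S+)")


@dataclass
class RdsEvent:
    timestamp: str
    message: str
    user: Optional[str]
    session_id: Optional[int]
    source: Optional[str]  # "LOCAL" or a network address, when the message carries one


def parse_line(line: str) -> Optional[RdsEvent]:
    """Parse one log line; returns None for blank or non-matching lines."""
    m = LINE_RE.match(line.lstrip("> ").strip())
    if not m:
        return None
    msg = m.group("msg")
    user = USER_RE.search(msg)
    sid = SESSION_RE.search(msg)
    src = SOURCE_RE.search(msg)
    return RdsEvent(
        timestamp=f"{m.group('date')} {m.group('time')}",
        message=msg,
        user=user.group("user") if user else None,
        session_id=int(sid.group("sid")) if sid else None,
        source=src.group("src") if src else None,
    )


def parse_log(text: str) -> List[RdsEvent]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def network_logons(events: List[RdsEvent]) -> List[RdsEvent]:
    """Logon events whose source is a network address rather than LOCAL.

    Console and "run as another user" sessions show up with Source Network
    Address: LOCAL; a real RDP peer shows its address instead.
    """
    return [
        e for e in events
        if "Session logon succeeded" in e.message and e.source not in (None, "LOCAL")
    ]


def sessions_by_id(events: List[RdsEvent]) -> Dict[int, List[Tuple[str, str]]]:
    """Group messages per session ID, which gives a readable per-session timeline."""
    out: Dict[int, List[Tuple[str, str]]] = {}
    for e in events:
        if e.session_id is not None:
            out.setdefault(e.session_id, []).append((e.timestamp, e.message))
    return out


# Sample input: the lines quoted in the thread, plus one constructed line
# (session 5 from 192.0.2.45) that is NOT from the original post.
SAMPLE_LOG = r"""
> 4/9/2018 8:49:40 PM Remote Desktop Services: Session logoff succeeded: User: SURFACE\name Session ID: 3
> 4/9/2018 8:49:40 PM Session 3 has been disconnected by session 3
> 4/9/2018 8:49:40 PM %s from %S( #0x%x/0x%x )
> 4/9/2018 8:49:40 PM Session 3 has been disconnected, reason code 11
> 4/9/2018 8:49:41 PM Session 4 has been disconnected, reason code 11
> 4/9/2018 8:49:41 PM Remote Desktop Services: Session has been disconnected: User: SURFACE\name Session ID: 3 Source Network Address: LOCAL
> 4/9/2018 8:51:00 PM Begin session arbitration: User: SURFACE\name Session ID: 4
> 4/9/2018 8:51:00 PM End session arbitration: User: SURFACE\name Session ID: 4
>4/9/2018 8:51:00 PM Remote Desktop Services: Session logon succeeded: User: SURFACE\name Session ID: 4 Source Network Address: LOCAL
>4/9/2018 8:51:00 PM Remote Desktop Services: Shell start notification received: User: SURFACE\name Session ID: 4 Source Network Address: LOCAL
4/9/2018 8:55:12 PM Remote Desktop Services: Session logon succeeded: User: SURFACE\name Session ID: 5 Source Network Address: 192.0.2.45
"""

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for sid, lines in sorted(sessions_by_id(evs).items()):
        print(f"session {sid}: {len(lines)} events")
    for e in network_logons(evs):
        print(f"network logon: session {e.session_id} user {e.user} from {e.source} at {e.timestamp}")
```

Run against the quoted lines alone, nothing is flagged (every logon is LOCAL); only the constructed session 5 line trips the check.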

Your post prompted me to check my own Event Viewer. After some frenzied searching for the meaning of "Remote Desktop Services" entries in my own logs I figured that the alarm seems to stem only from the unfortunate naming of events that LocalSessionManager drops. As this document describes[0], and after confirming with another account, the events are generated when one account wishes to run a process under another account ("Run as administrator/different user" functionality). It might be that Windows Update triggered this on your computer; consider also that Windows Update sometimes updates third party drivers and one wouldn't expect they follow all best practices.

[0] https://docs.microsoft.com/en-us/windows-hardware/customize/...

There should be another TerminalServices-something or RemoteDesktop-something log which logs connection attempts in more detail.

Regarding pfsense, I want to add some more info just so that people don't get any wrong idea about it.

I stopped using pfSense because I had enabled many block lists in pfBlockerNg and it was blocking sites like Github. Now, I am learning how to properly configure it. I also set up an ELK dashboard yesterday night. This is a heatmap of the scans in the last 30 minutes.


To save some googling, as neither this article nor the Akamai report defined “APT”:


At this point, if you're reading an Akamai report, APT probably stands alone as a term. On a list of abbreviations their readers should know, it's not quite 'IP address', but surely it's ahead of 'DNS'.

Why is UPnP even a thing? I mean, with NAT hole punching you can do P2P, and if you are hosting anything (web server or even bit torrent), manually forwarding a port should be within your reach.

I've been using an OpenBSD based router for years with no UPnP support and never had any issue (like unable to play online games or anything). I'm really curious why it's present on all home routers.

Hole punching is inadequate for routers with address-dependent NAT mappings or with DS-Lite/CGNAT. With UPnP-IGD or NAT-PCP/PMP the CPE can forward the port mappings to the AFTR/CGN.

UPnP / SSDP is a half-baked standard and will be a thing for the foreseeable future, unfortunately. I say half baked, because with just a little effort and critical thinking, users would have full control over the interaction between their systems and their routers.

For starters, a lot of gaming companies now depend on people having this so that the users run the servers instead of the gaming company having to pay for the infrastructure. They won't begin to explain to kids how to forward ports.

Many app makers now assume this as well and certainly do not want to explain to non technical users how to forward ports to a machine on their network.

IoT is just leveraging an existing precedent.

I guess that's how we end up with situations like http://www.insecam.org/

I think this kind of knowledge should be common, I mean, you should have a "network" course at school, learn how to forward ports and basis about how internet works.

Well, this is another discussion.

Ok. What specific steps should we be doing to ensure a home router is configured safely?

Please assume a consumer grade router given by the ISP and _maybe_ another one bought off the shelf at a box retailer. Also assume unable or unwilling to flash firmware.

Disable UPnP in the router settings. In theory, that should close the hole.

Disable remote maintenance / web access. Many router web UIs have exploitable flaws that can be used to bypass password authentication.

Ensure that you are always running the latest firmware version. If there are no up-to-date versions / the router is too old, you might complain to the ISP. However, they might try to sell / rent you the latest and greatest router model then.

It looks like this exploit gets around disabled remote maintenance, since it makes remote traffic seem local.

Disabling upnp will do it. I’m going to set up blocking all inbound on 1900 on ISP’s router stopping traffic before it gets to my home router. I might finally be grateful for being forced by the isp to use their hardware for nothing other than a hop between my network’s router and the isp’s network.

> Disable remote maintenance / web access

By this do you mean a public remote address/login or the generic 192.168.0.X login page when on the serving network?

Side note: If there's one tech support job for friends and family I don't mind doing it's helping them replace the slow modem their ISP is "renting" them.

I was paying $60 per year for a DOCSIS 2 modem. Replaced it with a DOCSIS 3 for $90. Huge speed boost for almost free.

I've been begging my wife for years to let me upgrade the crap modem that the ISP is loaning us. She's terrified that if I touch anything, it's all going to break, and since she works out of the house, she won't be able to get online. Sigh...

And based on the last 3 providers I've had, you were getting a steal at $60/yr

Make sure companies care about their products and not only about money. My Swiss ISP is providing in-house developed hardware and it's quite good. I was quite surprised.

Probably not talking about USP or Swisscom then :) I use init7 now for a while with my own router and seriously never had so few networking issues ever.

I have no issues with the Swisscom box.

Well the one my ISP gave me did not only crash regularly but also auto enabled WPS, and a remote telnet administration port every other day which was insecure as fuck. These were only the obvious flaws.

Sometimes your only choice is changing the ISP.

Disable upnp. Define port forwarding statically where necessary.

The full Akamai report linked from the article also outlines that this technique (accessing UPnP from the Internet while pretending to come from the LAN) allows exposing the router's LAN services (e.g. web interface) on the Internet. I wouldn't be surprised if it could also be used to scan your LAN and to connect to any local machines, to access unauthenticated resources and to brute-force your passwords.
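A concrete way to check a router for this is to pull its current port-mapping table and look at where each mapping points: a forward whose internal client is an outside address means the router is relaying traffic for someone else, and a forward whose internal client is the router's own LAN address is exactly the "LAN services exposed on the Internet" case described above. The audit below is an added example, not the Akamai report's tooling or any router's code. It does not talk to a router; it works on a constructed list of mappings shaped like the entries an IGD hands back from GetGenericPortMappingEntry (external port, protocol, internal port, internal client, description). It also covers the addressing discussion at the top of the thread by classifying addresses as RFC 1918 private space, RFC 5737 documentation space, or other, since Python's ipaddress lumps the first two together as "private". The LAN network, router address and management-port set are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# RFC 1918 private blocks and RFC 5737 documentation blocks, as discussed in
# the thread. Listed explicitly because ipaddress reports both as is_private.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RFC5737 = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]


def classify(addr: str) -> str:
    """'rfc1918', 'documentation' or 'other' for an IPv4/IPv6 address string."""
    ip = ipaddress.ip_address(addr)
    if any(ip in n for n in RFC1918):
        return "rfc1918"
    if any(ip in n for n in RFC5737):
        return "documentation"
    return "other"


@dataclass
class PortMapping:
    """One port-mapping entry as an IGD reports it (field names simplified)."""
    external_port: int
    protocol: str
    internal_port: int
    internal_client: str
    description: str


@dataclass
class Finding:
    mapping: PortMapping
    severity: str  # "ok", "medium" or "high"
    reason: str


# Assumed home LAN layout for the example (constructed, not from the thread).
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
ROUTER_LAN_IP = ipaddress.ip_address("192.168.1.1")
ADMIN_PORTS = {22, 23, 80, 443, 8080}  # typical management ports; an assumption


def audit(mappings: List[PortMapping],
          lan_net=LAN_NET, router_ip=ROUTER_LAN_IP) -> List[Finding]:
    """Rate each mapping by where it sends the traffic that arrives on the WAN."""
    findings = []
    for m in mappings:
        client = ipaddress.ip_address(m.internal_client)
        if classify(m.internal_client) != "rfc1918":
            # The router would relay WAN traffic back out to an outside host.
            findings.append(Finding(m, "high",
                "internal client is not a private address: router relays traffic to an outside host"))
        elif client == router_ip:
            # The router's own LAN-side services become reachable from the Internet.
            findings.append(Finding(m, "high",
                "internal client is the router itself: exposes its LAN services to the Internet"))
        elif client not in lan_net:
            findings.append(Finding(m, "medium",
                "internal client is private but outside the configured LAN"))
        elif m.internal_port in ADMIN_PORTS:
            findings.append(Finding(m, "medium",
                f"forwards a management port ({m.internal_port}) on a LAN host"))
        else:
            findings.append(Finding(m, "ok", "forward to a LAN host"))
    return findings


# Constructed sample table: one legitimate forward and four that deserve attention.
SAMPLE_MAPPINGS = [
    PortMapping(51413, "TCP", 51413, "192.168.1.20", "torrent client"),
    PortMapping(30000, "TCP", 25, "198.51.100.7", "node"),
    PortMapping(8080, "TCP", 80, "192.168.1.1", "node"),
    PortMapping(2222, "TCP", 22, "192.168.1.50", "ssh"),
    PortMapping(4000, "UDP", 4000, "10.5.0.9", "game"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_MAPPINGS):
        m = f.mapping
        print(f"[{f.severity:6}] {m.protocol} {m.external_port} -> "
              f"{m.internal_client}:{m.internal_port} ({m.description}): {f.reason}")
```

Anything rated "high" is worth deleting from the router and, as others in the thread suggest, followed by turning UPnP off so it cannot be re-added.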

A lot of people have insecure computers/file servers inside of their local firewall.

How do I know if my router is affected? EDIT: nvm, here is the list https://www.akamai.com/us/en/multimedia/documents/white-pape...

Script doesn't appear to be formatted for copy/paste...

Nothing is going to change until this kind of stuff affects the financials of the people using these bad router configs, compromised internet of thing devices, malwared computers, and anything else that creates a bunch of outbound traffic.

It should be impossible to be unaware that your home network's outbound is saturated all month. It's ridiculous.

So the way to get the elderly, non-tech savvy, and low usage users to buy a new router is to make them suffer financially?

This Phrack article predates their 2011 reference to successful UPNP exploit by 3 years.


UPNP is a mess and I'm not even sure if there is a way to properly make it secure.

I'm surprised that there are no TP-Link routers on the list of affected manufacturers.

Surprised to see Ubiquiti on that list. Thankfully, the EdgeRouter series doesn't show up there!

Still, I'll be blocking port 1900 and focusing more on defense in depth on my home net...

The irony is that back when I was a teenager adminning our home routers, I'd always disable UPnP simply because of what it is -- at the time it stood to reason that any consumer POS device could bypass the firewall with it and do horrible things from the inside out. Nowadays I've become a bit lazy because I think I'm pretty fatigued at fighting this kind of junk.

Me too, but I'm quite disappointed that Netis is on the list, with literally every model they made, and I have installed about 50 routers from Netis for neighbors because I thought they were "not that bad" given they cost $10 with a 2 year warranty. But, I was wrong.

Good. I updated the firmware on my Archer C7 anyway, though.

I know I'm a strange fellow, but I am having a hard time understanding why consumer grade routers are such garbage.

I have been using 2x wall-mounted industrial mini PCs running Debian to cover a 2400 sq two story house. They just work. They have no software that is tricky or unknown. Hell, the one that has a cross connect to the cable modem even runs a firewall. Speeds blow consumer routers out of the water. I even have a guest network so the visitors can access internet and not see anything else they are not supposed to have access to. Cost? $300 for both.

You can buy these things for $15. How much rigorous design, care, and quality testing do you think they get? To these companies, “software” is just a line on the BOM, like a screw or plastic piece. It’s something you source as cheaply as possible and pour into the product as the last step in the assembly line.

It’s amazing that these devices even work.


But you can get Mikrotik routers for about $50, which are great. Also you can choose to have a dedicated router with no wireless, and have a dumb access point dealing with the wireless part. However, ordinary consumers won't bother.

> I know I'm a strange fellow, but I am having a hard time to understand why consumer grade routers are such garbage.

I work at a contract engineering firm which employs a lot of folks who've stuffed Linux into embedded products (frequently ones expensive enough that if you have to ask the price, you can't afford it), though not afaik any routers.

In general:

This kind of work is done by firmware engineers who were hired because they had "linux" on their resume. They have no networking experience, and know less about security. To the extent that the project manager is aware that security is a thing, they assume any "technical" person is as good as any other on the subject. How the devices will be kept up to date is not discussed until right before the software is delivered (if ever).

>I have been using 2x wall-mounted industrial mini PCs

Can you share the manufacturer/model # of the devices you are using?

My current favorite is ZCY (X30 and X32). They are basically Intel BayTrails. You just need to remember that BayTrails have this funny feature where they would not boot off the GPT partition, so you need to make sure your boot devices are MBRs.

Just got another X32 for a different project. I replace Broadcoms with Atheros and use little VESA mounts from Ebay that I drill into a dry wall by the ceiling. After that, mounting them on a wall is no different than attaching them to the backs of the monitors.

I recommend AliExpress as the source for the systems themselves ( blows ebay out of the water ). Strangely, mounts are cheaper on Ebay.

You don't happen to have a writeup about your hardware selection and how you configured these do you? I've been thinking of going this way in a new house.

I followed the Ars guide to building a linux router from scratch and adjusted to fit my network needs:


I have a pile of notes that I was planning on organizing and publishing over next week or so. I will get back to this thread or submit it when it is done.

Had experience with multiple ISPs pushing their own heavily marked-up and broken routers. I assume it's a good money maker.

If only there was a sliver of corporate responsibility and associated punishment, probably a big ask from governments benefiting handsomely from the vulnerabilities despite the loss to the citizens they represent.

Guess it could be considered a new form of taxation? National security only really extends to the physical domain.

I don't really think this is one of those cases unless I missed some trend recently where the govt is using misconfigured routers to access home networks... This is an overly scary article about running upnp on the wrong interface.

Sorry perhaps I don't understand your point, but the research in this article is entirely about governments and bad actors penetrating home networks for their own use.[1]

Are you suggesting private APTs exist? Seen no evidence so far that it's anyone but a dozen nations who lamely try to rebrand every now and then.

UPnP is a world of trouble in general, but even more so for the average person disabling it in a house full of kids. There needs to be responsibility taken by any large tech company pushing insecure products on their customers.

[1] researchers at Symantec had uncovered parts of this proxy network due to their ongoing investigation into the “Inception Framework,” and the APT group behind it.

Sorry perhaps I don't understand your point, but the research is about governments and bad actors penetrating home networks for their own use.

Source? This isn't a new report. All it talks about is that misconfigured upnp is used by one APT framework (see: https://www.symantec.com/blogs/threat-intelligence/inception...).

Umm... It was leaked that the CIA (the US government) exploited home routers...


We have found a large number of routers hitting our servers at my current job, routers with poor or no security. It seems as if they tend to be using email password dumps and just going through their lists through these routers trying to log into our site.

I sent an Email to Telecom Serbia warning them that ZTE ZXHN H1X8N XDSL modems they've been giving to customers are vulnerable and they should push new settings through CWMP that disable UPnP.

One of the reasons I went to using Google WiFi at home was that I did not want to worry about things like this or keeping my network gear up to date.

How many home routers are there in the world? 65,000 actually sounds like a shockingly low number to me.

Akamai found evidence of compromise on 65,000. Said around 4 million were vulnerable.

My router is affected but I would never enable UPnP or remote management ...
