Barbarians at the gate
From the personal web site of Michael Horowitz
May 28, 2019
At home, our computers, tablets, phones and assorted IoT devices are connected to the Internet through a router. In addition to sharing a single Internet connection amongst many devices, routers also include a firewall, which is a huge security benefit. Here we will see just how big.
As the title of this blog implies, bad guys are constantly attacking/probing our routers. If your router has had a hole poked in its firewall, then it is very likely that bad guys are constantly probing a device in your home looking for a way to do something bad. The most popular page on my RouterSecurity.org website is the one with assorted tests you can run to kick the tires on the firewall in your router.
The constant probes of our firewall defense normally fly under the radar. No computer, tablet or phone ever pops up a message that a bad guy was rebuffed. Of course, our devices hardly ever get probed; the router is our sacrificial lamb. Many routers are mute about this; they report nothing about the probes/attacks that they blocked.
One router that I ran across, an old Verizon FIOS model, did provide an audit trail of rejected incoming connection attempts. I blogged about this in March 2018. The log file filled up quickly; in the case I wrote about, it took only 9 minutes. In that time, the router had rebuffed 38 connection attempts, which multiplies out to 6,080 per day.
For the longest time, I could not figure out how to get my router, a Pepwave Surf SOHO, to report on the Barbarians attacking its gate. But now I can.
The Verizon FIOS router logged everything; I opted to concentrate on one function, Microsoft's Remote Desktop (aka RDP). Windows PCs that can be remotely controlled by RDP listen for incoming connections on TCP port 3389.
Just days after I ran my test, Microsoft issued emergency patches for Remote Desktop to fix a bug so critical, they even patched Windows XP. So, if the function was popular with bad guys before, it's more popular now. That said, I have no idea exactly how popular RDP is with the bad guys. On the Speed Guide list of the most commonly open ports, 3389 is twelfth.
Note that port 3389 is but one of 65,535 TCP ports, not to mention UDP, which also has 65,535 ports. The point being, this is a very small slice of the Barbarian pie.
The default stance for many routers is to block all unsolicited incoming connection attempts. If you buy a router at retail, that will probably be the way it works out of the box. However, routers from ISPs often come with holes poked into the firewall. The Verizon FIOS router I just mentioned had four holes. This is one reason that using a router from an ISP is the least secure option.
My Surf SOHO has no holes in its firewall. To make a hole, I had to forward port 3389 to a computer on my LAN. Sort of. The port had to be forwarded, but I didn't want to actually open up any computer on my LAN to abuse from the Internet. So, I forwarded the port to a LAN side IP address that was not being used. The router, however, does not log forwarded ports. To get the activity report shown below, I created an inbound firewall rule that logged incoming connection attempts on port 3389, and, for good luck, blocked them too. I was thus double protected while watching for bad guys.
For a random 24 hour period, shown below, there were 62 probes looking for an open Windows machine to remotely control. The probes came from 20 different countries and from 7 different states in the US. Again, this is one day, one TCP port. Among the countries best known for spying, 14 probes came from Russia, 1 from China and 1 from Israel. Among the countries not known for spying, 5 came from Lithuania, 4 from the Netherlands and 4 from Vietnam.
Time | Source IP address | From | Known Scanner? |
May 06 14:15:24 | 196.52.43.99 | New Jersey USA | Yes |
May 06 14:10:49 | 81.22.45.211 | Russia | Yes |
May 06 13:54:20 | 221.143.46.7 | South Korea | Yes |
May 06 12:39:39 | 107.170.203.109 | California USA | Yes |
May 06 12:27:14 | 185.254.122.33 | Lithuania | Yes |
May 06 11:15:43 | 178.128.122.110 | Netherlands | Yes |
May 06 11:04:13 | 220.121.97.43 | South Korea | Yes |
May 06 10:57:55 | 198.108.66.56 | Michigan USA | censys.io |
May 06 10:35:03 | 82.202.247.44 | Russia | Yes |
May 06 10:28:31 | 81.22.45.133 | Russia | Yes |
May 06 10:21:09 | 81.22.45.85 | Russia | Yes |
May 06 10:14:29 | 185.200.118.58 | England | Not in Shodan |
May 06 10:05:58 | 192.99.175.189 | Canada | Yes |
May 06 09:52:05 | 185.153.197.115 | Moldova | Yes |
May 06 09:39:24 | 81.22.45.4 | Russia | Yes |
May 06 09:32:58 | 94.102.51.31 | Amsterdam | openportstats.com |
May 06 09:25:52 | 185.176.26.3 | Russia | Yes |
May 06 09:09:12 | 178.223.82.98 | Serbia | Not in Shodan |
May 06 09:05:57 | 81.22.45.135 | Russia | Yes |
May 06 09:04:26 | 131.100.127.2 | Brazil | Yes |
May 06 08:56:02 | 193.32.163.110 | Romania | Yes |
May 06 08:14:07 | 216.218.206.114 | California USA | shadowserver.org |
May 06 08:05:10 | 207.67.19.146 | Minnesota USA | Yes |
May 06 08:00:53 | 182.160.99.44 | Bangladesh | Yes |
May 06 07:43:00 | 160.16.194.85 | Japan | Not in Shodan |
May 06 07:20:56 | 81.22.45.150 | Russia | Yes |
May 06 06:24:53 | 185.176.27.166 | Russia | Yes |
May 06 06:04:49 | 111.223.73.130 | Singapore | Yes |
May 06 06:04:49 | 111.223.73.130 | -- | -- |
May 06 05:13:22 | 185.254.122.33 | Lithuania | Yes |
May 06 05:06:43 | 185.208.209.6 | Netherlands | Yes |
May 06 04:32:06 | 5.188.161.50 | Russia | Yes |
May 06 04:27:34 | 185.208.208.198 | Netherlands | Yes |
May 06 03:53:06 | 185.176.26.51 | Russia | Yes |
May 06 03:36:11 | 190.200.114.148 | Venezuela | Not in Shodan |
May 06 03:36:05 | 190.200.114.148 | -- | -- |
May 06 03:36:02 | 190.200.114.148 | -- | -- |
May 06 03:02:33 | 91.206.15.133 | Russia | Yes |
May 06 01:55:26 | 178.128.93.156 | Singapore | Not in Shodan |
May 06 01:36:09 | 51.75.255.233 | France | Yes |
May 06 01:23:22 | 103.207.38.203 | Vietnam | Not in Shodan |
May 05 23:23:52 | 185.176.26.15 | Russia | Yes |
May 05 22:50:09 | 185.200.118.42 | England | Not in Shodan |
May 05 21:45:50 | 221.10.172.227 | China | Yes |
May 05 21:26:14 | 185.254.122.33 | Lithuania | Yes |
May 05 20:18:33 | 138.68.91.246 | New York USA | Yes |
May 05 20:09:29 | 145.249.107.134 | Amsterdam | Yes |
May 05 19:54:55 | 196.52.43.60 | New Jersey USA | Yes |
May 05 19:03:19 | 81.22.45.211 | Russia | Yes |
May 05 18:23:28 | 173.48.143.98 | Massachusetts USA | Yes |
May 05 18:22:10 | 27.71.232.169 | Vietnam | Yes |
May 05 18:10:16 | 104.168.144.166 | Washington USA | Yes |
May 05 18:07:38 | 139.162.77.6 | Japan | Yes |
May 05 17:42:12 | 185.254.122.33 | Lithuania | Yes |
May 05 16:21:54 | 103.79.143.145 | Vietnam | Yes |
May 05 16:20:51 | 185.153.198.167 | Republic of Moldova | Yes |
May 05 15:46:31 | 108.160.74.150 | California USA | Yes |
May 05 15:23:46 | 103.125.189.115 | Vietnam | Not in Shodan |
May 05 15:22:18 | 185.254.122.33 | Lithuania | Yes |
May 05 15:08:36 | 178.128.122.110 | Netherlands | Yes |
May 05 14:49:03 | 84.94.99.189 | Israel | Yes |
May 05 14:49:02 | 84.94.99.189 | -- | -- |
Attacks on my router looking for Microsoft Remote Desktop
The data in the "Known Scanner" column comes from Shodan, which includes information about known Internet scanners from GreyNoise Intelligence. Every computer that Shodan knew about was a known scanner. A couple of the known scanners are good guys (censys.io and shadowserver.org). My guess is that openportstats.com is also a good guy. But the huge majority are, no doubt, Barbarians at the gate, probing for weaknesses.
So, what is being done about the known bad guys? Good question.
In some other testing, not shown above, I found a customer of my ISP, Spectrum, trying to get into my router. So, I contacted Spectrum and was told they would do nothing without a police report. The Internet is like the Wild West but without any Sheriffs.
Like any community, the Internet has its bad neighborhoods.
IP addresses that start with 81.22.45 seem to be a bad area in Russia. My router was probed from:
81.22.45.4
81.22.45.85
81.22.45.133
81.22.45.135
81.22.45.150
81.22.45.211 (twice)
Another bad neighborhood, also in Russia, is the block of IP addresses that start with 185.176.26. My router was probed from:
185.176.26.3
185.176.26.15
185.176.26.51
185.176.27.166
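The table above and the two "bad neighborhood" lists are what you get when you tally a blocked-connection log by country, by source address and by /24 prefix. The script below does that tally. It is an added example, not Michael Horowitz's code and not anything the Pepwave Surf SOHO produces: the one-line log format is constructed for the example (the Surf SOHO's real log lines look different), the geo label at the end of each line stands in for the lookup the router does not do itself, and the sample lines are a constructed subset of the table's entries plus one port-22 line to show that the summary is per port.

```python
"""Tally blocked inbound-connection log entries by country, source and /24."""
from collections import Counter, defaultdict
import ipaddress

# Constructed sample log (hypothetical format, not the Surf SOHO's):
# "<month> <day> <time> <source IP> <destination port> <geo label>"
SAMPLE_LOG = """\
May 06 14:15:24 196.52.43.99 3389 New Jersey USA
May 06 14:10:49 81.22.45.211 3389 Russia
May 06 10:57:55 198.108.66.56 3389 Michigan USA
May 06 10:28:31 81.22.45.133 3389 Russia
May 06 10:21:09 81.22.45.85 3389 Russia
May 06 09:25:52 185.176.26.3 3389 Russia
May 06 09:05:57 81.22.45.135 3389 Russia
May 06 06:04:49 111.223.73.130 3389 Singapore
May 06 06:04:49 111.223.73.130 3389 Singapore
May 05 23:23:52 185.176.26.15 3389 Russia
May 05 21:45:50 221.10.172.227 3389 China
May 05 19:03:19 81.22.45.211 3389 Russia
May 05 15:46:31 108.160.74.150 22 California USA
"""


def parse_log(text):
    """Turn the constructed log text into a list of dicts, skipping blank lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # month, day, time, source IP, destination port, then the geo label
        month, day, clock, ip, port, geo = line.split(None, 5)
        entries.append({
            "time": f"{month} {day} {clock}",
            "ip": ipaddress.ip_address(ip),  # raises on a malformed address
            "port": int(port),
            "geo": geo.strip(),
        })
    return entries


def country_of(geo):
    """Collapse 'New Jersey USA' style labels to the country, as the post's tally does."""
    return "USA" if geo.endswith("USA") else geo


def prefix_of(ip):
    """The /24 containing the address, e.g. 81.22.45.211 -> 81.22.45.0/24."""
    return ipaddress.ip_network(f"{ip}/24", strict=False)


def summarize(entries, port=3389):
    """Counts for one destination port: total, per country, per /24, repeated sources."""
    hits = [e for e in entries if e["port"] == port]
    by_country = Counter(country_of(e["geo"]) for e in hits)
    by_prefix = Counter(str(prefix_of(e["ip"])) for e in hits)
    per_ip = Counter(str(e["ip"]) for e in hits)
    repeats = {ip: n for ip, n in per_ip.items() if n > 1}
    return {
        "total": len(hits),
        "by_country": by_country,
        "by_prefix": by_prefix,
        "repeat_sources": repeats,
    }


def neighborhoods(entries, port=3389, min_hosts=3):
    """/24 prefixes from which at least `min_hosts` distinct addresses probed the port."""
    hosts = defaultdict(set)
    for e in entries:
        if e["port"] == port:
            hosts[prefix_of(e["ip"])].add(e["ip"])
    return sorted(str(p) for p, h in hosts.items() if len(h) >= min_hosts)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    report = summarize(entries)
    print(f"{report['total']} blocked attempts on port 3389")
    for country, n in report["by_country"].most_common():
        print(f"  {n:3d}  {country}")
    print("repeat sources:", report["repeat_sources"])
    print("neighborhoods (3+ hosts in one /24):", neighborhoods(entries))
```

Counting distinct hosts per /24 rather than raw hits is what separates a "bad neighborhood" from a single noisy address: 81.22.45.211 appearing twice is one repeat source, while four different hosts in 81.22.45.0/24 is a block worth treating as a unit.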
To close on a Defensive Computing note, there are some defenses against open ports in a router. For one thing, don't use a router from your ISP as they are the most likely to have open ports. And, test your router with assorted online firewall testing tools. Finally, disable UPnP in your router. UPnP is enabled by default on every consumer router I have seen. It can be used by devices on your LAN to open ports in the router's firewall.
I hope to write much more about assorted defensive tactics for when ports need to be opened.
michael--at--michaelhorowitz.com | Last Updated: May 29, 2019 3 PM
Copyright 2001-2024 |