Some time back I did a blog post here, on routers, router hacking, back door commands, and other interesting things. I was doing some emailing with a friend in Germany and I wanted to hunt that post down for him. Yet for some reason I can't find it. I know I didn't delete it. I have never deleted any of my blog posts, no matter what the topic or results have been. Yet .. .. .. it's gone. With that said, I'm going to post this information again, with a bit more detail and advice. :)
I've been around the block with computers. 35 (or so) years of building, supporting, and programming them does give me a little insight on how they operate. I myself am certainly not a "hacker" per say. And I don't profess to be a real security "expert". I know enough to know some of the simple things to watch for, and how to go about protecting against them, to the best of my simple abilities.
Back in the summer of 2012, I did a screen shot of a program I use called WallWatcher. This program monitors my router, and reports in real time, all of the incoming and outgoing connections, the protocols used, the remote and local IP addresses involved and port information for all of the packets sent, or attempted to be sent. It also reports attempted connections in both directions.
I was having a terrible time with internet stability, and quite often... just going to Google Dot Com, my system would freeze up. My router would at times, go into an infinite loop of cold starts, which made all forms of communications impossible. Other times, there would be a "hiccup", and some stuff would come back. I realize some of you are going "huh?" so let me explain.
Within the configuration pages of your router (most people have one of those now) are places where you can do things like port forwarding, and allowing certain ports to be open that normally would not be. If you are a gamer, you are probably aware of what I mean. :) When you make a change in one of these configurations and hit the "save" button for it, the router stores those changes and then sends out (whats refereed to as) a "warm start" command. This allows the changes to be applied, usually without affecting any other things you have going on. Kind of like plugging in a USB device with your computer system running. A cold start, is essentially the same thing as taking the power away from the router. No power, no communications.
Anyway, I checked my WallWatcher program, and took this screen shot of what happened back in June of 2012.
The entries in yellow, are the router reset commands being performed. If you notice that really long entry in the message area, you can see that it's going to some absurdly weird place at google. And immediately, it went into a cold start. I did nothing more than opening a web browser, and went to google. I did no search, entered nothing in the search area, pressed no buttons. .. .. and my router was attacked. I say "attacked" because doing a remote cold start is something restricted to higher end routers, and should by all definition of security, only be allowed by a top level system administrator that has been authorized to do those functions. My router is not "high end", and sure as hell Google is not authorized for anything of this nature.
I also use another program called PeerBlock. It's great "open source" software, that I use to stop annoying advertising, and other such things. Anyway, over several months, I have built up a list of many IP addresses that I have (painfully) encountered, of many MANY other sites that also send out weird code to cause my router to cold start. They ALL have that same form of really long weird name, and for the most part, those IP's belong to systems that are a part of "the cloud" network.
When clouds first started appearing on the internet many years back, hitting one of them would at times, bring up a pop-up box with legal terms about what a cloud is, what you are allowed to do, etc. One of the things mentioned in that agreement, was that cloud servers by default, are allowed to control ports in your computer, supposedly in order to enforce the rules of the server. And around the same time in technology, newer routers began appearing on the market, replacing older models.
Older routers had a feature where you could enable "remote logging", which allowed the router to report what it was doing, to an internal port on the system. This is the feature that WallWatcher and other log reporting software uses, to display "in english" what is going on. A super powerful thing to have, for those wanting to know whats happening. All of the newer routers have had that feature removed.
Oh sure, you can still get a log report, the manufacturers tell you. But you have to open your router configuration page, go to the report page, and open the report, which appears in a web browser. And it only shows a few things, with the information being 'static', not in real time. In order to get the current information, you have to refresh the webpage. Hell, if you refreshed the page even every 5 seconds, you could easily miss thousands of "hits". So all of the router manufacturers have essentially left you in the dark. On purpose.
Why? Well, with the cloud now being out, they didn't want to cause people any worry about their ports being accessed, and a real time log display could
If you think cloud servers are still cute, then open your router log webpage and note the information. Then go to a known cloud server webpage in a new browser window. Go back to your router configurations, change or make up some port setting changes, enable them (you can clear all this later) and save the changes. Go back to your router log file and look at the new entries. I'm betting you will find additional probing, just from sitting on a cloud server. You see, it SAW those changes made, and it was curious what the heck you were doing. Of course, much of this depends on how your router logs work. By the way, even the desktop version of TweetDeck appears to have some minor cloud association with it. I've notice a few minor probes coming from them, when I make my own router changes. ... 2 or 3 tiny queries of some kind. Where as many other sites can send out requests 20 or 30 times.
And for me... I have to say... THIS is MY computer. What I do in the way of router changes is NONE of your business! If your website or cloud server is SO poorly programmed that you "can't take a chance" on what I did, then ... grow up.
As for the "security of the cloud", well... here are my thoughts. Yes, by all means, if one server goes down, the rest of them in "the cloud" can still probably serve your internet request. Some cloud servers network within the same data center, and some network amongst other data servers in other locations, which could be 100's of miles (or more) away. After all, this is the internet. :)
One would tend to suspect that if one of those servers could be hacked (and it happens) ... just think of the huge amount of data... OR monitoring ... that could be accessed or watched over.
There are a lot of people out there, that do a lot of bad things. There is a lot of spying going on. Draw your own conclusions on who may be accessing what, and ask yourselves what about the bigger picture down the road. Will there be back door commands that will eventually allow those "big brother" types to gain access to your system?
On the plus side, all is not lost. There ARE places where you can get great 'open source' firmware to restore and upgrade your router operations. WARNING! If you choose to take this route, then search and read and re-read everything you can about exactly the steps you need to take. If you fail to do this properly, you can "brick" your router. At which point you may have to toss it. Just saying...
I recommend the DD-WRT site for the firmware and TONS of information, including forums and wiki stuff... and for an example, check out this PCWORLD article for some general information.
I forgot to add... There have been several times when these "cold starts" have been sent into an infinite loop. This locks the router up solid, and the only way to stop it is to pull the power. To the uninformed user, this makes them think their router must be bad, so they go out and buy a new one... that can be controlled.
ReplyDeleteFWIW, the "absurdly weird place at google" was an attempt to experimentally measure IPv6 adoption by randomly selecting visitors to their front page to participate in the experiment. When you loaded google.ca at 12:03 am, the page served to you had some Javascript in it that asked your browser to contact the address identified. Google collected stats as to whether you connected to them using IPv4 or IPv6. There have been a number of papers published and conference presentations given describing this experiment and its results over its lifetime.
ReplyDeleteAs to why your router did a cold start in response to this... Some routers have really crappy v6 stacks. Some computers do too. Perhaps the router didn't like something about that communication. If you're going to make the extraordinary claim that this is malicious activity from Google, the onus is on you to provide the evidence required to establish that. A packet capture on the Internet side of the router would be sufficient here, but this log does not provide sufficient information to establish what you say it does.
As to why you experience this more on "cloud" sites. Cloud providers make more use of IPv6 because the network infrastructure they use is generally newer than the network infrastructure on the rest of the Internet. As for why your DD-WRT / Tomato / ... firmwares seem to work better, they've generally got better quality stacks all around. Sad fact of life, but firmware development is _not_ where router manufacturers make their money, so it's not where they spend their money.
As far as spying goes, I see exactly zero reason that an attacker would care to know what your router settings are. I see no reason that any attack scenario would look like this (a cold boot without access to the admin interface).
Long and the short of it: Probably not malicious, probably not spying, probably just a crappy router.
When I see a normal DNS type message, it's pretty clear. When I see some very long totally unusual type DNS entry, I call it weird. If that's a difference between IPv4 and 6, then so be it.
DeleteI used Google as an example. This "type" of ... code ... happens in many places. YouTube is just one of the many others. I've also experienced the same results at some of the Adobe update pages. The vast majority of the places where I've had to block, have been "the big players" on the internet. And there IS a total difference between the IE and FireFox browsers as well.
If I go to Google with FF... I don't get the attacks that I do with IE. The code being issued between those two browsers is vastly different. This is not rocket science to figure out. A simple "view source" of the webpages is clear.
The fact also remains, that if I am on a cloud server system, and I make a port configuration change on my router setup page and save it, I get those 20 or more probes immediately after. Why any website has any form of "authority" to even SEE that I made a change, is absurd. An out and out invasion of privacy...
I note you jumped to conclusions as well. I never said that I am USING open source firmware, I simply pointed out that it exists as an alternative.
One of the main reasons why people get routers (at least in the past) was for added protection. Part of that protection is knowing in real time, whats going on. Real time logs was a HUGE feature... especially for security. The reason people bought one. To remove that feature... perhaps the most important one ... well, it has to make you wonder why.
Could I packet sniff? Certainly. Have I done that? Yes... Would I post that type of data here in this blog and reveal more personal information? No.
My router serves me well. Very well. Which certainly makes it "not crappy". But, thanks for taking the time to reply... :) I stand behind my statements, whatever is happening, I don't think its for the "better good".