Michael Horowitz
From the personal web site of Michael Horowitz

Barbarians at the gate

May 28, 2019

At home, our computers, tablets, phones and assorted IoT devices are connected to the Internet through a router. In addition to sharing a single Internet connection amongst many devices, routers also include a firewall, which is a huge security benefit. Here we will see just how big.

As the title of this blog implies, bad guys are constantly attacking/probing our routers. If your router has had a hole poked in its firewall, then it is very likely that bad guys are constantly probing a device in your home looking for a way to do something bad. The most popular page on my RouterSecurity.org website is the one with assorted tests you can run to kick the tires on the firewall in your router.

The constant probes of our firewall defense normally fly under the radar. No computer, tablet or phone ever pops up a message that a bad guy was rebuffed. Of course, our devices hardly ever get probed; the router is our sacrificial lamb. Many routers are mute about this; they report nothing about the probes/attacks that they blocked.

One router that I ran across, an old Verizon FIOS model, did provide an audit trail of rejected incoming connection attempts. I blogged about this in March 2018. The log file filled up quickly; in the case I wrote about, it took only 9 minutes. In that time, the router had rebuffed 38 connection attempts, which multiplies out to 6,080 per day.

For the longest time, I could not figure out how to get my router, a Pepwave Surf SOHO, to report on the Barbarians attacking its gate. But now I can.

The Verizon FIOS router logged everything; I opted to concentrate on one function, Microsoft's Remote Desktop (aka RDP). Windows PCs that can be remotely controlled by RDP listen for incoming connections on TCP port 3389.

Just days after I ran my test, Microsoft issued emergency patches for Remote Desktop to fix a bug so critical that they even patched Windows XP. So, if the function was popular with bad guys before, it's more popular now. That said, I have no idea exactly how popular RDP is with the bad guys. On the Speed Guide list of the most commonly open ports, 3389 is twelfth.

Note that port 3389 is but one of 65,535 TCP ports, not to mention UDP, which also has 65,535 ports. The point being that this is a very small slice of the Barbarian pie.

The default stance for many routers is to block all unsolicited incoming connection attempts. If you buy a router at retail, that will probably be the way it works out of the box. However, routers from ISPs often come with holes poked into the firewall. The Verizon FIOS router I just mentioned had four holes. This is one reason that using a router from an ISP is the least secure option.

My Surf SOHO has no holes in its firewall. To make a hole, I had to forward port 3389 to a computer on my LAN. Sort of. The port had to be forwarded, but I didn't want to actually open up any computer on my LAN to abuse from the Internet. So, I forwarded the port to a LAN side IP address that was not being used. The router, however, does not log forwarded ports. To get the activity report shown below, I created an inbound firewall rule that logged incoming connection attempts on port 3389, and, for good luck, blocked them too. I was thus double protected while watching for bad guys.

For a random 24-hour period, shown below, there were 62 probes looking for an open Windows machine to remotely control. The probes came from 20 different countries and from 7 different states in the US. Again, this is one day, one TCP port. Among the countries best known for spying, 14 probes came from Russia, 1 from China and 1 from Israel. Among the countries not known for spying, 5 came from Lithuania, 4 from the Netherlands and 4 from Vietnam.

Time             Source IP address  From                 Known Scanner?
May 06 14:15:24  196.52.43.99       New Jersey USA       Yes
May 06 14:10:49  81.22.45.211       Russia               Yes
May 06 13:54:20  221.143.46.7       South Korea          Yes
May 06 12:39:39  107.170.203.109    California USA       Yes
May 06 12:27:14  185.254.122.33     Lithuania            Yes
May 06 11:15:43  178.128.122.110    Netherlands          Yes
May 06 11:04:13  220.121.97.43      South Korea          Yes
May 06 10:57:55  198.108.66.56      Michigan USA         censys.io
May 06 10:35:03  82.202.247.44      Russia               Yes
May 06 10:28:31  81.22.45.133       Russia               Yes
May 06 10:21:09  81.22.45.85        Russia               Yes
May 06 10:14:29  185.200.118.58     England              Not in Shodan
May 06 10:05:58  192.99.175.189     Canada               Yes
May 06 09:52:05  185.153.197.115    Moldova              Yes
May 06 09:39:24  81.22.45.4         Russia               Yes
May 06 09:32:58  94.102.51.31       Amsterdam            openportstats.com
May 06 09:25:52  185.176.26.3       Russia               Yes
May 06 09:09:12  178.223.82.98      Serbia               Not in Shodan
May 06 09:05:57  81.22.45.135       Russia               Yes
May 06 09:04:26  131.100.127.2      Brazil               Yes
May 06 08:56:02  193.32.163.110     Romania              Yes
May 06 08:14:07  216.218.206.114    California USA       shadowserver.org
May 06 08:05:10  207.67.19.146      Minnesota USA        Yes
May 06 08:00:53  182.160.99.44      Bangladesh           Yes
May 06 07:43:00  160.16.194.85      Japan                Not in Shodan
May 06 07:20:56  81.22.45.150       Russia               Yes
May 06 06:24:53  185.176.27.166     Russia               Yes
May 06 06:04:49  111.223.73.130     Singapore            Yes
May 06 06:04:49  111.223.73.130     --                   --
May 06 05:13:22  185.254.122.33     Lithuania            Yes
May 06 05:06:43  185.208.209.6      Netherlands          Yes
May 06 04:32:06  5.188.161.50       Russia               Yes
May 06 04:27:34  185.208.208.198    Netherlands          Yes
May 06 03:53:06  185.176.26.51      Russia               Yes
May 06 03:36:11  190.200.114.148    Venezuela            Not in Shodan
May 06 03:36:05  190.200.114.148    --                   --
May 06 03:36:02  190.200.114.148    --                   --
May 06 03:02:33  91.206.15.133      Russia               Yes
May 06 01:55:26  178.128.93.156     Singapore            Not in Shodan
May 06 01:36:09  51.75.255.233      France               Yes
May 06 01:23:22  103.207.38.203     Vietnam              Not in Shodan
May 05 23:23:52  185.176.26.15      Russia               Yes
May 05 22:50:09  185.200.118.42     England              Not in Shodan
May 05 21:45:50  221.10.172.227     China                Yes
May 05 21:26:14  185.254.122.33     Lithuania            Yes
May 05 20:18:33  138.68.91.246      New York USA         Yes
May 05 20:09:29  145.249.107.134    Amsterdam            Yes
May 05 19:54:55  196.52.43.60       New Jersey USA       Yes
May 05 19:03:19  81.22.45.211       Russia               Yes
May 05 18:23:28  173.48.143.98      Massachusetts USA    Yes
May 05 18:22:10  27.71.232.169      Vietnam              Yes
May 05 18:10:16  104.168.144.166    Washington USA       Yes
May 05 18:07:38  139.162.77.6       Japan                Yes
May 05 17:42:12  185.254.122.33     Lithuania            Yes
May 05 16:21:54  103.79.143.145     Vietnam              Yes
May 05 16:20:51  185.153.198.167    Republic of Moldova  Yes
May 05 15:46:31  108.160.74.150     California USA       Yes
May 05 15:23:46  103.125.189.115    Vietnam              Not in Shodan
May 05 15:22:18  185.254.122.33     Lithuania            Yes
May 05 15:08:36  178.128.122.110    Netherlands          Yes
May 05 14:49:03  84.94.99.189       Israel               Yes
May 05 14:49:02  84.94.99.189       --                   --
Attacks on my router looking for Microsoft Remote Desktop

The data in the "Known Scanner" column comes from Shodan, which includes information about known Internet scanners from GreyNoise Intelligence. Every computer that Shodan knew about was a known scanner. A couple of the known scanners are good guys (censys.io and shadowserver.org). My guess is that openportstats.com is also a good guy. But the huge majority are, no doubt, Barbarians at the gate, probing for weaknesses.

So, what is being done about the known bad guys? Good question.

In some other testing, not shown above, I found a customer of my ISP, Spectrum, trying to get into my router. So, I contacted Spectrum and was told they would do nothing without a police report. The Internet is like the Wild West but without any Sheriffs.

Like any community, the Internet has its bad neighborhoods.

IP addresses that start with 81.22.45 seem to be a bad area in Russia. My router was probed from:
81.22.45.4
81.22.45.85
81.22.45.133
81.22.45.135
81.22.45.150
81.22.45.211 (twice)

Another bad neighborhood, also in Russia, is the set of IP addresses that start with 185.176.26. My router was probed from:
185.176.26.3
185.176.26.15
185.176.26.51
185.176.27.166
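Here is how the output of the log-and-block rule described earlier could be summarised the way the post does: per source address, and per /24 "neighborhood" such as 81.22.45.x. This is an added example, not the author's code or anything from Peplink; the log line format is an assumption modelled on Linux iptables LOG entries, since the Pepwave's own layout is not shown, and the sample lines are constructed from addresses in the table above. Grouping strictly by /24 puts 185.176.27.166 in a different block from 185.176.26.x, whereas the post lists them together.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Matches one Linux iptables/nftables LOG entry carrying our rule prefix.
# The format is an assumption: the Pepwave's own log layout is not shown in the post.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) .*?RDP-BLOCK.*?"
    r"SRC=(?P<src>\d+(?:\.\d+){3}) .*?DPT=(?P<dpt>\d+)"
)

# Constructed sample log. Source addresses and times are taken from the table in
# the post; 203.0.113.7 is a documentation address standing in for the WAN IP.
SAMPLE_LOG = """\
May 06 14:10:49 router kernel: RDP-BLOCK IN=wan SRC=81.22.45.211 DST=203.0.113.7 PROTO=TCP SPT=51234 DPT=3389
May 06 10:28:31 router kernel: RDP-BLOCK IN=wan SRC=81.22.45.133 DST=203.0.113.7 PROTO=TCP SPT=44010 DPT=3389
May 06 10:21:09 router kernel: RDP-BLOCK IN=wan SRC=81.22.45.85 DST=203.0.113.7 PROTO=TCP SPT=60122 DPT=3389
May 06 09:39:24 router kernel: RDP-BLOCK IN=wan SRC=81.22.45.4 DST=203.0.113.7 PROTO=TCP SPT=40001 DPT=3389
May 06 09:25:52 router kernel: RDP-BLOCK IN=wan SRC=185.176.26.3 DST=203.0.113.7 PROTO=TCP SPT=53511 DPT=3389
May 06 06:24:53 router kernel: RDP-BLOCK IN=wan SRC=185.176.27.166 DST=203.0.113.7 PROTO=TCP SPT=47000 DPT=3389
May 06 03:53:06 router kernel: RDP-BLOCK IN=wan SRC=185.176.26.51 DST=203.0.113.7 PROTO=TCP SPT=42424 DPT=3389
May 05 23:23:52 router kernel: RDP-BLOCK IN=wan SRC=185.176.26.15 DST=203.0.113.7 PROTO=TCP SPT=38800 DPT=3389
May 05 19:03:19 router kernel: RDP-BLOCK IN=wan SRC=81.22.45.211 DST=203.0.113.7 PROTO=TCP SPT=51999 DPT=3389
May 05 18:22:10 router kernel: OTHER-RULE IN=wan SRC=27.71.232.169 DST=203.0.113.7 PROTO=TCP SPT=40500 DPT=22
"""

def parse_probes(text, port=3389):
    """Return (timestamp, source) pairs for logged attempts on `port`; other rules are ignored."""
    probes = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m and int(m["dpt"]) == port:
            probes.append((m["ts"], m["src"]))
    return probes

def summarise(probes):
    """Count probes per source address and per /24 block, the post's 'bad neighborhoods'."""
    per_source = Counter(src for _, src in probes)
    per_block = Counter(str(ip_network(f"{src}/24", strict=False)) for _, src in probes)
    return {"total": len(probes), "unique_sources": len(per_source),
            "per_source": per_source, "per_block": per_block}

def daily_rate(count, minutes):
    """Extrapolate a short observation window to attempts per day (38 in 9 minutes -> 6,080)."""
    return count * 1440 // minutes

if __name__ == "__main__":
    s = summarise(parse_probes(SAMPLE_LOG))
    print(f"{s['total']} blocked RDP probes from {s['unique_sources']} sources")
    print(dict(s["per_block"].most_common()))
```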

To close on a Defensive Computing note, there are some defenses against open ports in a router. For one thing, don't use a router from your ISP, as they are the most likely to have open ports. And, test your router with assorted online firewall testing tools. Finally, disable UPnP in your router. UPnP is enabled by default on every consumer router I have seen. It can be used by devices on your LAN to open ports in the router's firewall.
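One check worth running from a LAN client after disabling UPnP, added here as an example (not the author's code or one of the online tools the post mentions): multicast an SSDP M-SEARCH for the Internet Gateway Device type, which is what a UPnP-enabled router announces, and report any replies. SAMPLE_RESPONSE and the 192.168.1.1 address in it are constructed placeholders used only to exercise the parser.

```python
import socket

SSDP_ADDR = ("239.255.255.250", 1900)   # SSDP multicast group and port
IGD = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"  # the device type a UPnP router announces

# Constructed reply of the kind a UPnP-enabled router sends; 192.168.1.1 is a placeholder LAN address.
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nST: " + IGD.encode() +
                   b"\r\nLOCATION: http://192.168.1.1:1900/rootDesc.xml\r\n\r\n")

def build_msearch(target=IGD, mx=2):
    """Build the SSDP M-SEARCH request a LAN client multicasts to find UPnP devices."""
    req = (f"M-SEARCH * HTTP/1.1\r\nHOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}\r\n"
           f'MAN: "ssdp:discover"\r\nMX: {mx}\r\nST: {target}\r\n\r\n')
    return req.encode("ascii")

def parse_ssdp_response(data):
    """Parse the HTTP-style SSDP reply into {HEADER: value}; the status line is stored under STATUS."""
    status, _, rest = data.decode("utf-8", "replace").partition("\r\n")
    headers = {"STATUS": status}
    for line in rest.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers

def is_gateway(headers):
    """True when the responder identifies itself as a UPnP Internet Gateway Device (i.e. a router)."""
    return "InternetGatewayDevice" in (headers.get("ST", "") + headers.get("USN", ""))

def discover(timeout=3.0):
    """Multicast one M-SEARCH and return (address, LOCATION) for every gateway that answers in time."""
    found = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_msearch(), SSDP_ADDR)
        try:
            while True:
                data, addr = sock.recvfrom(65535)
                headers = parse_ssdp_response(data)
                if is_gateway(headers):
                    found.append((addr[0], headers.get("LOCATION")))
        except socket.timeout:
            pass   # no more replies within the window
    return found

if __name__ == "__main__":
    gateways = discover()
    # An empty list after disabling UPnP is the result you want.
    print("UPnP gateway answered:" if gateways else "No UPnP gateway answered.", gateways)
```

Run it on a computer connected behind the router; a router that still answers is still offering the service that lets LAN devices open ports.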

I hope to write much more about assorted defensive tactics for when ports need to be opened.

michael--at--michaelhorowitz.com   Last Updated: May 29, 2019 3 PM
Copyright 2001-2019