At home, our computers, tablets, phones and assorted IoT devices are connected to the Internet through a router. In addition to sharing a single Internet connection amongst many devices, routers also include a firewall, which is a huge security benefit. Here we will see just how big.

As the title of this blog implies, bad guys are constantly attacking/probing our routers. If your router has had a hole poked in its firewall, then it is very likely that bad guys are constantly probing a device in your home looking for a way to do something bad. The most popular page on my RouterSecurity.org website, is the one with assorted tests you can run to kick the tires on the firewall in your router.

The constant probes of our firewall defense normally flies under the radar. No computer, tablet or phone ever pops up a message that a bad guy was rebuffed. Of course, our devices hardly ever get probed, the router is our sacrificial lamb. Many routers are mute about this, they report nothing about probes/attacks that they blocked.

One router that I ran across, an old Verizon FIOS model, did provide an audit trail of rejected incoming connection attempts. I blogged about this in March 2018. The log file filled up quickly, in the case I wrote about, it took only 9 minutes. In that time, the router had rebuffed 38 connection attempts, which multiplies out to 6,080 per day.

For the longest time, I could not figure out how to get my router, a Pepwave Surf SOHO to report on the Barbarians attacking its gate. But, now I can.

The Verizon FIOS router logged everything; I opted to concentrate on one function, Microsoft's Remote Desktop (aka RDP). Windows PCs that can be remotely controlled by RDP listen for incoming connections on TCP port 3389.

Just days after I ran my test, Microsoft issued emergency patches for Remote Desktop to fix a bug so critical, they even patched Windows XP. So, if the function was popular with bad guys before, it's more popular now. That said, I have no idea exactly how popular RDP is with the bad guys. On the Speed Guide list of the most commonly open ports, 3389 is twelfth.

Note that port 3389 is but one of 65,535 TCP ports. Not to mention UDP which also has 65,535 ports. The point being this is a very small slice of the Barbarian pie.

The default stance for many routers is to block all unsolicited incoming connection attempts. If you buy a router at retail, that will probably be the way it works out of the box. However, routers from ISPs often come with holes poked into the firewall. The Verizon FIOS router, I just mentioned, had four holes. This is one reason that using a router from an ISP is the least secure option.

My Surf SOHO has no holes in its firewall. To make a hole, I had to forward port 3389 to a computer on my LAN. Sort of. The port had to be forwarded, but I didn't want to actually open up any computer on my LAN to abuse from the Internet. So, I forwarded the port to a LAN side IP address that was not being used. The router, however, does not log forwarded ports. To get the activity report shown below, I created an inbound firewall rule that logged incoming connection attempts on port 3389, and, for good luck, blocked them too. I was thus double protected while watching for bad guys.

For a random 24 hour period, shown below, there were 62 probes looking for an open Windows machine to remotely control. The probes came from 20 different countries and from 7 different states in the US. Again, this is one day, one TCP port. Among the countries best known for spying, 14 probes came from Russia, 1 from China and 1 from Israel. Among the countries not known for spying, 5 came from Lithuania, 4 from the Netherlands and 4 from Vietnam.

The data in the "Known Scanner" column comes from Shodan which includes information about known Internet Scanners from GreyNoise Intelligence. Every computer that Shodan knew about was a known scanner. A couple of the known scanners are good guys (censys.io and shadowsesrver.org). My guess is that openportstats.com is also a good guy. But the huge majority are, no doubt, Barbarians at the gate, probing for weaknesses.

So, what is being done about the known bad guys? Good question.

In some other testing, not shown above, I found a customer of my ISP, Spectrum, trying to get into my router. So, I contacted Spectrum and was told they would do nothing without a police report. The Internet is like the Wild West but without any Sheriffs.

Like any community, the Internet has its bad neighborhoods.

IP addresses that start with 81.22.45 seem to be a bad area in Russia. My router was probed from:
81.22.45.4
81.22.45.85
81.22.45.133
81.22.45.135
81.22.45.150
81.22.45.211 (twice)

Another bad neighborhood, also in Russia, are the IP addresses that start with 185.176.26. My router was probed from:
185.176.26.3
185.176.26.15
185.176.26.51
185.176.27.166

To close on a Defensive Computing note, there are some defenses against open ports in a router. For one thing, don't use a router from your ISP as they are the most likely to have open ports. And, test your router with assorted online firewall testing tools. Finally, disable UPnP in your router. UPnP is enabled by default on every consumer router I have seen. It can be used by devices on your LAN to open ports in the router's firewall.

I hope to write much more about assorted defensive tactics for when when ports need to be opened.