Anybody know about hacked routers?
I can't believe I've just read through the whole of this thread.
My brain is fried! Haha. But I'm interested to know the 'culprit'. I'm hooked!
-
I think we may have found the problem... (summary:- ISP recording 10-20GB of monthly usage when only 50MB/day actually used).
With all clients and Wifi off the ISP was still recording usage; I disabled incoming port 53 and after 20 hours it appears to have solved the problem. Somebody thinks our router is a DNS server. Does this sound plausible?
-
grumpycrab wrote: »I think we may have found the problem... (summary:- ISP recording 10-20GB of monthly usage when only 50MB/day actually used).
With all clients and Wifi off the ISP was still recording usage; I disabled incoming port 53 and after 20 hours it appears to have solved the problem. Somebody thinks our router is a DNS server. Does this sound plausible?
I suppose it is, do you have a static IP addy? If so, this scenario would make more sense as clients, if set to use a specific DNS server, would look to that IP addy for its DNS services.
If dynamic, I would have thought it unlikely to be an ongoing problem after each reboot.
.......Gettin' There, Wherever There is......
I have a dodgy "i" key, so ignore spelling errors due to "i" issues, ...I blame Apple
-
Good point about the dynamic/static address. I cannot think why they would be on a static address...will ask ISP...
-
grumpycrab wrote: »Good point about the dynamic/static address. I cannot think why they would be on a static address...will ask ISP...
I'm a little out of touch these days with dynamic/static IP addys from the ISP POV, but most "business" lines had at least an option to have a static IP addy, and a lot of ISPs offered them to "home" lines also (but possibly at a small premium)....deffo worth a check.
.....Gettin' There, Wherever There is......
I have a dodgy "i" key, so ignore spelling errors due to "i" issues, ...I blame Apple
-
Zen Internet supply a static IP, which I use to run a couple of servers at home.
I think IDNet and AAISP do as well.
-
I suppose it is, do you have a static IP addy? If so, this scenario would make more sense as clients, if set to use a specific DNS server, would look to that IP addy for its DNS services.
If dynamic, I would have thought it unlikely to be an ongoing problem after each reboot.
There are people scanning for open recursive name servers all the time, and if you end up running one, you will be used as a reflector for denial of service attacks. Changing IP number (which often doesn't happen even with dynamic addresses, as they are sometimes "sticky" over restarts of the line or router) will mitigate it for a few hours, but then you'll be found.
The attack, in essence, is that a DNS request is crafted which sends a large response. The attacker forges that request to come from the victim's IP number: they can do this because DNS runs over UDP, which is connectionless. Your router then sends a large reply, to the victim. This means that (a) the attacker can send a 50 byte query and get a 500 byte response sent to the victim, thus multiplying the DDoS effect by ten and (b) the attacker's IP number is concealed.
Running open recursive DNS servers: bad, bad, bad.
-
securityguy wrote: »...Running open recursive DNS servers: bad, bad, bad.
-
"Surely the default setting for cheapo/home routers is closed recursive DNS settings?"
You'd like to think, wouldn't you?
"What setting am I looking for (under DNS I assume)?"
No idea, but that would be the obvious place to start.
A firewall rule to block out-of-state port 53 coming in would be belt and braces, too.
-
securityguy wrote: »A firewall rule to block out-of-state port 53 coming in would be belt and braces, too.
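Added example (not part of any post in this thread): a Python sketch of the stateful check behind "block out-of-state port 53 coming in", run over constructed WAN-side UDP records to show how much traffic an exposed resolver sends back. The addresses, the `Pkt` record, `audit()` and the 30-second state lifetime are assumptions for illustration; the 50-byte query and 500-byte answer sizes follow the figures in securityguy's post.

```python
from collections import namedtuple

Pkt = namedtuple("Pkt", "t src sport dst dport size")
ROUTER = "203.0.113.10"   # hypothetical WAN address (documentation range)
STATE_TTL = 30            # assumed lifetime, in seconds, of a UDP state entry

# Constructed WAN-side UDP records, not captured from the router in the thread.
SAMPLE = [
    Pkt(0.0, ROUTER, 40001, "198.51.100.53", 53, 60),    # router's own lookup
    Pkt(0.1, "198.51.100.53", 53, ROUTER, 40001, 120),   # matching reply
    Pkt(5.0, "192.0.2.77", 51000, ROUTER, 53, 50),       # unsolicited query
    Pkt(5.1, ROUTER, 53, "192.0.2.77", 51000, 500),      # answer sent back out
    Pkt(6.0, "192.0.2.77", 51001, ROUTER, 53, 50),
    Pkt(6.1, ROUTER, 53, "192.0.2.77", 51001, 500),
    Pkt(90.0, "198.51.100.53", 53, ROUTER, 40001, 120),  # reply after state expired
]

def audit(packets, router=ROUTER, ttl=STATE_TTL):
    """Classify port-53 traffic as a stateful firewall on the WAN side would."""
    state = {}        # (local port, remote ip, remote port) -> time state opened
    askers = set()    # (remote ip, remote port) that queried our port 53
    r = {"in_state": 0, "out_of_state": 0, "query_bytes": 0, "reflected_bytes": 0}
    for p in sorted(packets, key=lambda p: p.t):
        if p.src == router and p.dport == 53:
            state[(p.sport, p.dst, p.dport)] = p.t       # outbound query opens state
        elif p.dst == router and p.sport == 53:
            # Inbound reply: in state only if we asked this server recently.
            opened = state.get((p.dport, p.src, p.sport))
            fresh = opened is not None and p.t - opened <= ttl
            r["in_state" if fresh else "out_of_state"] += 1
        elif p.dst == router and p.dport == 53:
            # Inbound query: nobody on the internet side should be asking a home router.
            r["out_of_state"] += 1
            r["query_bytes"] += p.size
            askers.add((p.src, p.sport))
        elif p.src == router and p.sport == 53 and (p.dst, p.dport) in askers:
            r["reflected_bytes"] += p.size               # answer to an unsolicited query
    q = r["query_bytes"]
    r["amplification"] = r["reflected_bytes"] / q if q else 0.0
    return r

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Every packet counted as `out_of_state` is one the firewall rule would drop; with the resolver closed or the rule in place, `reflected_bytes` stays at zero.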