Pretty sure my modem is compromised

I've been having some issues with my internet connection becoming unstable, and often when looking at the traffic graphs in pfsense I see a flat amount of download traffic on the WAN interface which I can't account for. I've run wireshark on the WAN interface and I'm seeing a lot of NTP traffic, so it seems like a DDOS, but on closer inspection neither the source nor the destination addresses are mine. It looks to me like my modem (not really a modem, but I'm not sure what to call it) is sending all this NTP traffic out into my networks and also (presumably, I have no way of checking) out to the internet.

What's weird to me is that the modem has its own public IP address (assuming this traffic is coming from the modem, but that's the only thing that makes sense to me), I assume so the ISP can remote into it. I've done a port scan on it and it does have an open port for SSH.

Anyway, this is what the modem actually is: http://www.nbnco.com.au/learn-about-the-nbn/network-technology/fixed-wireless-explained.html

It's really hard to find any meaningful documentation on what this thing actually is and how it works.

And this is a link to a quick packet capture on my WAN interface. None of the IPs are my WAN IP; this seems to be traffic being sent somewhere on the WAN network and I can only guess that it's the modem.

Anyway, I'd really like some opinions on whether you think the modem is compromised or if it's just broken, or maybe this is normal and the issue is something else. Currently there doesn't appear to be much NTP traffic, but sometimes it gets into the tens of megabits.

I'll probably call my ISP tomorrow but I'm not looking forward to it.

1 Like

Is your WAN IP the 58.108.86.181 address?

Here's a quick check of the two main IP addresses the NTP service is responding to
https://www.virustotal.com/en/ip-address/213.174.150.37/information/

https://www.virustotal.com/en/ip-address/207.226.173.108/information/

Now looking at the capture data we can clearly see the NTP Monlist response bit 7 being used.

The packet size is also equal to 0x48 (decimal 72).


It is clear as daylight that your modem is vulnerable to the monlist feature exploit and is actively being used as part of an NTP amplification attack.

See this article for details:

Your modem is essentially helping with a DDoS attack on several targets and your ISP should be alerted of the fact. If there is an update available for your modem at all or if you are able to disable NTP services on it do so now.

This should be all the evidence you need for your ISP to investigate the problem and issue an update/recall of these modems. If they do not comply, your best bet is to get a different modem.

8 Likes
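The reply above identifies the traffic by the mode-7 response bit and the 72-byte monlist item size. As an added example (not from the original thread), this decoder applies the same check to a UDP payload captured on the WAN side so the replies can be counted or alerted on; the sample packet is constructed inline, not a real capture.

```python
import struct

NTP_MODE_PRIVATE = 7   # mode 7 = ntpd "private" control packets (monlist lives here)
MON_GETLIST = 20       # old monlist request code (32-byte items)
MON_GETLIST_1 = 42     # newer monlist request code (72-byte / 0x48 items)

def build_sample_monlist_response(nitems=1, item_size=72):
    """Constructed sample payload: response bit set, version 2, mode 7, impl XNTPD (3)."""
    first = 0x80 | (2 << 3) | NTP_MODE_PRIVATE       # R=1, M=0, VN=2, mode=7
    header = struct.pack("!BBBBHH", first, 0, 3, MON_GETLIST_1,
                         nitems & 0x0FFF, item_size & 0x0FFF)
    return header + b"\x00" * (nitems * item_size)  # zeroed items stand in for real data

def decode_mode7(payload):
    """Decode the 8-byte mode-7 header; return None for any non-mode-7 packet."""
    if len(payload) < 8:
        return None
    first, seq, impl, req, err_nitems, mbz_size = struct.unpack("!BBBBHH", payload[:8])
    if first & 0x07 != NTP_MODE_PRIVATE:
        return None
    return {
        "response": bool(first & 0x80),   # bit 7: this packet is a reply, not a request
        "more": bool(first & 0x40),       # bit 6: further fragments follow
        "version": (first >> 3) & 0x07,
        "implementation": impl,
        "request_code": req,
        "error": err_nitems >> 12,        # high nibble: error code
        "nitems": err_nitems & 0x0FFF,    # low 12 bits: items in this fragment
        "item_size": mbz_size & 0x0FFF,   # low 12 bits: bytes per item (72 for MON_GETLIST_1)
    }

def is_monlist_response(payload):
    """True when the payload is a monlist reply, i.e. the amplified traffic leaving the box."""
    h = decode_mode7(payload)
    return bool(h and h["response"] and h["nitems"] > 0
                and h["request_code"] in (MON_GETLIST, MON_GETLIST_1))

def count_monlist_replies(packets):
    """Tally monlist replies per source address over (src, dst, payload) tuples from a capture."""
    tally = {}
    for src, _dst, payload in packets:
        if is_monlist_response(payload):
            tally[src] = tally.get(src, 0) + 1
    return tally
```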

I'm assuming that 58.108.86.181 is the address of the modem, my WAN address is different.

Thanks for figuring that out for me, not so good news though I guess. The modem is totally out of my control, it's not even really the ISP's as it belongs to the government. Which is kind of not great considering that most people in Australia are going to have one of these things sooner or later.

I'll call my ISP tomorrow and hopefully they will actually be helpful.

Thanks a lot, it's really helpful to know exactly what the problem is.

Ok, so a quick Shodan scan of the various IPs, nothing in depth.

This is your Box in Perth

Here are some of the IPs from the monlist responses:

All of them are running NTP services, some on legit ports some on some really not legit ports.

NIST Colorado (legit)

Regional IT Newcastle Australia(legit)

Ok, dafuq is this, the server seems to be missing:
https://www.shodan.io/search?query=185.35.63.143

All the below are residential IPs in Switzerland.

2 Likes

PS: There's a shit ton of residential IPs from Switzerland in this, I just posted three.

I completely missed the monlist section when I had a look at it in wireshark, can't believe I didn't see that.

It really annoys me that this thing has its own public IP with open SSH ports. I have no way of seeing what's coming in and out of it except on my WAN side, which doesn't help much. I thought it was just a layer 2 device. I haven't been able to find anyone else having similar problems with it, maybe they just haven't noticed, but if it has some kind of vulnerability it could be a very widespread problem as these things are installed for all types of connection on the NBN (the government's internet upgrade thing).

I'll be looking into it later and post updates on what I can find here.

I can see my router's LAN address in there, 10.1.1.3, and also 10.1.1.2 which I don't know what that is. I can ping it but I don't remember setting anything to that address.

Figured out what 10.1.1.2 was, but it is interesting that my LAN address would show up in there; the modem, or whatever it is, shouldn't be able to see it.

NTP server peers as of now

client    time-c.timefreq.bldrdoc.gov
client    103.38.120.36 (dns1.ncl01.nsw.privatecloudco.com)
client    10.1.1.3

Quick pull of monlist-connected IPs on that address right now:

-------------------------------NTP List------------------------------
Target host: 58.108.86.181
10.1.1.3
103.38.120.36
132.163.4.103
185.35.62.71
185.35.62.158
185.35.62.171
185.35.62.172
185.35.62.238
185.35.63.120
185.35.63.143
185.35.63.150
185.35.63.169
196.52.43.55

System Info:
(Pretty awful embedded box)

Nmap scan report for n58-108-86-181.per1.wa.optusnet.com.au (58.108.86.181)
Host is up (0.54s latency).
PORT    STATE SERVICE
123/udp open  ntp
| ntp-info: 
|   receive time stamp: 2017-06-02T11:12:49
|   version: ntpd [email protected] Sun Oct 17 13:24:55 UTC 2010 (1)
|   processor: armv5tejl
|   system: Linux/2.6.28.10-ami
|   leap: 0
|   stratum: 2
|   precision: -18
|   rootdelay: 363.696
|   rootdisp: 111.741
|   refid: 132.163.4.103
|   reftime: 0xdcdbc1d0.a77da29c
|   clock: 0xdcdbc6a6.55fdef87
|   peer: 6526
|   tc: 10
|   mintc: 3
|   offset: -4.076
|   frequency: 16.360
|   sys_jitter: 58.744
|   clk_jitter: 8.411
|_  clk_wander: 0.568
Service Info: OS: Linux/2.6.28.10-ami

Stats on the box:

ntpdc -n -c monlist 58.108.86.181
remote address          port local address      count m ver rstr avgint  lstint
===============================================================================
132.163.4.103            123 10.1.1.2           11657 4 3      0    870      14
103.38.120.36            123 10.1.1.2           10210 4 4      0    994     201
196.52.43.55           25533 58.108.86.181          1 3 4      0   5242    5242
185.35.63.120          56559 58.108.86.181          1 3 2      0   5549    5549
185.35.62.171          60486 58.108.86.181          1 3 4      0   7218    7218
185.35.63.143          39653 58.108.86.181          1 3 2      0  91921   91921
185.35.62.71           60556 58.108.86.181          1 3 4      0  92933   92933
185.35.63.150          55708 58.108.86.181          2 3 2      0 175586  178425
185.35.62.238          60024 58.108.86.181          1 3 4      0 179734  179734
185.35.63.169          41628 58.108.86.181          1 3 2      0 264707  264707
185.35.62.158          60306 58.108.86.181          1 3 4      0 266275  266275
185.35.62.172          60946 58.108.86.181          1 3 4      0 353445  353445
10.1.1.3                 123 10.1.1.2            9783 4 4      0   1083  418956

Other NTP services seem to be using similar older versions of ntpd 4.2.6,
all of which include a substantial amount of DDoS vulnerabilities:

https://www.cvedetails.com/vulnerability-list/vendor_id-2153/product_id-3682/opdos-1/NTP-NTP.html

Also, the NTP service on your box has only recently appeared.
When Shodan last scanned it, it wasn't detected apparently, and I'm assuming it has a static IP address.

I'm not sure. I can't restart it right now, but I'll do that later and see if it changes. I did restart a few days ago when the connection got really bad.

Updated the post with more stats including the query counts.

All the 185.35.xxx.xxx addresses are clients that queried your modem's/box's NTP server at some point recently.

The port 123 addresses are systems that your box queried recently.

TLDR: Your modem shouldn't be running a publicly exposed NTP server on the WAN side.
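The two posts above read the monlist table by the `m` (mode) column and the port: mode 4 on port 123 is a server the box queried, mode 3 on an ephemeral port is a client that queried the box. As an added example (not from the thread), this parses the `ntpdc -n -c monlist` output into that split and also flags what a defender cares about: clients answered on the public WAN address, RFC 1918 addresses leaked in the table, and an all-zero `rstr` column meaning no `restrict` flags apply. The sample rows are a subset of the table posted above.

```python
import ipaddress

MODE_CLIENT, MODE_SERVER = 3, 4   # NTP mode of the last packet seen from "remote"

# Subset of the monlist table posted above, used as embedded sample input.
MONLIST_SAMPLE = """\
remote address          port local address      count m ver rstr avgint  lstint
===============================================================================
132.163.4.103            123 10.1.1.2           11657 4 3      0    870      14
185.35.63.120          56559 58.108.86.181          1 3 2      0   5549    5549
185.35.63.150          55708 58.108.86.181          2 3 2      0 175586  178425
10.1.1.3                 123 10.1.1.2            9783 4 4      0   1083  418956
"""

def parse_monlist(text):
    """Parse ntpdc monlist output into row dicts; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 9 or not parts[1].isdigit():
            continue  # header row has 11 tokens, the rule line has 1
        remote, port, local, count, mode, ver, rstr, avgint, lstint = parts
        rows.append({"remote": remote, "port": int(port), "local": local,
                     "count": int(count), "mode": int(mode), "version": int(ver),
                     "restrict": int(rstr), "avgint": int(avgint), "lstint": int(lstint)})
    return rows

def triage(rows):
    """Split the table into what the box queried versus who queried the box, plus exposure flags."""
    upstream = sorted(r["remote"] for r in rows
                      if r["mode"] == MODE_SERVER and r["port"] == 123)
    clients = sorted(r["remote"] for r in rows if r["mode"] == MODE_CLIENT)
    # A client answered on a globally routable local address means the WAN side serves NTP.
    wan_exposed = sorted(r["remote"] for r in rows
                         if r["mode"] == MODE_CLIENT
                         and ipaddress.ip_address(r["local"]).is_global)
    # Any RFC 1918 address in the table is LAN topology handed to whoever runs monlist.
    leaked_private = sorted({a for r in rows for a in (r["remote"], r["local"])
                             if ipaddress.ip_address(a).is_private})
    return {"upstream_servers": upstream,
            "clients": clients,
            "wan_exposed_clients": wan_exposed,
            "leaked_private": leaked_private,
            "no_restrictions": all(r["restrict"] == 0 for r in rows)}
```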

I don't understand why my LAN addresses are there, it shouldn't be able to see them.

I'll say, I would go further and say that it shouldn't have its own public IP address outside of my network that I have no control over (or ability to firewall).

Because the NTP server is incorrectly configured, it is able to see both sides of the NAT, both the internal and external network connections.

Using ntpdc you will be able to issue various requests to your server as well as send crafted packets to exploit NTP amplification attacks.

Some reading that might explain things better:

https://www.transip.eu/question/100000699-protect-server-against-amplification-attacks/

https://samsclass.info/124/proj14/p6x-NTP-DrDOS.htm

Running a monlist scan against your IP:

sudo nmap -sU -pU:123 -Pn --script=ntp-monlist 58.108.86.181

Starting Nmap 7.40 ( https://nmap.org )
Nmap scan report for n58-108-86-181.per1.wa.optusnet.com.au (58.108.86.181)
Host is up (0.58s latency).
PORT    STATE SERVICE
123/udp open  ntp
| ntp-monlist: 
|   Target is synchronised with 132.163.4.103
|   Alternative Target Interfaces:
|       10.1.1.2        
|   Private Servers (1)
|       10.1.1.3        
|   Public Servers (2)
|       103.38.120.36   132.163.4.103   
|   Public Clients (10)
|        185.35.62.171   185.35.63.120   185.35.63.169   185.35.62.71
|        185.35.62.172   185.35.63.143   196.52.43.55   185.35.62.158 
|_      185.35.62.238   185.35.63.150

Nmap done: 1 IP address (1 host up) scanned in 7.04 seconds
1 Like

@Dexter_Kane

This is effectively the internal LAN address on which your NTP server also accepts requests.

You could issue an ntpdc 10.1.1.2 and then send commands to it.

http://doc.ntp.org/4.1.2/ntpdc.htm

Ideally you would want to be able to connect to the modem/box, whatever this thing is, over ssh and reconfigure the ntp service via ntp.conf to only listen on the internal 10.1.1.2 address instead of listening on 0.0.0.0:123 as it likely is now, and it doesn't even have the following mitigations in place:

https://www.transip.eu/question/100000699-protect-server-against-amplification-attacks/

I could understand that if this was happening on the router, but this is happening on the modem. The router has its own WAN address which is different to 58.108.86.181, which I am assuming to be the modem because it doesn't make much sense for it to be anything else. What I don't understand is how the modem is able to see an address on my LAN when there shouldn't be a route to it.

10.1.1.3 is the LAN address of the router; 10.1.1.2 is a device on the LAN, which I didn't think was running an ntp server, but it may very well be. I'm going to unplug it anyway as it's not working properly and I'm not sure what's going on with it.

How is your router hooked up to the modem?

  1. Bridge mode X over Ethernet (the router gets the IP from the ISP) and the modem just does network protocol wrapping.

  2. Or just Ethernet direct (2-layer NAT), so the router gets its external IP assigned from the modem and then the modem again gets its external IP assigned from the ISP?

The router gets its IP from the ISP; it's just plugged into this box and configured to use DHCP. But it appears like the modem has its own separate public IP address, presumably so the ISP, or whoever, can remote in.

What you're describing though doesn't sound like you're using bridge mode.

It sounds like both your modem and router are running their own DHCP server and NAT.

Is your router handling the PPPoE or other protocol login to the ISP? Or are you letting the modem do that?
If you haven't configured any other ISP-related setting on your router, then yes, your modem will have its own external IP from the ISP, because your router is operating as a standard DHCP client to the modem instead of being bridged directly to the modem's WAN and doing that itself.

If you were running in bridge mode your router would be getting that external IP directly on its WAN port instead of the modem's WAN port. Think of it like passing the external internet connection directly through to your router.

What are these modems, btw? Any model number or web admin page on them that is user-accessible? Or is it just a locked-down black box?