I’ve been having some issues with my internet connection becoming unstable, and often when looking at the traffic graphs in pfSense I see a flat amount of download traffic on the WAN interface which I can’t account for. I’ve run Wireshark on the WAN interface and I’m seeing a lot of NTP traffic, so it seems like a DDoS, but on closer inspection neither the source nor the destination addresses are mine. It looks to me like my modem (not really a modem, but I’m not sure what to call it) is sending all this NTP traffic out into my networks and also (presumably; I have no way of checking) out to the internet.
What’s weird to me is that the modem has its own public IP address (assuming this traffic is coming from the modem, but that’s the only thing that makes sense to me); I assume so the ISP can remote in to it. I’ve done a port scan on it and it does have an open port for SSH.
It’s really hard to find any meaningful documentation on what this thing actually is and how it works.
And this is a link to a quick packet capture on my WAN interface. None of the IPs are my WAN IP; this seems to be traffic being sent somewhere on the WAN network, and I can only guess that it’s the modem.
Anyway, I’d really like some opinions on whether you think the modem is compromised, or if it’s just broken, or maybe this is normal and the issue is something else. Currently there doesn’t appear to be much NTP traffic, but sometimes it gets into the tens of megabits.
I’ll probably call my ISP tomorrow but I’m not looking forward to it.
The packet size is also equal to 0x48 (decimal 72).
This is clear as daylight: your modem is vulnerable to the monlist feature exploit and is actively being used as part of an NTP amplification attack.
See this article for details:
Your modem is essentially helping with a DDoS attack on several targets, and your ISP should be alerted to the fact. If there is an update available for your modem at all, or if you are able to disable NTP services on it, do so now.
This should be all the evidence you need for your ISP to investigate the problem and issue an update/recall of these modems; if they do not comply, your best bet is to get a different modem.
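The "monlist" diagnosis above rests on the NTP mode 7 header and the 72-byte monlist entries (0x48 is the item size ntpd reports in monlist responses, which is where the figure quoted above would come from). The following is an added example, not code from the thread, that decodes that header from a captured UDP/123 payload, labels monlist requests and responses, lists the client addresses a monlist response leaks, and computes the amplification factor; the sample datagrams are constructed, not taken from the poster's capture.

```python
import struct
from ipaddress import IPv4Address
from typing import List, Optional

MODE_PRIVATE = 7          # NTP mode 7: ntpdc "private" request/response packets
REQ_MON_GETLIST_1 = 42    # mode 7 request code for monlist (REQ_MON_GETLIST_1)
MONLIST_ENTRY_LEN = 72    # sizeof(struct info_monitor_1) in ntpd, i.e. 0x48

def parse_mode7(pkt: bytes) -> Optional[dict]:
    """Decode the 8-byte mode 7 header; None if the datagram is not mode 7."""
    if len(pkt) < 8:
        return None
    b0, _seq, impl, req, err_items, mbz_size = struct.unpack("!BBBBHH", pkt[:8])
    if b0 & 0x07 != MODE_PRIVATE:          # low 3 bits of byte 0 are the NTP mode
        return None
    return {
        "response": bool(b0 & 0x80), "more": bool(b0 & 0x40),
        "version": (b0 >> 3) & 0x07, "impl": impl, "req": req,
        "err": err_items >> 12, "nitems": err_items & 0x0FFF,
        "itemsize": mbz_size & 0x0FFF,
    }

def classify(pkt: bytes) -> str:
    """Label a UDP/123 payload as monlist request, monlist response, or other."""
    h = parse_mode7(pkt)
    if h is None or h["req"] != REQ_MON_GETLIST_1:
        return "other"
    return "monlist-response" if h["response"] else "monlist-request"

def monlist_clients(pkt: bytes) -> List[str]:
    """Client IPv4 addresses carried in a monlist response (addr field at offset 16 of each entry)."""
    h = parse_mode7(pkt)
    if h is None or not h["response"] or h["itemsize"] != MONLIST_ENTRY_LEN:
        return []
    out = []
    for i in range(h["nitems"]):
        off = 8 + i * MONLIST_ENTRY_LEN + 16
        out.append(str(IPv4Address(pkt[off:off + 4])))
    return out

def amplification(request: bytes, responses: List[bytes]) -> float:
    """Bytes returned per byte sent: the reflector's value to an attacker."""
    return sum(len(r) for r in responses) / len(request)

# Constructed samples (hypothetical, not from the thread's capture).
SAMPLE_REQUEST = bytes([0x17, 0x00, 0x03, 0x2A]) + b"\x00" * 4   # v2, mode 7, impl 3, req 42

def _entry(addr: str) -> bytes:  # zeroed 72-byte monlist entry with only the client addr set
    return b"\x00" * 16 + IPv4Address(addr).packed + b"\x00" * 52

SAMPLE_RESPONSE = (bytes([0x97, 0x00, 0x03, 0x2A]) + struct.pack("!HH", 3, MONLIST_ENTRY_LEN)
                   + b"".join(_entry(a) for a in ("10.1.1.3", "10.1.1.2", "198.51.100.7")))
```

Real monlist responses span several datagrams (the "more" bit set on all but the last), so feed every response datagram for a request into `amplification` to get the full ratio; a mode 7 response with item size 72 and request code 42 on the WAN side is the signature to look for in the capture.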
I'm assuming that 58.108.86.181 is the address of the modem, my WAN address is different.
Thanks for figuring that out for me; not so good news though, I guess. The modem is totally out of my control; it's not even really the ISP's, as it belongs to the government. Which is kind of not great, considering that most people in Australia are going to have one of these things sooner or later.
I'll call my ISP tomorrow and hopefully they will actually be helpful.
Thanks a lot, it's really helpful to know exactly what the problem is.
I completely missed the monlist section when I had a look at it in wireshark, can't believe I didn't see that.
It really annoys me that this thing has its own public IP with open SSH ports. I have no way of seeing what's coming in and out of it except on my WAN side, which doesn't help much. I thought it was just a layer 2 device. I haven't been able to find anyone else having similar problems with it; maybe they just haven't noticed, but if it has some kind of vulnerability it could be a very widespread problem, as these things are installed for all types of connection on the NBN (the government's internet upgrade thing).
I can see my router's LAN address in there, 10.1.1.3, and also 10.1.1.2, though I don't know what that is. I can ping it, but I don't remember setting anything to that address.
Figured out what 10.1.1.2 was, but it is interesting that my LAN address would show up in there, the modem or whatever it is shouldn't be able to see it.
Also, the NTP service on your box has only recently appeared. When Shodan last scanned it, it wasn't detected, apparently, and I'm assuming it has a static IP address.
I'm not sure, I can't restart it right now, but I'll do that later and see if it changes, I did restart a few days ago when the connection got really bad.
I'll say, I would go further and say that it shouldn't have its own public IP address outside of my network that I have no control over (or ability to firewall).
Ideally you would want to be able to connect to the modem/box, whatever this thing is, over SSH and reconfigure the NTP service via ntp.conf to only listen on the internal 10.1.1.2 address instead of listening on 0.0.0.0:123 as it likely is now, and it doesn't even have the following mitigations in place
I could understand that if this was happening on the router, but this is happening on the modem. The router has its own WAN address, which is different to 58.108.86.181, which I am assuming to be the modem because it doesn't make much sense for it to be anything else. What I don't understand is how the modem is able to see an address on my LAN when there shouldn't be a route to it.
10.1.1.3 is the LAN address of the router; 10.1.1.2 is a device on the LAN, which I didn't think was running an NTP server, but it may very well be. I'm going to unplug it anyway, as it's not working properly and I'm not sure what's going on with it.
Bridge mode X over Ethernet (the router gets the IP from the ISP) and the modem just does network protocol wrapping.
Or just Ethernet direct (2-layer NAT), so the router gets its external IP assigned from the modem, and then the modem again gets its external IP assigned from the ISP?
The router gets its IP from the ISP; it's just plugged in to this box and configured to use DHCP. But it appears like the modem has its own separate public IP address, presumably so the ISP, or whoever, can remote in.
What you're describing though doesn't sound like you're using bridge mode.
It sounds like both your modem and router are running their own DHCP server and NAT.
Is your router handling the PPPoE or other protocol login to the ISP? Or are you letting the modem do that? If you haven't configured any other ISP-related setting on your router, then yes, your modem will have its own external IP from the ISP, because it's operating as a standard DHCP client to the modem instead of being bridged directly to the modem's WAN and doing that itself.
If you were running in bridge mode, your router would be getting that external IP directly on its WAN port instead of the modem's WAN port. Think of it like passing the external internet connection directly through to your router.
What are these modems, btw? Any model number or web admin page on them that is user-accessible? Or is it just a locked-down black box?