I think it's just a coincidence that it happened around the same time as the update. There are numerous router hacks out in the open, so I would guess that the user of the address in question is running a series of hacks across a wide range of addresses. This gives credence to the idea of running a good firewall, better than a typical router can supply in terms of LAN protection and rejection of external hacking exploits that are out in the wild.
Yes, definitely makes a case for a robust firewall. I have 2 types of firewalls and the other one is Norton 360 which is also very good, but only when my computer is on.
This kind of thing is actually pretty scary when you consider that average computer users are not so-called tech savvy types and are very vulnerable.
What I meant to say was a real firewall, starting with something like a pfSense firewall and moving up from there into possibly an enterprise-class firewall. Firewalls such as those have much better processing capability, numerous tools for inspection and rejection of incoming data and external probing, and much better control over all aspects of firewall operation. Of course, they also come with a steep learning curve. Any device or antivirus/antimalware/firewall program in the consumer class of devices or programs pales in comparison. I'm sure that there are more than a few people on the board who will attest to that 🙂
I understand what you're saying. I was in the IT business for a few decades and have experienced just about everything there is first-hand.
After my update I noticed the options under AiProtection. I have this turned off and looking for your opinions.
What exactly does this option do? Why do you need more than the NAT firewall that comes with the router?
Just to make sure that everyone is on the same page, the latest firmware out for the RT-AC68U is Firmware version 18.104.22.168.378.4585. The release date for this version is 2015/03/12, which is the same as the previous version, Version 22.214.171.124.378.4376. For some interesting reason, 4376 is no longer listed. So, a check for updated firmware is in order if you own one of these routers.
AiProtection is the result of an agreement between Trend Micro and Asus to include Trend Micro protection in the Asus router firmware. This goes well beyond a NAT firewall. This utility appears to use a blacklist of sites that are known to contain malware. If you attempt to go to one of these sites, you will first receive a popup warning from the Trend Micro protection system. This is essentially a first line of protection, to protect your own network and its clients from malware laden sites.
The Asus site and others indicate that AiProtection uses packet inspection to check for malware; however, further reading online indicates that this is not the case, as it would result in patent claims against Trend Micro. Who is right? Good question, as the press release from Trend Micro and the info from Asus are nebulous to say the least.
Here is the 2014 press release by Trend Micro:
Is it useful? I believe so. I have it enabled and it doesn't appear to be affecting the WAN-LAN performance from what I can see. So, for now, I'm satisfied that there doesn't appear to be any problems by letting it run.
If you run a google search for Asus AiProtection, you will come across numerous references to it as it is included in other Asus routers as well.
Have a look at the review that is included within the following page:
For additional reading, have a look at the following snippet from a Trend Micro White paper:
The Deep Packet Inspection (DPI) Engine outlined in this excerpt is now included within the Asus Router Firmware:
DEEP PACKET INSPECTION (DPI) ENGINE
Enabling Intrusion Detection and Prevention, Web Application Protection, and Application Control.
The solution’s high-performance deep packet inspection engine examines all incoming and outgoing traffic, including SSL traffic, for protocol deviations, content that signals an attack, and policy violations. It can operate in detection or prevention mode to protect operating systems and enterprise application vulnerabilities. It protects Web applications from application-layer attacks, including SQL injection and cross site scripting. Detailed events provide valuable information, including who attacked, when they attacked, and what they attempted to exploit. Administrators can be notified automatically via alerts when an incident has occurred. DPI is used for intrusion detection and prevention, Web application protection, and application control.
So, in theory, running the AiProtection utility should protect your network in two ways: first by checking the site address, and second by running packet inspection.
Thanks for a detailed response Datalink. I will enable the AiProtection too. Glad for the links too.
This is a very interesting option and it makes perfect sense. One thing I noticed is that AiProtection's parental control option lets you schedule times that a connected device is able to access the Internet. I'm sure this will appeal to many parents out there who have posted on these forums asking if there is such a capability available to them.
On another note, the hacking being reported by my router is getting stranger by the day. Yesterday, in addition to the hack attempts I reported earlier, I got a different one overnight: "Apr 1 01:07:36 HTTP login: Detect abnormal logins at 5 times. The newest one was from 126.96.36.199".
I may be wrong, but I'm convinced that I'm seeing these things for the first time since the new firmware update, which must have enabled this feature somehow. It would be interesting to hear from some other Asus owners about their experience with this.
I'm also going to enable AiProtection to see how it responds to these intrusion attempts.
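The "Detect abnormal logins" line quoted above is the kind of router syslog message a defender would want to collect and tally per source address rather than read one at a time. The following added example (not from this thread, Asus, or Trend Micro) parses constructed log lines modelled on that message and flags sources whose counts cross a threshold; the regex field names, the threshold, and the second sample address (an RFC 5737 documentation address) are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample syslog text modelled on the RT-AC68U message quoted in the
# thread. The first address is the one quoted there; 198.51.100.7 is a
# documentation address used here as a second constructed source.
SAMPLE_LOG = """\
Apr 1 01:07:36 HTTP login: Detect abnormal logins at 5 times. The newest one was from 126.96.36.199
Apr 1 03:12:10 HTTP login: Detect abnormal logins at 5 times. The newest one was from 126.96.36.199
Apr 1 09:45:01 HTTP login: Detect abnormal logins at 3 times. The newest one was from 198.51.100.7
Apr 1 10:00:00 rc_service: httpd 123:notify_rc restart_firewall
"""

# Matches only the abnormal-login message; other syslog lines are ignored.
# \s+ after the month tolerates syslog's padded single-digit day ("Apr  1").
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) HTTP login: "
    r"Detect abnormal logins at (?P<count>\d+) times\. "
    r"The newest one was from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_abnormal_logins(text):
    """Return one dict per abnormal-login line: timestamp, count, source IP."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ts": m["ts"], "count": int(m["count"]), "ip": m["ip"]})
    return events


def summarise_by_source(events):
    """Sum the reported login-attempt counts per source address."""
    totals = defaultdict(int)
    for e in events:
        totals[e["ip"]] += e["count"]
    return dict(totals)


def sources_over_threshold(events, threshold):
    """Sorted list of source addresses whose summed count reaches the threshold."""
    return sorted(ip for ip, n in summarise_by_source(events).items() if n >= threshold)


if __name__ == "__main__":
    evts = parse_abnormal_logins(SAMPLE_LOG)
    for ip, n in sorted(summarise_by_source(evts).items()):
        print(f"{ip:<16} {n} abnormal login attempts")
    print("over threshold (5):", sources_over_threshold(evts, 5))
```

Pointing the parser at the router's exported log (or a remote syslog receiver) gives a per-source tally that makes the "stranger by the day" pattern concrete and easy to act on, for example by blocking or rate-limiting the offending addresses or by disabling WAN-side admin access.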
I enabled AiProtection and did a scan. It is showing that the router's access password was not changed even though I did.
I have changed the admin password twice and rebooted, but the AiProtection scan is still showing that the password was not changed. Is this a bug or is my system compromised? I logged out and checked that I can only log back in with my password, not the default.
Did you also change your User ID? If not, that would explain it because it checks both your ID and password.
I do have a bug on mine, though. It tells me I don't have UPnP disabled even though I do. I've even turned it on and off, but it still gives me that message.