
Hitron CGN3 - Port forward rules mysteriously added (twice!) and Bandwidth appears to be in use

MidLevel
I'm Here A Lot

A couple of weeks ago, we got a warning that we were going over our bandwidth limit of 320Gb, which is excessive for us. When inspecting the Hitron, there were 3 rules added under port forwarding that were not there before. I originally set up the router and changed the cusadmin default password and told nobody, so I do not know how the port rules were added.

I called Rogers tech support and explained.  They were puzzled too.  We factory reset the modem and went on. 

 

Two weeks later, in a new billing period, I checked bandwidth usage. During a day when internet usage was very light, we did almost 8Gb of data. When I logged into the Hitron, there were again 3 port forwarding rules added: 1 Teredo and 2 Skype. We don't use Skype. I have to assume somebody is logging into the Hitron from the WAN (internet) port to make changes, as I have secured the Hitron from my local side. No open WiFi, no unrecognized clients connected, default passwords changed.

 

I called Rogers, and got escalated to a Tech Expert. They had no answers or explanations. Again we factory reset the Hitron. They also recommended that I leave the Hitron unplugged for 8 hours to get a new WAN IP assigned and see if that helps (I call this security through obscurity), which is not a great solution. I am unable to disable the login through the WAN port.

 

My question is: is anybody else experiencing this type of behaviour?

 

It is worrisome as it appears I am being billed for bandwidth that I am not using. The Hitron has no features either to help assist with the detective work, i.e. good logs or routing tables. For now I am just watching my Hitron and data usage closely.


Accepted Solutions

Re: Hitron CGN3 - Port forward rules mysteriously added (twice!) and Bandwidth appears to be in use

Gdkitty
Resident Expert

As long as you change your password, someone shouldn't be able to get into your modem (unless they brute forced the password). That login should not be visible externally, so really only someone within your own network would then be able to.
Regardless of your regular login username/password, Rogers will still have access to the modem.
They have an MSO, Superadmin login which gives them access to other settings, etc. that we do not see (such as changing stuff like the channel binding, etc.).
Even back with the old modem-only modems, Rogers always had access from their back end, internally, to be able to access it and change things, restart it remotely, etc.

 


As for the fix... well, it's a 'workaround' type fix.

It SHOULD be properly fixed IMHO, but still hasn't been yet.

With UPnP, it should open the port as needed and then remove it. The problem is, it's not removing them.

I have it turned off and have not had any issues with Skype or anything else not working, etc.





Re: Hitron CGN3 - Port forward rules mysteriously added (twice!) and Bandwidth appears to be in use

catemu
I've Been Here Awhile

I am not a fan of these Modem/Router Combos. As far as I know, these have two types of users that can login. A regular "customer user" and an "administrator user". Even if you change the "cusadmin" default password, someone with the administrator password can make changes; internet companies normally have the same administrator password configured for all their units, and it doesn't take long for these administrator default passwords to get around. You may need to change that "administrator password" somehow. But to avoid any further "mysterious" logins, I would set up the Hitron CGN3 as a bridge only and use a router with a good secured Wi-Fi password. You may have to buy a router though; the quality depends on what type of user you are.

 

Here is the link to make the Hitron a bridge only.

 

http://www.rogers.com/web/support/internet/home-networking/247?setLanguage=en

 

Re: Hitron CGN3 - Port forward rules mysteriously added (twice!) and Bandwidth appears to be in use

Gdkitty
Resident Expert

There have been some odd usage things come up with some others in the past, but generally it's been believed to be more so from something like MAC cloning or something similar.

This is the first I have specifically heard of someone getting OTHER port forwarding things added to the list though.

I am wondering if having UPnP on on the router, and some device trying to start something/connect, is adding it? That's the only other possibility I can think of, other than if it's being broken into.

Personally, JUST in case there is a compromise specifically on that one itself, I would go and exchange it, if you are able to.

 



Re: Hitron CGN3 - Port forward rules mysteriously added (twice!) and Bandwidth appears to be in use

I talked with Tech Support again and they told me to exchange the modem. Within 4 hours of factory reset, another port forward rule was added. This time though I was able to identify what local computer the rule was made for. More sleuthing to do yet....

Re: Hitron CGN3 - Port forward rules mysteriously added (twice!) and Bandwidth appears to be in use

Actually, i never thought of that..

 

What is it actually forwarding to? Is it all the same IP?

Does the machine show up on the device table (when it eventually comes up) and can you identify what machine it is?  That it is one of yours?

 

Would be an interesting test then... turn that device completely off.. do the reset.. then see if they come back with it off



Re: Hitron CGN3 - Port forward rules mysteriously added (twice!) and Bandwidth appears to be in use

It was forwarding to a windows PC, and after checking the running processes and  running a virus scan we didn't find anything of concern. I deleted the rule pointing to this computer. 

 

Over night another port forward rule was added that used the IP address of my own PC!  I don't think there is malicious software running on the local computers. 

 

The port forward rules that were being added always pertained to a single local IP address of one of the computers on the local network. I assume the attacker looked at the DHCP client list and created a rule accordingly. Why? This essentially opens a hole in the firewall to that computer and allows an outside attacker to issue commands to that computer and get responses to understand how that computer is set up. The first step to hacking. This allows an attacker to learn about your PC and network setup and find vulnerabilities, which could be bad news for me. I have reduced network security on the Windows computers to enable file sharing without user names and passwords.

 

I am exchanging this Hitron CGN3 today with a different one. Hopefully the new one has different login protections. But I agree with another commenter, in that I may have to put the Hitron CGN3 in bridge mode and use another router that I can secure. That way they can't simply login to the Hitron CGN3 using the WAN IP address. Rogers may have to disable this feature in the future. It's going to cost them money and it's a big liability. I used to work for an ISP, and have logged into hundreds of modems over the internet (without users' knowledge) to reprogram them in efforts of support. With many reports about vulnerable routers, and security bugs embedded in router firmware, and this experience, I am more than a little concerned.

 

 

 

Re: Hitron CGN3 - Port forward rules mysteriously added (twice!) and Bandwidth appears to be in use

Guess what.. i just checked mine.. and there are entries as well.

Skype-UDP-at-192.168.0.121:35208-(2911) 35208~35208 35208~35208 UDP 192.168.0.121
Skype-TCP-at-192.168.0.121:35208-(2911) 35208~35208 35208~35208 TCP 192.168.0.121
Giraffic-UDP-on-192.168.0.15 52007~52007 52007~52007 UDP 192.168.0.15


Now.. interestingly enough.
.121 is a STATIC address I have set on my LAPTOP, which is the ONLY one I really run Skype on.
.15 is my Samsung smart TV, which, looking up Giraffic, is a technology Samsung uses to help with stopping buffering on its streaming.

Did i put these there??? NO.

But that they are services that are present on those devices at those addresses.

 

I am GUESSING that UPnP may be working on the router fully now, and allowing devices to automatically add their own entries possibly.


I am going to try and REMOVE the entries.
As well, I have turned off UPnP on the gateway...
(doing this all remote from home)
Will test over tonight to see when those devices are on, if the entries are re-added.



Re: Hitron CGN3 - Port forward rules mysteriously added (twice!) and Bandwidth appears to be in use

Actually there was a Teredo entry as well.

(which is for IPv6 tunneling)



Re: Hitron CGN3 - Port forward rules mysteriously added (twice!) and Bandwidth appears to be in use

The interesting question is going to be, what if the entries return, with the UPNP function disabled.  That leads to two thoughts:

 

1. the UPNP function is still active despite the disabled function indication within the user interface.  Has there been a bug introduced in the last firmware update?

 

2.  is there a security breach in the control interface which is used by Rogers to remotely control and configure the modems?  Don't know what Rogers uses, but TR-069, which is used by other ISPs is not considered to be absolutely secure.



Re: Hitron CGN3 - Port forward rules mysteriously added (twice!) and Bandwidth appears to be in use

Many things like the XBOX, PS3/4, try to use UPnP to do its connection outbound properly..
An issue the NAT on the CGN3 seems to have issues with..

This could be an attempt to FIX those sorts of things, by enabling whatever was blocking them before on the UPnP/NAT side.. but may have allowed this unit to then do these sorts of things..


I will let you guys know if i see anything tonight/overnight.



Re: Hitron CGN3 - Port forward rules mysteriously added (twice!) and Bandwidth appears to be in use

RE:  The interesting question is going to be, what if the entries return, with the UPNP function disabled.  That leads to two thoughts:

 

1. the UPNP function is still active despite the disabled function indication within the user interface.  Has there been a bug introduced in the last firmware update?

 

I did notice the UPnP enabled, but I am unsure how it is used. If this feature is enabled, does that allow applications to create port forwarding rules on the router? I could definitely see why this would be beneficial. It would reduce administration duties and tech support calls. But I am unsure if this is what is going on here. I really, really, hope this is what is happening though. Will have to do some reading on it and do some experimenting.

 

As a side note, I did ask the Rogers Tech Expert this exact question. Can an application on its own create port forwarding rules as needed? The answer was to exchange the Hitron CGN3, which I have now done. But that is a pretty tough tech question to answer.

 

 

 

Re: Hitron CGN3 - Port forward rules mysteriously added (twice!) and Bandwidth appears to be in use

No offence to anyone that works there, etc., but MOST of the techxperts, tech support, etc.... Some of them only have a rudimentary IT knowledge.
Quite a number of board members here, myself included, have a lot more IT knowledge (either from just personal, to working in the field like myself).

 

Often with support, the DEFAULT if they can't figure it out is to swap the unit.
Which isn't always a bad idea; there are many cases where I recommend it as well.

 

But i am thinking NOT the case here.

 

 

As for how UPnP works..

NAT traversal

One solution for NAT traversal, called the Internet Gateway Device Protocol (IGD Protocol), is implemented via UPnP. Many routers and firewalls expose themselves as Internet Gateway Devices, allowing any local UPnP control point to perform a variety of actions, including retrieving the external IP address of the device, enumerate existing port mappings, and add or remove port mappings. By adding a port mapping, a UPnP controller behind the IGD can enable traversal of the IGD from an external address to an internal client.

That's the section from the Wikipedia entry on UPnP.

Which pretty much says.. exactly what is happening here.



Re: Hitron CGN3 - Port forward rules mysteriously added (twice!) and Bandwidth appears to be in use

I read up on UPnP from www.upnp.org and learned something new and it's a relief. With UPnP enabled on Hitron CGN3, applications or devices can automatically create their own port forwarding rule in the Hitron CGN3.

 

My Quick Test:

 

1.  On the Hitron CGN3, ensured there were no port forwarding rules.

2.  Connected my XBOX 360 (a UPnP device) to the internet and logged into my xbox live account

3.  Checked the CGN3 and there was a port forwarding rule added for the xbox. 

4. Turned the Xbox off, and the rule still remains.  (DHCP lease time is 1 week)

 

So what I've been observing is normal behaviour. Likely no remote logins happening or anything malicious.

 

Thanks for all the comments.  It was a nice ah ha! moment.  It also forced me to understand why I have never had to mess with port forwarding for so many years now. 

Cheers!
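The IGD actions quoted from Wikipedia above (enumerate existing mappings, add or remove them) are also how an administrator can audit what the Xbox test above left in the table. This is an added example, not code from the thread, from Rogers or from Hitron: it builds the IGD GetGenericPortMappingEntry request, parses a constructed gateway response, and flags every rule the administrator did not create, separating rules aimed at devices you own (UPnP, as in the Skype and Giraffic rows) from rules aimed at an address you do not recognise. The sample responses, the admin-rule set and the known-host list are constructed; sending the request to the gateway's control URL (located via SSDP) is left out.

```python
import xml.etree.ElementTree as ET
from collections import namedtuple

SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"   # IGD service type
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
PortMapping = namedtuple("PortMapping", "ext_port proto int_port int_client description")

def enum_request(index: int) -> str:
    """SOAP body a control point POSTs to read entry `index`; a fault marks the end."""
    return (f'<?xml version="1.0"?><s:Envelope xmlns:s="{SOAP}"><s:Body>'
            f'<u:GetGenericPortMappingEntry xmlns:u="{SERVICE}">'
            f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
            '</u:GetGenericPortMappingEntry></s:Body></s:Envelope>')

def parse_response(xml_text: str) -> PortMapping:
    """Extract one mapping from a GetGenericPortMappingEntryResponse."""
    root = ET.fromstring(xml_text)
    def field(name: str) -> str:
        el = root.find(f".//{name}")   # argument elements carry no namespace
        if el is None or not el.text:
            raise ValueError(f"response lacks {name}")
        return el.text.strip()
    return PortMapping(int(field("NewExternalPort")), field("NewProtocol").upper(),
                       int(field("NewInternalPort")), field("NewInternalClient"),
                       field("NewPortMappingDescription"))

def audit(mappings, admin_rules, known_hosts):
    """Return (mapping, verdict) for each entry not in admin_rules {(proto, ext_port)};
    a rule aimed at a LAN address outside known_hosts deserves a closer look."""
    findings = []
    for m in mappings:
        if (m.proto, m.ext_port) in admin_rules:
            continue
        findings.append((m, "known host (UPnP?)" if m.int_client in known_hosts else "UNKNOWN host"))
    return findings

# Constructed gateway responses, modelled on the Skype/Giraffic rows quoted in the thread.
def _resp(ext, proto, client, desc):
    args = {"NewExternalPort": ext, "NewProtocol": proto, "NewInternalPort": ext,
            "NewInternalClient": client, "NewPortMappingDescription": desc}
    body = "".join(f"<{k}>{v}</{k}>" for k, v in args.items())
    return (f'<s:Envelope xmlns:s="{SOAP}"><s:Body><u:GetGenericPortMappingEntryResponse '
            f'xmlns:u="{SERVICE}">{body}</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>')

SAMPLE_RESPONSES = [
    _resp(35208, "UDP", "192.168.0.121", "Skype-UDP-at-192.168.0.121:35208-(2911)"),
    _resp(52007, "UDP", "192.168.0.15", "Giraffic-UDP-on-192.168.0.15"),
    _resp(8443, "TCP", "192.168.0.2", "admin: home web server"),
    _resp(5000, "TCP", "192.168.0.77", "unlabelled"),
]

if __name__ == "__main__":
    table = [parse_response(r) for r in SAMPLE_RESPONSES]
    for m, why in audit(table, {("TCP", 8443)}, {"192.168.0.121", "192.168.0.15"}):
        print(f"{m.proto}/{m.ext_port} -> {m.int_client}:{m.int_port} ({m.description}): {why}")
```

Run against a real gateway, the loop would call enum_request(0), enum_request(1), ... until the gateway returns a SOAP fault, then feed each response through parse_response.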

 

 

 

 

 

Re: Hitron CGN3 - Port forward rules mysteriously added (twice!) and Bandwidth appears to be in use

Do you have UPnP enabled in the CGN3? The interesting thing is that the Xbox doesn't clean up after itself and delete the UPnP-established port forwarding rules when it is disconnecting.



Re: Hitron CGN3 - Port forward rules mysteriously added (twice!) and Bandwidth appears to be in use

catemu
I've Been Here Awhile

Would the fact that these ports are being automatically created explain the extra bandwidth that you are  consuming?... Just wondering.

Re: Hitron CGN3 - Port forward rules mysteriously added (twice!) and Bandwidth appears to be in use

Gdkitty
Resident Expert

Shouldn't, generally no.

 

Doing the port forwarding usually makes things more PROFICIENT in what they are doing: download a torrent faster, communicate with the game server quicker, etc.

 

You wouldn't use MORE data; doing the same thing would use the SAME amount, you might just be able to do that same thing QUICKER.



Re: Hitron CGN3 - Port forward rules mysteriously added (twice!) and Bandwidth appears to be in use


@MidLevel wrote:

I read up on UPnP from www.upnp.org and learned something new and it's a relief. With UPnP enabled on Hitron CGN3, applications or devices can automatically create their own port forwarding rule in the Hitron CGN3.

 

My Quick Test:

 

1.  On the Hitron CGN3, ensured there were no port forwarding rules.

2.  Connected my XBOX 360 (a UPnP device) to the internet and logged into my xbox live account

3.  Checked the CGN3 and there was a port forwarding rule added for the xbox. 

4. Turned the Xbox off, and the rule still remains.  (DHCP lease time is 1 week)

 

So what I've been observing is normal behaviour. Likely no remote logins happening or anything malicious.

 

Thanks for all the comments.  It was a nice ah ha! moment.  It also forced me to understand why I have never had to mess with port forwarding for so many years now. 

Cheers!

 

 

 

 

 


I can confirm as well, that with UPnP OFF, the additions are NOT added.

 

 

SOOOOO

It appears that there HAS been a change, that UPnP has been 'PROPERLY' enabled on the devices.
(where it had the enable on it before, it never WAS enabled)

This is likely to help with people having issues with devices such as some VoIP adapters, game systems, etc.

 

I do agree with Datalink's statement though; normally you would think they would be removed after the machine was done. May be a bug still somewhat in the UPnP part on the CGN3.

 

So people having issues with some devices, have the option to leave it ON.


Leaving it ON, at this point in time.. if you have enough devices, COULD possibly fill up the port forwarding table??

Anyone not wanting it happening, should turn UPnP OFF.



Re: Hitron CGN3 - Port forward rules mysteriously added (twice!) and Bandwidth appears to be in use

Has there been another firmware update beyond 4.2.4.5?



Re: Hitron CGN3 - Port forward rules mysteriously added (twice!) and Bandwidth appears to be in use

Not on mine at least.

I would guess, it was just a different setting on the main config type profile on it.



Re: Hitron CGN3 - Port forward rules mysteriously added (twice!) and Bandwidth appears to be in use

sbayley
I've Been Around

Thanks for the info in your post. I've also had disturbing usage numbers from Rogers reports, often 5 days or more a month with a range of 6GBs to 15GBs. March 17th we had a single day hit of over 41 GBs; our Plan limit was 80GBs, the day before we had only used 75% of our allowed bandwidth & the day after we were at 125%. I also called Rogers to see what they could do, and apparently nothing. I did get a template e-mail saying what I could do on average with bandwidth; none of their examples went anywhere near the 41GB usage level I experienced & they didn't have any idea what to do except upgrade.

 

So we did upgrade to a new plan Ignite 60 with a 200GB limit. I'm still searching for a cause, hoping that something was wrong in the old modem which Rogers replaced with a Hitron.

 

Thank you for the heads up on port forwarding; I will check on that regularly. I just took a look and have no rules set up, but the Port Forwarding was enabled. I assume that's a default set-up. So I disabled it & will add this to a checklist of what to verify on a regular (maybe weekly) basis to avoid these overages. If I'm really lucky the new Router will stop whatever the driver was for the 41GBs, but I don't really expect that to be the case.

 

It's pretty clear that I either accept being eventually pushed to the expense of unlimited bandwidth or spend a lot of personal time & effort finding tools that actually provide data that can be analyzed, and doing my own tracking.

 

 

Re: Hitron CGN3 - Port forward rules mysteriously added (twice!) and Bandwidth appears to be in use

Can you log into your modem, navigate to the DOCSIS WAN page or tab, copy the Downstream and Upstream tables and paste them into this thread.  I've seen other high usage reports that have had terrible signal levels and signal to noise ratios and I'd like to see if this is yet another case.


