were you guys able to resolve your SSDP vulnerability issue?
Today I got the call from Rogers about the SSDP vulnerability and I don't have any D-Link router or anything to do with D-Link. I have not changed any device which connects to the modem provided by Rogers in the past year, so this appears to me as a scam from Rogers.
2 days back, I was told that I have a virus and that this is related to an Open DNS Resolver. I called customer service and after 2 hours, customer service could speak to Tech Support to fix it on Rogers' end, so I don't know what the original issue was about. Now this time it's another virus; when asked, they first told me that I need to disable UPnP on the router, and when I told them I don't have any router other than the Rogers WiFi modem, then Tech Support told me that it is an SSDP vulnerability 🙂
I can see UPnP enabled on the Rogers modem, but Tech Support told me that it should be left ENABLED, and that I should find out from my WiFi range extender whether it has any SSDP vulnerability issue. I have been using the WiFi range extender for close to a year now; I don't know how this has become an issue now. Also I checked all the admin setup for this Amped WiFi range extender, and I don't see anything to do with UPnP setup, so I'm completely lost and think that Rogers is trying to get rid of me as their customer (no help from Tech Support; all they know is that the scan will run again after 2 days).
If you run a WiFi range extender you might in fact have an SSDP vulnerability. Run a Google search for the following:
WiFi range extender SSDP vulnerability
You might be surprised at what pops up. Looks like there are range extenders that do in fact have an SSDP vulnerability. The only way to check is to navigate down through the manufacturer's web site and see if your particular model has an SSDP vulnerability and if a firmware update to resolve this has been issued.
Fwiw, personal opinion, UPnP should never be enabled unless you absolutely know that you need it and can't manage to run the port forwarding settings on your own, for whatever device you are running. UPnP can be a security hazard and should be recognized as such.
Looking back one page, @sswilson indicated a somewhat interesting speculation on the subject. "One of the theories that's been bandied about is that Rogers isn't actually testing for the SSDP/UPnP exploit, but instead only scanning for MAC addys they can tie to D-Link routers that may have been vulnerable originally. I don't know if that's accurate, but unless there's something I'm missing I can't find any vulnerability on my network when I test it using external tools."
This raises an interesting question: why is Rogers contacting you about this and how are they determining who to call? I'm not sure that any scanning they can do of devices connected to the modem would allow them to determine the firmware version of those devices. Interesting indeed.....
I am definitely going to check with Amped Wireless regarding my WiFi range extender model REC15A (but I am surprised how come it is reported now, when I have been using it for more than 6 months).
Regarding UPnP being enabled, that is on the Rogers-provided Advanced modem (I have also done a reset on my modem, but it is still on); I don't know why it has to be enabled. When I asked Rogers Tech Support, she mentioned that I don't need to make any change on Rogers' modem. Should I disable it? What damage can this do?
Check my edit in the post above. Unless you know that you need UPnP to set port forwarding for online games for example, it should be disabled. UPnP works in conjunction with the connected device to set the modem parameters so that the device can access the internet. That's the good side of it. The bad side of it is that a rogue application can also do the same thing using UPnP. This might include changing the DNS address to a rogue Domain Name Server in an attempt to capture login credentials for bank sites and others. So, like anything else, designed for useful purposes but overtaken by miscreants who use it for purposes which are far from good. Personal opinion, make the modem changes yourself so that you understand what is being changed and why those changes are being made.
Fwiw: UPnP, WEP and WPS should all be disabled. The WiFi security should be set to WPA2 AES only. Do not use TKIP or TKIP/AES as TKIP is no longer secure. The network names and passphrases should be long strings of random characters, numbers and symbols. The longer the better, in both cases. Use the entire allowed length, 32 characters for the network name, and 63 or 64 characters for the passphrase, depending on what type of character string you use.
No range extender on my system at all, and if it was WiFi related on the internal network they'd have no way of detecting it anyway. I honestly think there's either something haywire with their monitoring software, somebody is spoofing my IP, it's virus related and their generic reporting system is identifying the issue incorrectly, or there's a telephone-based phishing attempt going on and they don't want to admit it.
As I stated earlier... all tests I've done into my network have come up negative, and as far as how they test... it's a fairly simple test that sends a request to the IP over a certain port that would typically only be seen from the router into your home. The problematic routers are the ones that respond to a request from the external side.
As it stands, this is a non issue for me now. I've converted over to FibeOp.
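The "fairly simple test" described in the post above is an SSDP M-SEARCH sent to UDP port 1900: a device with UPnP/SSDP enabled answers with an HTTP-style reply carrying SERVER and LOCATION headers. The script below is an added example, not something from this thread or from Rogers, and it approaches the problem from the inside: it builds the same M-SEARCH packet, parses the replies, and inventories which LAN devices (modem, extender, media player, receiver) still have SSDP turned on, so you know what to go and disable. The sample replies and IP addresses are constructed for illustration; the only live step, `discover_on_lan`, queries the standard SSDP multicast group on your own network and is run only from `main`.

```python
import socket

SSDP_GROUP = ("239.255.255.250", 1900)

# Constructed sample replies (not captured from any real network) so the
# parser and inventory logic can be exercised offline.
SAMPLE_RESPONSES = [
    ("192.168.0.1",
     "HTTP/1.1 200 OK\r\n"
     "CACHE-CONTROL: max-age=1800\r\n"
     "ST: upnp:rootdevice\r\n"
     "USN: uuid:00000000-example-0001::upnp:rootdevice\r\n"
     "SERVER: Linux/2.6 UPnP/1.0 example-gateway/1.0\r\n"
     "LOCATION: http://192.168.0.1:49152/rootDesc.xml\r\n"
     "\r\n"),
    ("192.168.0.23",
     "HTTP/1.1 200 OK\r\n"
     "ST: urn:schemas-upnp-org:device:MediaRenderer:1\r\n"
     "SERVER: Example-AV/1.0 UPnP/1.0\r\n"
     "LOCATION: http://192.168.0.23:8080/desc.xml\r\n"
     "\r\n"),
    # A non-SSDP datagram that happens to arrive on the socket.
    ("192.168.0.50", "not an ssdp reply\r\n"),
]


def m_search_packet(st="upnp:rootdevice", mx=2):
    """Build the standard SSDP discovery request (HTTP over UDP)."""
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        f"HOST: {SSDP_GROUP[0]}:{SSDP_GROUP[1]}\r\n"
        'MAN: "ssdp:discover"\r\n'
        f"MX: {mx}\r\n"
        f"ST: {st}\r\n"
        "\r\n"
    ).encode("ascii")


def parse_ssdp_response(text):
    """Return a dict of upper-cased headers for a 200 OK reply, else None."""
    lines = text.split("\r\n")
    if not lines or not lines[0].upper().startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in lines[1:]:
        if line == "":          # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers


def inventory(responses):
    """Map responder IP -> SERVER / LOCATION / ST for every parseable reply.

    Every entry is a device that still answers SSDP; on a home network you
    usually want that list to be empty, or at least to contain nothing you
    did not knowingly leave on.
    """
    found = {}
    for ip, text in responses:
        headers = parse_ssdp_response(text)
        if headers is None:
            continue
        found[ip] = {
            "server": headers.get("SERVER", "?"),
            "location": headers.get("LOCATION", "?"),
            "st": headers.get("ST", "?"),
        }
    return found


def discover_on_lan(timeout=3.0):
    """Send one multicast M-SEARCH on the local network and collect replies."""
    responses = []
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.settimeout(timeout)
    try:
        sock.sendto(m_search_packet(), SSDP_GROUP)
        while True:
            try:
                data, (ip, _port) = sock.recvfrom(65535)
            except socket.timeout:
                break
            responses.append((ip, data.decode("utf-8", errors="replace")))
    finally:
        sock.close()
    return responses


if __name__ == "__main__":
    for ip, info in inventory(discover_on_lan()).items():
        print(f"{ip:15} {info['server']}  ->  {info['location']}")
```

This only tells you what answers from inside your own LAN. The condition the thread is about, a router that also answers M-SEARCH on its WAN interface, cannot be observed from behind that router; that is why the posters above resorted to external scanning services, and why an ISP can see it while you cannot.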
"The problematic routers are the ones that respond to a request from the external side." An interesting observation. Can a WiFi access point or range extender that is sitting beyond the gateway firewall on the internal network be attacked through WiFi only? I haven't read enough about this to understand all of the permutations and combinations here.
Since the attack would be coming in from the wireless side (and thus part of your internal network) it wouldn't qualify as the same exploit, and would be very limited in scope since it'd only be accessible within range of your wireless connection. Easier to just brute force your wireless than bother with this kind of exploit.
edit: it's also important to note that I had UPnP disabled anyway. If it's hardware related, the only thing I can imagine it being would be either my Sony Blu-ray player or my Onkyo receiver.
150/30 rated, reporting 175/27 (apparently they over-provision to 200, which allows for 25 left over for the IPTV). MTR to Diablo III servers way over on the other coast is a sub-60 average until I hit the Blizzard IPs that don't report. It helps that Bell appears to have a direct connection to AT&T, so there's no mucking about with a third-party backbone like Level 3.