I'm receiving emails from firstname.lastname@example.org saying, "We have received notification that your Rogers Public IP address has been identified as being vulnerable to SSDP (Simple Service Discovery Protocol) reflection attacks..."
I'm using the CGN3ROG modem with a D-Link DIR-862L (AC1600 Dual Band Gigabit) router for Wi-Fi.
In my router settings UPnP, WAN Ping, IPv4 and IPv6 Multicast Streams are all disabled. D-Link says this newer router does not have the SSDP vulnerability. Firmware is up to date.
I have run the ShieldsUp UPnP Exposure Test many times on both the PC and a laptop. Both are good. Both computers are also free of viruses and spyware.
So, why am I still getting abuse warnings? Is there something else here I should be looking at? Any help would be greatly appreciated. I have not talked to Rogers yet. I got the first email a few weeks ago, followed their suggestions, and all has been good until now. Have received two more emails in the last couple days.
Have a look at the following threads:
I would do a factory reset on both the CGN3 and 862L and reset all parameters from scratch, including disabling UPnP, and possibly consider disabling the SSDP Discovery service on your PC and laptops. I would also run scans looking for the Conficker worm.
I disabled SSDP Discovery on the desktop and laptop.
I tested both for Conficker with McAfee's conficker tool and the Conficker Eye Chart. Didn't find anything.
Will do the resets and see what happens.
Nothing has changed here except for the new modem and router when I upgraded to Hybrid 60 a couple months ago. Have been with Rogers for years with no issues so this is baffling.
I've run into the same issue with the same router. There is in fact a new firmware (1.01) but it doesn't come up when you use the router's "check for new firmware" function on their web interface. (It's available from the D-Link website for the DIR-862L.)
I've run both the grc.com and rapid7 tests with both reporting zero responses to the exploit. UPNP has been turned off on the router, and the latest firmware update has been applied. After receiving my third call on the subject I specifically went around to each individual PC and ran the GRC and Rapid7 exploit tests on them on the off chance that something had slipped by my antivirus but again came up empty.
I've spoken to tier 2 twice on the subject with the first time being told that "the dude who can run those tests isn't in for the next few days but I'll get him to run some tests on your IP when he comes back and we'll contact you if we see something". I didn't hear back from them so assumed there was no issue. Received a third robo-call this morning and got the impression that the tier 2 tech I received this time was pretty much only offering lip service... imagine my surprise when after he'd put me on hold a couple of times to "check this out" I was informed by him that they didn't have the ability to test for this live and that it could only be done by the automated system. (At that point I didn't bother asking him what exactly he had been doing when he put me on hold to check it out).
He had no suggestions or possible explanations to my questions WRT my not being able to replicate the issue on my end using GRC or rapid7 testing and the only offered solution was for me to stop using the router.
The only thing I can think of is that maybe one of my entertainment appliances (networked receiver and Blu-ray player) has an issue and was willing to troubleshoot that with the tech by turning them on/off and unplugging the network to them, but since they can't (or probably more likely won't) do live testing there was nothing left to do.
Bell is going to be here on the 28th to install FibreOp.
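As an added example (not code from any poster here, nor from GRC, Rapid7 or Rogers), the following Python script shows what the external exposure tests mentioned in the first post (ShieldsUp) and in the post above (grc.com and rapid7) actually do, and why an abuse desk cares: they send one SSDP M-SEARCH datagram to your public IP on UDP 1900 from outside your network and see whether anything answers. The M-SEARCH format is the standard UPnP one; the sample response, the `192.0.2.1` address and the `example-router` SERVER string are constructed for the demo, and `probe()` is only useful when run from a host outside the network whose public address you are checking.

```python
import socket
import sys

SSDP_PORT = 1900

# Constructed sample of what a UPnP root device answers to an M-SEARCH.
# Addresses and SERVER string are made up (192.0.2.0/24 is a documentation range).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"EXT:\r\n"
    b"LOCATION: http://192.0.2.1:49152/rootDesc.xml\r\n"
    b"SERVER: Linux/2.6 UPnP/1.0 example-router/1.0\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    b"\r\n"
)


def build_msearch(mx: int = 1, st: str = "ssdp:all") -> bytes:
    """Build a standard SSDP M-SEARCH request (the UPnP discovery message).

    A reflector that answers this from its WAN side is what the abuse notice
    describes: the request is small and the replies are larger, so a forged
    source address turns the device into an amplifier.
    """
    lines = [
        "M-SEARCH * HTTP/1.1",
        "HOST: 239.255.255.250:1900",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {st}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_ssdp_response(data: bytes) -> dict:
    """Parse an SSDP 'HTTP/1.1 200 OK' reply into lower-cased headers.

    Returns an empty dict for anything that is not a 200 OK, so callers can
    treat 'no headers' as 'not an SSDP answer'.
    """
    text = data.decode("latin-1", errors="replace")
    head, _, _ = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not lines or not lines[0].startswith("HTTP/1.1 200"):
        return {}
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def amplification_factor(request: bytes, responses: list) -> float:
    """Bytes received per byte sent; anything well above 1.0 is a usable reflector."""
    if not request:
        return 0.0
    return sum(len(r) for r in responses) / len(request)


def assess(request: bytes, responses: list) -> dict:
    """Summarise an exposure test the way the external checkers report it."""
    parsed = [parse_ssdp_response(r) for r in responses]
    servers = sorted({h["server"] for h in parsed if "server" in h})
    return {
        "responds": any(parsed),
        "factor": round(amplification_factor(request, responses), 2),
        "servers": servers,
    }


def probe(host: str, timeout: float = 2.0) -> list:
    """Send one M-SEARCH to host:1900 and collect every reply until timeout.

    Meaningful only when run from outside the network whose public IP is
    given, since from inside you would be testing the LAN side of the router.
    """
    request = build_msearch()
    replies = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, SSDP_PORT))
        try:
            while True:
                data, _addr = sock.recvfrom(65535)
                replies.append(data)
        except socket.timeout:
            pass
    return replies


if __name__ == "__main__":
    # With a public IP argument, run a live probe; otherwise show the constructed sample.
    if len(sys.argv) > 1:
        replies = probe(sys.argv[1])
    else:
        replies = [SAMPLE_RESPONSE]
    print(assess(build_msearch(), replies))
```

A result of `responds: False` from a host on the outside is exactly what the posters above got from GRC and Rapid7; a `True` with a SERVER header identifies the device doing the answering, which is the quickest way to tell a router from a networked receiver or Blu-ray player.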
Yeah, I'm not sure what's going on with it. I'd have been more than happy to do further testing if they had gotten back to me after the first time I spoke with tier 2 and the TSR said that they'd run tests on the IP and respond if they still saw a problem, but I never got a follow up.
The second talk to tier 2 (today) was much less productive with the TSR telling me that they don't have the ability to test for that real time. Basically telling me that my only option was to replace the router. Either the first TSR lied to me or the second one did, and I don't react very well to being lied to.
As it stands, I was already scheduled to switch over to Bell at the end of the month but I didn't have too many bad things to say about Rogers other than the fact that their infrastructure is starting to get a bit dated in Atlantic Canada and that Bell has stepped up their game substantially.
Their tech support (or more importantly lack of tech support) on this issue has soured my impression and if I hadn't already been booked, I probably would have been switching ISPs over this anyway.
One of the theories that's been bandied about is that Rogers isn't actually testing for the SSDP/UPnP exploit, but instead only scanning for MAC addresses they can tie to D-Link routers that may have been vulnerable originally. I don't know if that's accurate, but unless there's something I'm missing I can't find any vulnerability on my network when I test it using external tools.