I'm receiving emails from email@example.com saying, "We have received notification that your Rogers Public IP address has been identified as being vulnerable to SSDP (Simple Service Discovery Protocol) reflection attacks..."
I'm using the CGN3ROG modem with a D-Link DIR-862L (AC1600 Dual Band Gigabit) router for Wi-Fi.
In my router settings UPnP, WAN Ping, IPv4 and IPv6 Multicast Streams are all disabled. D-Link says this newer router does not have the SSDP vulnerability. Firmware is up to date.
I have run the ShieldsUP! UPnP Exposure Test many times on both the PC and a laptop. Both are good. Both computers are also free of viruses and spyware.
So, why am I still getting abuse warnings? Is there something else here I should be looking at? Any help would be greatly appreciated. I have not talked to Rogers yet. I got the first email a few weeks ago, followed their suggestions, and all has been good until now. Have received two more emails in the last couple days.
Have a look at the following threads:
I would do a factory reset on both the CGN3 and 862L and reset all parameters from scratch, including disabling UPNP, and possibly consider disabling the SSDP Discovery service on your PC and laptops. I would also run scans looking for the Conficker worm.
I disabled SSDP Discovery on the desktop and laptop.
I tested both for Conficker with McAfee's conficker tool and the Conficker Eye Chart. Didn't find anything.
Will do the resets and see what happens.
Nothing has changed here except for the new modem and router when I upgraded to Hybrid 60 a couple months ago. Have been with Rogers for years with no issues so this is baffling.
I've run into the same issue with the same router. There is in fact a new firmware (1.01) but it doesn't come up when you use the router's "check for new firmware" function on their web interface. (It's available from the D-Link website for the DIR-862L.)
I've run both the grc.com and rapid7 tests with both reporting zero responses to the exploit. UPNP has been turned off on the router, and the latest firmware update has been applied. After receiving my third call on the subject I specifically went around to each individual PC and ran the GRC and Rapid7 exploit tests on them on the off chance that something had slipped by my antivirus but again came up empty.
I've spoken to tier 2 twice on the subject with the first time being told that "the dude who can run those tests isn't in for the next few days but I'll get him to run some tests on your IP when he comes back and we'll contact you if we see something". I didn't hear back from them so assumed there was no issue. Received a third robo-call this morning and got the impression that the tier 2 tech I received this time was pretty much only offering lip service... imagine my surprise when after he'd put me on hold a couple of times to "check this out" I was informed by him that they didn't have the ability to test for this live and that it could only be done by the automated system. (At that point I didn't bother asking him what exactly he had been doing when he put me on hold to check it out).
He had no suggestions or possible explanations to my questions WRT my not being able to replicate the issue on my end using GRC or rapid7 testing and the only offered solution was for me to stop using the router.
The only thing I can think of is that maybe one of my entertainment appliances (networked receiver and Blu-ray player) has an issue and was willing to troubleshoot that with the tech by turning them on/off and unplugging the network to them, but since they can't (or probably more likely won't) do live testing there was nothing left to do.
Bell is going to be here on the 28th to install FibreOp.
Yeah, I'm not sure what's going on with it. I'd have been more than happy to do further testing if they had gotten back to me after the first time I spoke with tier 2 and the TSR said that they'd run tests on the IP and respond if they still saw a problem, but I never got a follow up.
The second talk to tier 2 (today) was much less productive with the TSR telling me that they don't have the ability to test for that real time. Basically telling me that my only option was to replace the router. Either the first TSR lied to me or the second one did, and I don't react very well to being lied to.
As it stands, I was already scheduled to switch over to Bell at the end of the month but I didn't have too many bad things to say about Rogers other than the fact that their infrastructure is starting to get a bit dated in Atlantic Canada and that Bell has stepped up their game substantially.
Their tech support (or more importantly lack of tech support) on this issue has soured my impression and if I hadn't already been booked, I probably would have been switching ISPs over this anyway.
One of the theories that's been bandied about is that Rogers isn't actually testing for the SSDP/UPNP exploit, but instead only scanning for MAC addresses they can tie to D-Link routers that may have been vulnerable originally. I don't know if that's accurate, but unless there's something I'm missing I can't find any vulnerability on my network when I test it using external tools.
Were you guys able to resolve your SSDP vulnerability issue?
Today I got the call from Rogers about the SSDP vulnerability and I don't have any D-Link router or anything to do with D-Link. I have not changed any device which connects to the modem provided by Rogers in the last year, so this appears to me to be a scam from Rogers.
Two days ago, I was told that I have a virus and this is related to Open DNS Resolver. I called customer service and after 2 hours, customer service could speak to tech support to fix it on Rogers' end, so I don't know what the original issue was about. Now this time another virus; when asked, they first told me that I need to disable UPNP on the router, and when I told them I don't have any router other than the Rogers Wi-Fi modem, then tech support told me that it is the SSDP vulnerability 🙂
I can see UPnP enabled on the Rogers modem, but tech support told me that it should be left ENABLED, and I should find out from my Wi-Fi range extender if it has any SSDP vulnerability issue? I have been using the Wi-Fi range extender for close to a year now; I don't know how this has become an issue now. Also I checked all the admin setup for this Amped Wi-Fi range extender and I don't see anything to do with UPnP setup, so I am completely lost and think that Rogers is trying to get rid of me as their customer (no help from tech support, all they know is that the scan will run again after 2 days).
If you run a Wifi Range Extender you might in fact have an SSDP vulnerability. Run a Google search for the following:
WiFi range extender SSDP vulnerability
You might be surprised at what pops up. Looks like there are range extenders that do in fact have an SSDP vulnerability. The only way to check is to navigate down through the manufacturer's web site and see if your particular model has an SSDP vulnerability and if a firmware update to resolve this has been issued.
Fwiw, personal opinion, UPNP should never be enabled unless you absolutely know that you need it and can't manage to run the port forwarding settings on your own, for whatever device you are running. UPNP can be a security hazard and should be recognized as such.
Looking back one page, @sswilson indicated a somewhat interesting speculation on the subject. "One of the theories that's been bandied about is that Rogers isn't actually testing for the SSDP/UPNP exploit, but instead only scanning for MAC addresses they can tie to D-Link routers that may have been vulnerable originally. I don't know if that's accurate, but unless there's something I'm missing I can't find any vulnerability on my network when I test it using external tools."
This raises an interesting question: why is Rogers contacting you about this, and how are they determining who to call? I'm not sure that any scanning they can do of devices connected to the modem would allow them to determine the firmware version of those devices. Interesting indeed...
I am definitely going to check with Amped Wireless regarding my Wi-Fi range extender REC15A (but I am surprised how come it is reported now, when I have been using it for more than 6 months).
Regarding UPnP being enabled, that is on the Rogers-provided Advanced modem (I have also done a reset on my modem, but it is still on); I don't know why it has to be enabled. When I asked Rogers Tech Support, she mentioned that I don't need to make any change on the Rogers modem. Should I disable it? What damage can this do?
Check my edit in the post above. Unless you know that you need UPNP to set port forwarding for online games for example, it should be disabled. UPNP works in conjunction with the connected device to set the modem parameters so that the device can access the internet. That's the good side of it. The bad side of it is that a rogue application can also do the same thing using UPNP. This might include changing the DNS address to a rogue Domain Name Server in an attempt to capture login credentials for bank sites and others. So, like anything else, designed for useful purposes but overtaken by miscreants who use it for purposes which are far from good. Personal opinion, make the modem changes yourself so that you understand what is being changed and why those changes are being made.
Fwiw: UPNP, WEP and WPS should all be disabled. The Wi-Fi security should be set to WPA2-AES only. Do not use TKIP or TKIP/AES as TKIP is no longer secure. The network names and passphrases should be long strings of random characters, numbers and symbols. The longer the better, in both cases. Use the entire allowed length, 32 characters for the network name, and 63 or 64 characters for the passphrase, depending on what type of character string you use.
No range extender on my system at all, and if it was Wi-Fi related on the internal network they'd have no way of detecting it anyway. I honestly think there's either something haywire with their monitoring software, somebody is spoofing my IP, it's virus related and their generic reporting system is identifying the issue incorrectly, or there's a telephone based phishing attempt going on and they don't want to admit it.
As I stated earlier... all tests I've done into my network have come up negative, and as far as how they test... it's a fairly simple test that sends a request to the IP over a certain port that would typically only be seen from the router into your home. The problematic routers are the ones that respond to a request from the external side.
As it stands, this is a non-issue for me now. I've converted over to FibreOp.
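The external tests discussed above (GRC, Rapid7) and the ISP's own scanner all reduce to the probe sswilson describes: a single unicast SSDP M-SEARCH sent to the public IP on UDP/1900, with any answer meaning the device speaks SSDP to the outside and can be used as a reflector. The script below is an added example for this thread, not a Rogers, D-Link, GRC or Rapid7 tool; it builds that probe, parses any replies, and reports an amplification figure (bytes returned per byte sent), which is why SSDP is attractive for reflection attacks in the first place. The function names, the `SAMPLE_REPLY` datagram and the `ExampleRouter` server string are all constructed for the example. Run it from a host outside the home network against your own public IP; from inside, the modem's NAT may answer or drop the packet differently, which is the reason the thread's in-home tests and the ISP's results can disagree.

```python
"""Self-check for SSDP exposure on a public IP (added example, not from this thread).

Sends one unicast SSDP M-SEARCH to host:1900 and reports whether anything
answers. A router or extender that replies from the WAN side is usable as
a reflector; a correctly configured gateway (UPnP off) should stay silent.
"""
import socket
import sys
from typing import Dict, List, Optional

SSDP_PORT = 1900
SSDP_MULTICAST = "239.255.255.250"


def build_msearch(search_target: str = "ssdp:all", mx: int = 2) -> bytes:
    """Build a standard SSDP M-SEARCH request (CRLF line endings, blank-line terminator)."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_MULTICAST}:{SSDP_PORT}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {search_target}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_ssdp_response(raw: bytes) -> Optional[Dict[str, str]]:
    """Parse an SSDP 'HTTP/1.1 200 OK' reply into lower-cased headers.

    Returns None for anything that is not a search response (e.g. NOTIFY
    chatter or junk), so callers can count only real answers.
    """
    text = raw.decode("utf-8", errors="replace")
    head, _, _ = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not lines or not lines[0].upper().startswith("HTTP/1.1 200"):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def amplification_factor(request: bytes, replies: List[bytes]) -> float:
    """Bytes received per byte sent: the ratio a reflection attack exploits."""
    if not request:
        return 0.0
    return sum(len(r) for r in replies) / len(request)


def probe(host: str, timeout: float = 3.0) -> List[bytes]:
    """Send one unicast M-SEARCH to host:1900 and collect every datagram that comes back."""
    request = build_msearch()
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    replies: List[bytes] = []
    try:
        sock.sendto(request, (host, SSDP_PORT))
        while True:  # keep reading until the timeout; one probe can draw several replies
            data, _ = sock.recvfrom(65535)
            replies.append(data)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return replies


def assess(request: bytes, replies: List[bytes]) -> Dict[str, object]:
    """Summarise a probe: exposed if at least one well-formed SSDP reply came back."""
    parsed = [p for p in (parse_ssdp_response(r) for r in replies) if p]
    return {
        "exposed": bool(parsed),
        "responders": len(parsed),
        "servers": sorted({p.get("server", "?") for p in parsed}),
        "amplification": round(amplification_factor(request, replies), 2),
    }


# Constructed sample of what a UPnP-enabled gateway typically answers; not a
# capture from any device mentioned in the thread.
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"EXT:\r\n"
    b"LOCATION: http://192.168.0.1:49152/rootDesc.xml\r\n"
    b"SERVER: ExampleOS/1.0 UPnP/1.0 ExampleRouter/1.0\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: ssdp_selfcheck.py <your-public-ip>  (run from outside the LAN)")
    result = assess(build_msearch(), probe(sys.argv[1]))
    verdict = "EXPOSED: answers SSDP from the WAN side" if result["exposed"] else "OK: no SSDP reply"
    print(verdict, result)
```

A silent result from outside means the public IP is not a reflector at that moment; it says nothing about devices behind the NAT, which is consistent with sswilson's point that an extender or media player reachable only over Wi-Fi is a different, far narrower exposure. If the probe does get an answer, the `server` header usually names the device that is responding, which is the fastest way to tell a modem answer from an extender or media-player answer.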
"The problematic routers are the ones that respond to a request from the external side." An interesting observation. Can a Wi-Fi access point or range extender be attacked through Wi-Fi only, which is sitting beyond the gateway firewall on the internal network? I haven't read enough about this to understand all of the permutations and combinations here.
Since the attack would be coming in from the wireless side (and thus part of your internal network) it wouldn't qualify as the same exploit, and would be very limited in scope since it'd only be accessible within range of your wireless connection. Easier to just brute force your wireless than bother with this kind of exploit.
edit: it's also important to note that I had UPNP disabled anyway. If it's hardware related the only thing I can imagine it being would be either my Sony Blu-ray player or my Onkyo receiver.
150/30 rated, reporting 175/27 (apparently they over-provision to 200 which allows for 25 left over for the IPTV). MTR to Diablo III servers way over on the other coast is a sub-60 average until I hit the Blizz IPs that don't report. It helps that Bell appears to have a direct connect to AT&T so there's no mucking about with third party backbone like LvL 5.
That's from Moncton NB.
The most frustrating part of this whole SSDP vulnerability issue is that there very well might be something going on, but they've apparently contracted out all of their IT security section (I did 11 months on the HSI tech support phones for them back in 2009-ish so I know for a fact that Rogers used to have a dedicated section just for these kinds of issues) and thus don't appear to have anybody available to respond when they're faced with somebody who's trying to decipher what the problem really is.
edit: I also wouldn't be surprised to find out that it's something related to their own modem not properly turning off UPNP when in bridge mode, but that's just complete guess work. 😉