Newer Merlin Firmware Conflicts with Local ISP

joshf87

New Around Here
My setup:
- I have a Local WISP, issues a 172.16.x.x address.
- 2 RT-AX88U, one as an AiMesh node, current firmware 386.3_2
- Router operating as an AiMesh node has 3 physically connected clients on the LAN ports

Cliff Notes: I get booted from my ISP with the 386.8 firmware when the AiMesh router had more than physical client connected, but not with 386.3_2. ISP suspects malware.

We recently switched to a new ISP, a local WISP. I decided to update the firmware from 386.3_2 to 386.8 on both. We had no problem with this setup with the 386.3_2 firmware with the ISP, but when I updated the routers to 386.8, our access to the internet gets blocked by the ISP when the AiMesh node had more than one physical client connected/powered on. Wireless clients connected to the node don't seem to trigger this. It doesn't matter what other PC was powered on. When this happens, we have to call the ISP to get internet access back, and they claim it is because of malware on one of our computers. They even suggested having one of their IT guys inspect our computers before letting us back on.

Turns out there is something with the 386.8 firmware or the firmware between these two that causes them to think we are attacking their network or our systems compromised. They are pretty adamant that it is our systems being compromised.

Any ideas to narrow the scope why the ISP thinks we have malware as a result of updating the router firmware? I have to call them to regain internet access so hopefully we can keep testing to a minimum, and like I said, they think it is because of malware on one of our computers.
 
Last edited:

Smokey613

Very Senior Member
Check the WAN settings on your AX88U that connects to your ISP. Make sure the DHCP query frequency is set to Normal and not Aggressive. Sometimes Continuous mode will work.
 

Attachments

  • 772F79C2-B0EC-41DC-9B0C-2579CF3E51D1.png
    772F79C2-B0EC-41DC-9B0C-2579CF3E51D1.png
    116.9 KB · Views: 77

CptMaduro

New Around Here
Could you have picked up malware when you were doing your upgrades? Download any stuff from the internet that you assumed was trustworthy without really checking it? Something could have snuck in. It sounds like you can force a ban with the newer software, but did you revert and check again? Any reason a PC would be able to trigger it in one case of not the other (like, oh, swapping between to laptops --- I'm trying to think of something that might lead this)? A reason ISPs will block your access like what you're describing is when you start sending malformed and/or mal-sequenced packets onto their network. Malformed packets can be used to cause a DOS (denial of service) attack. Basically, you send specifically crafted packets that make no sense within the IP protocol stack, and you degrade the network stack of your target. You can try to trigger packet flooding, force the exhaustion of available memory or throughput, or place the network stack into a paradoxical state that should never be possible to reach and then unpredictable stuff happens (like a kernal panic, let's say). The target might be attacked by more than one computer at a time (a DDOS, or distributed denial of service attack), which just amplifies the problems for the target. Eventually, the target can simply succumb to so much crap being thrown at it that gets forced offline.

Because of growing problems with DOS attacks across the internet, ISPs are being more restrictive about what they filter and what they'll tolerate. Your ISP is likely using automated tools to monitor traffic coming in from the edge points (like your home) and, when it spots something that matches the signature of these kinds of packets, it automatically hits you with the ban hammer and you're blocked. No questions asked. Purely anecdotally, I get the sense that the ISPs that are touchiest about this are those that got badly exploited by parties conducting DOS attacks, or they tend to draw a customer base that, for whatever reason, tend to be sketchy. Think cheap, anonymous, pre-paid "burner" cell phone sellers. They know their customers, and are diligent in policing their networks appropriately.
 

joshf87

New Around Here
Could you have picked up malware when you were doing your upgrades? Download any stuff from the internet that you assumed was trustworthy without really checking it? Something could have snuck in. It sounds like you can force a ban with the newer software, but did you revert and check again? Any reason a PC would be able to trigger it in one case of not the other (like, oh, swapping between to laptops --- I'm trying to think of something that might lead this)? A reason ISPs will block your access like what you're describing is when you start sending malformed and/or mal-sequenced packets onto their network. Malformed packets can be used to cause a DOS (denial of service) attack. Basically, you send specifically crafted packets that make no sense within the IP protocol stack, and you degrade the network stack of your target. You can try to trigger packet flooding, force the exhaustion of available memory or throughput, or place the network stack into a paradoxical state that should never be possible to reach and then unpredictable stuff happens (like a kernal panic, let's say). The target might be attacked by more than one computer at a time (a DDOS, or distributed denial of service attack), which just amplifies the problems for the target. Eventually, the target can simply succumb to so much crap being thrown at it that gets forced offline.

Because of growing problems with DOS attacks across the internet, ISPs are being more restrictive about what they filter and what they'll tolerate. Your ISP is likely using automated tools to monitor traffic coming in from the edge points (like your home) and, when it spots something that matches the signature of these kinds of packets, it automatically hits you with the ban hammer and you're blocked. No questions asked. Purely anecdotally, I get the sense that the ISPs that are touchiest about this are those that got badly exploited by parties conducting DOS attacks, or they tend to draw a customer base that, for whatever reason, tend to be sketchy. Think cheap, anonymous, pre-paid "burner" cell phone sellers. They know their customers, and are diligent in policing their networks appropriately.
The firmware was downgraded back to 386.3_2 and was back to working fine without any changes to the PCs connected to the AiMesh node and calling the ISP to 'unlock' us. It doesn't matter what two PCs were connected on the router acting as a node. I have made no concerted effort to scan for malware (because I know there isn't any because I'm now a newb to computers) and the internet connection is working fine with 386.3_2. If it were malware according to the ISP then they should be blocking us with 386.3_2 as well.
 

CptMaduro

New Around Here
The firmware was downgraded back to 386.3_2 and was back to working fine without any changes to the PCs connected to the AiMesh node and calling the ISP to 'unlock' us. It doesn't matter what two PCs were connected on the router acting as a node. I have made no concerted effort to scan for malware (because I know there isn't any because I'm now a newb to computers) and the internet connection is working fine with 386.3_2. If it were malware according to the ISP then they should be blocking us with 386.3_2 as well.
Understood. Well, it was a thought. I personally know of two other parties that went through getting auto-blocked by ISPs in just the last ten to fourteen days. For one, it happened at their home and the other was a company office, and both had to do with packets going upstream that appeared to be a malware attack. In one case, they tracked the source to an MFD on their network, and I don't know what happened in the other. Maybe you could escalate with the ISP and see if their SOC can give you info about what signature they're seeing and then get that info to RMerlin so he can look at a possible root cause. I wish you the best of luck in getting the situation resolved, and hope that it's not going to be an ongoing struggle with your network provider. Be well, and take care!
 

joshf87

New Around Here
Understood. Well, it was a thought. I personally know of two other parties that went through getting auto-blocked by ISPs in just the last ten to fourteen days. For one, it happened at their home and the other was a company office, and both had to do with packets going upstream that appeared to be a malware attack. In one case, they tracked the source to an MFD on their network, and I don't know what happened in the other. Maybe you could escalate with the ISP and see if their SOC can give you info about what signature they're seeing and then get that info to RMerlin so he can look at a possible root cause. I wish you the best of luck in getting the situation resolved, and hope that it's not going to be an ongoing struggle with your network provider. Be well, and take care!
I will definitely give Smokey613's idea a chance when I have time, but the "Aggressive" option is/was the current option for DHCP in both firmwares.

Hopefully I can get ahold of someone competent there, but if suggesting that their 'IT Guy' come visit and inspect all my machines is the best they can do, I'm not hopeful. By local WISP we are talking a handful of counties in just my state. It's DMCI Broadband. We're locked into a contract, the only other option is a slower ADSL option. No 5G yet, other alternatives suck even worse so please no suggestions on changing ISP :).We aren't spoiled for internet options like city folk.

I want to update to the latest firmware since IMHO it's important to keep it updated.
 
Last edited:

bbunge

Part of the Furniture
You might give the new Asus firmware a try.
 

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top