

VPNFilter attack?

Discussion in 'ASUSWRT - Official' started by bbunge, Jun 20, 2018.

  1. bbunge

    bbunge Very Senior Member

    Joined:
    Aug 11, 2014
    Messages:
    600
    Location:
    Pennsylvania USA
    Found the following in my log today:

    Jun 20 05:06:47 vpnserver1[25324]: 185.200.118.77:52854 TLS: Initial packet from [AF_INET]185.200.118.77:52854 (via [AF_INET]71.50.195.135%eth0), sid=12121212 12121212
    Jun 20 05:07:47 vpnserver1[25324]: 185.200.118.77:52854 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Jun 20 05:07:47 vpnserver1[25324]: 185.200.118.77:52854 TLS Error: TLS handshake failed
    Jun 20 05:07:47 vpnserver1[25324]: 185.200.118.77:52854 SIGUSR1[soft,tls-error] received, client-instance restarting

    Was this a failed VPNFilter attack? No corresponding event in network protection.

    bb
     
  3. kfp

    kfp Very Senior Member

    Joined:
    Jun 26, 2014
    Messages:
    707
    No. That IP (block) is regularly doing port scanning.

    If you find it annoying try using a non-standard port for OpenVPN (change from default 1194). One step further would be using an IP block list and use something like Skynet to block those ranges.
     
  4. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    28,245
    Location:
    Canada
    Switching to UDP might also help reduce noise; port scanners tend to focus on TCP in general.
     
    sfx2000 likes this.
  5. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    6,751
    Location:
    UK
    Indeed. But the probes from this particular subnet are unusual in that they are probing UDP ports 443 and 1194 (and other TCP ports). Which probably explains why there have been multiple posts about this subnet in recent days.
     
  6. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    13,478
    Location:
    San Diego, CA
    Somebody must be really, really patient to be scanning UDP :D

    That being said - everything points to a certain netblock, so adding a rule to drop 185.200.118.0/24 should stop the chatter in the logs.

    You could always call their NOC - http://www.as9009.net

    which is M247...
     
    Last edited: Jun 20, 2018
  7. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    6,751
    Location:
    UK
    Indeed. I posted the code to do that here. ;)
     
  8. bbunge

    bbunge Very Senior Member

    Joined:
    Aug 11, 2014
    Messages:
    600
    Location:
    Pennsylvania USA
    For now I turned off OpenVPN server. Other attacks as logged by Trendmicro continue. Eight today which is higher than normal.
    Not a friendly place the internet is...

    Sent from my P01M using Tapatalk
     
  9. xtropodx

    xtropodx Regular Contributor

    Joined:
    Aug 5, 2017
    Messages:
    64
    I had a read of this too: https://www.snbforums.com/threads/router-log-am-i-under-attack.27453/

    How can you tell if it's not just port scanning...

    And following looks similar, but if someone could chime in & confirm that'd be great, as it looks suspicious.

    EDIT: forum isn't allowing me to post the stuff from the log, I'm getting a
    "Sorry, you have been blocked" 44bea073e9bb520f" error message :eek:

    EDIT: I've uploaded some of the log into file instead.
    EDIT: nope, even that doesn't want to work :eek::eek:. Selecting a 20kb *.txt file just won't upload.

    Let's try this instead:
    https://www.dropbox.com/s/8z7luuy4e0s0prv/partiallog.txt?dl=0
     
    Last edited: Aug 17, 2018
  10. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    6,751
    Location:
    UK
    What are we meant to be looking at? There's nothing of interest in your log. :confused:

    EDIT: I think I see the confusion. The messages in post #1 relate to attempts to connect to the router's VPN server. The messages in your log are from your router's VPN client. It is deliberately restarting itself because there has been no traffic through the tunnel for the prescribed period of time.
     
    Last edited: Aug 17, 2018
    sfx2000 likes this.
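    The distinction ColinTaylor draws (inbound handshake failures logged by the router's VPN server versus the router's own VPN client restarting) can be checked mechanically. This is an added example, not code from the thread or from the firmware it discusses; it assumes the syslog layout shown in the quoted lines and uses those lines as constructed sample input:

```python
import re
from collections import Counter
from ipaddress import ip_network

# Constructed sample: the server-side lines from the first post and the client-side lines quoted later in the thread.
SAMPLE_LOG = """\
Jun 20 05:06:47 vpnserver1[25324]: 185.200.118.77:52854 TLS: Initial packet from [AF_INET]185.200.118.77:52854 (via [AF_INET]71.50.195.135%eth0), sid=12121212 12121212
Jun 20 05:07:47 vpnserver1[25324]: 185.200.118.77:52854 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jun 20 05:07:47 vpnserver1[25324]: 185.200.118.77:52854 TLS Error: TLS handshake failed
Jun 20 05:07:47 vpnserver1[25324]: 185.200.118.77:52854 SIGUSR1[soft,tls-error] received, client-instance restarting
Aug 17 08:44:11 ovpn-client1[2703]: TCP/UDP: Preserving recently used remote address: [AF_INET]168.1.75.38:1197
Aug 17 08:44:14 ovpn-client1[2703]: OPTIONS IMPORT: --ifconfig/up options modified
"""

LINE_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d (?P<proc>[\w-]+)\[\d+\]: (?P<msg>.*)$")
PEER_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+ (?P<rest>.*)$")


def classify(line):
    """Map one syslog line to (side, peer_ip, event), or None if not OpenVPN.

    side is 'server' for vpnserverN (someone connecting TO the router) and
    'client' for ovpn-clientN (the router's own outbound tunnel, no remote attacker)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    proc, msg = m.group("proc"), m.group("msg")
    if proc.startswith("ovpn-client"):
        return ("client", None, "local-client-event")
    if not proc.startswith("vpnserver"):
        return None
    p = PEER_RE.match(msg)
    if not p:
        return ("server", None, "server-event")
    ip, rest = p.group("ip"), p.group("rest")
    if rest.startswith("TLS Error: TLS handshake failed"):
        return ("server", ip, "inbound-handshake-failed")
    return ("server", ip, "inbound-peer-event")


def inbound_failures_by_subnet(log_text, prefix=24):
    """Count failed inbound TLS handshakes per /prefix of the remote peer."""
    hits = Counter()
    for line in log_text.splitlines():
        c = classify(line)
        if c and c[2] == "inbound-handshake-failed":
            net = ip_network(f"{c[1]}/{prefix}", strict=False)
            hits[str(net)] += 1
    return hits
```

On the sample the only subnet with failed inbound handshakes is 185.200.118.0/24, the same range discussed above, while the ovpn-client lines produce no peer at all.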
  11. coxhaus

    coxhaus Part of the Furniture

    Joined:
    Oct 7, 2010
    Messages:
    2,279
    Location:
    texas
    I would block all of 185.0.0.0/8. I do. It takes me under a minute to block all of 185.0.0.0 with my router.

    A Class A IP address is only 16,000,000 IP addresses.
     
    Last edited: Aug 17, 2018
  12. HowIFix

    HowIFix Guest

    Joined:
    Jul 17, 2018
    Messages:
    261
    I have an Illuminati conspiracy theory, that the creator of the VPNFilter is a router company and the company is the one with the most affected router or the one with fewer affected routers (there are 2) and they blamed X country, because they are enemies of the world and if you ask why they did that, I hope you know the answer.
     
    Last edited: Aug 18, 2018
    Grisu likes this.
  13. xtropodx

    xtropodx Regular Contributor

    Joined:
    Aug 5, 2017
    Messages:
    64
    Well I guess that's just it, I'm not savvy with this stuff & from what it looks like to me,

    Code:
    Aug 17 08:44:11 ovpn-client1[2703]: TCP/UDP: Preserving recently used remote address: [AF_INET]168.1.75.38:1197
    
    Is accessing my router? And then, changing stuff??

    Code:
    Aug 17 08:44:14 ovpn-client1[2703]: OPTIONS IMPORT: --ifconfig/up options modified

    I have no idea. These codes/abbreviations etc. in logs aren't the most user-friendly thing in the world :D.
     
  14. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    6,751
    Location:
    UK
    Did you see the information I added to my post #9? Those messages are from your VPN client connecting to PIA's VPN server.
     
  15. xtropodx

    xtropodx Regular Contributor

    Joined:
    Aug 5, 2017
    Messages:
    64
    Yeah. So basically nothing to worry about then :)
     
  16. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    13,478
    Location:
    San Diego, CA
    I think the biggest frustration with VPNFilter is there is no clear discussion behind the specific mechanisms - most of the vendors have been obtuse about exactly how it works.

    The OEMs might have some information under non-disclosure, but for independent free and open source projects, it's really about just battening down the hatches and praying for the best.
     
  17. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    13,478
    Location:
    San Diego, CA
    It's all context - there's a lot of door knocking out there, mostly these days it's cloud based, and they scan all the time looking for opportunities.

    Common sense dictates certain actions - limit open services exposed to the WAN, use good passwords, and don't use default passwords.
     
  18. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    13,478
    Location:
    San Diego, CA
    TrendMicro cries wolf far too often... not everything is an "attack".

    It's good software, and a great company, but they classify routine things as "danger Will Robinson" and this can be a problem...
     