So, anyway, a couple of days ago, I decided to hang out a honeypot. This involved logging into my cable modem, to set a DMZ, and then to add a particular IP address into it. This worked just fine, but then I decided to double check what IPs were connected to my modem.
As expected, nearly all the connected devices had an address like 10.1.10.xxx. This was fine, but I was surprised to see a stray address... 30.18.32.173.
By my understanding (and from what I could find on google), nobody other than my provider, Comcast, should be able to connect to my modem from the outside, and yet here was an obvious outsider.
A quick search of who this IP might belong to, revealed that it was a DoD, or military, IP address.
As you might expect, this got my attention, and I started regular monitoring of my modem.
Regular monitoring revealed that there were about six foreign addresses that connected to my two cable modems, some more persistently than others, but, again, by my understanding, no one should connecting, other than Comcast.
I thought, "They must have my password!", so I changed it, and rebooted my modems.
They continue to connect.
I have no way to tell what port, and service, they are connecting to, so I have no idea what they might have been trying to do. This is not a Good Thing (tm).
The obvious answer here is that my modem firmware has been compromised, and I have no way to check that.
This is where is gets nasty.
I called Comcast, to try to get some support.
I first fought my way through the voice activated menus (sucks if you have an Australian accent), and finally got to a human, whose principal task was to sell me an upgrade.
This failed, so he switched me through to tech support.
This guy spoke better English, but after a while came to understand that he had no idea what I was talking about, and switched me through to the next level support.
This guy listened to me, but his response, from which he could not be shifted, was, "We just rent you the modem. Your network security is your responsibility."
I am _perfectly_ happy to make _my_ network secure, but he was immune to my argument that it was his kit, and was actually outside my network.
He basically ignored me.
I still have no understanding of why remote IPs can connect to me, but I'm working on it.
The _really_ interesting thought here is, "If it can happen to me, who else is it happening to?"
If you are a Comcast customer, and want to check, the basic routine is to point your browser at 10.1.10.1, and log in. The default id is "cusadmin", and the default password is "highspeed".
You then go to "Gateway summary", select "Network", and scroll down to select "Connected computers".
If you see any addresses, outside the pattern of your computer addresses, then you have the same issue.
I'm _sure_ there is a perfectly reasonable, legitimate explanation, but I just can't see it yet, and Comcast did crappy tech support.
I would hate to think that the firmware of my modem had been compromised, and that people were monitoring my Internet traffic. That would never happen, right?
Please let me know if you see similar patterns.
The Internet is tricky. Stay safe, folks.
No comments:
Post a Comment