RT AC-3200 (Ai Two way IPS)

[just a has been]

Since upgrading to the latest Asus stock Firmware just before christmas I have noticed that the Two way IPS log is reporting multiple Exploits of Netcore backdoor access and remote script command execution.
From some Google research I thought this problem only applied to netcore products made in china.
My router is a very early model of hardware, were they made in china or am I completely on wrong track with that.
Router settings security scan reports everything green ok and firewall all in place ok
The Ai log reports this many times per day, tried clearing log and rebooting, still same !
Can anyone shed any light on this . My questions are as the security level is marked as high, has this threat been blocked by the Trend Micro Ai software ?. Does this happen to everyone all the time ? Can I do anything about it and do I need to.
I have uploaded screenshot PDF example of what I am getting
Thanks in advance

 

[st3v3n]

Just a has been, we've all graduated from valued IT professionals, to tolerated 'has-beens' after retirement, nice handle

I watch for anything related to the 3200 since it's our favorite model. I'm wondering, have you had any luck investigating, or tracking the location of the source/addresses of the external attacks that are displayed on this list, and are showing up so frequently? What sort of load is your router's CPU and memory exhibiting, or is the router acting sluggish or overheating? Goes without saying (but I'll say it) you probably have your router's firewall on and selected DDOS protection.

As for what these attacks represent, it's just a suggestion, you might look at the Snort blacklist to see if any of the addresses you're seeing are 'bad' addresses and block them in your router. I'm not familiar with the page in your pdf, since we don't use TM, and it looks different in the new official FW. TM seems to impact the performance for us since we run two concurrent OpenVPN tunnels, so we need every CPU cycle we canget. We're well-protected without running TM, so made the sacrifice and turned it off. Depending on where those IPs and potential attacks are from or are going (source/destination), notwithstanding my lack of comprehension looking at your pdf, even if your 3200 was a very early model, most of these units are built over there. If you're running the new USA Asus official FW, the date of manufacture shouldn't matter. The FW will overwrite whatever was on the 4outer previously, to bring it up to latest best specs.

TM is closed source and no one knows how it does what it does, so all one can do is assess what the implications and benefits are, if you like using it. TM seems to work well enough for those who like it, and when we attempted to use it, we had too much of a resource impact on the router, to justify continuing to send all of our traffic and information to a secret company that isn't transparent. It didn't offer us anything we didn't already have. TM doesn't say much and it isn't a 'bad' company. Many people insist TM performs well for them, so it comes down to whatever works for each user's perceived needs and goals. Companies dealing with security have to keep many secrets, but the more they are wiling to talk about the process, protection and benefits in real terms they offer to us when it comes to what they're doing with our data after they have it, the more I'm inclined to trust allowing that access. Every address looked at, swiped or searched from a keyboard, voice recognition on any device you have goes to TM to analyze then back to your router with their interpretation of what it means. That's a huge amount of trust you have to opt-into. It's not a 'trust no one' mentality, but just the same, I'd be more open to trust if we knew know more about how TM secretly analyzes everything we do; it's like having the NSA built into your router. That's only old IT guy paranoia piping up; every secret 'free' service has a cost, but you can never know. End of speculation

Depending on the amount of bandwidth you have, how many devices/computers are on your LAN, and the amount of useful features in your 3200 that you're using, TM can use a great deal of CPU and RAM. If you utilize a good A/V, anti-spyware, anti-malware, anti-ransom security package and regularly scan your systems, if your systems aren't compromised, then your security and your router is probably doing what it's supposed to do. The RT-AC3200 is a very good unit; many folks take a long time before they grasp or become comfortable with how powerful it is, even using with the stock FW. In time you may want to try one of the forks if you need more advanced features.

Not trying to go off the rails from your questions, but since you don't indicate if you're using OpenVPN, most VPN providers have very robust IPS firewalls and A/V in place as part of the service. Both of the VPN services we use are very active in that regard. It makes a huge difference in keeping the 'bad' stuff out of your router and systems. We haven't had any incidents of attacks for a couple of years, like may be registering in the pdf you posted.

The new latest Asus FW from December 2017 supposedly expands the3200's NVRAM to 128kb, other's have tested and confirmed this. Are you able to use multiple OpenVPN clients/configs, and if so, how many OpenVPN configs does your FW make available? Until this new release, the 3200's NVRAM was stuck at 64KB. RMerlin's release reduced the number of OpenVPN clients to only allow 2 tunnels so as not to overload the 64kbs of NVRAM. With the new official Asus FW expanding NVRAM to 128kbs, if you're not using more than one or two OpenVPN tunnels, you should have enough resources to continue using TM if you like it, as long as your router and bandwidth make the router responsive enough for your needs. Didn't intend to inundate you with irrelevant data and hope this helps. Cheers.

 

[st3v3n]

Just a has been, I forgot to ask if you were using any firewall clients on your devices, Cheers

 

[just a has been]

st3v3n, Thanks for taking the time to consider my problem. Perceptive of you to guess I was a retired IT professional but unfortunately not in networks, just took in enough to get by, so not a strong area for me at all !.
Can answer some of your questions and will dig around and look into other things you have mentioned soon.
Do not run any firewall Clients.
As for the location/source of the inrusions they vary, ip locations such as, Warsaw. New Jersey, South African Cape, Paris and so on, looking up the MAC I am getting things like, Applied Micro Systems Corp and also F5 Networks among others so am guessing it is hiding behind some VPN server ?.
I dont use a VPN all the time but use Cyber Ghost now and then if I feel the need. My router is now under a very light load and it seems to not matter if anything is connected at all. last night left nothing on the router and still got exploits flagged up through the nightevery hour or two with just the router sitting on the WAN/internet doing nothing, allways directed at the Router WAN IP. Explots still happen when only 1 client on Router and connected through Cyberghost VPN.
This problem has only been flagged up because the latest firmware update displays the stats and may have been going on for some time.
I am presuming the stock firmware update available here in the UK is the same as anywhere but it is the latest 19466.
I use every bit of Rouer security that is available such as Firewall and DOS protection. All my clients connect Via WiFi and utilise the MAC address Filter to accept only My clients, all strong passwords Etc.
Dont mind my traffic going through TM if it keeps me safe and not had any signs yet of anything bad.
Will do more digging around and may even put router back to factory default and try again with latest FW when I get time, not sure if this will delete anything nasty that may have got into the NVram but maybe worth a go, may even try Merlin Firmware ?
Will post anything I find that may be of interest.
Many Thanks

 

[outlaw78]

Having the same issue as well and using Merlin firmware. I checked the source of the IP's on your picture and they are coming from a place called "Digital Ocean". Mine mostly come from Germany, but I did have one that came from a "Digital Ocean" IP as well. I accidentally cleared my Top Client list so I can't see the clients anymore. My topic is posted here.

 

[outlaw78]

What internet provider are you using just_a_has_been if I may ask.

 

[st3v3n]

Just A: With all respect to network experts, my pro days are long-time past; I never wore the honorable network wizard or code monkey hats, and these days try to keep up enough so our LAN/machines stay out of trouble.

Just a guess that you're getting brushed by traffic from everywhere through your ISP when you aren't connected with OpenVPN over CyberGhost. The best solution is to have all of your traffic protected by a good VPN tunnel at all times, any time your system is online. Don't know that your N66 has Cyber Ghost's OpenVPN config installed onto the router. It may slow the N66 down a bit especially with TM running. Some of the brushes TM displays will drive you batty, but if it shows as malicious, it should be assumed to be bad. As doctors say right before surgery, there are no guarantees no matter how hard you try to secure your end, but your odds improve a great deal if you remain connected to a good VPN at all times.

As long as you don't download infected or questionable content, most commercial VPN providers offer OpenVPN configs you can install on an Asus router, will do a good job protecting your traffic. Be sure the VPN provides their own firewall/A-V in their infrastructure. We run an older firewall client on a Win7 host behind the router, but the OpenVPN tunnels on the router handle all we throw at it. The MS firewall works for some, not for others. If you haven't gone to W10, 'Private Firewall' is very decent free solution, light on memory and the OS, and the interface is easy to deal with. A/V, we've had good luck with Avast, but pull all the extras out of it, running a full scan on installation, then leave it in passive mode, restricting it to scanning downloads and manually updating each day. There are a couple of good free spy/malware scanners for windows but was beyond the scope of your question for now.

The gent who runs the following site doesn't play favorites or take VPN money; he's upfront with all of his VPN info; https://thatoneprivacysite.net/

You likely can access most VPN options in Her Majesty's Kingdom, and Cyber Ghost, Torguard, Express, Nord are well thought of. Express, Torguard and Nord may be able to help with video streaming. We like Torguard and LiquidVPN followed by Nord and Express. All things are not equal these days, but a good VPN installed on your router is your best defense to keep the digital forces of darkness getting in. To be clear, the last sentence doesn't include the gov (sigh), since they're inside everyone's fence. The more responsive a VPN is in their replies to your technical queries, means you'll probably get decent customer service, always worth paying a bit more for. I don't know how effective HMA is these days on your side of the pond, but many seem to like it.

A bit off track, re the recent announcement of Meltdown/Spectre exploits (same name as the James Bond flick) grab any mitigation patches your mobile or OS vendor offers, and more will be coming. iOS v11.2.1 has a patch and MS released patches you can download directly from them most Windows variants.

I like Asuswrt-Merlin v380.68 to V380.68_4, on our routers but am holding off for a while on higher versions. V380.68_4 is stable, but with work beginning on integrating most routers with the new Asus code, decide what's best for you. Plenty of information on the v382 threads. Any of these will provide you with good performance and security patches which takes Asus longer to issue.

If you want to dig deeper, there are two possibilites you may want to check out; the AB Soution (ad-blocking) http://www.ab-solution.info/ and the SkyNet firewall add-on https://www.snbforums.com/threads/s...mic-malware-country-manual-ip-blocking.16798/

Couldn't pull up a TMobile link on amazon.com/UK so am not certain it available in UK. The AC66U-B1 is 89 in your funds, and would be the lowest/best performance what of what I'd go for. The AC66 is not as capable as the AC68, but can run any of the forks with OpenVPN client and server. The full-fledged Asus RT-68 is about 40 pounds more and if money isn't the issue, go for it. The link for the US TM-AC1900 refurbished/re certified was $47 USD last week but now is up to $59 USD. If the VAT/import fees and taxes weren't prohibitive, the brand-new US TM-AC1900 is currently $69.00 US, here, https://www.amazon.com/dp/B01MYTAURW/?tag=snbforums-20
Cheers.

 

[just a has been]

oulaw78 I am with Talktalk ISP
Did cross my mind it may be my ISP sending out something but then thought why would the source location jump around all over the Globe.
It would probably be from their servers in UK

 

[st3v3n]

Just, Are you connected on a single DSL type of hookup or in a shared node? Our ISP claims we're isolated from what other subscribers do, but I tend to believe what I see, not what they say. There are times when there's no interference, but when their system is at capacity locally, I can see strange things brushing past if I have the VPN dropped for a very brief time while testing, but I try to avoid doing that. A long time ago, the ISPs said it was impossible for anyone to hack a cable modem, and that was quickly disproved. The more the complex the system, the harder it is for we small fry to secure our ends of it.

 

[bilboSNB]

Interesting, I have the same entries on my AC86U, I also use cyberghost.

 

[just a has been]

Decided to contact Asus Support and reply is below.
From their reply it looks like this is just normal hack attempts that are flagged up by the TM Software so will keep an eye on it but not be as concerned as they seem confident it is all blocked and no backdoor access.
Thanks to all for replies.

Thank you for contacting Asus support

The reports do show it was blocked and there is no backdoor access.

It might be cocerning exploits used previously, but get secured with firmware updates and security patches

So we would advise to periodically check if there are new firmware updates available to ensure all security patches are applied


Kind regards,
Peter S.
Asus Customer Service
Asus Technical Support Site: http://support.asus.com