[RT-AC87R] AiProtection Two Way IPS define "Top Client"

Sky

Regular Contributor
Greetings, all! Sky here.

I'm wondering if someone can help me decipher the AiProtection reports from our RT-AC87R's. We run a couple of these on two separate LANS. Most of the report(s) I "get" but one I don't quite understand.
  • What is "Top Client"? It seems to be the "conduit" vs. the originating "source" or the ultimate "destination/victim". It also appears said "conduit" is not necessarily infected in and of itself (see Infected Devices=0 above). Is "conduit" correct?

Here's some background:
  • Small business, geographically diverse
  • RT-AC87R routers on both L-1 and L-2
  • Firewall: both on
  • DoS Protection: both off (slowed throughput too much, no discernible benefit)
  • L-1=LAN 1 (home office - VPN Server)
  • L-2=LAN 2 (remote site - VPN Client)
Attacks all display on the Two-Way IPS tab, which is described as:
"Two-Way Intrusion Prevention System prevents spam or DDoS attacks on any device connected to the network. It also blocks malicious incoming packets to protect the router from network vulnerability attacks. Additionally, it will detect suspicious outgoing packets from an infected device, preventing attacks from botnets."
  • [Infected Device Prevention and Blocking] tab reports -zero- infected devices.
  • [Malicious Sites Blocking] tab occasionally reports for spam junk.
We own the SB6183 modem on L-1, the ISP owns the Cisco modem on L-2. The L-1 ISP took control of all FW for all modems connected to their "plant" a year or two ago, thus I am unable to update or restore the FW on that modem. As I understand it this was a concerted action by ISPs across the USA.

On the AiProtection > Network Protection > [ Two-Way IPS ] tab:
  • The "Top Client" on L-1 is the modem for L-1
  • The "Top Client" on L-2 is the modem for L-1 <<<
  • The "Destination" for all attacks on L-2 is the L-2 ISP-assigned IP address
  • The "Destination" for most attacks on L-1 is the L-1 ISP-assigned IP address
    • L-1 "Destination" exceptions:
      • One (WEB Remote Command Execution via Shell Script -1.a) attacked the modem proper at its LAN-side address 192.168.1.1.
        • The "Source" for that attack, 212.237.044.151, appears to have been taken down.
      • A few were user PW errors trying to connect to the VPN's NAS.
  • The "Source" for L-1/2 vary with some repetition.
    • I ran these down through 25-May to notify ISPs' abuse lines, but got dead air so I quit wasting my time with that.
    • They do follow a pattern:
    1. [EXPLOIT Netcore Router Backdoor Access] (1-to-x times) >
    2. [EXPLOIT Remote Command Execution via Shell Script-2] (1-to-x times) >
    3. [ CVE ].
    • The CVEs have ranged from 2014-2016 and included
      • LAN Backdoor;
      • SSL Heartbeat;
      • NTP DOS;
      • WEB Apache Struts; and
      • WEB Remote Command.
    • The "CVEs" generally originated from the expected places: Brazil, Czech Republic, Singapore, and Ukraine;
    • The "introductory attacks" generally originated from Britain, Netherlands, Scotland, and the USA.
My assumption and understanding:
These attacks have all been thwarted by the RT-AC87R's on L-1 & L-2 via the built-in 2-way IPS.
My question (repeated):
What is "Top Client"? It seems to be the "conduit" vs. the originating "source" or the ultimate "destination/victim". It also appears said "conduit" is not necessarily infected in and of itself (see Infected Devices=0 above). Is "conduit" correct?

Thanks!
I'd say Top Client is the client with the most detected activity.

OE
OE, thanks for the reply. I'm sorry, but I'm still confused. I was thinking the same thing (I think) and AiP is identifying the modem on LAN-1 as the "top client" -- but it's also identifying the same modem as the "Top Client" for LAN-2 after connecting via VPN.

That led me to think the L-1 modem's FW might have been compromised. Unfortunately the only things I can do are (a) restart the modem either remotely or by power-fail cold boot; or (b) ask the ISP to reprovision the modem, but their version of doing that is to do (a) above -- remote order to restart. To my understanding neither of these overwrites the FW with a known-good version.

If Top Client = device with most detected activity that could be because it's the "pipeline/conduit", or because it's compromised, or I suppose maybe just because it's connected to the WAN and bad stuff "floats" by? But if it's not pipeline, then IDK -- maybe the FW is compromised and I'm stuck.
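As an added example (not part of the thread, and not ASUS's own log or export format), here is a Python script that applies OE's reading of "Top Client" (the client with the most detected activity, per LAN) to constructed, simplified detection records, shows which client tops more than one LAN as Sky observed, and checks which sources follow the Netcore > RCE via Shell Script > CVE sequence Sky describes; the record fields, hostnames and IP addresses are assumed.

```python
from collections import Counter, defaultdict, namedtuple

# Simplified record shape (assumed; the real AiProtection export is not shown on the page).
Event = namedtuple("Event", "lan source top_client destination signature")

# Constructed sample events using documentation IP ranges and made-up client labels.
SAMPLE_EVENTS = [
    Event("L-1", "203.0.113.7", "L1-modem", "198.51.100.10", "EXPLOIT Netcore Router Backdoor Access"),
    Event("L-1", "203.0.113.7", "L1-modem", "198.51.100.10", "EXPLOIT Netcore Router Backdoor Access"),
    Event("L-1", "203.0.113.7", "L1-modem", "198.51.100.10", "EXPLOIT Remote Command Execution via Shell Script-2"),
    Event("L-1", "203.0.113.7", "L1-modem", "198.51.100.10", "CVE LAN Backdoor"),
    Event("L-1", "203.0.113.9", "L1-modem", "198.51.100.10", "CVE SSL Heartbeat"),
    Event("L-2", "203.0.113.21", "L1-modem", "198.51.100.20", "EXPLOIT Netcore Router Backdoor Access"),
    Event("L-2", "203.0.113.21", "L1-modem", "198.51.100.20", "EXPLOIT Remote Command Execution via Shell Script-2"),
    Event("L-2", "203.0.113.21", "L2-pc", "198.51.100.20", "CVE WEB Apache Struts"),
]

# The three-stage pattern from the thread; each stage may repeat 1-to-x times before the next.
STAGES = ("EXPLOIT Netcore Router Backdoor Access",
          "EXPLOIT Remote Command Execution via Shell Script-2",
          "CVE")

def top_clients_by_lan(events):
    """Map each LAN to (client, count) for the client with the most detections there."""
    per_lan = defaultdict(Counter)
    for e in events:
        per_lan[e.lan][e.top_client] += 1
    return {lan: counts.most_common(1)[0] for lan, counts in per_lan.items()}

def clients_top_on_multiple_lans(events):
    """Clients that are the Top Client on more than one LAN (Sky's observation)."""
    tops = Counter(client for client, _ in top_clients_by_lan(events).values())
    return {client for client, n in tops.items() if n > 1}

def follows_pattern(signatures):
    """True if the ordered signatures walk through STAGES in order, repeats allowed."""
    stage = -1
    for sig in signatures:
        if stage >= 0 and sig.startswith(STAGES[stage]):
            continue  # another hit of the current stage
        if stage + 1 < len(STAGES) and sig.startswith(STAGES[stage + 1]):
            stage += 1  # advance to the next stage
        else:
            return False  # out of order or an unrelated signature
    return stage == len(STAGES) - 1

def staged_sources(events):
    """Sources whose detections, in record order, follow the full three-stage pattern."""
    by_source = defaultdict(list)
    for e in events:
        by_source[e.source].append(e.signature)
    return [src for src, sigs in by_source.items() if follows_pattern(sigs)]
```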