Trend Micro Two Way IPS Hits

[outlaw78]

Checked my Asus router this morning and found this in its AiProtection section under Two Way IPS. Says they are out of Germany. The hits came in last night but this router has been "up" for days with no other hits.

What would cause this? Is it a bot sniffing out IP's or could an infected device be sending out my IP address? None of the other sections showed any alerts (like an infected device). I changed my external IP address since then.

 

[ColinTaylor]

Same thing reported here.

 

[outlaw78]

Same thing reported here.

Thanks!

 

[outlaw78]

Ok I changed my IP and still getting the "attacks". The mac address it shows under "Top clients", is that the mac of the attacking device? I don't have a device with that MAC address.

 

[outlaw78]

Ok I've been watching this all day, called the cable company and such because of some similarities between logs...

I've captured the top device list this time and the device that is currently listed in the TOP DEVICES list matches a device in the modem event log except for the last two numbers (00:01:5c:95:5A:46 vs 00:01:5C:95:5A:5B) which when searched, 00:01:5c :**:**:** belongs to CADENT (aka ARRIS) which is what my cable modem is. At first I thought it was something my cable provider was trying to "write" to my modem given the security alert and the router is blocking it but they said there is no updates therefor not writing anything to the cable modem. They also said there is no problems in my area (although there has been with the new speed increase)

Am I being the actually attacked or is someone spoofing my IP (or something like that) to gain access elsewhere? I've been reading about how because they are spoofing, DNS packets are being sent back to me or something and they are being rejected (or something like that) which I was reading here https://www.snbforums.com/threads/something-is-leaking-my-dns.30378/.

I know networking basics, but not the technical stuff. Is there something I can do to check/verify what's going on?

My bandwidth doesn't seem to be affected, other than my ping times are significantly higher than normal when I leave my area for speed tests.

 

[degrub]

script kiddies

 

[outlaw78]

You can run an OpenVPN client on router & these exploits & mass scanning activity alerts will stop.

What would you suggest for a VPN Client? I have only looked at ExpressVPN. What's a good one, free to inexpensive? I've never dabbled in VPN so I am completely clueless and would appreciate any advice on which one to use.

Will a VPN slow my connection down? Eg. Ping times, bandwidth, etc...?

 

[Fresh.Batch]

What would you suggest for a VPN Client? I have only looked at ExpressVPN. What's a good one, free to inexpensive? I've never dabbled in VPN so I am completely clueless and would appreciate any advice on which one to use.

Will a VPN slow my connection down? Eg. Ping times, bandwidth, etc...?

I'm new to using an VPN Client on my new router Asus rt-ac86u that i upgraded from an asus rt- n66u.
I've brought an month subscription to test expressvpn out. Without an VPN i was getting speeds of 63/20 mb, when i applied the vpn to my old router n66u i was getting speeds of 3mb download, after doing some research and Merlin's great work, i decided to upgrade my router to the Ac86u. When i applied the vpn to the router i now get speeds of

DOWNLOAD
45.98Mbps

UPLOAD
4.95Mbps

Considering im based in the UK but im connected to an US New Jersey VPN (for Netflix purposes) i think that really good.
I can't fault ExpressVPN , but i've just been made aware of an deal for Torguard 2 years for £38 with an free router, if you're looking around for an VPN service.

I've not notice any slow down on my network everything is running fine.

Setting up the VPN on the router was simple if you're using an Asus router i can help you set up as the set up guide on Expressvpn's website is outdated.

ps. i also got an Trend Micro Two Way IPS Hits alert which was from Germany after analysing the IP address.

 

[outlaw78]

The thing that puzzles me is we, as a household, are pretty good about our network security. Our son spent a lot of time with the grandparents over the holidays and finally came home Friday. That's when the "hits" started happening. I've had the latest beta Merlin firmware installed since the 12th of December with absolutely nothing from 12-12-17 to 1-4-18.

I scanned his phone with malwarebytes and checked the apps manually myself as well. Didn't see anything out of the ordinary. I disconnected his phone from the network and we'll see what happens over the course of this week.

As stated before, I even made the cable modem pull a new IP address and shortly after another hit came in. When the attacks are detected, are they blocked or are they getting through? I would assume they are blocked since the firmware detected what it was.

I was hoping that the Merlin firmware would solve the VPN issue with my router, as I have been reading up on it.

 

[AndyBlak]

I'm so incredibly relieved that I'm not the only one. I found this forum/thread while desperately trying to research this issue, myself. I've had the same sort of experience with my RT-AC5300 since the beginning of this month. I've saved logs and history of all of the attacks, and I've even swapped my ISP modem to get a new MAC address and external IP. That slowed the frequency of the attacks, but I am still getting them. I would be happy to post all of the data that I have, if it's useful/helpful.

 

[outlaw78]

I'm so incredibly relieved that I'm not the only one. I found this forum/thread while desperately trying to research this issue, myself. I've had the same sort of experience with my RT-AC5300 since the beginning of this month. I've saved logs and history of all of the attacks, and I've even swapped my ISP modem to get a new MAC address and external IP. That slowed the frequency of the attacks, but I am still getting them. I would be happy to post all of the data that I have, if it's useful/helpful.

I've determined that I am getting my hits from my DDNS service. I switched from no-ip.org to the asuscomm.com service and they stopped for a few weeks, then boom. They were back. Not near as frequent though. I have even received some NTP denial of service attacks.

My question is though, if the router is detecting them, are they being blocked?

 

[RMerlin]

I've determined that I am getting my hits from my DDNS service. I switched from no-ip.org to the asuscomm.com service and they stopped for a few weeks, then boom. They were back. Not near as frequent though. I have even received some NTP denial of service attacks.

Interesting. That would imply that hackers are able to farm the list of existing no-ip.org subdomains, and use them as targets, unless it's simply that your IP address happens to have changed at about the same time you switched DDNS.

My question is though, if the router is detecting them, are they being blocked?

Yes. And chances are that you aren't susceptible to most of these attacks anyway. I notice a fair amount of attacks on my router that are targeting older vulnerable Asuswrt releases for instance.

This is a case where the IPS provides too much technical information for the average home user to be able to evaluate. Most of what they see reported is just your usual background noise on the Internet of 2018.

What would be more interesting is to know how quickly Trend Micro updates their signature files when new attacks appear in the wild.

 

[outlaw78]

Interesting. That would imply that hackers are able to farm the list of existing no-ip.org subdomains, and use them as targets, unless it's simply that your IP address happens to have changed at about the same time you switched DDNS.

I've done both. Switched IP without switching DDNS subdomain, then did a subdomain switch without IP change. Still got the hits. Then switched IP and subdomain together. The stopped for a few days. Then changed by DDNS provider to asuscomm.com AND changed IP. That's when I got a couple of weeks before the hits started arriving again.

Yes. And chances are that you aren't susceptible to most of these attacks anyway. I notice a fair amount of attacks on my router that are targeting older vulnerable Asuswrt releases for instance.

This is a case where the IPS provides too much technical information for the average home user to be able to evaluate. Most of what they see reported is just your usual background noise on the Internet of 2018.

That's good to know! I figured it was blocking them but just wanted to make sure.

 

[AndyBlak]

I've determined that I am getting my hits from my DDNS service. I switched from no-ip.org to the asuscomm.com service and they stopped for a few weeks, then boom. They were back. Not near as frequent though. I have even received some NTP denial of service attacks.

My question is though, if the router is detecting them, are they being blocked?

I think you may be onto something here. I recently switched my DNS server to Quad9 and OpenDNS. I've reverted to Google's DNS, and have seen a significant drop in the frequency and number of attacks. I am still seeing some, though.

This is a case where the IPS provides too much technical information for the average home user to be able to evaluate. Most of what they see reported is just your usual background noise on the Internet of 2018.

What would be more interesting is to know how quickly Trend Micro updates their signature files when new attacks appear in the wild.

Very valid point here. I've definitely wondered when/how the signature files are updated. I would assume they're stored in NVRAM or /etc/. I suppose using Telnet we could see that info somewhere.

 

[RMerlin]

Very valid point here. I've definitely wondered when/how the signature files are updated. I would assume they're stored in NVRAM or /etc/. I suppose using Telnet we could see that info somewhere.

Signatures are stored in the /jffs/ partition. They don't seem to have a pre-determined release schedule, but your router will check once per day for the availability of new signatures.

 

[AndyBlak]

Signatures are stored in the /jffs/ partition. They don't seem to have a pre-determined release schedule, but your router will check once per day for the availability of new signatures.

Thanks for the info, good sir!

 

[DiGriz]

Where are the logs of these hits located Id like to delete them.

 

[AndyBlak]

Where are the logs of these hits located Id like to delete them.

Try these buttons. Otherwise, it would involve resetting NVRAM info from Telnet.

 

[DiGriz]

Therein lies the rub. That screen is where it locks. I cant do that. I deleted the AiProtect db file.

I Mine crypto and AI thinks its malware, so it had 3000 alerts. Which froze the routers interface.

Was just throwing it out there, as others may encounter this.

 

[RMerlin]

You might want to report it to router_feedback <at> asus dot com.