Anyone catch traffic from this?

[nayr]

the open source firmware alternatives are superior to anything running stock; most power users look for compatible routers and then immediately flash them to dd-wrt/tomato without even setting up the oem firmware.. infact Linksys even makes special models with extra flash storage just for the open source projects (denoted by an L suffix for linux)

hardware wise they are often adequate enough for at least 20Mbit of VPN throughput, which exceeds most people's outbound speeds.. most of these lil embedded computers have crypto acceleration hardware, I benchmarked a Raspbery Pi 2 @ ~40Mbps.. Unless you need some serious speeds it should be more than adequate for most residental video systems unless the hardware is an antique.

 

[CaliGirl]

Thanks nayr. That clears up so much for myself and hopefully many others. I want to switch over to open source firmware for my home router after hearing this. Just to need to find a compatible router to purchase.

40mbps is more then enough. Most consumers would have a hard time pulling 10mbps with their normal uploads speed on cable internet. I have 120mbps download/12mbps upload at home and that feels super fast compared to some set ups and is high end for XFinity home internet.

Dare I ask, but how does an internet provider so easily adjust the speeds for a consumer. Is it as easy as a button on the screen to adjust their download/upload speeds? Are we all capable of fast speeds but they limit them?

 

[nayr]

A bit of googling shows the R7000 is a really good choice for VPN, does ~37Mbps w/OpenVPN (~43Mbps Overclocked)... the RT-ACU66U does over 20Mbps.. they are popular w/the open source distro's.

the older and slower routers can only do about ~5-6Mbps, but even that is plenty for many people's upload speeds.. at least in the US.

and yeah, they just push a new config out to your modem and its got more speed.. unless the modulation techniques change, then new transceivers are needed.. ie, 3G to 4G for Mobiles, DOCSIS for Cable Internet, etc.. many people are hiting ceilings now with there own hardware, Comcast will sell you 100Mbit internet but then people will use routers or wifi that gives em 20Mbit if they are lucky.

 

[BLKMGK]

While having the cameras on a VPN is a good idea you need to make sure they cannot talk out on their own. I know some of you get this but allow me to hammer it home. Port forwarding leaves a window open for someone to climb through from the outside. Allowing the camera itself to beacon out allows the camera itself to phone home and allow someone in. Almost all of us are going to be using a single public IP address for network access with the rest of our computers running on non-routable private IP addresses that require Network Address Translation to talk out. Port forwarding sends traffic from the outside going to a specific port to a specific computer - sort of bypassing the NAT and putting that port on the 'net. By allowing a camera to talk out the camera itself will open a tunnel to whatever address it was programmed to phone home to. This is how much of the malware botnets and rootkits work - since they cannot be directly addressed they're built to phone home! Checking for updates? Yup, that software just phoned home and asked for instructions!

I have a Dahua turret camera I've yet to mount but have been playing with and testing out BI. Digging through it's menus I find that is capable of talking to a Chinese "cloud service", that it was *enabled*, and it had apparently checked in! (rs.lechange.cn) My solution to this has been to setup a firewall rule that blocks the camera's IP address from talking out and a DHCP record that prevents the camera from getting anything but that IP address when it asks for an IP. Ideally I'd have a firewall rule to block the MAC!

VPNs are the way to but man they're a hassle to setup! I had PPTP setup previously on my iPhone and while I know they're less secure it was easier to setup than IPSEC for me - Apple has dropped support and I've changed to a firewall that doesn't allow it (PFsense). I have DDNS setup just fine but my VPN doesn't want to complete the endpoint (okay it's worked before then stopped working...) and even when I was able to complete the endpoint it didn't want me to be able to see machines on my network. It doesn't surprise me at all that folks have trouble setting this stuff up! I'll get it eventually but it's been a painful road with fits and starts...

 

[Lance]

How would you know if you got attacked? Slow internet or what? What bad things could come from it?

 

[CaliGirl]

VPNs are the way to but man they're a hassle to setup! I had PPTP setup previously on my iPhone and while I know they're less secure it was easier to setup than IPSEC for me - Apple has dropped support and I've changed to a firewall that doesn't allow it (PFsense). I have DDNS setup just fine but my VPN doesn't want to complete the endpoint (okay it's worked before then stopped working...) and even when I was able to complete the endpoint it didn't want me to be able to see machines on my network. It doesn't surprise me at all that folks have trouble setting this stuff up! I'll get it eventually but it's been a painful road with fits and starts...

You make really good points about ports that open my eyes.

Open VPN was very hard to set-u,p but after the work is done it is easy. Let me know if you need any help. It is certainly a barrier for people to do it.

With Open VPN and a compatible ASUS router: I was able to install an VPN server for $100 and create a security key. Anyone with that key can load it into their VPN client program. That program still requires a username and passwords as well.

Once it is all setup, you can simply open Open VPN iOS app, then log into your VPN with one click, then access your cameras and network on the local address (192.168.1.20 for example). And same idea on a Mac computer.

It takes 2-3 more steps or about 20secs. longer to access IP cameras on iOS IPhone via VPN vs. port forwarding. The annoying part is remembering to turn it off after so that you don't run all your internet access through the vpn when you are done.

 

[nayr]

It takes 2-3 more steps or about 20secs. longer to access IP cameras on iOS IPhone via VPN vs. port forwarding. The annoying part is remembering to turn it off after so that you don't run all your internet access through the vpn when you are done.

This is actually preferred if your on an unencrypted public WiFi, with the VPN routing all your traffic that means your encrypted and nobody nearby, nor any of the network operators, can snoop on your traffic.. all the'll see is a encrypted bi-directional stream from your device to your VPN Server and nothing else.. also if your at work it keeps your internet activity safe from there eyes (presuming its your device).

It is also possible to define your own routes, so only your LAN Subnet (192.168.1.0/255.255.255.0 for example) goes over VPN and all the other traffic still goes out the default gateway..

I dont have any data limitation, so i just leave the VPN on all the time and have it auto-reconnect.. takes no more steps and no more time, then push notifications work without p2p or open ports.

 

[sumguy]

No need to go through the hassle of VPN.

Just use port-forwarding on your router and set the camera to use some other port other than 80. I watch bots try to hit my residential IP address and beyond a few standard ports (like 80 or 8080) they rarely try anything else. I've operated many cheap web-cams over the past 10 years on port numbers between, say, 83 to 99 and the IoT scanning bots never try those ports. It's too time consuming for them to try every IPv4 address *and* every port combination. To access your camera via browser, just type in your IP address and add colon-port as part of the url. So if you set your camera up on port 85, and the IP address is 1.2.3.4, then you access it with a browser from somewhere else on the web with http://1.2.3.4:85

Also, turn off uPnP on your router. That way, no device you connect to your network will hi-jack port 80 without you knowing about it. Practically all of the multi-camera security recorder boxes (at least the cheap ones for consumer use, Zmodo, etc) will try to have port-80 forwarded to it and that's how many people's CCTV systems become accessible to the internet-at-large.

 

[nayr]

^^ dont be like this guy.. changing the port number does not remove the backdoors and remote exploits that exist in your cameras.. You do get deep port scanned, and any random ports do get found.. its not too time consuming when you have a botnet army of several million devices..

Relying on obscurity for security is for chumps

from a remote host in Europe, this is how long it took to do a full scan of all 65k ports: 191s

# nmap -p- -sS -A dispatch.nayr.net

Starting Nmap 6.00 ( http://nmap.org ) at 2016-10-08 10:11 MDT
Nmap scan report for dispatch.nayr.net (173.164.61.34)
Host is up (0.14s latency).
Not shown: 65530 filtered ports
PORT      STATE  SERVICE VERSION
22/tcp    open   ssh     OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
80/tcp    open   http    nginx 1.6.2
|_http-methods: No Allow or Public header in OPTIONS response (status code 301)
| http-title: 301 Moved Permanently
|_Did not follow redirect to https://dispatch.nayr.net/
443/tcp   open   http    nginx 1.6.2
|_http-methods: No Allow or Public header in OPTIONS response (status code 400)
|_http-title: 400 The plain HTTP request was sent to HTTPS port
| ssl-cert: Subject: commonName=dispatch.nayr.net
| Not valid before: 2016-01-06 00:00:00
|_Not valid after:  2019-01-05 23:59:59
32400/tcp closed unknown
50667/tcp closed unknown
Device type: general purpose|specialized|WAP|media device|storage-misc
Running (JUST GUESSING): Linux 2.6.X|2.4.X|3.X (91%), Crestron 2-Series (89%), Netgear embedded (89%), Western Digital embedded (89%), HP embedded (89%), Linksys Linux 2.4.X|2.6.X (87%)
OS CPE: cpe:/o:linux:kernel:2.6 cpe:/o:crestron:2_series cpe:/o:linux:kernel:2.6.22 cpe:/o:linksys:linux:2.4 cpe:/o:linux:kernel:2.4 cpe:/o:linux:kernel:3 cpe:/o:linux:kernel:2.6.18
Aggressive OS guesses: Linux 2.6.22 - 2.6.36 (91%), Linux 2.6.39 (91%), Crestron XPanel control system (89%), Netgear DG834G WAP or Western Digital WD TV media player (89%), HP P2000 G3 NAS device (89%), OpenWrt Kamikaze 7.09 (Linux 2.6.22) (88%), Linux 2.6.23 - 2.6.38 (87%), Linux 2.6.31 - 2.6.35 (87%), Linux 2.6.9 - 2.6.27 (87%), OpenWrt White Russian 0.9 (Linux 2.4.30) (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 16 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:kernel


TRACEROUTE (using port 50667/tcp)
HOP RTT       ADDRESS
1   0.31 ms   1-14-236-151.static.edis.at (151.236.14.1)
2   1.47 ms   81.20.72.17
3   1.46 ms   be2499.ccr41.ams03.atlas.cogentco.com (130.117.1.149)
4   80.65 ms  ae-5.r23.asbnva02.us.bb.gin.ntt.net (129.250.6.162)
5   85.31 ms  ae-20.r06.asbnva02.us.bb.gin.ntt.net (129.250.2.133)
6   97.89 ms  be2090.ccr21.yyz02.atlas.cogentco.com (154.54.30.205)
7   97.64 ms  be2994.ccr22.cle04.atlas.cogentco.com (154.54.31.233)
8   96.46 ms  be-10114-cr02.56marietta.ga.ibone.comcast.net (68.86.85.10)
9   129.94 ms be-11424-cr02.dallas.tx.ibone.comcast.net (68.86.85.22)
10  100.42 ms be-202-pe04.350ecermak.il.ibone.comcast.net (23.30.206.133)
11  101.91 ms hu-0-5-0-4-cr02.350ecermak.il.ibone.comcast.net (68.86.87.129)
12  142.97 ms ae-0-sur02.aurora.co.denver.comcast.net (162.151.50.34)
13  146.97 ms te-7-0-acr02.aurora.co.denver.comcast.net (68.85.220.242)
14  134.34 ms ae-0-sur02.aurora.co.denver.comcast.net (162.151.50.34)
15  136.27 ms te-7-1-acr02.aurora.co.denver.comcast.net (68.85.220.246)
16  142.10 ms dispatch.nayr.net (173.164.61.34)


OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 191.68 seconds

not to mention many of the command interfaces (ONVIF, PISA, CGI, etc) dont work with the camera software if you put them on non-standard ports, so leave one of them on the same port and you'll be identified as a potential target and given a more through scan.

 

[sumguy]

> dont be like this guy.. changing the port number does not
> remove the backdoors and remote exploits that exist in
> your cameras..

If you have a backdoor or remote exploit *ALREADY* on your camera then it's too late and you need your IT ass kicked.

> You do get deep port scanned, and any random ports
> do get found..

Complete bull crap. I've been watching my router's logs for years (many consumer modem/router/gateway hubs will not log incoming traffic and show you what's coming in or trying to come in, from which IP and on what port, but mine does). The random ports are all above 10k and they're looking for systems that have already been hacked. Or they're looking for legacy TOR or torrent clients that no longer operate on your IP. There are maybe a few dozen "standard" ports below 10k (almost all of them below 5k) and very few under port 100 that get probed.

> its not too time consuming when you have a botnet army
> of several million devices..

Anti-DDos mechanisms run by backbone providers or ISP's will kick in when they see the avalanche of traffic that you will generate if you probe all 65k ports on a given IP and then you repeat that for every IP you scan. And I have *NEVER* seen that. I have *NEVER* seen consecutive port scanning even a few dozen let alone all 65k ports on my IP. I doubt you've seen it either.

> Relying on obscurity for security is for chumps

It's a fact. You put your device on a port other than 80 or 8080 (or 25, 110, 53, 21, etc) and you've just hidden yourself from all bot-scanning, IoT scanning systems that are operating today.

You do that, and you change your device's user-name/pw from the factory default and you've just made your device fully protected in today's bot-scanning internet environment.

> from a remote host in Europe, this is how long it took to do a full
> scan of all 65k ports: 191s

Too long. Repeat that a few billion times. DDoS mechanisms will kick in. It is not an ergonomic scanning method for your average (and even non-average) bot.

A state-sponsored bot operator will probably do that (scan all ports) and will do it to very specific IP CIDR's owned/operated by gov't agencies (DoD, .gov, .mil, etc). All major gov'ts are running bots like this currently against each other. They could give a rat's ass to residential (dsl, cable) IP addresses though.

 

[nayr]

If you have a backdoor or remote exploit *ALREADY* on your camera then it's too late and you need your IT ass kicked.

get prepared to get your ass kicked, because assuming these devices dont come with them out of the box mean its too late.. they are not designed to be exposed to the internet, they dont give a fuck about security.. none of em.

yes the constant auto scans are rarely looking for uncommon ports, but that dont mean that automated deep scanning does not occur just because you never seen it.. you can do it slowly and or distributed among a botnet without triggering alerts on targeted networks likely to be operating the systems your looking to compromise.. if your looking for poorly configured IoT devices to compromise you can focus on residental consumer blocks in areas likely to have high throughput and you just reduced it by several orders of magnitude.. I guess hiding out in the middle of Arkansas might keep you safe for a few years.

Ive had brute force honeypot attempts on non-standard ports before, it dont take much to catch someone's attention or to become targeted.. particularly when you participate in online discussions.. all I have to do is embed an image off my webserver here then correlate your post time with my access and referrer logs and wam, I have your IP address.. then I can do my deep scan since I know you have cameras.

 

[james99]

What good are firmware updates if you purchase a camera through aliexpress? They can't be updated, can they? You are stuck with the version that it is shipped with, right?

 

[nayr]

who cares, they dont patch security issues.. this is not like your self updating windows box or iphone that when an update fails you just reinstall and restore backups.. when a firmware update fails, your options for recovery are minimal if they even exist at all.. all options require high technical skill, much higher than installing windows.

there is no cert response team checking security disclosures against the versions they package up, then backport fixes and release updated firmware in a timely manner like is expected with anything thats been designed to be exposed to the harsh nature of the internet head on.

When they do release firmware its just to fix a critical bug that has nothing to do w/security.

Every single IoT security disclosure Ive witnessed in the last 5 years has contained the terms: contacted vendor, heard no response.. they are all still basically 0-day exploits even years later.. when you agree to licensing terms by simply using it you absolve them of any liability so they have absolutely no incentive to make it secure in the first place.

 

[james99]

who cares, they dont patch security issues.. this is not like your self updating windows box or iphone that when an update fails you just reinstall and restore backups.. when a firmware update fails, your options for recovery are minimal if they even exist at all.. all options require high technical skill, much higher than installing windows.

there is no cert response team checking security disclosures against the versions they package up, then backport fixes and release updated firmware in a timely manner like is expected with anything thats been designed to be exposed to the harsh nature of the internet head on.

When they do release firmware its just to fix a critical bug that has nothing to do w/security.

Every single IoT security disclosure Ive witnessed in the last 5 years has contained the terms: contacted vendor, heard no response.. they are all still basically 0-day exploits even years later.. when you agree to licensing terms by simply using it you absolve them of any liability so they have absolutely no incentive to make it secure in the first place.

Thanks, Nayr. I depend ALOT on your expertise. I think that your comments here are among the top 10 most helpful. Thanks again for clearing that up. Will continue to buy from Ali. LOL.

 

[sumguy]

> but that dont mean that automated deep scanning does
> not occur just because you never seen it..

So-called "automated deep scanning" is just a theoretical concept you invented.

I've never seen it, and you've never admitted to seeing it either.

> you can do it slowly and or distributed among a botnet
> without triggering alerts on targeted networks likely
> to be operating the systems your looking to compromise..

You do it slowly and you'll never finish it. You do it distributed and the target gateway sees a flood of incoming traffic that coincidentally covers a range of ports with no overlap, and you're probably going to make the target router fall over, requiring the owner to power-cycle it and presto - he's got a new dynamic IP and what-ever you learned with your port scan is now useless. I've never seen a coordinated port-hit from individual IP's that add up to a complete port scan. Not even close. I see maybe a dozen hits an hour, and even a month's worth of hits still only focus on maybe a few dozen of the same ports. No effort or intent to scan all 64k ports.

> if your looking for poorly configured IoT devices to
> compromise you can focus on residental consumer blocks
> in areas likely to have high throughput

And you'll still only be hitting them on port 80 and 8080 half the time, the other half will be any one of only a couple-dozen ports.

> and you just reduced it by several orders of magnitude..
> I guess hiding out in the middle of Arkansas might keep
> you safe for a few years.

Bots and bot-operators don't care and by and large they don't even know where any given IP is. They just plug away at IP's to see if they've found an infected system, device, gateway or router they can re-establish control over or if it's something they can take over.

> Ive had brute force honeypot attempts on non-standard ports
> before, it dont take much to catch someone's attention or to
> become targeted..

That sentence contains no information. No idea what your point is.

> particularly when you participate in online discussions..
> all I have to do is embed an image off my webserver here then
> correlate your post time with my access and referrer logs and
> wam, I have your IP address.. then I can do my deep scan
> since I know you have cameras.

Good luck with coordinating that, and picking me off vs everyone else (and bots, search engines, etc) that will follow the same link. But using whois and nslookup I'll be able to see where you and your server are.

 

[nayr]

i just posted up my IP earlier, enjoy.. I dont have to hide like you to remain secure.. my home automation server is running on port 80/443 on the host above.

ooh scanning a couple dozen IP addresses that might have hit that image at the exact same min you made a post.. thats going to take eons I suppose.. what about the admins of this site? you trust them for what reason?

This botnet here was rather unsophisticated, but there are many out there far more complex than this and have proven to be quite a challenge to dismantle.. You dont even have to bother scanning for hosts on port 80, google will do that for you.. but yes the vast majority of automated attacks are simply looking for default configurations; congrats for not being default.. but if you think that makes you secure you just being delusional.

Many Video Surveillance software wont let you define custom ports for backend control and video, yeah you can change the WebUi to another port but if you want your app to work you leave the RTSP stream on 554 and the ONVIF on 9000.. those alone will identify you by response and trigger a further in-depth scan.

Security is not about just not becoming part of an automated botnet, but yes I have seen automated deep scanning of large networks, I am a Cloud Infrastructure Engineer.. I see it all the time, dont take much to become a target.

VPN is not hard, millions of idiots use it every day to check work email without the slightest clue how it works.. if you get a consumer router with a built in VPN Server its often easier to get running than forwarding ports for a total noobie. @CaliGirl never setup an IP Camera or a VPN Server before she came here, and she managed to figure it out, what exactly is your excuse?

 

[rotorwash]

I just saw this come across my desk: https://threatpost.com/when-dvrs-attack-a-post-iot-attack-analysis/121179/

It talks about the vulnerability in the DVR and IP cameras and the backdoor used to gain access. Anyone relying soley on port forward with username/password needs to rethink this strategy.

 

[sumguy]

> I dont have to hide like you to remain secure.

We're all "hiding" when our internet connection is a dynamically-assigned residential IP address.

> my home automation server is running on port 80/443 on the host above.

At home, I operate nothing on port 80 or 443 or any standard port. Right off the bat that makes my situation far more secure that yours.

Bots and other malicious actors know that 99.999% of residential device owners don't have a clue as to how to configure specific port-forwarding so they can access their device from off-site, and the bots know what the standard ports are for these devices (80, 8080, a very few others). So the bots only scan for those very few ports.

> This botnet here was rather unsophisticated, but there are many
> out there far more complex than this and have proven to be quite
> a challenge to dismantle.

You equate the complexity to dismantle a botnet with what the botnet is actually doing, and that's the wrong equation. There is NO comprehensive effort on the part of anyone (black hat or white-hat) to scan all 64k port on all in-use IPv4 addresses. The reason is beyond obvious.

> You dont even have to bother scanning for hosts on port 80
> google will do that for you.

Google does not hit naked IP's on port 80 by IP address and with no page target. I know this because I've been running a corporate web server for 15+ years and I read the logs frequently and web servers are almost universally set to not respond with their working site if you just hit them at their IP address. You need to hit them at their domain. I've never seen google's bots hit my home IP, for example, to see if there's a web server operating there. You hit a working web-server by hitting it's IP address and you'll get "page not found" or "invalid request" or something like that, which for google is useless because there's no content to index when you do that.

> but yes the vast majority of automated attacks are
> simply looking for default configurations; congrats
> for not being default.. but if you think that makes
> you secure you just being delusional.

Truth be told, I've been operating a half-dozen IP cams on alternate ports with the default UN/PW (which usually means no PW) for years and nothing or nobody except me hits them. These cams just send email when they detect motion so I don't interact with them with any apps or shit like that. When I want to talk to them, I'll bring up a browser (like ie6, because it's fast and simple) and contact the camera.

> Many Video Surveillance software wont let you define
> custom ports for backend control and video, yeah you
> can change the WebUi to another port but if you want
> your app to work

Don't care / don't use apps.

Your router can re-map alternate external port numbers (on the WAN side) to standard/fixed ports on the LAN side (if you can't change port numbers on your device). At least with most routers you can do that.

> you leave the RTSP stream on 554 and the ONVIF on 9000
> those alone will identify you by response and trigger
> a further in-depth scan.

So re-map them on the WAN side or don't forward those in the first place.

> Security is not about just not becoming part of an
> automated botnet, but yes I have seen automated deep
> scanning of large networks,

Have you seen a comprehensive scan of all 64k port numbers on a single IP address?

Answer yes or no to that question.

> I am a Cloud Infrastructure Engineer.. I see it all
> the time, dont take much to become a target.

You don't get it. It takes nothing to become a target because every routable IPv4 address IS a target. Bots don't care and generally have no for-knowledge about which IP's they should scan next. They're given a range or a CIDR and they just bang away.

> VPN is not hard, millions of idiots use it every day
> to check work email without the slightest clue how it works

My home mail client checks for pop mail on a non-standard port to my $dayjob server where the router maps the non-standard-port to port 110 on the lan. Simple un/pw is used, no tls or crap like that. The SMTP server is circa 1999 (Post.Office by now defunct Software.com). Great software - it's been running on our NT4 server for the past 17 years.

I'm not swayed at all by new / shiney things or the IT peer pressure that forces others upgrade. Ever here of "The Emperor's New Clothes" ? By the way, I'm reading this forum and posting this on my home PC - Windows 98se with KernelEx, 2 GB ram, and 3.5 TB installed SATA hard drives with a P4-3.5 ghz CPU.

 

[nayr]

I have a static IP Address at home, infact I have a dozen of em... that IP I posted earlier has been mine for over 5 years, and will be mine for another 5 years or more..

My WebServer running only accepts connections w/X509 Authentication, my automation process is not exposed to the internet but Nginx is and its been hardened.. I am far more secured than you hiding behind a random port number.

Oh google dont index IP's do they? Click this: https://www.google.com/search?q=inurl%3A%22ViewerFrame%3FMode%3D%22&start=0&ie=utf-8&oe=utf-8 leme see, first page I spy a result on port 8083, 82, etc.. thats not standard is it?

Have you seen a comprehensive scan of all 64k port numbers on a single IP address?

Yes, all the time.

Windows98? ok everyone take this guy's advice.. he clearly knows wtf he is doing when it comes to technology and internet security.

 

[nayr]

https://github.com/ebux/AVTECH

Impacts: Every Avtech device (IP camera, NVR, DVR) and firmware version.
Disclosed to manufacturer: Over a year ago, with no response