11-11-2023 09:27 AM
Hello,
I have another router with a firewall connected to a THG3000 Vodafone hub.
My additional firewall detected a UDP port scan attack from an IP address on the Internet.
The THG3000 hub says that the firewall is turned on.
How was this UDP port scan able to get in?
Kind regards Tony
12-11-2023 01:40 PM
Hello @CrimsonLiar and @Cynric
When I looked yesterday morning at the status page of the THG3000, I could see my secondary router and some of the devices connected to it were visible on the LAN of the THG3000.
The setup I have is that the WAN port of my Zyxel NBG7510 is connected to a LAN port on the THG3000.
The NBG7510 does show some things being as NAT, and there is only 1 IP address allocated to the WAN port which says it is using IPoE.
I don't think that it is doing NAT or PAT as would be necessary to go onto the Internet, but just ordinary routing.
I will post a screenshot of the LAND attack log entry later.
- a standard router would probably just process the outermost IP header, so I think it might be fooled if an attacker crafted a special datagram with two IP headers on it.
I might be confused, but this is what I understand to be happening.
Kind regards Tony
12-11-2023 01:55 PM
Hello @CrimsonLiar and @Cynric
Thanks very much for your mails.
Below is a screenshot of what my Zyxel NBG7510 logged as a LAND attack.
I will try to analyse it more later.
Kind regards,
Tony
12-11-2023 03:17 PM
The MAC addresses seem the same as the previous screenshot I posted, i.e. for the Zyxel and Technicolor as the 2 communicating devices.
Kind regards Tony
12-11-2023 03:51 PM
You say the Zyxel is running as a router, but you say you are not double NATing?
However, if devices connected to it are showing on the THG3000's LAN it must be running in access point mode, otherwise the only device the THG3000 should be aware of is the Zyxel itself.
Unless I'm totally misunderstanding.
12-11-2023 04:48 PM
Thanks for your email @Jayach
I will try to capture a screenshot of the THG3000 status screen sometime.
My Zyxel NBG7510 says it is running as a router.
I don't think that double NAT or not is relevant though to why the THG3000 seems to be allowing unsolicited traffic through from the Internet to attack attached devices, especially it seems if UDP is used.
Kind regards Tony
12-11-2023 09:43 PM
@tonygibbs16 UDP is usually enabled because the router is set to allow it, a connected device has requested it, or it's one of the ports the THG3000 will not close. Earlier I pointed out that the source was apparently coming from port 443 and, if my memory is right, that port can't be closed.
If this is still being reported in the logs you may be able to find out if a program is making these requests.