back to article Plusnet shunts blame for dodgy DNS traffic onto customers' routers

BT-owned telco Plusnet has blamed subscribers who use third-party routers for a rise in hostile DNS traffic that has been crashing its way through the ISP's system. The rebuff came after Sheffield-based Plusnet suffered a nasty outage last Tuesday relating to an unspecified "network error". A Reg reader claimed on Sunday, in …

COMMENTS

This topic is closed for new posts.

M_W
Big Brother

I know it's contentious in a free internet

But if most ISPs have some rudimentary content filtering enabled now as per the govt's requirements, blocking access to specific websites which are deemed 'unsavoury', why aren't they adding rules to block access to these DNS pharming IP addresses?

I know those of us who are IT savvy are smart enough to sort these issues ourselves, but the majority of the populace who have no idea at all about DNS addresses and patching routers probably could do with a bit of hand holding and this wouldn't be heavy handed.

Agreed - it will increase the level of calls to the ISPs due to people's internet connections stopping working, but in some cases what that might do is force people to actually look at their router config or prompt them into seeking assistance to fix the problem?

0
3
Silver badge

Re: I know it's contentious in a free internet

Probably because it would break everything.

If you actually WANT to use a different router to your ISP then you probably need to be allowed to.

It's alarming just how many routers one can find in the internet with open admin logins and for which the name 'admin' and the password '1234' will actually work..

The default should be 'no remote admin allowed' for ALL domestic routers NOT supplied by an ISP.

Or at least even the noddy setup routines supplied by them should ask them to set an admin password and enable remote admin as a direct user choice, not as the default option.

13
0
Anonymous Coward

Re: I know it's contentious in a free internet

"why aren't they adding rules to block access to these DNS pharming IP addresses?"

Because ISPs responding to Simpleton Dave's web filtering demands aren't blocking the sites, they are simply making them invisible. The way that most ISPs seem to have opted to block things is through setting customer cable modems and routers to use the ISP's own "clean" DNS. Change the DNS on the router and that approach doesn't work, just as you can still access a nominally blocked site by typing in the site's IP address to a browser.

There's other ways of blocking traffic, but the Cameronfilter won't stop router hijacking, nor will it stop the tech savvy working around it. But it was never intended to do either.

3
1
Silver badge

Re: I know it's contentious in a free internet

It's alarming just how many routers one can find in the internet with open admin logins and for which the name 'admin' and the password '1234' will actually work..

This only became a problem when ISPs forced/cajoled router makers to allow the possibility of remote logins by your ISP. There should be no management interface of your router on your WAN iface. Ever.

22
1
Anonymous Coward

Re: I know it's contentious in a free internet

"as per the govt's requirements"

No such thing. http://revk.www.me.uk/2014/02/porn-filters-no-it-is-not-law.html

5
0
Bronze badge

Re: I know it's contentious in a free internet

The government's requirements are "filter things well enough that Mumsnet will leave us alone", backed up by the threat of legislation.

6
1
Silver badge

Re: I know it's contentious in a free internet

"There should be no management interface of your router on your WAN iface. Ever."

Careful, "Ever" is a big word.

Sometimes WAN ports are not actually connected to the outside world.

In fact I use simple routers to control traffic in a certain way on WiFi Access points, because it's cheaper than a vlan capable access point and radius server to do the same job. Dollar for dollar, it's cheaper for "price-sensitive" applications. Ironically, the fastest growing IT sector in the work I'm doing now.

Any routers I have that are connected to the outside world have their management interface disabled as one would expect. Your statement would certainly hold true if you said "outside world", but "WAN interface" is a port that may be connected within an intranet which still needs to be manageable. In any case, passwords are never factory defaults, and secure passwords are generated with something like PWGen in all cases.

6
0
Anonymous Coward

Re: I know it's contentious in a free internet

"It's alarming just how many routers one can find in the internet with open admin logins and for which the name 'admin' and the password '1234' will actually work.."

Ah, it's 1234...

Thanks!

0
0
Anonymous Coward

Wan side access to the router

Quote

"changing the administrator password and disabling WAN side access to the router may also prevent this from happening again."

For any manufacturer to ship a device where this is enabled by default in this day and age is simply stupid.

The number of hack attacks my router gets on a daily basis is frankly amazing. The last week saw more than 100,000 attacks (103481 to be exact). I do have a couple of domain names pointing at my IP addy so I shouldn't be too surprised but still...

I wouldn't say that PlusNet is totally innocent here but if their supplied router is not vulnerable to these attacks, they would seem on the surface of it to be doing something right.

2
0

Re: Wan side access to the router

I think "in this day and age" sums up the problem, which is that most of these routers were purchased in another day and age, and haven't been touched since.

3
0
TRT
Silver badge

Re: Wan side access to the router

They supplied Thomson devices. Is that still the case?

0
0
Silver badge
Thumb Up

Re: Wan side access to the router

They supplied Thomson devices. Is that still the case?

No, they supply Technicolor devices now :)

But yeah, it's the boxes you mean. Usually functional, nice CLI but the UIs tend to look a bit too 'Fisher Price' for my tastes :)

0
0
Anonymous Coward

Re: PlusNet supplied devices

I have a Netgear supplied by PlusNet ... for Fibre

0
0
Gav

Re: Wan side access to the router

What I can't fathom is why any home router would ever have a need to provide admin access over WAN.

What possible circumstances would anyone have where they need to reconfigure their home router remotely?

0
0

Found this on a tp link router last night

Funny, Bing was not affected.

Google and Facebook all asked my Chromebook to update Flash,

went to Bing, no issue at all,

couldn't find any useful facts, although it did try to sell me a TP-Link router!

1
0
TRT
Silver badge

Re: Found this on a tp link router last night

Some browsers have built in DNS settings, like Comodo Dragon & IceDragon.

0
0
Silver badge

Re: Found this on a tp link router last night

I actually started using comodo recently. Can't exactly remember why, never even heard of iceDragon before, so I'll give it a look.

I've actually been caught out by this problem a few times in the past, and by I I mean my family and I've had to go through and change settings for them. As a note, Orange routers are terrible, at one point we were having the DNS changed on us almost monthly.

0
0

For me there is a basic question

Why are Plusnet users not using the Plusnet provided routers? Is it because they weren't provided with one, or perhaps the one they had is somewhat ancient and could really have done with a replacement when the owner extended their contract with Plusnet?

Trying to get users to do something more technical than plugging in the router in the first place is a waste of time and money. As the old adage goes "if you want something doing, do it yourself". Perhaps all ISPs should think about their strategy around routers and perhaps look at the cost benefit analysis of doing a user's router replacement every other contract extension. Wouldn't stop the problem but might mitigate it.

0
0

Re: For me there is a basic question

The Thomson routers Plusnet provided were prone to simply seizing and needed rebooting about 2-3 times a day, due to a VOIP scanning issue; a probe for VOIP services would freeze the router.

I discovered this because I had to run up and down two flights of stairs every time it happened, several times a day.

I bought a Cisco router to replace it. Problem still occurred. Most vexed, I turned to Cisco support forums, and discovered the firmware the Cisco router came with suffered from exactly the same problem as the shitty consumer Thomson router.

The crucial difference was *the Cisco router could be patched*. And so all my troubles finished.

1
0
Silver badge

Re: For me there is a basic question

Most likely because ISP supplied routers are all a pile of shite. I never use an ISP supplied router for anything except confirming to them that I have tried another router and the line fault I am reporting is still there.

5
0

Re: For me there is a basic question

'The crucial difference was *the Cisco router could be patched*.'

The supplied Thomson device is actually firmware upgradable, though it's a faff on to do it. I had to flash the stock manufacturer's FW onto mine to allow my firewall to do PPPoE itself. The butchered firmware it came with was truly dire.

0
0
Anonymous Coward

Re: For me there is a basic question

Me, I wasn't provided with one and anyway mine is better than theirs because it has blue flashing lights on top. :-) Also I have changed the admin logon from the ludicrous default of admin/admin. (It's now admin/password.)

A more relevant question might be, why are so many of PlusNet's customers not using PlusNet's DNS? I've been using OpenDNS for over a year because PlusNet's own servers were so frequently slow and unreliable (that's unreliable as in intermittently just not responding to DNS requests, not as in rerouting me to the wrong URL). I'd rather PlusNet invested more in its DNS servers rather than handing out new routers to replace perfectly good boxes.

1
0
Anonymous Coward

Re: For me there is a basic question

Last three routers I've had from on all came with complex passwords for both admin interface and wireless and the wan admin interface was disabled

0
0
Bronze badge

Re: For me there is a basic question

I don't use ISP provided routers either. I have a nice fast one that does all I need. Why would I want to use a provided router? I remember this argument with Sky. I could buy from them a locked down router which had gbit LAN support or the one I already bought and configured myself.

0
0

Re: For me there is a basic question

I swapped the router PN supplied what I started with 'em years ago, for something more capable. They've never tried to update me since, so I've stuck with my own routers, ta. And I don't set DNS at all on the routers, I run my own server in-house which very definitely doesn't have dodgy passwords. In the interests of greening the household's IT infrastructure, it's currently running on a RaspberryPi.

And incidentally, although there does seem to be a bit of opportunistic PN bashing going on here, my own experience over the last few years is that their standards are dropping, more so recently. My last couple of line issues have taken days to sort out, with me doing most of the legwork.

0
0
Meh

Re: For me there is a basic question

I can confirm the Plusnet supplied router is a pile of shite.

At least they do let you change it unlike some ISPs.

3
1
Silver badge
Stop

Re: For me there is a basic question

Why are Plusnet users not using the Plusnet provided routers?

I already had a perfectly capable Billion router (prolly more capable) and didn't fancy reconfiguring everything (I host a couple of servers so need to set up port forwarding). I also didn't want to have to pay £10 p&p (or whatever it was) for my free router.

0
0

Re: For me there is a basic question

When you say a Cisco router, do you mean a Linksys by Cisco router, because I don't know of any issues like that with my big arse enterprise grade cisco router I have?

As for Plusnet, I love them, I get 72/19, use my Cisco 3845 to shift bits and I never have any reliability issues with them.

0
0
AOD

Re: For me there is a basic question

Why are Plusnet users not using the Plusnet provided routers?

Simples, because I wanted something that was more capable and had gigabit ports, oh and would support VPN access and could be easily moved to something like DD-WRT if required.

As for using an ISP's own DNS servers. I stopped doing that years ago when I got my first USB Fujitsu ADSL modem courtesy of Pipex.

In my experience, ISPs' DNS servers were usually a point of failure at the most inopportune times. OpenDNS was/is my preferred choice but YMMV.

The PN router is retained as a backup device and for troubleshooting if my ASUS goes belly up.

For the record, my WAN side access is disabled in addition to WAN side ping responses.

0
0
Bronze badge

Re: For me there is a basic question

I have not had any problems with the Plusnet-supplied router, although it doesn't seem to have any way of manually setting the DNS server. For example, the Google public DNS server. That has been occasionally useful.

I'm getting decent performance with some demanding software, so I am not inclined to replace it. Some of the big-name brands are known to sell models which struggle with the software I use. The wifi may have a little less range than my old hardware.

Plusnet seem to pre-set a reasonable wifi and admin-access password.

I wonder if the problem is people who have moved to Plusnet and chosen not to replace existing hardware. They make the changes to login, but leave the rest unchanged. It's a tempting option; I have a couple of things I still need to change the wifi settings on.

I know enough to be dangerous, but I also have a well-honed streak of paranoia.

0
0
Anonymous Coward

Re: For me there is a basic question

re:- And incidentally, although there does seem to be a bit of opportunistic PN bashing going on here, my own experience over the last few years is that their standards are dropping, more so recently. My last couple of line issues have taken days to sort out, with me doing most of the legwork.

I agree. My CCTV operating via a DDNS router to give me a nominally fixed IP, clapped out on Friday last. When I run a tracert from the US, I get as far as a London Plusnet server, then the trace stops. Plusnet claim all is well! As I'm in Houston for the next 6 weeks, there seems to be nothing I can do apart from look for a different ISP. This is the 4th problem in 3 months. The line is OK as I can phone home, so there is a problem somewhere in their network.

0
0

Well my TP link router is patched to prevent WAN side UPNP access, has WAN admin access disabled and a good random password. I resolved the loss of connectivity by changing the DNS to Google's open servers. I don't know whether Plusnet considers this to be malicious traffic.

0
0
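Added example, not part of any comment in this thread: a Python check for the symptom several posters describe, a DNS resolver setting that is no longer the one you chose. The allowlist (OpenDNS and Google Public DNS, both named in the thread), the sample resolv.conf text and the 203.0.113.53 address are constructed for illustration.

```python
import ipaddress

# Assumption: resolvers this household chose. OpenDNS and Google Public DNS
# are the services named in the thread; replace with your own list.
EXPECTED = {
    "OpenDNS": {"208.67.222.222", "208.67.220.220"},
    "Google Public DNS": {"8.8.8.8", "8.8.4.4"},
}
# LAN-side ranges: a resolver here is normally the router acting as forwarder.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "fc00::/7", "fe80::/10")]


def parse_nameservers(text):
    """Return nameserver entries from resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split(";", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            addr = fields[1].split("%", 1)[0]  # drop IPv6 zone id
            try:
                servers.append(ipaddress.ip_address(addr))
            except ValueError:
                servers.append(fields[1])  # keep bad value so it is reported
    return servers


def classify(server, expected=EXPECTED):
    """Give one verdict per resolver address."""
    if isinstance(server, str):
        return "invalid"
    for name, addrs in expected.items():
        if str(server) in addrs:
            return "expected:" + name
    if server.is_loopback:
        return "local-stub"
    if any(server in net for net in LAN_NETS):
        # The client only sees the router; the upstream DNS that matters is
        # the one on the router's WAN/DHCP page, so check it there.
        return "router-forwarder"
    return "unexpected"


def audit(text, expected=EXPECTED):
    """Map each configured resolver to its verdict."""
    return {str(s): classify(s, expected) for s in parse_nameservers(text)}


# Constructed samples (203.0.113.0/24 is a documentation-only range).
CLEAN = "# set by hand\nnameserver 208.67.222.222\nnameserver 8.8.8.8\n"
CHANGED = "nameserver 203.0.113.53\nnameserver 8.8.8.8\n"
VIA_ROUTER = "nameserver 192.168.1.254\n"

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("changed", CHANGED),
                          ("via router", VIA_ROUTER)):
        print(label, audit(sample))
```

A "router-forwarder" verdict is not a pass: it only means the client cannot see which upstream servers the router itself has been set to use.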
Anonymous Coward

How is this Plusnet's fault?

0
0

Dunno, seems to be bash PN month at the reg.

3
0
Silver badge
Happy

Awwwww!

Yeah, it's weird. They're nice to every other ISP, hardware manufacturer and software company, yet for some inexplicable reason the tone of this article is negative. Clearly there's a vendetta going on.

0
1

http://www.opendns.com/

Just get an account with OpenDNS - free. Includes filtering for nasties too. You choose how nasty rather than the government.

1
0
Silver badge
Thumb Down

Re: http://www.opendns.com/

If PlusNet are anything like their BT masters, then their routers won't allow you to change the DNS server settings, rendering OpenDNS worthless.

0
0

Re: http://www.opendns.com/

and Virgin are the same

for this reason none of them will ever get my business, *I* decide what is safe for my kids not those idiots

0
0

Re: http://www.opendns.com/

I'm with PlusNet. Use my own router. No problem. If that changed, I'd probably leave as their standard router doesn't do enough.

0
0
Bronze badge

I'm not quite clear why Plusnet is being tied in with this.

It's nothing to do with them.

2
0

Re: I'm not quite clear why Plusnet is being tied in with this.

Call me cynical but this could be a prelude to banning own routers and you are forced to accept the shite ISP one that is free but cost £500 for p&p.

1
0
Anonymous Coward

Re: I'm not quite clear why Plusnet is being tied in with this.

Plusnet appear to have a DNS problem which they are blaming on customers' routers. As Plusnet claimed that my 6 year old router was not operating correctly, I went through 2 more new BT routers which also didn't work, before a Netgear (non BT) one did. When I looked at the numbers, the reason the routers didn't work was that the BT line signal was crap. I suspect that Plusnet have a major DNS cock up which no one will admit to. I hate having to turn into a test engineer when I just want to buy a service.

2
1

You can do it... you just need to know your way around a telnet and command line interface.

Still not something that your average punter is willing or capable of doing though.

1
0
WTF?

don't get this - what's it got to do with plusnet?

So, some users of an ISP use badly designed insecure router eh? And that's the ISP's fault how exactly? The article seems to suggest that PlusNet were returning dodgy addresses, because of customers' routers. I don't get this at all. The routers surely didn't actually affect plusnet?

And yes, the routers most ISPs supply are complete bollocks. A friend of mine had his DNS repeatedly modified despite him disabling remote admin and changing his admin password. And that was a Thomson router supplied by TalkTalk!

1
0

This post has been deleted by its author

Anonymous Coward

So the routers are crap so these people go out and buy a new router and configure it to work with PN but apparently are not clever enough to change admin passwords or turn off any WAN admin interface.. But apparently this is PN's fault?

0
0
Silver badge

I had a BT Business customer hit with this last week.

As Plusnet are a part of BT.

It was a TP-Link router but it didn't have the default password active or for that matter any remote admin access.

0
0

Yep, so basically update your router's firmware.

The ISP does this automatically when using their rubbish equipment.

Teach all the techs not to update their firmware

0
0

And they just changed their security - mail received

On 06/03/2014 17:29, support@plus.net wrote:

In order for us to maintain a high level of service, and protect our network against potential attacks, we need to make a change which affects your account.

This change is related to the broadband firewall which all of our customer accounts have access to.

We'll be making a change to block incoming traffic on ports 53, 111, 135, 137, 138, 139, 445, 515, 1080, 1433, 3128, 3306, 6000.

In most cases these ports will already be blocked by your local firewall however in the event of a compromised router, the ports may be unblocked or used in a potential attack.

It is unlikely you will need these inbound ports open; if you do, please visit http://contactus.plus.net and let us know by responding to this support ticket.

There's nothing you need to do, and your connection should continue to work as normal apart from a brief disconnection whilst we make these changes. In the vast majority of cases your router will automatically reconnect. If you experience problems getting reconnected following this maintenance please try a single reboot of your router.

Kind Regards,

Chris Parr

Customer Support

This email has been sent as it contains important information about your service from Plusnet. Please do not reply to this email, as this is an unmonitored address.

PlusNet PLC

Registered Office: The Balance, 2 Pinfold Street, Sheffield, S1 2GU

Registered in England no: 3279013

0
0

Re: And they just changed their security - mail received

I think this is simply a change to the ports blocked by the network level software firewall implemented on the Juniper E-Series access routers when a customer chooses to activate it for their broadband PPP connections and selects the "Low" setting in the "Member Centre" control panel. There's no change if you elect not to use that firewall, or use one of the other settings.

We certainly haven't had any problems with blocked ports running our own recursive resolvers locally.

But we have had problems with randomly sluggish performance despite running our own DNS.

There is more to this story. A relatively small number of compromised 3rd party routers does not explain the recent halting network performance.

PlusNet's own PowerDNS platform frequently performs very badly for a number of reasons, at least partly to do with the load balancing scheme. However, I suspect that something is going on with UDP traffic, or port 53 UDP traffic, more generally within PN's network or peering arrangements at the moment. UDP traffic to Level3 DNS servers has been slow and unreliable, for example.

0
0
