Plusnet shunts blame for dodgy DNS traffic onto customers' routers

BT-owned telco Plusnet has blamed subscribers who use third-party routers for a rise in hostile DNS traffic that has been crashing its way through the ISP's system. The rebuff came after Sheffield-based Plusnet suffered a nasty outage last Tuesday relating to an unspecified "network error". A Reg reader claimed on Sunday, in …

COMMENTS

This topic is closed for new posts.
  1. M_W
    Big Brother

    I know it's contentious in a free internet

    But if most ISPs have some rudimentary content filtering enabled now as per the govt's requirements, blocking access to specific websites which are deemed 'unsavoury', why aren't they adding rules to block access to these DNS pharming IP addresses?

    I know those of us who are IT savvy are smart enough to sort these issues ourselves, but the majority of the populace who have no idea at all about DNS addresses and patching routers probably could do with a bit of hand holding and this wouldn't be heavy handed.

    Agreed - it will increase the level of calls to the ISPs due to people's internet connections stopping working, but in some cases what that might do is force people to actually look at their router config or prompt them into seeking assistance to fix the problem?

    1. itzman

      Re: I know it's contentious in a free internet

      Probably because it would break everything.

      If you actually WANT to use a different router to your ISP then you probably need to be allowed to.

      It's alarming just how many routers one can find in the internet with open admin logins and for which the name 'admin' and the password '1234' will actually work..

      The default should be 'no remote admin allowed' for ALL domestic routers NOT supplied by an ISP.

      Or at least even the noddy setup routines supplied by them should ask them to set an admin password and enable remote admin as a direct user choice, not as the default option.

      1. Tom 38

        Re: I know it's contentious in a free internet

        "It's alarming just how many routers one can find in the internet with open admin logins and for which the name 'admin' and the password '1234' will actually work.."

        This only became a problem when ISPs forced/cajoled router makers to allow the possibility of remote logins by your ISP. There should be no management interface of your router on your WAN iface. Ever.

        1. John Tserkezis

          Re: I know it's contentious in a free internet

          "There should be no management interface of your router on your WAN iface. Ever."

          Careful, "Ever" is a big word.

          Sometimes WAN ports are not actually connected to the outside world.

          In fact I use simple routers to control traffic in a certain way on WiFi Access points, because it's cheaper than a vlan capable access point and radius server to do the same job. Dollar for dollar, it's cheaper for "price-sensitive" applications. Ironically, the fastest growing IT sector in the work I'm doing now.

          Any routers I have that are connected to the outside world have their management interface disabled as one would expect. Your statement would certainly hold true if you said "outside world", but "WAN interface" is a port that may be connected within an intranet which still needs to be manageable. In any case, passwords are never factory defaults, and secure passwords are generated with something like PWGen in all cases.

      2. Anonymous Coward

        Re: I know it's contentious in a free internet

        "It's alarming just how many routers one can find in the internet with open admin logins and for which the name 'admin' and the password '1234' will actually work.."

        Ah, it's 1234...

        Thanks!

    2. Anonymous Coward

      Re: I know it's contentious in a free internet

      "why aren't they adding rules to block access to these DNS pharming IP addresses?"

      Because ISPs responding to Simpleton Dave's web filtering demands aren't blocking the sites, they are simply making them invisible. The way that most ISPs seem to have opted to block things is through setting customer cable modems and routers to use the ISP's own "clean" DNS. Change the DNS on the router and that approach doesn't work, just as you can still access a nominally blocked site by typing in the site's IP address to a browser.

      There are other ways of blocking traffic, but the Cameronfilter won't stop router hijacking, nor will it stop the tech savvy working around it. But it was never intended to do either.

    3. Anonymous Coward

      Re: I know it's contentious in a free internet

      "as per the govt's requirements"

      No such thing. http://revk.www.me.uk/2014/02/porn-filters-no-it-is-not-law.html

      1. teebie

        Re: I know it's contentious in a free internet

        The government's requirements are "filter things well enough that Mumsnet will leave us alone", backed up by the threat of legislation

  2. Anonymous Coward

    Wan side access to the router

    Quote

    "changing the administrator password and disabling WAN side access to the router may also prevent this from happening again."

    For any manufacturer to ship a device where this is enabled by default in this day and age is simply stupid.

    The number of hack attacks my router gets on a daily basis is frankly amazing. The last week saw more than 100,000 attacks (103481 to be exact). I do have a couple of domain names pointing at my IP addy so I shouldn't be too surprised but still...

    I wouldn't say that PlusNet is totally innocent here but if their supplied router is not vulnerable to these attacks, they would seem on the surface of it to be doing something right.

    1. Dr Who

      Re: Wan side access to the router

      I think "in this day and age" sums up the problem, which is that most of these routers were purchased in another day and age, and haven't been touched since.

    2. TRT Silver badge

      Re: Wan side access to the router

      They supplied Thomson devices. Is that still the case?

      1. AndrueC Silver badge
        Thumb Up

        Re: Wan side access to the router

        "They supplied Thomson devices. Is that still the case?"

        No, they supply Technicolor devices now :)

        But yeah, it's the boxes you mean. Usually functional, nice CLI but the UIs tend to look a bit too 'Fisher Price' for my tastes :)

        1. Anonymous Coward

          Re: PlusNet supplied devices

          I have a Netgear supplied by PlusNet ... for Fibre

    3. Gav

      Re: Wan side access to the router

      What I can't fathom is why any home router would ever have a need to provide admin access over WAN.

      What possible circumstances would anyone have where they need to reconfigure their home router remotely?

  3. James Boag

    Found this on a tp link router last night

    Funny Bing was not affected,

    Google Facebook all asked my chromebook to update flash,

    went to bing no issue at all,

    couldn't find any useful facts, although it did try to sell me a

    tplink router!

    1. TRT Silver badge

      Re: Found this on a tp link router last night

      Some browsers have built in DNS settings, like Comodo Dragon & IceDragon.

      1. wowfood

        Re: Found this on a tp link router last night

        I actually started using comodo recently. Can't exactly remember why, never even heard of iceDragon before, so I'll give it a look.

        I've actually been caught out by this problem a few times in the past, and by "I" I mean my family and I've had to go through and change settings for them. As a note, Orange routers are terrible, at one point we were having the DNS changed on us almost monthly.

  4. Bluenose

    For me there is a basic question

    Why are Plusnet users not using the Plusnet provided routers? Is it because they weren't provided with one, or perhaps the one they had is somewhat ancient and could really have done with a replacement when the owner extended their contract with Plusnet?

    Trying to get users to do something more technical than plugging in the router in the first place is a waste of time and money. As the old adage goes "if you want something doing, do it yourself". Perhaps all ISPs should think about their strategy around routers and perhaps look at the cost benefit analysis of doing a user's router replacement every other contract extension. Wouldn't stop the problem but might mitigate it.

    1. Caspian Prince

      Re: For me there is a basic question

      The Thomson routers Plusnet provided were prone to simply seizing and needed rebooting about 2-3 times a day, due to a VOIP scanning issue; a probe for VOIP services would freeze the router.

      I discovered this because I had to run up and down two flights of stairs every time it happened, several times a day.

      I bought a Cisco router to replace it. Problem still occurred. Most vexed, I turned to Cisco support forums, and discovered the firmware the Cisco router came with suffered from exactly the same problem as the shitty consumer Thomson router.

      The crucial difference was *the Cisco router could be patched*. And so all my troubles finished.

      1. djack

        Re: For me there is a basic question

        'The crucial difference was *the Cisco router could be patched*.'

        The supplied Thomson device is actually firmware upgradable, though it's a faff on to do it. I had to flash the stock manufacturer's FW onto mine to allow my firewall to do PPPoE itself. The butchered firmware it came with was truly dire.

      2. Callam McMillan

        Re: For me there is a basic question

        When you say a Cisco router, do you mean a Linksys by Cisco router, because I don't know of any issues like that with my big arse enterprise grade cisco router I have?

        As for Plusnet, I love them, I get 72/19, use my Cisco 3845 to shift bits and I never have any reliability issues with them.

    2. Irongut

      Re: For me there is a basic question

      Most likely because ISP supplied routers are all a pile of shite. I never use an ISP supplied router for anything except confirming to them that I have tried another router and the line fault I am reporting is still there.

      1. 0laf
        Meh

        Re: For me there is a basic question

        I can confirm the Plusnet supplied router is a pile of shite.

        At least they do let you change it unlike some ISPs.

      2. Dave Bell

        Re: For me there is a basic question

        I have not had any problems with the Plusnet-supplied router, although it doesn't seem to have any way of manually setting the DNS server. For example, the Google public DNS server. That has been occasionally useful.

        I'm getting decent performance with some demanding software, so I am not inclined to replace it. Some of the big-name brands are known to sell models which struggle with the software I use. The wifi may have a little less range than my old hardware.

        Plusnet seem to pre-set a reasonable wifi and admin-access password.

        I wonder if the problem is people who have moved to Plusnet and chosen not to replace existing hardware. They make the changes to login, but leave the rest unchanged. It's a tempting option; I have a couple of things I still need to change the wifi settings on.

        I know enough to be dangerous, but I also have a well-honed streak of paranoia.

    3. Anonymous Coward

      Re: For me there is a basic question

      Me, I wasn't provided with one and anyway mine is better than theirs because it has blue flashing lights on top. :-) Also I have changed the admin logon from the ludicrous default of admin/admin. (It's now admin/password.)

      A more relevant question might be, why are so many of PlusNet's customers not using PlusNet's DNS? I've been using OpenDNS for over a year because PlusNet's own servers were so frequently slow and unreliable (that's unreliable as in intermittently just not responding to DNS requests, not as in rerouting me to the wrong URL). I'd rather PlusNet invested more in its DNS servers rather than handing out new routers to replace perfectly good boxes.

      1. Anonymous Coward

        Re: For me there is a basic question

        Last three routers I've had from on all came with complex passwords for both admin interface and wireless and the wan admin interface was disabled

    4. codejunky Silver badge

      Re: For me there is a basic question

      I don't use ISP provided routers either. I have a nice fast one that does all I need. Why would I want to use a provided router? I remember this argument with Sky. I could buy from them a locked down router which had gbit lan support or the one I already bought and configured myself.

      1. Return To Sender

        Re: For me there is a basic question

        I swapped the router PN supplied what I started with 'em years ago, for something more capable. They've never tried to update me since, so I've stuck with my own routers, ta. And I don't set DNS at all on the routers, I run my own server in-house which very definitely doesn't have dodgy passwords. In the interests of greening the household's IT infrastructure, it's currently running on a RaspberryPi.

        And incidentally, although there does seem to be a bit of opportunistic PN bashing going on here, my own experience over the last few years is that their standards are dropping, more so recently. My last couple of line issues have taken days to sort out, with me doing most of the legwork.

        1. Anonymous Coward

          Re: For me there is a basic question

          re:- And incidentally, although there does seem to be a bit of opportunistic PN bashing going on here, my own experience over the last few years is that their standards are dropping, more so recently. My last couple of line issues have taken days to sort out, with me doing most of the legwork.

          I agree. My cctv operating via a ddns router to give me a nominally fixed ip, clapped out on Friday last. When I run a tracert from the US, I get as far as a London Plusnet server, then the trace stops. Plusnet claim all is well! As I'm in Houston for the next 6 weeks, there seems to be nothing I can do apart from look for a different ISP. This is the 4th problem in 3 months. The line is OK as I can phone home, so there is a problem somewhere in their network.

    5. AndrueC Silver badge
      Stop

      Re: For me there is a basic question

      "Why are Plusnet users not using the Plusnet provided routers?"

      I already had a perfectly capable Billion router (prolly more capable) and didn't fancy reconfiguring everything (I host a couple of servers so need to set up port forwarding). I also didn't want to have to pay £10 p&p (or whatever it was) for my free router.

    6. AOD

      Re: For me there is a basic question

      "Why are Plusnet users not using the Plusnet provided routers?"

      Simples, because I wanted something that was more capable and had gigabit ports, oh and would support VPN access and could be easily moved to something like DD-WRT if required.

      As for using an ISP's own DNS servers. I stopped doing that years ago when I got my first USB Fujitsu ADSL modem courtesy of Pipex.

      In my experience, ISPs' DNS servers were usually a point of failure at the most inopportune times. OpenDNS was/is my preferred choice but YMMV.

      The PN router is retained as a backup device and for troubleshooting if my ASUS goes belly up.

      For the record, my WAN side access is disabled in addition to WAN side ping responses.

  5. AdamK

    Well my TP link router is patched to prevent WAN side UPNP access, has WAN admin access disabled and a good random password. I resolved the loss of connectivity by changing the DNS to Google's open servers. I don't know whether Plusnet considers this to be malicious traffic.

  6. Anonymous Coward

    How is this Plusnet's fault?

    1. djack

      Dunno, seems to be bash PN month at the reg.

      1. sabroni Silver badge
        Happy

        Awwwww!

        Yeah, it's weird. They're nice to every other ISP, hardware manufacturer and software company, yet for some inexplicable reason the tone of this article is negative. Clearly there's a vendetta going on.

  7. AMBxx Silver badge

    http://www.opendns.com/

    Just get an account with OpenDNS - free. Includes filtering for nasties too. You choose how nasty rather than the government.

    1. Lamont Cranston
      Thumb Down

      Re: http://www.opendns.com/

      If PlusNet are anything like their BT masters, then their routers won't allow you to change the DNS server settings, rendering OpenDNS worthless.

      1. Maverick

        Re: http://www.opendns.com/

        and Virgin are the same

        for this reason none of them will ever get my business, *I* decide what is safe for my kids not those idiots

        1. AMBxx Silver badge

          Re: http://www.opendns.com/

          I'm with PlusNet. Use my own router. No problem. If that changed, I'd probably leave as their standard router doesn't do enough.

  8. CAPS LOCK

    I'm not quite clear why Plusnet is being tied in with this.

    It's nothing to do with them.

    1. Anonymous Coward

      Re: I'm not quite clear why Plusnet is being tied in with this.

      Call me cynical but this could be a prelude to banning own routers and you are forced to accept the shite ISP one that is free but cost £500 for p&p.

    2. Anonymous Coward

      Re: I'm not quite clear why Plusnet is being tied in with this.

      Plusnet appear to have a DNS problem which they are blaming on customers' routers. As Plusnet claimed that my 6 year old router was not operating correctly, I went through 2 more new BT routers which also didn't work, before a Netgear (non BT) one did. When I looked at the numbers, the reason the routers didn't work was that the BT line signal was crap. I suspect that Plusnet have a major DNS cock up which no one will admit to. I hate having to turn into a test engineer when I just want to buy a service.

  9. Rustywarrior

    You can do it... you just need to know your way around a telnet and command line interface.

    Still not something that your average punter is willing or capable of doing though.

  10. Anthony Hegedus Silver badge
    WTF?

    don't get this - what's it got to do with plusnet?

    So, some users of an ISP use badly designed insecure routers eh? And that's the ISP's fault how exactly? The article seems to suggest that PlusNet were returning dodgy addresses, because of customers' routers. I don't get this at all. The routers surely didn't actually affect plusnet?

    And yes, the routers most ISPs supply are complete bollocks. A friend of mine had his DNS repeatedly modified despite him disabling remote admin and changing his admin password. And that was a Thomson router supplied by TalkTalk!

  11. This post has been deleted by its author

    1. Anonymous Coward

      So the routers are crap so these people go out and buy a new router and configure it to work with PN but apparently are not clever enough to change admin passwords or turn off any wan admin interface.. But apparently this is PN's fault?

  12. jason 7

    I had a BT Business customer hit with this last week.

    As Plusnet are a part of BT.

    It was a TP-Link router but it didn't have the default password active or for that matter any remote admin access.

  13. txt3rob

    yep so basically update your router's firmware.

    the ISP does this automatically when using their rubbish equipment.

    teach all the techs not to update their firmware

  14. Securitymoose

    And they just changed their security - mail received

    On 06/03/2014 17:29, support@plus.net wrote:

    In order for us to maintain a high level of service, and protect our network against potential attacks, we need to make a change which affects your account.

    This change is related to the broadband firewall which all of our customer accounts have access to.

    We'll be making a change to block incoming traffic on ports 53, 111, 135, 137, 138, 139, 445, 515, 1080, 1433, 3128, 3306, 6000.

    In most cases these ports will already be blocked by your local firewall however in the event of a compromised router, the ports may be unblocked or used in a potential attack.

    It is unlikely you will need these inbound ports open; if you do, please visit http://contactus.plus.net and let us know by responding to this support ticket.

    There's nothing you need to do, and your connection should continue to work as normal apart from a brief disconnection whilst we make these changes. In the vast majority of cases your router will automatically reconnect. If you experience problems getting reconnected following this maintenance please try a single reboot of your router.

    Kind Regards,

    Chris Parr

    Customer Support

    This email has been sent as it contains important information about your service from Plusnet. Please do not reply to this email, as this is an unmonitored address.

    PlusNet PLC

    Registered Office: The Balance, 2 Pinfold Street, Sheffield, S1 2GU

    Registered in England no: 3279013

    1. Pan Handle Door Handle With Care

      Re: And they just changed their security - mail received

      I think this is simply a change to the ports blocked by the network level software firewall implemented on the Juniper E-Series access routers when a customer chooses to activate it for their broadband PPP connections and selects the "Low" setting in the "Member Centre" control panel. There's no change if you elect not to use that firewall, or use one of the other settings.

      We certainly haven't had any problems with blocked ports running our own recursive resolvers locally.

      But we have had problems with randomly sluggish performance despite running our own DNS.

      There is more to this story. A relatively small number of compromised 3rd party routers does not explain the recent halting network performance.

      PlusNet's own PowerDNS platform frequently performs very badly for a number of reasons, at least partly to do with the load balancing scheme. However, I suspect that something is going on with UDP traffic, or port 53 UDP traffic, more generally within PN's network or peering arrangements at the moment. UDP traffic to Level3 DNS servers has been slow and unreliable, for example.

  15. Anonymous Coward

    www.opendns.com and Google DNS.

    And should you have no DNS at all at a given moment (especially when setting a site up, or your neighbour's router... YMMV), try to remember 8.8.8.8 and 4.4.4.4, which are Google's DNS, then you navigate to opendns.com to read their IP and put theirs as secondary. Google is 'not evil', but theirs is surely easier to remember than opendns... and you can sort things out once your side is up, and put any designated DNS, or your ISP DNS since it usually is lag-free, being very close to you.

    Google DNS solves problems in a pinch, until you can retrieve more 'correct' settings. My ISP tends to have frequent DNS failures, for reasons unknown, so I memorized this little gem.

    You're welcome.

  16. Anonymous Coward

    This is the first time plusnet have pissed me off.

    First I haven't been guilty of having any of the problems plusnet talk about with rogue DNS

    Second, the plusnet router, like the Be router is a bag of f*cking shit, it is horrendous, 10 minutes to boot, no Gbe lan, restarts or hangs as much as three times a day, obscure featureless GUI, so those of us with some infrastructure to support will always go to Draytek/Cisco enterprise class devices, and to criticise customers, many of whom just want a reliable connection, and who chose carefully spending £150 or more is a joke, especially as in almost all cases the problems stop, immediately.

    Third, Plusnet DO have a DNS problem, very occasionally DNS lookups will fail, and this is f*ck all to do with having a hacked router, I haven't seen it in a few months, but they did have a dodgy DNS, which exploded with crystal clear clarity a month or so ago, so stop bu**sh*tting, you'll get a lot more respect and a lot more customers, as the service is very good

  17. Securitymoose

    Plusnet continue to blame the customer

    I fail to see how a router configured for dynamic DNS and IP and security protected (the passwords were not default and complex) can be responsible for the hijacking. Is it mere coincidence that Plusnet had put through a 'security' upgrade only a few days before? I would not like to think that this is another of those cover-ups so prevalent in modern services.

    Either way, the reply (see below) I got from the supplier does not give me confidence and I will be certainly looking for an alternative in the near future.

    From Plusnet customer support:

    "Unfortunately we are unable to offer any sort of refund for this. The router is a third party router and as such we bear no responsibility for any vulnerabilities that result from using it.

    If you wish to have one of our routers you can do so in one of the following ways:

    Either paying for the router up front (£40) or agreeing to a new 12 month contract which would make the router free.

    Either way there would be a £5.99 postage and packaging charge which would apply.

    This is exactly the same as when you first took out the service.

    I hope this resolves your query however you can respond to this message if you are still having issues."

    1. Ian P

      Re: Plusnet continue to blame the customer

      (Some) TP-LINK routers can be hacked www.youtube.com/watch?v=wy4n8a3dy0Q
