Question About SRM and Security

Hi SynoFans,

Excuse my ignorance, but I'm a first time poster and new to Synology tech. Not 100% sure where to post this, but thanks for any help in advance. Please move to another thread if not applicable.

RT2600AC / SRM 1.2.3-8017 Update 4

I installed ntop-ng (network monitoring) on a Linux box at home to play around with and discovered some of my IPs talking to an unknown IP address. My IP space is 192.168.x.x and the offending IP was 10.254.2.1. After scanning the IP address with nmap, ports 80 (Apache httpd), 443, and 8080 (reported as http-proxy) as well as SIP ports were open. The OS was reported as Google Android 4.1.1. No MAC address was reported back. Scanning my internal SRM GW IF, the results were similar but lacked all the detail, certs, etc.

I ran a traceroute to 10.254.2.1 and got weird results. Why would the traceroutes go 13 hops one day to IPs in (reported) DC / San Jose, CA - then a single hop the next day - then back again? The IPs are 98.124.174.77 (ae1-300.cr0-pao1.ip4.gtt.net) and 154.24.30.33 (be3573.agr21.sjc01.atlas.cogentco.com). Neither of these IPs is known to me, nor do they map back to Synology.

A Wireshark dump revealed certificate handshakes, but I'm no networking whizz and am having issues figuring out what's going on.
So, it appears that someone popped my router and was possibly rerouting traffic through it.

So - my question is, has anyone else experienced this? Am I scanning a part of SRM that is proxying traffic and tracing connections back to systems and supporting services, or have I been popped?

I am not running any external access (no SSH, etc.) at all, so I'm scratching my head as to how they got in. Password is 50+ chars, complex. Any suggestions welcome.

Thanks.
 
Hi MadBrit,

That's a real good question!

Actually 10.0.0.0/8 is defined as a private IP range (see Private network) and as such cannot be routed through the public Internet...

Therefore my expectation would have been that SRM does not forward such traffic to the ISP but drops it...

I suggest opening a ticket with Synology Support. They are usually very helpful. If you do so, please let us know Synology's response.

At least I can confirm that using SRM's traceroute tool with 10.254.2.1 also leaves my router but stops after two hops. I guess my ISP is not forwarding the traffic out of its LAN (as per definition it cannot be routed through the internet anyway). I am using an RT2600ac with SRM 1.2.3-8017 Update 4 as well.

Please note that I'm also not a network expert. If there are network experts, could/should we add some firewall rules to drop traffic from LAN to private IP ranges?

Best Regards,
Roger
 
While 10.0.0.0/8 is a reserved IP range (see here and the link within to RFC 1918) and not routable across the Internet, that doesn't mean that your ISP doesn't use these reserved ranges within its private networks. If the ISP has direct connections to some content providers then these could use reserved ranges too.

As for why the path to a destination may be different from one day to the next: IP routing can take whichever path it likes but will generally take the best path. If there is a problem then the path may pass through a different set of routers to get to the destination. There could have been a problem in the ISP's network that they had to set up a temporary route for while they fixed it.

The SRM router will also have multiple internal IP addresses for its different VPN services (if you are running these). These IPs will be that service's gateway IP between VPN clients and the LAN/WLAN.

As for SRM FW rules ... only add LAN/WLAN/VPN LAN source IP to 'any' for the subnets you are actually using: don't put blanket rules for the whole of RFC 1918 ranges as that could let in your ISP's private traffic.
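As an added example (not from this thread, Synology or ntopng), here is one way to apply fredbert's advice as a check before writing any rule: classify observed flows against the LAN subnets you actually use and flag only peers that sit in an RFC 1918 or other reserved range you never configured. The subnet list and the flow lines are assumed and constructed for the example.

```python
import ipaddress
from typing import List, NamedTuple, Optional

# Subnets this LAN actually uses (assumed for this example). fredbert's point
# is that SRM firewall rules should name these, not the whole of RFC 1918.
LAN_SUBNETS = [ipaddress.ip_network("192.168.1.0/24")]

# Reserved ranges that should not show up as peers unless you put them there.
RESERVED = {
    "RFC 1918 10/8": ipaddress.ip_network("10.0.0.0/8"),
    "RFC 1918 172.16/12": ipaddress.ip_network("172.16.0.0/12"),
    "RFC 1918 192.168/16": ipaddress.ip_network("192.168.0.0/16"),
    "RFC 2544 benchmark 198.18/15": ipaddress.ip_network("198.18.0.0/15"),
}

class Finding(NamedTuple):
    src: str
    dst: str
    label: str

def classify(ip: str) -> Optional[str]:
    """Name the reserved range ip falls in; None for our own LAN or public."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in LAN_SUBNETS):
        return None  # expected: a subnet we actually use
    for label, net in RESERVED.items():
        if addr in net:
            return label
    return None  # public address, outside this check

def unexpected_private_peers(flows: List[str]) -> List[Finding]:
    """One Finding per 'src,dst' flow touching a reserved range we don't use."""
    findings = []
    for line in flows:
        src, dst = (f.strip() for f in line.split(","))
        label = classify(src) or classify(dst)
        if label:
            findings.append(Finding(src, dst, label))
    return findings

# Constructed sample in the shape of a minimal src,dst flow export.
SAMPLE_FLOWS = [
    "192.168.1.20,10.254.2.1",     # the address that started this thread
    "192.168.1.20,203.0.113.5",    # ordinary public peer (TEST-NET-3)
    "192.168.1.30,192.168.1.1",    # LAN to router, expected
    "198.18.72.253,192.168.1.20",  # benchmark range, also not ours
    "192.168.1.40,172.16.5.9",     # an RFC 1918 block we do not use
]
```

Running `unexpected_private_peers(SAMPLE_FLOWS)` yields three findings (the 10.254, 198.18 and 172.16 peers) and nothing for the LAN-to-router or public flows, which is the set you would then investigate or block by specific subnet.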
 
Thanks fredbert,

So I guess we do not have to worry about the requests (unless we do not trust our ISP ;)).

Thanks also for the reminder regarding SRM FW rules for the whole private IP ranges, as I was considering doing this but I realise that I have to take more care to distinguish router and NAS...

Many thanks,
Roger
 
Hey Guys,

Many thanks for taking the time to respond.

My first impression was that the 10.254.1.2 / .3 IPs were for Synology's router services until I did the traceroute. I do use a VPN provider and thought that those systems might be associated with their network. Disconnecting the VPN provider, the systems are still there. My 3rd idea was that it is part of the AT&T Wi-Fi calling capability. Scanning the 10.254.1.0 network identifies 254 hosts, all with the same services (except 1.2 / 1.3). They all run the same OS, OpenWRT services, etc. and all have port 80 open. 1.2 / 1.3 also have 443 open. My thought was a honeynet... but they're on my own network? Also found a route to 198.18.72.253 - another private IP address and again, not mine.

Running Wireshark, these 10.254 IPs are communicating with systems on my 192.168.1.0 network.

I think a neighbor is (at minimum) stealing bandwidth and has a pretty sophisticated setup running. We've had phones and systems hacked, IMSI catchers used as rogue cell towers, etc. over the past few years and I believe this is all part of their counter-surveillance operation to protect their drug trade.

Any suggestions welcome, but at this point I don't get any MAC addresses to block them from my network. IP blocking on the FW doesn't seem to help. Traffic is getting MitM'd, blocked, or rerouted I think.

Whatever they are, these systems shouldn't be there. I realized they're private IPs, which was where my initial concern stemmed from. These addresses shouldn't be routable - and if they're on my network, they're mine to do whatever I want with, right?

I've changed the wifi auth passwords and they're still there. Just don't understand it.

Any suggestions welcome, or perhaps pointing me in another direction. I'm at a loss.
 
Things you can test to see if these connections stop:
  • Disable WLAN: WiFi is not constrained by the physical limits of your property.
  • Reduce the WiFi power.
  • Disable 2.4GHz WiFi: it has a longer range.
  • WPA3 if your devices support it
  • WPAn Enterprise: set up RADIUS Server and have WiFi logins per user (username/password auth) but don't use your admin user account for WiFi login!! Force local users to refresh passwords
  • Exclude non-essential devices from your LAN/WLAN: could these be running additional software?
  • Exclude IoT: placing these on the Guest WiFi with no LAN device access could be a good idea for later too.
If you get some useful information from this lot of tests then you can decide what to do next. Building a Faraday [RF; TEMPEST] cage around your property may be a big task, but then it may be the only solution... but you'll have to have wired ingress/egress for every other electronic device at home!

I notice that my iPhone [iOS13] when connected by USB to the Mac will use the Mac's LAN connection in preference to its own WiFi and the homescreen icon goes to 4G data. When disconnected the iPhone reverts to its WiFi and so does the icon. Many mobile phone networks use the 10.x.x.x network for their phone connections, as many network utility apps will reveal if you have one. It could be that there is some heartbeat, etc., happening down the wrong route?
 
I'm having a similar issue with 10.254.1.2. However, it's poisoning my DNS. It's redirecting facebook.com to 10.254.1.2, which is a defaced website.

I factory reset the router. It no longer poisons my DNS but 10.254.1.2 still brings up a webpage.

Any Ideas?

Thanks,
John
 