
GUDECO_IT
Aspirant
Mar 27, 2019
Solved

Network flooding from ReadyNAS Pro 6

Hello there!

We are using a ReadyNAS Pro 6 in our company. But today it suddenly decided to go haywire.

It flooded our network with more than 60.000 sessions, all to Chinese IP addresses. Has anyone here experienced a similar problem? We had the same problem a year ago with another Netgear NAS but solved it by just denying internet access for this specific NAS.

 

I tried to analyse the problem we experienced today:

Looking at the firewall logfiles, it started up to 10 unique connections a second to only one IP address (43.227.183.37), which eventually exhausted the NAT ports on our firewall, disconnecting our remote offices and VPN users.

We tried to check the logfiles from the NAS itself but there is no reference about massive network-flooding actions.

Does anyone have any idea what the hell happened there? Keep in mind that the connections were started by the NAS itself which is especially fascinating.
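
Added example (not part of the thread and not NETGEAR code): one way to pull the pattern described in the post above, a single internal host opening many new sessions per second to one external address, out of a firewall log export. The key=value log format, the internal addresses and the ports are assumptions and constructed sample data; only 43.227.183.37 comes from the post.

```python
import re
from collections import Counter, defaultdict

# Assumed key=value firewall log format; adapt the regex to your firewall's export.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) .*?\bsrc=(?P<src>\S+) sport=(?P<sport>\d+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)

def find_flooders(lines, min_peak_per_sec=10):
    """Return {(src, dst): stats} for pairs whose peak new-session rate
    reaches min_peak_per_sec in any one-second bucket."""
    per_second = defaultdict(Counter)   # (src, dst) -> {timestamp: sessions}
    sports = defaultdict(set)           # (src, dst) -> distinct source ports
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                    # skip lines in other formats
        key = (m["src"], m["dst"])
        per_second[key][m["ts"]] += 1   # timestamps have one-second resolution
        sports[key].add(m["sport"])
    report = {}
    for key, buckets in per_second.items():
        peak = max(buckets.values())
        if peak >= min_peak_per_sec:
            report[key] = {
                "peak_per_sec": peak,
                "total_sessions": sum(buckets.values()),
                "nat_ports_used": len(sports[key]),  # each one holds a NAT slot
            }
    return report

def sample_log():
    """Constructed sample: a NAS at 192.168.1.50 (made-up address) opening
    10 sessions/second for 3 seconds, plus one ordinary workstation."""
    lines = []
    for sec in range(3):
        for i in range(10):
            lines.append(
                f"2019-03-27T09:14:{sec:02d} action=accept src=192.168.1.50 "
                f"sport={40000 + sec * 10 + i} dst=43.227.183.37 dport=80"
            )
    lines.append("2019-03-27T09:14:01 action=accept src=192.168.1.20 "
                 "sport=51515 dst=198.51.100.7 dport=443")
    return lines

if __name__ == "__main__":
    for (src, dst), stats in find_flooders(sample_log()).items():
        print(src, "->", dst, stats)
```

Running the same check on a schedule against live firewall logs gives an alert before the NAT table fills, rather than after remote sites drop.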


6 Replies

  • StephenB
    Guru - Experienced User

    What firmware is this NAS running?

    What apps (if any) are running on it?

    Is access to the NAS over the internet allowed?

     

    In general, if the NAS has been compromised then I suggest doing a factory reset, rebuilding the configuration, and then restoring data from backup.

    • GUDECO_IT
      Aspirant

      Thanks for your quick answer.

      The NAS runs firmware version 6.10.0 (RC2)

      Enabled Apps are:

      - Shell in a box (1.0.0)

      - SMB Plus (1.0.8)

      - Tftp Server for Readynas (1.0.3)

       

      The internet access was cut off around 4 hours ago via firewall policy.

      Resetting the device is currently not an option because we first have to move around 3TB of data.

       

      But I just got new intel from my colleague:

      It was not another NAS that made the same problems a year ago, it was this very NAS. And it was reset a year ago. It's almost like a haunted device.

      • StephenB
        Guru - Experienced User

        GUDECO_IT wrote:

         

        It was not another NAS that made the same problems a year ago, ... It's almost like a haunted device.


         

        Shell-in-the-box could be the vector, especially if web access over the internet is possible.  

         
