Modem Router DDOS Vulnerability - help change settings

pjudle_roany
Aspirant

Modem Router DDOS Vulnerability - help change settings

Every day I get an email from my ISP warning that our internet service has been compromised and vulnerable to a DDOS attack. This happens even when we have had no devices attached to our home wifi. I've called my ISP several times and they have suggested that the problem lies with the settings within the router or perhaps in one of its settings. I've checked in my router logs and have seen nothing suspicious at all. 

 

After reading lots of forums etc on the internet, I've changed my LAN IP address range, turned off the guest network and altered my router admin password.  I don't know what else I can do to stop the daily emails and it is driving me crazy. Netgear won't give me any phone support as I bought the router in August 2016 so am past the 90 day free phone support, but the emails from my ISP only started in December. 

 

I only have a couple of iPhones and MacBooks connected to the router. These have all been updated to the latest operating systems and all updates applied. I've also updated the router firmware to V1.0.0.61_1.0.1 and frequently check for more updates but nothing new has shown up. I don't know what else to do.

 

The exact wording in my daily emails is:

 

We recently received an AISI report from the ACMA indicating that a
computer connected to your SkyMesh broadband service has been
compromised and might be infected with malicious software.  The
following details were provided to us:

IP Address:  (It lists the IP address assigned to us by our service provider)
Date: 2017-01-23 04:04:06 UTC (GMT+0)
Type: Vulnerable Service: DDoS Amplifier (DNS)

As a matter of urgency, please check all of your computers for malicious
software and disinfect any that have been compromised and infected.

 

I would be extremely grateful if anyone could help me fix the issue. It is really stressing me out.  I'm to the point of chucking the D6000 router out and going and buying a cheaper (and maybe more stable) one.  It was quite expensive and I bought it on recommendation from the guy in the shop who said it was really good quality.  

 

Many thanks in advance.

Model: D6000|AC750 WiFi Modem Router - 802.11ac Dual Band Gigabit
Message 1 of 16


All Replies
DarrenM
Sr. NETGEAR Moderator

Re: WNDR3700v2 Router Vulnerability

Hello pjudle_roany

 

If you're not seeing anything in the logs of the D6000 then it could be some other device on the network sending these attacks out. Does the email not indicate what type of device may be doing this?

 

DarrenM

Message 2 of 16
pjudle_roany
Aspirant

Re: WNDR3700v2 Router Vulnerability

Hi Darren,

 

Thanks for your reply.

 

The ISP says that they can't see inside the home network to any of the individual devices so can't even tell me if it is an iPhone or a MacBook that they are complaining about. But I've run Malwarebytes on the MacBooks, and MobiShield on the iPhones and they have all come up clear.

 

Besides, I took all our devices off the internet 5 days ago, and have not used any wifi since 28th Jan. I got another email from my ISP today to say that the problem is still there, so I guess it must be the router itself. There doesn't seem to be any other explanation.

 

I'm thinking of taking the router back to where I bought it today and asking for a refund, or maybe exchanging for another brand. I only bought it last August (can't believe Netgear only give 90 days phone support!), so surely the shop will come to the party. It has all been such a waste of time and energy.

 

Thanks

 

 

Message 3 of 16
Jeckyll
Aspirant

Re: Modem Router DDOS Vulnerability - help change settings

I have this issue. My ISP, Skymesh, is obligated to forward emails from ACMA stating that my router is prone to being exploited in DDoS attacks. Exact email message:

SkyMesh participates in the Australian Internet Security Initiative
(AISI) which is a service provided by the Australian Communications and
Media Authority (ACMA) to assist in reducing spam and to improve the
security level of the Australian Internet.

We recently received an AISI report from the ACMA indicating that a
computer connected to your SkyMesh broadband service has been
compromised and might be infected with malicious software.  The
following details were provided to us:

IP Address:  ***.***.***.**
Date: 2017-07-13 00:48:15 UTC (GMT+0)
Type: Vulnerable Service: DDoS Amplifier (DNS)
Message 4 of 16
Jeckyll
Aspirant

Re: Modem Router DDOS Vulnerability - help change settings

Using http://openresolver.com/ I get the result:

Open recursive resolver detected on ***.***.***.**
IP address ***.***.***.** is vulnerable to DNS Amplification attacks.

I once contacted my ISP about this, and they told me to contact you but that they'd never disable my service because of this issue.

Please help Netgear.

 

Model: D6000|AC750 WiFi Modem Router - 802.11ac Dual Band Gigabit
Message 5 of 16
TheEther
Guru

Re: Modem Router DDOS Vulnerability - help change settings

Is ***.***.***.** the IP address assigned to your Netgear modem router?  If yes, then it's a bad sign that http://openresolver.com/ has reported it vulnerable.  Your modem router can be used to launch DDoS attacks.  Worse, if you have a data cap on your service, the attacks will count against it.  It's the ultimate double whammy.

 

There have been other reports that some of Netgear's modem routers have this DNS vulnerability but they were never substantiated.  This is the closest thing to a smoking gun.  You can further test this by running the following command from a Windows, Linux or Mac computer outside your home network.

nslookup google.com ***.***.***.**

If this command succeeds, then the modem router is improperly responding to DNS queries from the Internet.  😞

 

Message 6 of 16
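
An added example, not part of the original post: the outside-the-network check described in the reply above, done as a single UDP query so the flags in the reply can be read directly. It sends a recursion-desired query to port 53 and reports whether the address answers like an open resolver; the function names and result labels are this example's own.

```python
import secrets
import socket
import struct
import sys

def build_query(name, txid=None):
    """DNS A query with RD (recursion desired) set, as nslookup sends."""
    txid = secrets.randbits(16) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify(query, response):
    """Label the reply (or its absence) to `query`; labels are this example's own."""
    if response is None:
        return "no-reply"  # nothing answered on port 53 from outside
    if len(response) < 12:
        return "malformed"
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if txid != struct.unpack("!H", query[:2])[0] or not flags & 0x8000:
        return "malformed"  # not a response to our query
    rcode = flags & 0x000F
    if flags & 0x0080 and rcode == 0 and ancount > 0:
        return "open-resolver"  # RA set and a recursive answer came back
    if rcode == 5:
        return "refused"
    return "replied-no-recursion"

def probe(server_ip, name="google.com", timeout=3.0):
    """Send one query to server_ip:53 over UDP and classify what comes back."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (server_ip, 53))
            response, _ = sock.recvfrom(4096)
        except OSError:  # includes socket.timeout
            response = None
    return classify(query, response)

if __name__ == "__main__":
    # Usage: python3 check_resolver.py <public IP of your own modem router>
    print(probe(sys.argv[1]))
```

Run from a connection outside the home network, "open-resolver" is the condition the AISI report and openresolver.com describe, and "no-reply" means port 53 did not answer from the WAN side.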
pjudle_roany
Aspirant

Re: Modem Router DDOS Vulnerability - help change settings

Hi Jeckyll,

I was also with Skymesh and getting the same emails as you. The Skymesh help person told me that if I ignored their emails that they WOULD eventually suspend my account. I couldn't get any real help from anyone.

 

In the end, I threw the Netgear router out, and bought another brand. The Skymesh emails stopped immediately, and I haven't had any problems since. 

Was an expensive fix, but worth it to stop the stress and anxiety that the Skymesh emails were giving me.

 

Good luck with it. Hope you have better luck than me, but if all else fails, I can recommend chucking your Netgear router away and starting again. 

Message 7 of 16
adee56
Aspirant

Re: Modem Router DDOS Vulnerability - help change settings

I had the same problem. It started with my ISP blocking my internet access when my modem failed their vulnerability test. Netgear support did help and the problem was recently solved by upgrading firmware to V1.0.0.64_1.0.1.  I hope this works for you.

Message 8 of 16
Jeckyll
Aspirant

Re: Modem Router DDOS Vulnerability - help change settings

I'm on firmware V1.0.0.61_1.0.1 - I am still experiencing this issue, so I can't call this post a 'solution'.

What was your router model?

Message 9 of 16
adee56
Aspirant

Re: Modem Router DDOS Vulnerability - help change settings

Hi Jeckyll

My modem is a Netgear D6000-AUS. I loaded firmware version V1.0.0.64_1.0.1 to resolve the vulnerability problem.

Message 10 of 16
Jeckyll
Aspirant

Re: Modem Router DDOS Vulnerability - help change settings

Oh, stupid mistake sorry, I see I upgraded to V1.0.0.61_1.0.1, not V1.0.0.64_1.0.1

Thanks for pointing this out!

Sadly I can't find a download for this firmware version either automatically via the router UI or from Netgear's download centre. Latest version appears to be V1.0.0.64_1.0.1

 

Message 11 of 16

Re: Modem Router DDOS Vulnerability - help change settings

The downloads for the D6000 are here. Unless the D6000-AUS is something special, provided by your ISP, this is probably the place to find firmware.

 

>>>>> D3600 | Product | Support | NETGEAR <<<<<

 

The D3600 and D6000 seem to be the same thing.

 

That shows that you have the latest firmware.

 

Where did you read about V1.0.0.64?

 

Message 12 of 16
adee56
Aspirant

Re: Modem Router DDOS Vulnerability - help change settings

Hi Michael

 

This version info was copied directly from my D6000 modem router configuration page and pasted here:-

 Router Firmware Version
V1.0.0.64_1.0.1

The modem updated and installed the firmware during configuration, I did not download it first, so I don't know where it came from. I have looked for the firmware version V1.0.0.64_1.0.1 at netgear.com but could not find it.

Regarding your question about the D3600 and D6000 modem routers, I don't know if they are the same.

 

I think the D6000-AUS is packaged for Australia. I don't know if there are any internal modifications or if it just comes with sockets and plug packs to suit Australia.

 

Model: D6000|AC750 WiFi Modem Router - 802.11ac Dual Band Gigabit
Message 13 of 16
adee56
Aspirant

Re: Modem Router DDOS Vulnerability - help change settings

Hi Michael

I have found another thread that refers to V1.0.0.64_1.0.1 and D3600. It looks like some users are having problems after installing this firmware version. This version solved the vulnerability problem for me but I might lose my router configuration if I reboot the router. If you do a search using "V1.0.0.64_1.0.1" you might get an answer to your question.

Model: D3600|N600 WiFi Modem Router - 802.11n Dual Band Gigabit
Message 14 of 16

Re: Modem Router DDOS Vulnerability - help change settings


@adee56 wrote:
If you do a search using "V1.0.0.64_1.0.1" you might get an answer to your question.

 


Happy to look at any link you can provide.

 

After all, you have been there before. You already know what my search found.

Message 15 of 16
adee56
Aspirant

Re: Modem Router DDOS Vulnerability - help change settings

Hi Michael

Here is the link:- https://www.netgear.com/search-netgear.aspx?q=V1.0.0.64_1.0.1

The thread is discussing D3600 & firmware V1.0.0.64_1.0.1

Hopefully someone in that thread will be able to help you locate the latest firmware.

Model: D3600|N600 WiFi Modem Router - 802.11n Dual Band Gigabit
Message 16 of 16