Standard User Natty
(newbie) Sun 23-Aug-20 11:29:14

Zyxel Security Log Attack?


Hi, I've just noticed in the security log of my Zyxel XMG3927-B50A router that over the past couple of weeks there are alerts for an attack (see link)
(screenshot: security log)

I've reset my router & changed the password, but as you can see these logs still appear. Googling brings up a Zyxel announcement for brute force attacks: Brute force attacks? Zyxel to tighten protection on routers and CPE

My Firewall is set to Medium (Recommended)

This is what I have enabled in Remote Management. I have enabled Ping on WAN to be able to run a TBB monitor.
(screenshot: Remote Management settings)

Vodafone Superfast 2

Zyxel XMG3927-B50A Router

Edited by Natty (Sun 23-Aug-20 22:13:32)

Standard User Michael_Chare
(fountain of knowledge) Sun 23-Aug-20 23:34:07

Re: Zyxel Security Log Attack?


[re: Natty]
Are you not able to configure the router to reject all remote access or perhaps only allow it from a particular subnet?

Michael Chare
Standard User Natty
(newbie) Mon 24-Aug-20 04:02:22

Re: Zyxel Security Log Attack?


[re: Michael_Chare]
It's a pretty high-end router with no end of features I could play with, much of which is beyond my understanding. I only needed the basic features to get it to work. I don't even need to set up port forwarding as I don't torrent or stream online games.

My main priority is: what is that security log reporting? Is it something to be concerned about, or is it mistaking pings for an attack? Having reset the router, so far today that is the only attack log, whereas previously there were frequent log reports every 5 minutes. I'm just a regular home user, I'm not a business, so what is there to gain from attacking my router?


Standard User caffn8me
(eat-sleep-adslguide) Mon 24-Aug-20 09:30:15

Re: Zyxel Security Log Attack?


[re: Natty]
It's probably logging connection attempts against a closed port. This is normal firewall behaviour because it allows administrators to see if there are persistent threats from a particular source and block that from other services which may be open to the outside world.

Edit: in this particular case the log shows a protocol of UDP, a source port of 5121 and a destination port of 4399. Port 5121 is associated with:

https://www.speedguide.net/port.php?port=5121

Are you a gamer? Is UPnP enabled?

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs

Edited by caffn8me (Mon 24-Aug-20 09:39:01)

Standard User BLaZiNgSPEED
(member) Mon 24-Aug-20 11:56:18

Re: Zyxel Security Log Attack?


[re: caffn8me]
Yes, I also believe this to be the case with a blocked port.

If indeed the original poster is a gamer and is playing certain games or using applications that require certain ports, then this can show a false DDoS attack alert.

We can see the log shows 9:58; assuming that's the time you were playing a game or using an application, that led to this alert.

Remember, port forwarding is not only needed for streaming online games. You need to open ports to join online game servers and to host servers from your end. You may get frequent server disconnections and lag issues if your ports are blocked.

This may be what's happening right now. If you don't know how to open ports, you can test by enabling DMZ to have all ports opened temporarily and test whether the alert occurs again. If that resolves it, it would mean the port is unblocked and no longer signalling the attack log. Most likely this is a false positive caused by blocking of ports.
Standard User jabuzzard
(committed) Mon 24-Aug-20 19:40:38

Re: Zyxel Security Log Attack?


[re: Natty]
Nothing to be worried about; you would expect to see this sort of behaviour all the time, by which I mean practically every second of every day. Leastways I do on all the machines I have at work and at home.

In this case it appears to be coming from a cloud provider in the Netherlands. Probably a hacked machine, so you might actually get some traction from their abuse team:

[email protected]

To be fair, the only time I have ever had any success with that is when the IP address was from some sort of incubator business park run by the University where I work. I got a surprise when I ran whois on the IP address, as it was not from our standard class B block so I didn't immediately recognise it. A quick email to our cyber security team and head of networks put a stop to things (to be clear, the probes were on my home router).

Normally this stuff originates from China or Russia, so it's a complete waste of time doing anything. If I was not at a University I would just drop all Chinese and Russian IP addresses at the firewall and make them connect via VPN. However, that won't fly yet. Another HPC hack from China, though, and it probably will.
Standard User Natty
(newbie) Tue 25-Aug-20 00:26:07

Re: Zyxel Security Log Attack?


[re: caffn8me]
No, I'm not a gamer. UPnP was enabled, so I have now turned that off. I should also note I use Cloudflare DNS rather than Vodafone's, in case it's relevant.

I've contacted Zyxel support with that log; I had many others these past few weeks but I lost them due to resetting my router & forgetting to save them. But so far today there have been no more security logs.


Edited by Natty (Tue 25-Aug-20 03:26:50)

Standard User Natty
(newbie) Tue 25-Aug-20 03:17:27

Re: Zyxel Security Log Attack?


[re: Natty]
I was a bit premature. More logs just came through.

(Edit)
1 Aug 25 08:11:13 kern alert attack kernel: IN=ppp1.3 OUT= MAC= SRC=45.148.121.28 DST=84.64.*.* LEN=432 TOS=0x00 PREC=0x00 TTL=56 ID=0 DF PROTO=UDP SPT=5120 DPT=4399 LEN=412 MARK=0x10000000

# Time Facility Level Category Messages
1 Aug 25 04:48:47 kern alert attack kernel: IN=ppp1.3 OUT= MAC= SRC=45.143.220.66 DST=84.64.*.* LEN=441 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=UDP SPT=5200 DPT=5080 LEN=421 MARK=0x10000000
2 Aug 25 04:48:47 kern alert attack kernel: IN=ppp1.3 OUT= MAC= SRC=45.143.220.66 DST=84.64.*.* LEN=439 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=UDP SPT=5200 DPT=5070 LEN=419 MARK=0x10000000
3 Aug 25 02:07:35 kern alert attack kernel: IN=ppp1.3 OUT= MAC= SRC=87.251.75.124 DST=84.64.*.* LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=123 PROTO=TCP SPT=65533 DPT=3353 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10000000
4 Aug 25 02:07:35 kern alert attack kernel: IN=ppp1.3 OUT= MAC= SRC=87.251.75.124 DST=84.64.*.* LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=123 PROTO=TCP SPT=65533 DPT=3354 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10000000
5 Aug 25 02:07:35 kern alert attack kernel: IN=ppp1.3 OUT= MAC= SRC=87.251.75.124 DST=84.64.*.* LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=123 PROTO=TCP SPT=65533 DPT=3356 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10000000
6 Aug 25 02:07:35 kern alert attack kernel: IN=ppp1.3 OUT= MAC= SRC=87.251.75.124 DST=84.64.*.* LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=123 PROTO=TCP SPT=65533 DPT=3361 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10000000
7 Aug 25 02:07:35 kern alert attack kernel: IN=ppp1.3 OUT= MAC= SRC=87.251.75.124 DST=84.64.*.* LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=123 PROTO=TCP SPT=65533 DPT=3352 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x10000000

(Edit) The first two attacks came via port 5200. Port 5200 details (speedguide.net):

Port(s) Protocol Service Details
5200 tcp,udp targus-getdata TARGUS GetData, Echolink, EchoMac (TCP)

Siemens SpeedStream 5200 with NetPort Software 1.1 allows remote attackers to bypass authentication via an invalid Host header, possibly involving a trailing dot in the hostname.
References: [CVE-2008-6916], [BID-32203]
https://www.speedguide.net/port.php?port=5200

(Edit) It appears Zyxel are no strangers to these botnet attacks. I wonder if other Zyxel router users are experiencing this? Zyxel security advisory for the recent botnet attacks targeting PK5001Z


Edited by Natty (Tue 25-Aug-20 08:46:48)

Standard User caffn8me
(eat-sleep-adslguide) Thu 26-Nov-20 11:50:58

Re: Zyxel Security Log Attack?


[re: Natty]
A long time after the event but....

...mentions of 87.251.75.124 point to a Russian-based scanning network trying to find open ports which can then be exploited.

The 45.143.220.66 IP address is listed as belonging to voniq.eu in the Netherlands, with a map location here:

colombia:~$ whois -h whois.ripe.net 45.143.220.66
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '45.143.220.0 - 45.143.220.255'

% Abuse contact for '45.143.220.0 - 45.143.220.255' is '[email protected]'

inetnum:        45.143.220.0 - 45.143.220.255
netname:        VONIQ-NL-DSRV
descr:          VONIQ SERVER HOSTING LTD
country:        NL
geoloc:         52.6921234 6.1937187
admin-c:        VN3508-RIPE
tech-c:         VN3508-RIPE
org:            ORG-VSHL1-RIPE
status:         ASSIGNED PA
mnt-by:         VONIQ-MNT
remarks:        Send all abuse complaints to [email protected]
created:        2019-10-13T10:27:10Z
last-modified:  2020-09-12T12:16:22Z
source:         RIPE

organisation:   ORG-VSHL1-RIPE
org-name:       VONIQ SERVER HOSTING LTD
org-type:       OTHER
address:        98409 Marty Corner, Borermouth, Seychelles
geoloc:         -4.6574977 55.4540146
abuse-c:        VN3508-RIPE
mnt-ref:        VONIQ-MNT
mnt-by:         VONIQ-MNT
created:        2020-09-12T11:58:29Z
last-modified:  2020-11-05T16:53:39Z
source:         RIPE # Filtered

role:           VONIC NOC
address:        29442 Ronaldo Drive, Stann Creek District, Belize, BZ
abuse-mailbox:  [email protected]
nic-hdl:        VN3508-RIPE
mnt-by:         VONIQ-MNT
created:        2020-09-12T11:54:56Z
last-modified:  2020-09-12T11:58:24Z
source:         RIPE # Filtered

% Information related to '45.143.220.0/24AS213371'

route:          45.143.220.0/24
origin:         AS213371
mnt-by:         VONIQ-MNT
created:        2020-05-18T02:50:33Z
last-modified:  2020-09-12T12:16:44Z
source:         RIPE

% This query was served by the RIPE Database Query Service version 1.98 (HEREFORD)

There isn't a website for voniq.eu and there seems to be no record of the company "VONIQ SERVER HOSTING LTD" existing anywhere, other than as a name attached to IP addresses. You can see that they're trying to hide something, with addresses in Belize and the Seychelles.

If we look at the bottom we see 'origin: AS213371' - this tells us who is responsible for this block of IP addresses and it turns out to be;

aut-num:        AS213371
as-name:        SQUITTER-NETWORKS
org:            ORG-SQTR1-RIPE

role:           SQUITTER NETWORKS
address:        Krzhizhanovskogo Ul., bld. 15/39, appt. 52, Sankt-Peterburg
abuse-mailbox:  [email protected]
nic-hdl:        SN8949-RIPE
mnt-by:         SQUITTER-MNT
created:        2020-04-13T10:51:05Z
last-modified:  2020-04-15T06:26:49Z
source:         RIPE # Filtered

So not very EU at all - it seems to be a grim residential apartment block in St. Petersburg, Russia.

The Russians are actively scanning to try to find a way in but your router is blocking it because the ports are closed - which is good.

I see about 4-5,000 attempted connections overtly from Russia in the course of a week and 6-7,000 from China. The stats for Russia are under-representing the true number because the Russians frequently register their IP addresses in other countries as in the example above.

Sarah

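The whois walk above (inetnum, then the org and role it points to, then the route object for the originating AS) is the same few lookups every time, so it is worth doing mechanically. What follows is an added example, not something from the thread or from RIPE: a parser for the RPSL format the RIPE database returns, resolving the abuse mailbox the way a reporter would, pulling the origin AS from the route object, confirming the queried IP really sits inside the returned inetnum, and collecting the countries and postal-address countries so that a registration that spans several jurisdictions stands out. The sample is re-typed from the output posted above and trimmed; the e-mail addresses in it are hypothetical placeholders (the thread's copies were obfuscated), and the jurisdiction check is a heuristic of this example, not a RIPE rule.

```python
import ipaddress
import re

# Constructed sample: the RIPE output posted in this thread, re-typed and
# trimmed. The abuse addresses are hypothetical placeholders; nothing here
# was fetched live.
SAMPLE_WHOIS = """\
% Information related to '45.143.220.0 - 45.143.220.255'

% Abuse contact for '45.143.220.0 - 45.143.220.255' is 'abuse@voniq.example'

inetnum:        45.143.220.0 - 45.143.220.255
netname:        VONIQ-NL-DSRV
descr:          VONIQ SERVER HOSTING LTD
country:        NL
org:            ORG-VSHL1-RIPE
remarks:        Send all abuse complaints to abuse@voniq.example
source:         RIPE

organisation:   ORG-VSHL1-RIPE
org-name:       VONIQ SERVER HOSTING LTD
address:        98409 Marty Corner, Borermouth, Seychelles
abuse-c:        VN3508-RIPE
source:         RIPE # Filtered

role:           VONIC NOC
address:        29442 Ronaldo Drive, Stann Creek District, Belize, BZ
abuse-mailbox:  abuse@voniq.example
nic-hdl:        VN3508-RIPE
source:         RIPE # Filtered

route:          45.143.220.0/24
origin:         AS213371
source:         RIPE
"""


def parse_rpsl(text):
    """Split RPSL output into objects and server comments. Each object is a
    dict of attribute -> list of values (attributes may repeat); the object's
    class is the first attribute and is kept under '_class'."""
    objects, comments, current = [], [], {}
    for line in text.splitlines():
        if line.startswith("%"):
            comments.append(line[1:].strip())
            continue
        if not line.strip():                # blank line ends an object
            if current:
                objects.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        value = value.split("#", 1)[0].strip()   # drop '# Filtered' trailers
        if not current:
            current = {"_class": [key.strip()]}
        current.setdefault(key.strip(), []).append(value)
    if current:
        objects.append(current)
    return objects, comments


def first(obj, key):
    return obj.get(key, [None])[0]


def abuse_contact(objects, comments):
    """Prefer the server's '% Abuse contact for ...' hint, then the
    abuse-mailbox of the role named by an abuse-c, then any remarks: line."""
    for c in comments:
        m = re.search(r"Abuse contact for '.*' is '([^']+)'", c)
        if m:
            return m.group(1)
    handles = {first(o, "abuse-c") for o in objects if "abuse-c" in o}
    for o in objects:
        if o["_class"][0] == "role" and first(o, "nic-hdl") in handles \
                and "abuse-mailbox" in o:
            return first(o, "abuse-mailbox")
    for o in objects:
        for r in o.get("remarks", []):
            m = re.search(r"[\w.+-]+@[\w.-]+", r)
            if m:
                return m.group(0)
    return None


def origin_asn(objects):
    """Originating AS from the route object, if one was returned."""
    for o in objects:
        if o["_class"][0] == "route" and "origin" in o:
            return first(o, "origin")
    return None


def covering_inetnum(objects, ip):
    """(start, end) of the inetnum that actually contains ip, or None; do not
    trust the range quoted in the query comment without checking."""
    addr = ipaddress.ip_address(ip)
    for o in objects:
        if o["_class"][0] == "inetnum":
            lo, _, hi = first(o, "inetnum").partition("-")
            lo, hi = ipaddress.ip_address(lo.strip()), ipaddress.ip_address(hi.strip())
            if lo <= addr <= hi:
                return str(lo), str(hi)
    return None


def jurisdictions(objects):
    """country: values plus the trailing token of every address: line. More
    than one entry means the allocation, its organisation and its contacts do
    not agree on where they are (a heuristic, not a verdict)."""
    seen = set()
    for o in objects:
        seen.update(o.get("country", []))
        for a in o.get("address", []):
            seen.add(a.rsplit(",", 1)[-1].strip())
    return seen


def summarise(text, ip):
    objects, comments = parse_rpsl(text)
    return {
        "range": covering_inetnum(objects, ip),
        "netname": next((first(o, "netname") for o in objects if "netname" in o), None),
        "abuse": abuse_contact(objects, comments),
        "origin": origin_asn(objects),
        "jurisdictions": sorted(jurisdictions(objects)),
    }


if __name__ == "__main__":
    print(summarise(SAMPLE_WHOIS, "45.143.220.66"))
```

The origin AS is only a handle: a second query for the aut-num (as done above for AS213371) is still needed to see who actually runs the network. The summary is enough to decide whether an abuse report is worth sending and, if the sources are the same handful of sweeps each day, to feed the address block into a firewall drop list instead.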
Standard User camieabz
(sensei) Thu 26-Nov-20 12:59:39

Re: Zyxel Security Log Attack?


[re: caffn8me]
It would seem that GRC's old 'Shields Up' test might still be useful, just to see how your router's ports react to probes, although if WAN ping is enabled it'll always be seen from that 'direction'.