Brute force causing router corruption?

DJFuji

Hey all,

Weird occurrence happened the other day. Was at my desktop when I noticed it started lagging HARD. Checked task manager and noticed logon processes spawning like crazy and sucking up CPU resources. Googled it and realized someone had found my RDP port and was brute forcing it trying to find a way in.

I banned the IP range through my software firewall and then turned off terminal services altogether until I looked further into it.

Then something weird happened. I found out I could only sporadically pull up websites. The actual physical connection seemed solid because Skype and other non-web page services were fine. But every 2 or 3 tries, a website wouldn't resolve, almost as if DNS were being flaky. Pings also couldn't resolve to IPs, so I assumed it was DNS.

So I change to google DNS and the exact same thing happens. Also occurs on my iPad, my laptop, and my phone, so it def wasn't just this machine. Used different DNS servers on 2 diff machines and same thing. Weird.

Called Tier3 tech support with my ISP and the sr tech was basically like "yeah dude good luck with that, I have no f'ing idea either."

Then on a whim, I decided to hard reset my router/cable modem to default settings, even though both of us looked through config and everything seemed to be fine. Amazingly, it worked.

My question is:

a) Did the brute force attack have anything to do with the router malfunction or was it a big coincidence?

b) Is it possible to actually corrupt router software/firmware with a brute force attack? Keep in mind terminal services would boot remote connections after a few bad attempts so it's not like they were hammering hundreds of tries a minute.

Thoughts?
 

seepy83

My initial reaction is that you blocked the attack at the software firewall on your computer, so the router (upstream from your computer) was still busy handling all of the attack traffic and you were basically getting DoS'd because of the volume. You rebooted the router, and all of a sudden your IP address wasn't up anymore and the script/bot that was attacking you moved on to someone else. You should always block attacks as far upstream as possible.

To answer your specific question, I would say yes it's possible that the attack caused a problem in the software of a SOHO router.
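
The advice above to block as far upstream as possible needs a list of what to block. As an added example (not part of the thread), this Python sketch counts failed remote logons per source in a sliding time window and collapses the offenders into ranges that could be given to an upstream firewall. The record format, thresholds, function names and sample addresses are assumptions made for illustration, and it handles IPv4 only.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample: "timestamp source-IP" per failed remote logon
# (documentation address ranges, not data from the thread).
SAMPLE = """\
2013-05-01T20:00:05 203.0.113.17
2013-05-01T20:01:40 203.0.113.80
2013-05-01T20:02:10 203.0.113.17
2013-05-01T20:03:30 192.0.2.44
2013-05-01T20:04:15 203.0.113.80
2013-05-01T20:05:00 203.0.113.17
2013-05-01T20:06:45 198.51.100.9
2013-05-01T20:07:20 203.0.113.80
2013-05-01T20:09:00 198.51.100.9
2013-05-01T20:11:30 198.51.100.9
2013-05-01T21:30:00 192.0.2.44
"""

def parse(text):
    """Yield (datetime, IPv4Address) for each non-empty record line."""
    for line in text.splitlines():
        if line.strip():
            ts, ip = line.split()
            yield datetime.fromisoformat(ts), ip_address(ip)

def noisy_sources(events, threshold=3, window=timedelta(minutes=10)):
    """Return source IPs with >= threshold failures inside any window."""
    recent, flagged = defaultdict(deque), set()
    for ts, ip in sorted(events):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:      # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip)
    return flagged

def block_ranges(ips, prefix=24, min_hosts=2):
    """Use one /prefix range when several flagged hosts share it, else /32."""
    groups = defaultdict(set)
    for ip in ips:
        groups[ip_network(f"{ip}/{prefix}", strict=False)].add(ip)
    out = []
    for net, hosts in groups.items():
        out += [net] if len(hosts) >= min_hosts else [ip_network(f"{h}/32") for h in hosts]
    return sorted(out)

if __name__ == "__main__":
    print([str(n) for n in block_ranges(noisy_sources(parse(SAMPLE)))])
```

An account lockout that slows the attempts down, as described in the first post, means the window has to be wide enough to still catch a source that only tries every few minutes.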
 

DJFuji

Yeah my Time Warner-supplied router doesn't have the ability to block IPs or ranges. I called them and they would not help with blocking the traffic at their level.

I see what you mean about the router having to handle all the incoming traffic because it's being blocked at software level. The weird thing is, after I closed the port on the router, it was still experiencing the quasi-DNS issues (even after multiple soft reboots).

It wasn't until I hard reset it that everything went back to normal.

I guess my last question is whether it would be worth it to buy another (industrial strength) router and use the Time Warner device as a modem only.

In the past, FIOS techs said consumer routers couldn't handle the throughput of fiber/FTTP (15-30 Mbps) and at least one I tested indeed couldn't handle that kind of data. This was 8 years ago, though. Are new routers (especially ones that can use firmware like DD-WRT) able to keep up with today's high-bandwidth connections?
 

VirtualLarry

I had a problem with my DSL line and router(s). I used to run an open hotspot, but someone apparently had started to torrent through it.

Well, I had all unsolicited incoming requests forwarded from my primary router to my secondary. (Open wifi on primary router, protected subnet on secondary).

I couldn't even pull up my secondary router's config pages, the incoming traffic was so bad, after I shut off the primary router's wifi.

So yeah, I could see this happening.
 

Geofram

> In the past, FIOS techs said consumer routers couldn't handle the throughput of fiber/FTTP (15-30 Mbps) and at least one I tested indeed couldn't handle that kind of data. This was 8 years ago, though. Are new routers (especially ones that can use firmware like DD-WRT) able to keep up with today's high-bandwidth connections?

I think most new ones can. You can always use an old computer as a router, as well, and that will certainly handle the traffic without a problem. I use an Intel Atom based PC as my home router, just because of this kind of limitation on many of the SOHO ones.