New Member
Posts: 4
Registered: ‎05-12-2015
Kudos: 2
Accepted Solution

Incapsula article smearing Ubnt products

Have you guys seen this: https://www.incapsula.com/blog/ddos-botnet-soho-router.html

 

Incapsula is calling Ubnt out on what appears to be an ISP or VAR in Thailand/Brazil using extremely bad practices for making up the majority of a router based botnet...

All Replies
SuperUser
Posts: 16,222
Registered: ‎06-23-2010
Kudos: 5088
Solutions: 76

Re: Incapsula article smearing Ubnt products

Uhhhhh....

" However, further inspection revealed that all units are remotely accessible via HTTP and SSH on their default ports. On top of that, nearly all are configured with vendor-provided default login credentials."

Yeah, that's pretty much how just about every router on the planet operates. Nothing to see here but bad end-user deployments. This could be any router, the Ubiquiti routers just happen to run DD-WRT and allow for easy Linux apps to be loaded.
New Member
Posts: 4
Registered: ‎05-12-2015
Kudos: 2

Re: Incapsula article smearing Ubnt products

I agree it's a whole bunch of bad practices.  My issue is that they're singling out Ubnt.  

 

e.g. look at their resolution advice: "...You can download these user guides to learn how to do so on Ubiquiti routers. If you have other routers you should contact the vendor for the applicable user guide."

 

or their description of the botnet: "What makes this specific DDoS campaign stand out is the botnet from which it’s being launched, one consisting of a large number of SOHO routers, predominantly ARM-based Ubiquiti devices."

 

 

 

SuperUser
Posts: 16,222
Registered: ‎06-23-2010
Kudos: 5088
Solutions: 76

Re: Incapsula article smearing Ubnt products

I agree... my first thought was SkyNet... but even close...
Veteran Member
Posts: 7,703
Registered: ‎04-21-2011
Kudos: 2680
Solutions: 168

Re: Incapsula article smearing Ubnt products

[ Edited ]

I can't see that UBNT would be at any fault for this!  If you see a lot of the Newbie posts on here, regarding people that are installing large WISP networks, and their network skills are shoddy to say the least.  In some countries, they have everything bridged to the customers, with direct Internet addresses on it.  This is another reason our network is "NAT Routed", and the customer has "Private" IP addresses and not Public ones.

 

That is only asking for trouble.  First thing we do is change the ports on our devices when we program them to other port numbers. Port 22 (SSH), is probably the most scanned port in the world. If you do not have Port 22 open, in most cases the bots will keep on going down the IP list. Most will not take time to sit there and scan other ports for SSH use.  (Too many other people have 22 open, and time is of the essence for a Bot)

 

To come out and state that UBNT is responsible for this is very UN-ETHICAL for a publication !

Although it probably won't hurt at all, to insert a "Run Once" script upon initial programming of the device, to have the programmer change the default password to something else?
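
As an added illustration, not part of any post in this thread: a provisioning audit a WISP could run over its own device inventory to flag the combination the quoted Incapsula article describes (management reachable on a public address, default ports, default credentials). The inventory format and field names are hypothetical, and the addresses are constructed sample data.

```python
import ipaddress

# Address space not reachable from the Internet without a NAT mapping:
# RFC 1918 private ranges plus the RFC 6598 carrier-grade NAT range.
NAT_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]
DEFAULT_MGMT_PORTS = {22, 80}  # SSH and HTTP on their default ports

# Constructed inventory; 203.0.113.0/24 is a documentation range standing in
# for public addresses. Field names are hypothetical.
INVENTORY = [
    {"name": "cpe-001", "wan_ip": "203.0.113.10", "wan_mgmt_ports": [22, 80], "default_creds": True},
    {"name": "cpe-002", "wan_ip": "203.0.113.11", "wan_mgmt_ports": [2222], "default_creds": False},
    {"name": "cpe-003", "wan_ip": "10.20.0.5", "wan_mgmt_ports": [22, 80], "default_creds": True},
    {"name": "cpe-004", "wan_ip": "100.64.3.9", "wan_mgmt_ports": [], "default_creds": False},
]

def is_behind_nat(ip):
    """True when the WAN address sits in private or carrier-grade NAT space."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NAT_RANGES)

def audit(device):
    """Return (severity, findings) for one inventory record."""
    findings = []
    public = not is_behind_nat(device["wan_ip"])
    ports = set(device["wan_mgmt_ports"])
    if device["default_creds"]:
        findings.append("default-credentials")
    if ports and public:
        findings.append("wan-management-on-public-ip")
    if ports & DEFAULT_MGMT_PORTS:
        findings.append("management-on-default-port")
    # Public address + WAN management + default login is the botnet-ready case.
    if public and ports and device["default_creds"]:
        severity = "critical"
    elif findings:
        severity = "warning"
    else:
        severity = "ok"
    return severity, findings

def report(inventory):
    return {d["name"]: audit(d) for d in inventory}

if __name__ == "__main__":
    for name, (sev, findings) in report(INVENTORY).items():
        print(f"{name}: {sev} {', '.join(findings) or '-'}")
```
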

New Member
Posts: 4
Registered: ‎05-12-2015
Kudos: 2

Re: Incapsula article smearing Ubnt products


wtm wrote:

To come out and state that UBNT is responsible for this is very UN-ETHICAL for a publication !


My thoughts exactly, if I had to guess... It's probably a WISP or an ISP using ubnt equipment as part of their standard customer rollout; and are configuring their kit like this to make it easy for them to manage.  It's all kind of the wrong way to do it, but short of ubnt reaching out to the WISP/ISP... I'm not sure there's much they can do.

As far as Incapsula biasing their article to cast blame on ubnt, it comes off as clickbaity.  I think ubnt should at least comment on the article... Incapsula is one of the big 3 DDoS mitigation providers, that blog has more reach than it should.

Veteran Member
Posts: 7,703
Registered: ‎04-21-2011
Kudos: 2680
Solutions: 168

Re: Incapsula article smearing Ubnt products

I would go beyond that to say that it is probably a WISP that doesn't know the first thing about how to set up a good network, and is just handing the router to the customer.

Then, because they do not know how to set up or protect their network, they give the router a direct Internet IP address !

BINGO !   You have the next Bot in the chain !

Regular Member
Posts: 502
Registered: ‎02-13-2014
Kudos: 309
Solutions: 13

Re: Incapsula article smearing Ubnt products

[ Edited ]

I disagree on one principle:

 

The majority of home routers on the internet are using the default user/pass EVEN IF they have wireless encryption enabled, and in most cases, it's not a big deal. It's not like it's publicly accessible.

 

A simple AirRouter, if not manually disabled, allows public/WAN access to the user interface, and even if the default credentials were never changed.

 

This is different than most ANY other router operates, where you have to ENABLE remote management manually yourself if you want it, and I imagine that thousands of these devices are in operation outside of any WISP networks just plugged into your average Comcast connection.

 

I think there should be a "if {device} = AirRouter|AirRouterHP then enable [block WAN access]" in the AirOS install.

 

Any professional, including myself, knows to disable this, but with these for sale all over eBay and Amazon with your average home user buying them, it's just asking for trouble.

 

I don't like to bash Ubiquiti, but this really is a horrible default setup, and I've thought so for a long time.

Established Member
Posts: 1,086
Registered: ‎11-16-2010
Kudos: 740
Solutions: 13

Re: Incapsula article smearing Ubnt products

Bah...CoolgleamA

"No Guts, No Glory!"
Veteran Member
Posts: 7,703
Registered: ‎04-21-2011
Kudos: 2680
Solutions: 168

Re: Incapsula article smearing Ubnt products

Need new firmware, to turn off the WAN access as default, and also to have a "Run First" software that makes you change the admin password when you first turn it on!

Highlighted
Ubiquiti Employee
Posts: 7,391
Registered: ‎11-27-2007
Kudos: 4220
Solutions: 167
Contributions: 45

Re: Incapsula article smearing Ubnt products

[ Edited ]

 


bw1 wrote:

I think there should be a "if {device} = AirRouter|AirRouterHP then enable [block WAN access]" in the AirOS install.

 

Any professional, including myself, knows to disable this, but with these for sale all over eBay and Amazon with your average home user buying them, it's just asking for trouble.

 


Hi guys,

The UBNT airRouter is not a traditional SOHO router. These are sold to WISPs & professional integrators that should be responsible for protecting their equipment, not Home users. This "report" was not limited to "SOHO devices", as there were APs, PTP devices, CPEs also vulnerable. UBNT devices are sold with the intention that out of the box they can be easily and mass provisioned for the WISP to deploy to customers. The configuration is 100% up to the WISP.

 

With that said, we did add security improvements in v5.5.2: 

  • Nagging reminder that the user is still using default credentials -- this has to be dismissed to do anything. 
  • We disabled management access to WAN interface

After we disabled management to WAN interface by default, there were many many complaints. Many WISPs still need access to the WAN interface for: provisioning the devices, and management -- even when in place at customer's home, the WISPs still want access. In v5.5.4 we changed to disable this by default, but it is still an option to easily enable. 

 

Our general recommendation is that any ISP deploying our products should definitely change default credentials, as well as block unnecessary management access. However, we try to strike a balance of imposing security best practices without limiting the functionality & ease of the use for our target customers (ISPs -- technical users, not "home users"). 

 

Hope this helps; we can look at other things as well such as not allowing a configuration change if default credentials are used, etc. Other suggestions are welcome!

 

Thanks,
Matt

Veteran Member
Posts: 7,703
Registered: ‎04-21-2011
Kudos: 2680
Solutions: 168

Re: Incapsula article smearing Ubnt products

@UBNT-Matt

 

Might be better, rather than have a "Warning Banner" pop up, that can easily be dismissed, to have a box pop up asking for a new password?  One that is not the current "ubnt" !

 

And complies with the minimum 8 character standard mix of Upper, Lower, Numbers, and symbols.

 

I know when we program the ASUS routers we use, that is the first box that comes up in the programming wizard.

SuperUser
Posts: 11,337
Registered: ‎12-08-2008
Kudos: 8105
Solutions: 508
Contributions: 1

Re: Incapsula article smearing Ubnt products

[ Edited ]

Some of this comes down to the question of how idiot-resistant do you want to make your product.  Which also raises the complexity and possibly the cost.    Can't ever make it idiot-proof...

Jim

" How can anyone trust Scientists? If new evidence comes along, they change their minds! " Politician's joke (sort of...)

"Humans are allergic to change..They love to say, ‘We’ve always done it this way.’ I try to fight that. "Admiral Grace Hopper, USN, Computer Scientist
SuperUser
Posts: 16,222
Registered: ‎06-23-2010
Kudos: 5088
Solutions: 76

Re: Incapsula article smearing Ubnt products

Exactly Jim,
If an idiot installs, it will be installed by an idiot.

I was one of the ones that complained when WAN access was blocked. I can't tell you how useful it is to be able to access a customer's router to help them, reset a WPA2 key, etc.

It's up to the WISP to know how they are setting up a network and install it professionally.
Regular Member
Posts: 502
Registered: ‎02-13-2014
Kudos: 309
Solutions: 13

Re: Incapsula article smearing Ubnt products

[ Edited ]

I agree that WAN access is incredibly useful by default, but maybe that's the key; by default have them WAN accessible, and once someone pulls up the config page and agrees to the terms, Block WAN Access is a (selected by default) option. I'd keep it right next to the "Choose a Country" field -- no extra "idiot guide" pages or anything.

 

At least that way it would be open by default, but closed (if left) during the country selection process that everyone does anyway. If you're a Wisp and want WAN access, you uncheck it. Done.

 

@UBNT-Matt, you can't say it's a Wisp-only product when this is available all over eBay and Amazon. Anyone can and does buy them. I'm not saying I like having to cater to that, but that's the situation you're in.

Established Member
Posts: 2,424
Registered: ‎01-07-2009
Kudos: 626
Solutions: 20

Re: Incapsula article smearing Ubnt products

Leave it as is.

I block external access at our border for the ports we use to manage devices. Stuff works well as is.

It's up to the ISPs responsible to provision the devices with the correct configuration

Taylor Broadband
A powercode billing system user
Regular Member
Posts: 502
Registered: ‎02-13-2014
Kudos: 309
Solutions: 13

Re: Incapsula article smearing Ubnt products

Ray, you're missing the point. You're correct as far as ISP usage of all of this goes, which I'll admit is probably the majority of it, but the case with AirRouters (and likely -some- other products) is that they do end up being used outside of any ISP provider offering. Since this can't be prevented, and since these products are wide-open on default ports with default credentials, it does seem that -something- should be considered here, although I'm not for dumbing things down any more than necessary either.

Emerging Member
Posts: 63
Registered: ‎10-03-2014
Kudos: 30
Solutions: 1

Re: Incapsula article smearing Ubnt products

[ Edited ]

It's all very well for us all here to fanboy our favourite router vendor ( hi UBNT :-) but is anyone here claiming it is okay for any vendor to ship routers with a default password on an external port?

 

We know some vendors do it, that doesn't make it ok! Better vendors have a default only on the internal port(s). Even better vendors use a random default password that is printed physically on the unit or packaging. Even the piece of cr*p router Comcast shipped me (and I shipped back with my somewhat rude opinion of it, replaced it with an EdgeMAX) had a vendor-installed, internal-only random password.

 

*IF* UBNT is/was shipping AirOS routers with a default password on an external port, then no excuses from me: shame on them.

 

@UBNT-Matt IMHO that's a lame attempt to shift blame to the WISPs. Sure, the WISP should have fixed this before shipping to customers, but UBNT should also have been shipping secure-by-default in the first place.

Established Member
Posts: 2,424
Registered: ‎01-07-2009
Kudos: 626
Solutions: 20

Re: Incapsula article smearing Ubnt products


bw1 wrote:

Ray, you're missing the point.


No no I see your point but I choose to ignore it because I like things the way they are - it suits some internal processes within my business. Making the internet safer may be awesome for you, but it means I have to spend time changing my processes within my business which I do not like and therefore any argument I make will be heavily weighted in my favour. I therefore cannot be trusted.

A middle ground I would be willing to accept: config file upload option on the initial login screen as an alternative to the current time consuming "accept terms" tickbox and login+reboot+click+click+click before you can upload config files.

Taylor Broadband
A powercode billing system user
Regular Member
Posts: 507
Registered: ‎10-28-2013
Kudos: 283
Solutions: 6

Re: Incapsula article smearing Ubnt products

Locking down WAN access makes sense for a consumer router, but these are not consumer routers. Ubiquiti has a choice, they can keep it as-is to make life easier for their customers, or they can make changes that only make life easier for people that buy "the internet box" on Amazon. 

 

Businesses generally want to act in the best interest of their customers.
