MikroTik – CCR1072-1G-8S+ – PPPoE testing preview – 30,000 connections and queues.

 

[adrotate banner=”5″]

 

Why we chose PPPoE as the next test

First of all, thanks to everyone for all the positive feedback, comments and questions about the CCR1072-1G-8S+ testing we have been posting in the last few months.  Even MikroTik has taken an interest in this testing and we have gotten some great feedback from them as well.

We received more questions about the PPPoE capabilities of the CCR1072-1G-8S+  than any other type of request. Since we have already published the testing on BGP, throughput and EoIP, we have decided to tackle the PPPoE testing to understand where the limits of the CCR1072-1G-8S+ are. This is only a preview of the testing as we are working on different methods of testing and config, but this will at least give you a glimpse of what is possible.

30,000 PPPoE Connections !!!!

30k-pppoe

Overview of PPPoE connections and CPU load

30k-PPPoE-overview

PRTG Monitoring

We have started using PRTG in the StubArea51.net lab as it makes monitoring of resource load over time much easier when we are testing. Check it out as it is free up to 100 sensors and works very well with MikroTik

https://www.paessler.com/prtg/download

PRTG CPU Profile 

30k-PPPoE-CPU-total-prtg

 

PRTG PPPoE connection count over time

It took us about 20 minutes to reach 30,000 connections…we are working on tuning the config to see if we can shorten the time it takes to build the connections. In the graph here, you can see it go form a 24 hour stable load of 30k connections donw to nothing as we prepare for a load test. At about 10:07 AM is when we started the full load test and you can see the time it takes to get to 30k.

30k-PPPoE-conns-total-prtg

More on the way!!!

This is just a small preview of our full PPPoE testing. We will be completing testing and should be publishing the results within the next week.

MikroTik and Ubiquity routers being Hijacked by Dyre Malware?

[adrotate banner=”4″]

Came across several interesting articles that claim there is a change in the way Dyre aka Upatre malware is spreading. Dyre seems to be getting a lot of press as it is used in browser hijacks to compromise online banking credentials and other sensitive private data. However, most recently – instead of infecting hosts, it appears to be compromising routers as well.  Blogger krebsonsecurity.com writes:

Recently, researchers at the Fujitsu Security Operations Center in Warrington, UK began tracking Upatre being served from hundreds of compromised home routers — particularly routers powered by MikroTik and Ubiquiti’s AirOS.

As I first started researching this, I was wondering how they determined the router itself is compromised and not a host that sits on a NAT behind the router. Certainly different devices leave telltale signs visible in an IP packet capture that help point towards the true origin of a packet, so it’s possible that something was discovered in that way. It’s also possible the router isn’t being compromised via the Internet, but rather on the LAN side as it would be much easier for malware to scan the private subnet it sits on and attempt to use well known default credentials to login and take control of a router. While concerning, this LAN attack vector theory relies on the user not properly securing the router and doesn’t indicate a vulnerability in the operating system of either router.

However…I then came across this thread at the Ubiquity forums:

https://community.ubnt.com/t5/Installation-Troubleshooting/Attack-Malware/m-p/1285726/highlight/true#M83358

Apparently the attackers are taking advantage of routers that are in fact open and have storage that can be utilized so that it can serve as a distribution point for the malware and also as a C&C point to initiate attacks. In the thread the vulnerable code version that is mentioned is firmware version XW.v5.5.6. It’s not exactly clear what makes this vulnerable, but from reading the forum it seems likely that the firewall may not be enabled by default and with the credentials unchanged, it becomes a target for Dyre. Somebody with more experience in Ubiquity may be able to comment further as I don’t spend enough time with Ubiquity to know for sure across the various code versions.

Example of Dyre using an ubiquity router to initiate attacks…the ./win9 processes are Dyre

Mem: 58492K used, 3632K free, 0K shrd, 764K buff, 6588K cached
CPU:   0% usr   2% sys   0% nice  92% idle   0% io   0% irq   4% softirq
Load average: 0.03 0.06 0.01
  PID  PPID USER     STAT   VSZ %MEM %CPU COMMAND
15472 15355 ubnt     R     1992   3%   1% top
 2746  2724 ubnt     S    25400  41%   0% ./win9
 2742  2724 ubnt     S    25400  41%   0% ./win9
 2739  2724 ubnt     S    25400  41%   0% ./win9
 2744  2724 ubnt     S    25400  41%   0% ./win9
 2745  2724 ubnt     S    25400  41%   0% ./win9
 2738  2724 ubnt     S    25400  41%   0% ./win9
 2743  2724 ubnt     S    25400  41%   0% ./win9
 2737  2724 ubnt     S    25400  41%   0% ./win9
 3128  2919 ubnt     S    94836 152%   0% ./i
 3112  2919 ubnt     S    94836 152%   0% ./i
 3103  2919 ubnt     S    94836 152%   0% ./i
 3106  2919 ubnt     S    94836 152%   0% ./i
 3102  2919 ubnt     S    94836 152%   0% ./i
 3087  2919 ubnt     S    94836 152%   0% ./i
 3129  2919 ubnt     S    94836 152%   0% ./i
 3137  2919 ubnt     S    94836 152%   0% ./i
 3104  2919 ubnt     S    94836 152%   0% ./i
 3113  2919 ubnt     S    94836 152%   0% ./i
 3135  2919 ubnt     S    94836 152%   0% ./i

MikroTik’s response

There is a thread on this at the MIkroTik forums and MikroTik’s official response below is that this is mostly hype and there isn’t a major threat. Which seems to be true if your router is properly secured with a firewall and you change the default credentials.  MikroTik routers definitely come with the firewall enabled to protect the less tech-savvy or forgetful users.

http://forum.mikrotik.com/viewtopic.php?t=98127

Conclusion

Neither vendor seems to have a vulnerability that exposes serious code flaws. The answer to this is an oldie but a goodie – be sure to properly set the firewall and use complex credentials on Internet facing routers.

References:

http://krebsonsecurity.com/2015/06/crooks-use-hacked-routers-to-aid-cyberheists/#more-31364

http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/dyre-emerging-threat.pdf