Forum Discussion

eoghanc
Tuning in
2 months ago
Solved

Hub 3.0 permitting inbound traffic from Internet when it shouldn't

I've noticed what looks like a bug with the VM Hub 3.0  firewall / NAT state table.

Has anyone else seen this before?

Model: Compal CH7465LG (The white tower, cable, DOCSIS 3.0)

Firmware: LG-RDK_CH7465LG-NCIP-6.18-2406.17-NOSH

Some network scan traffic from the Internet is making it through the router and hitting my internal devices. I have no port forwarding configured or anything like that. In theory this traffic should not be permitted by the router due to standard stateful network device behaviour (NAT state table, stateful firewalling)

The destination ports are all in the high range (49152-65535, typically used as ephemeral source ports).

Because of the high-range destination ports, I had a suspicion that maybe the router was letting through traffic that was destined to existing source ports in the table.

I did some packet captures on my laptop and lo-and-behold, I found examples of this inbound traffic from malicious public IPs, where the destination port was matching the source port of some existing outbound connection I had from my laptop.

Ex.

Existing outbound: source IP 192.168.0.123, source port 53000, destination IP 165.223.54.56, destination port 443

Malicious inbound: source IP 5.5.5.5, source port 61000, destination IP 192.168.0.123, destination port 53000

No connection is actually completed as there isn't actually a service listening on my laptop on that ephemeral source port. So in the packet capture it's just a TCP SYN and then retransmissions as the malicious public IP retries a few more times.

But there's 100% traffic sourced from the Internet getting through my router that there shouldn't be.

I checked with a couple of friends who have the same device, but they have it in bridge mode and use their own router, they don't have this issue. I also checked with a family member who has the same device as me in router mode and the same thing is happening for them.

Seems like a security concern.


9 Replies

  • Hello eoghanc,

    Welcome to the Community, and thanks for taking the time to post here on the forums. I’m sorry to hear of the issues that you’re experiencing with your connection at the moment. I will get this passed on to our security team to see if this is anything that they know of and how to resolve the issues.

    Kind Regards,

    Steven_L

    • -tony-
      Alessandro Volta

      Hello eoghanc,

      Welcome to the Community, and thanks for taking the time to post here on the forums. I’m sorry to hear of the issues that you’re experiencing with your connection at the moment. I will get this passed on to our security team to see if this is anything that they know of and how to resolve the issues.

      Kind Regards,

      Steven_L

      Why would you do that? Maybe reading the thread would be a start rather than a few lines of the first post.

      It's been established that this is not a problem for VM UK as the poster is in the ROI - look it up if you don't know where that is.

  • Client62
    Alessandro Volta

    Model: Compal CH7465LG (The white tower, cable, DOCSIS 3.0)
    Firmware: LG-RDK_CH7465LG-NCIP-6.18-2406.17-NOSH

    This is not the VM UK model number or firmware of Hub 3

    Is this a VM ROI question ?


    • eoghanc
      Tuning in

      Sorry yes, ROI.

      I don't think there's an ROI forum though is there?

  • Roger_Gooner
    Alessandro Volta

    The hub 3 behaving as a full‑cone NAT, not strict but not a security issue because nothing is bound to that port. It could be made more secure but VM wants it this way as it makes NAT traversal easier for P2P, VoIP, gaming, etc. and get fewer complaints about things such as multiplayer games and Smart TVs “not working”. There's always a balance when it comes to security and I think VM's got it about right for the millions of customers it has. A symmetric (strict) NAT by default would cause huge problems for the average non-technical user and lead to clogged up support lines.

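As an added example (not from the original post or from any Virgin Media documentation), the following Python model runs the packets from the opening post through the three inbound filtering behaviours defined in RFC 4787 section 5, of which "full cone" is the endpoint-independent one. It shows why a full-cone NAT forwards the SYN from 5.5.5.5 to port 53000 while an address-and-port-dependent ("strict") NAT drops it, and it includes the check the poster did by hand: inbound packets whose destination matches an outbound mapping but whose source is not the peer that mapping was opened to. The packets from 165.223.54.56:80 and to port 53001 are constructed additions for contrast; the model assumes the hub preserves ports (external port equals the internal source port), which is what the post's capture implies.

```python
"""Model of RFC 4787 inbound filtering behaviours applied to the packets in
the post above.  Added example; not code from the post or from Virgin Media.
All capture records are constructed: the outbound flow and the 5.5.5.5 SYN
use the post's addresses, the other two inbound packets are added here.
Assumption: port-preserving NAT, so mappings can be keyed on the LAN-side
(ip, port) without knowing the hub's WAN address.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str = "S"  # tcpdump-style TCP flags; "S" is a bare SYN


LAN_PREFIX = "192.168.0."

# Constructed packets as they would reach the hub: one outbound HTTPS
# connection from the laptop, then four inbound packets aimed at its port.
CAPTURE = [
    Packet("192.168.0.123", 53000, "165.223.54.56", 443, "S"),   # outbound (from post)
    Packet("165.223.54.56", 443, "192.168.0.123", 53000, "SA"),  # legitimate reply
    Packet("165.223.54.56", 80, "192.168.0.123", 53000, "S"),    # same peer IP, other port (constructed)
    Packet("5.5.5.5", 61000, "192.168.0.123", 53000, "S"),       # the post's unsolicited SYN
    Packet("5.5.5.5", 61000, "192.168.0.123", 53001, "S"),       # port with no mapping (constructed)
]


def is_outbound(p):
    return p.src_ip.startswith(LAN_PREFIX)


def build_mappings(capture):
    """Mapping table: internal (ip, port) -> peer (ip, port) it was opened to.
    First outbound packet for an internal endpoint creates the mapping."""
    table = {}
    for p in capture:
        if is_outbound(p):
            table.setdefault((p.src_ip, p.src_port), (p.dst_ip, p.dst_port))
    return table


# RFC 4787 section 5 filtering behaviours.  Each answers: given an inbound
# packet p and the peer the mapping was created for, is p forwarded?
def endpoint_independent(p, peer):        # "full cone": any external source
    return True


def address_dependent(p, peer):           # "restricted cone": same IP, any port
    return p.src_ip == peer[0]


def address_and_port_dependent(p, peer):  # "port restricted" / strict: exact peer only
    return (p.src_ip, p.src_port) == peer


POLICIES = {
    "endpoint-independent (full cone)": endpoint_independent,
    "address-dependent": address_dependent,
    "address-and-port-dependent": address_and_port_dependent,
}


def forwarded(policy, p, mappings):
    """Would the NAT pass inbound packet p to the LAN under this policy?"""
    if is_outbound(p):
        return False
    peer = mappings.get((p.dst_ip, p.dst_port))
    if peer is None:
        return False  # no mapping at all: every stateful NAT drops this
    return policy(p, peer)


def simulate(capture):
    """Per policy, the forward/drop decision for each inbound packet, in order."""
    mappings = build_mappings(capture)
    return {
        name: [forwarded(fn, p, mappings) for p in capture if not is_outbound(p)]
        for name, fn in POLICIES.items()
    }


def find_leaks(capture):
    """The check the post describes: inbound packets whose destination matches
    an existing mapping but whose source is not that mapping's peer.  Run over a
    LAN-side capture, every hit is a packet the NAT forwarded without it being
    a reply, i.e. evidence of endpoint-independent filtering."""
    mappings = build_mappings(capture)
    leaks = []
    for p in capture:
        if is_outbound(p):
            continue
        peer = mappings.get((p.dst_ip, p.dst_port))
        if peer is not None and (p.src_ip, p.src_port) != peer:
            leaks.append(p)
    return leaks


if __name__ == "__main__":
    for name, results in simulate(CAPTURE).items():
        print(f"{name:36s} {results}")
    for p in find_leaks(CAPTURE):
        print(f"leak: {p.src_ip}:{p.src_port} -> {p.dst_ip}:{p.dst_port} [{p.flags}]")
```

Only the full-cone policy forwards the 5.5.5.5 SYN; address-dependent filtering still lets in the constructed packet from 165.223.54.56:80, and only address-and-port-dependent filtering limits port 53000 to the exact peer the laptop connected to. Note that none of the policies forwards the packet to port 53001, so the exposure is limited to ports with a live mapping, which is the point the reply above makes.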
    • eoghanc
      Tuning in

      Thanks for mentioning full cone NAT. Was reading up on it there.

      I work in IT but have never heard of it. I've worked with other forms like static NAT, source NAT, destination NAT, PAT, NAT overload etc.

      So sounds like this is actually expected behaviour based on the full cone behaviour. The only thing I'd disagree with you on is the security aspect, it's definitely a security concern.

      • Roger_Gooner
        Alessandro Volta

        The good thing about being with VM is that there is an alternative if you have a security concern: put your hub into modem mode and use your own router for stricter security - but you'll need to know how to configure it for all your apps to work.

  • Tudor
    Very Insightful Person

    One of the very many reasons a growing number of users are using their own routers with added firewalls. I use a Unifi UDM Pro with CyberSecure Enhanced by Proofpoint and Cloudflare.

  • legacy1
    Alessandro Volta

    Likely the only way they could get performance out of the hub router mode that firewall option in the hub living up to its name.