Forum Discussion

eoghanc
Joining in
3 days ago

Hub 3.0 permitting inbound traffic from Internet when it shouldn't

I've noticed what looks like a bug with the VM Hub 3.0 firewall / NAT state table.

Has anyone else seen this before?

Model: Compal CH7465LG (The white tower, cable, DOCSIS 3.0)

Firmware: LG-RDK_CH7465LG-NCIP-6.18-2406.17-NOSH

Some network scan traffic from the Internet is making it through the router and hitting my internal devices. I have no port forwarding configured or anything like that. In theory this traffic should not be permitted by the router due to standard stateful network device behaviour (NAT state table, stateful firewalling).

The destination ports are all in the high range (49152-65535, typically used as ephemeral source ports).

Because of the high-range destination ports, I had a suspicion that maybe the router was letting through traffic that was destined to existing source ports in the table.

I did some packet captures on my laptop and lo-and-behold, I found examples of this inbound traffic from malicious public IPs, where the destination port was matching the source port of some existing outbound connection I had from my laptop.

Ex.

Existing outbound: source IP 192.168.0.123, source port 53000, destination IP 165.223.54.56, destination port 443

Malicious inbound: source IP 5.5.5.5, source port 61000, destination IP 192.168.0.123, destination port 53000

No connection is actually completed as there isn't actually a service listening on my laptop on that ephemeral source port. So in the packet capture it's just a TCP SYN and then retransmissions as the malicious public IP retries a few more times.

But there's 100% traffic sourced from the Internet getting through my router that there shouldn't be.

I checked with a couple of friends who have the same device, but they have it in bridge mode and use their own router, they don't have this issue. I also checked with a family member who has the same device as me in router mode and the same thing is happening for them.

Seems like a security concern.
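
The check the poster did by hand in the capture can be automated. The script below is an added example, not code from the post: it keeps a table of outbound connections keyed by the LAN (ip, port) and flags any inbound SYN to such a port from anyone other than that connection's remote peer, which is the signature of a router that applies endpoint-independent (full-cone) filtering. The packet records are constructed sample data; 192.168.0.123, 165.223.54.56 and 5.5.5.5 are the addresses from the post, the LAN prefix and the remaining addresses are assumptions.

```python
"""Flag inbound TCP SYNs that reach a LAN host on a port that is only open
because the host used it as the source port of an outbound connection.

Added example, not code from the forum post.  Addresses other than the
three from the post, and the LAN prefix, are assumed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN_NET = ip_network("192.168.0.0/24")  # assumed LAN prefix (not stated in the post)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str  # TCP flags: "S" = SYN, "SA" = SYN/ACK, "A" = ACK


def is_lan(ip: str) -> bool:
    return ip_address(ip) in LAN_NET


def is_bare_syn(p: Packet) -> bool:
    return "S" in p.flags and "A" not in p.flags


def find_unsolicited_syns(packets):
    """Walk the capture in order and return a list of hits, each a dict with
    the offending packet, the peer of the mapping it hit, and a kind:
    "third-party" (a different host) or "same-host-other-port" (the real
    peer, but from a port it did not use).  A port-restricted NAT drops both
    kinds, a restricted-cone NAT drops only the first, full-cone passes both."""
    mappings = {}  # (lan_ip, lan_port) -> (peer_ip, peer_port)
    seen = set()   # collapse SYN retransmissions into one hit
    hits = []
    for p in packets:
        if is_bare_syn(p) and is_lan(p.src_ip) and not is_lan(p.dst_ip):
            mappings[(p.src_ip, p.src_port)] = (p.dst_ip, p.dst_port)
            continue
        if not (is_bare_syn(p) and not is_lan(p.src_ip) and is_lan(p.dst_ip)):
            continue  # SYN/ACKs, data segments and LAN-to-LAN traffic are not the issue
        peer = mappings.get((p.dst_ip, p.dst_port))
        if peer is None:
            continue  # no outbound mapping on that port: a different problem (e.g. a forward)
        if (p.src_ip, p.src_port) == peer:
            continue  # the genuine peer (TCP simultaneous open) is legitimate
        key = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        if key in seen:
            continue
        seen.add(key)
        kind = "same-host-other-port" if p.src_ip == peer[0] else "third-party"
        hits.append({"packet": p, "peer": peer, "kind": kind})
    return hits


# Constructed capture: the outbound HTTPS connection from the post, its
# SYN/ACK, the scanner's SYN plus one retransmission, a probe from the real
# peer's address but a different port, and a probe to a port with no mapping.
CAPTURE = [
    Packet("192.168.0.123", 53000, "165.223.54.56", 443, "S"),
    Packet("165.223.54.56", 443, "192.168.0.123", 53000, "SA"),
    Packet("5.5.5.5", 61000, "192.168.0.123", 53000, "S"),
    Packet("5.5.5.5", 61000, "192.168.0.123", 53000, "S"),
    Packet("165.223.54.56", 8080, "192.168.0.123", 53000, "S"),
    Packet("198.51.100.7", 4444, "192.168.0.123", 60000, "S"),
]


def summarise(packets=CAPTURE):
    """(source ip, source port, LAN port hit, kind) for each hit."""
    return [(h["packet"].src_ip, h["packet"].src_port, h["packet"].dst_port, h["kind"])
            for h in find_unsolicited_syns(packets)]


if __name__ == "__main__":
    for src_ip, src_port, lan_port, kind in summarise():
        print(f"{src_ip}:{src_port} reached LAN port {lan_port} via an existing mapping ({kind})")
```

On the constructed capture this reports the scanner's SYN once (the retransmission is collapsed) and the same-host probe, and ignores the probe to port 60000 because no outbound mapping exists there; a real run would feed it flows parsed from a pcap instead of the inline list.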

7 Replies

  • This isn’t actually a fault in the VM hub’s firewall, it is, as ‘Roger_Gooner’ posted above, a consequence of full-cone NAT, whereby if you create an outbound session on a particular port, (53000 in your case), then the hub will accept traffic on that same port from any external address.

    However, as Roger rightly says, this really isn't necessarily a problem - the hub won’t know how to forward this traffic and is probably just broadcasting, and if you don’t have any devices actively listening on that port, it will just be dropped.

    Welcome to the weird and wacky world of NAT!

    legacy1
    Alessandro Volta

    Likely the only way they could get performance out of the hub router mode that firewall option in the hub living up to its name.  

    Tudor
    Very Insightful Person

    One of the very many reasons a growing number of users are using their own routers with added firewalls. I use a Unifi UDM Pro with CyberSecure Enhanced by Proofpoint and Cloudflare.

    Roger_Gooner
    Alessandro Volta

    The Hub 3 is behaving as a full-cone NAT, not strict, but it's not a security issue because nothing is bound to that port. It could be made more secure but VM wants it this way as it makes NAT traversal easier for P2P, VoIP, gaming, etc. and gets fewer complaints about things such as multiplayer games and Smart TVs “not working”. There's always a balance when it comes to security and I think VM's got it about right for the millions of customers it has. A symmetric (strict) NAT by default would cause huge problems for the average non-technical user and lead to clogged up support lines.
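
To make the full-cone versus restricted versus symmetric distinction concrete, here is an added example (not code from the thread or from the hub's firmware) that models the four classic NAT filtering behaviours and replays the post's packets through each. The hub's public address 203.0.113.10 is assumed, and the "keep the LAN port as the external port when it is free" allocation is an assumption drawn from the post's capture, where the LAN port and the port the scanner hit were both 53000.

```python
"""Model of full-cone, restricted-cone, port-restricted and symmetric NAT
filtering, replaying the packets from the forum post through each.

Added example, not the hub's implementation.  203.0.113.10 and the
port-preserving allocation are assumptions.
"""
from dataclasses import dataclass

FULL_CONE = "full-cone"              # endpoint-independent filtering
RESTRICTED_CONE = "restricted-cone"  # address-dependent filtering
PORT_RESTRICTED = "port-restricted"  # address-and-port-dependent filtering
SYMMETRIC = "symmetric"              # new external port per destination, port-dependent filtering
MODES = (FULL_CONE, RESTRICTED_CONE, PORT_RESTRICTED, SYMMETRIC)


@dataclass(frozen=True)
class Mapping:
    lan_ip: str
    lan_port: int
    peer_ip: str
    peer_port: int


class Nat:
    def __init__(self, mode, public_ip="203.0.113.10"):
        self.mode = mode
        self.public_ip = public_ip   # assumed hub WAN address
        self.table = []              # (external_port, Mapping)
        self.next_free = 40000       # external ports handed out by a symmetric NAT

    def outbound(self, lan_ip, lan_port, peer_ip, peer_port):
        """Record an outbound connection; return the external port the peer sees."""
        m = Mapping(lan_ip, lan_port, peer_ip, peer_port)
        if self.mode == SYMMETRIC:
            ext_port, self.next_free = self.next_free, self.next_free + 1
        else:
            # cone NATs reuse one external port per internal socket, whoever the peer is;
            # assumed: the LAN port itself is used when no mapping exists yet
            ext_port = next((ep for ep, mm in self.table
                             if (mm.lan_ip, mm.lan_port) == (lan_ip, lan_port)), lan_port)
        self.table.append((ext_port, m))
        return ext_port

    def inbound(self, src_ip, src_port, ext_port):
        """Return the LAN (ip, port) an inbound packet is delivered to, or None if dropped."""
        for ep, m in self.table:
            if ep != ext_port:
                continue
            if self.mode == FULL_CONE:
                return (m.lan_ip, m.lan_port)
            if self.mode == RESTRICTED_CONE and src_ip == m.peer_ip:
                return (m.lan_ip, m.lan_port)
            if self.mode in (PORT_RESTRICTED, SYMMETRIC) and (src_ip, src_port) == (m.peer_ip, m.peer_port):
                return (m.lan_ip, m.lan_port)
        return None


def simulate(mode):
    """Replay the post's scenario: one outbound HTTPS connection, then the
    peer's reply and a third-party SYN aimed at the mapping's external port.
    Returns (peer_delivered, scanner_delivered)."""
    nat = Nat(mode)
    ext_port = nat.outbound("192.168.0.123", 53000, "165.223.54.56", 443)
    peer = nat.inbound("165.223.54.56", 443, ext_port)   # legitimate SYN/ACK
    scanner = nat.inbound("5.5.5.5", 61000, ext_port)    # scanner hitting the mapping
    return peer is not None, scanner is not None


def compare():
    return {mode: simulate(mode) for mode in MODES}


def mapping_reused(mode):
    """Does a second connection from the same LAN socket to a different peer
    reuse the external port?  Cone NATs yes, symmetric no; that reuse is what
    lets P2P hole punching work, which is the trade-off described above.
    198.51.100.7 is an assumed second peer."""
    nat = Nat(mode)
    first = nat.outbound("192.168.0.123", 53000, "165.223.54.56", 443)
    second = nat.outbound("192.168.0.123", 53000, "198.51.100.7", 443)
    return first == second


if __name__ == "__main__":
    for mode, (peer_ok, scanner_ok) in compare().items():
        print(f"{mode:16} peer reply: {'pass' if peer_ok else 'drop'}   "
              f"scanner SYN: {'pass' if scanner_ok else 'drop'}   "
              f"port reused across peers: {mapping_reused(mode)}")
```

Only the full-cone model delivers the scanner's SYN; the other three drop it while still passing the peer's reply, and only the symmetric model hands out a fresh external port per destination, which is what breaks hole punching and drives the support-line concern above.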

    Client62
    Alessandro Volta

    Model: Compal CH7465LG (The white tower, cable, DOCSIS 3.0)
    Firmware: LG-RDK_CH7465LG-NCIP-6.18-2406.17-NOSH

    This is not the VM UK model number or firmware of Hub 3

    Is this a VM ROI question ?


      eoghanc
      Joining in

      Sorry yes, ROI.

      I don't think there's an ROI forum though is there?

  • Hello eoghanc,

    Welcome to the Community, and thanks for taking the time to post here on the forums. I’m sorry to hear of the issues that you’re experiencing with your connection at the moment. I will get this passed on to our security team to see if this is anything that they know of and how to resolve the issues.

    Kind Regards,

    Steven_L