Attack ddos to epmp cpe - continuous upload

Hi, since today we have noticed significant download / upload traffic on several users. I think it could be a DDoS attack … sending continuous upload traffic up to 2mbit.
The antenna performs pppoe authentication and can be reached via public ip.
Obviously the admin and installer passwords have changed, the snmp key has changed.
The problem also occurs on the latest firmware (4.5.5, 4.5.6). Has anyone had a similar problem?

If the device is reachable through a public IP then firmware is not the problem. Do you have any firewall in your design in front of your network? Each WISP/ISP must have some kind of firewall on the edge of the network (WAN).

Sounds like someone brute-forced your password; they may be trying to make lateral movement in your network.
Time to start changing passwords on all of your subscriber modules and infrastructure that the password was used on.

If you have cnMaestro deployed you should be able to use a configuration template to change all of them on your SMs.

First, are you running some form of firewall on your gateway routers? If not, ask yourself why not.

Second, management IP does not need to be a public IP and shouldn't be! Set up a VLAN and a private IP range for this.

Third, use RADIUS for all logins. It's like LDAP but nicer and can be set up to auth both your techs' logins and your users' PPPoE sessions. It also can be coupled with EAP-TTLS auth for your radios so that an eBay special doesn't brute force your access password and have free access to everything.