Nightmare on E Street (Modem and Me Against the World)
by Emily Saunders
All I want to do is be able to read my library e-books, surf Amazon and Target, and search topics that interest me, like current events and the weather.
I don't think that's so much to ask. But apparently it is. I am somewhat tech-savvy compared to my parents, but I am a rookie when it comes to anything Internet beyond browsing and basic security, like setting up a Wi-Fi password. This nightmare has turned into a never-ending saga.
One night, I was exploring my modem.
I remembered that every modem had a local IP address (local being a range of IP addresses assigned specifically to your home Wi-Fi network and devices connected to it) that provided access to the modem settings where you set your Wi-Fi password. That IP address is in the range of 192.168.X.X. I went there and it led me right to the Zyxel modem settings, which I hadn't looked at since last year. I have moved since then. I went ahead and changed my Wi-Fi password, and then noticed that I could put a username and password on the modem settings. So I did that, and the next time I typed in 192.168.X.X, I got a login screen. Good.
Nightmare Begins
This Zyxel modem had in the settings a web activity log.
It showed the site history of every device connected to my Wi-Fi network. I noticed names of websites I never went to and didn't recognize at all. Many of them. I typed in three random site names from these, and they all led to sites I had never visited nor seen before. A site on brain development, what looked like a virus website, a "superuser computer forum," and a blank page that said "Nothing to see here. Move on."
Some of the websites weren't even decipherable. Like y.timg.com and art-0.nflximg.net and sr.symcd.com. I started printing the logs. I also noticed that there was a lot more activity in the web history than I could account for.
In one week, I had gone to maybe ten or fifteen websites. There were pages and pages here. I was becoming slightly alarmed, but not too much, because I knew I had limited technical knowledge.
I start reading up on network security by Googling it - security, firewalls, ports, pings, all the while feeling clueless.
That never changes. It's a lot to take in and too much to fully understand on my own. I learned that information to the router came in on something called "ports" and that they had numbers and specific purposes. The only ports I'd heard of at that point were the ones boats came into. I learned that vulnerable or "open" ports were one of the ways network intrusions/hackers get in. Some commonly exploited ports were 80 (HTTP) and 135-140. There were over 40 port options in my CenturyLink modem settings, with their functions listed and incoming/outgoing boxes to check or uncheck.
Some of these were:
POP3 Mail Service 110 Windows Messaging Chat Service 1024-1030 Xbox Gaming Console 53 TCP/UDP, 88 UDP, 3074 TCP/UDP DirecTV STB1 Multimedia Control 27161-27163 NNTP Newsgroup 119 VNC Remote Management 5500, 5800, 5801, 5900, 5901 (Anything labeled "Remote Management" sounded iffy. I turned everything with that label off.)
After reading up on commonly exploited ports, I finally went to my modem settings, logged in, and started blocking off vulnerable port numbers.
These included 80 (HTTP), 21 (FTP), 135 (Windows RPC), and 137 to 139 (Windows NetBIOS).
As I was blocking off ports, suddenly I was at the login screen once more. I logged in (again) and kept going. Blocked a port, clicked "Apply". Login screen again. I typed in my username and password, but this time it told me they were incorrect. Tried again. Incorrect. Now I was locked out of my modem settings.
Suddenly it dawned on me. Whoever or whatever was stealing my Wi-Fi caught me blocking off port access and kicked me out before I could finish. Wow.
I was prompted for my login three times in less than five minutes. I remembered the last time I changed the password, as soon as I clicked "Apply", I was returned to the login screen because instantly the old password was invalid and the new password was required to log back in.
There was no reason why my username and password would work and then suddenly stop being accepted unless the password was changed. And I didn't change it. I didn't think my modem settings were compromised; I just thought someone hacked my Wi-Fi password to mooch Wi-Fi. I was pissed. I yanked my modem cord out of the wall and left it off for the rest of the night.
During this time, I worried.
Being kicked off my modem settings as I was closing off vulnerabilities had brought this situation sharply into reality, yanked away from tentative suspicion and mild paranoia. Something or someone really didn't want those ports blocked. I worried that it was someone in my building. I worried that they had my information and knew who I was, but I didn't know who they were. I worry that a cybercriminal or a virus out of my wireless signal's range had found a different way into my network. I worried about my bank account information, my email, my Facebook, my identity. I was aware that paranoia was creeping in. Not being technical enough to know exactly what was going on or how far the intrusion reached left me feeling anxious and overwhelmed.
I read a book called Hate Crimes in Cyberspace which put me on edge a little more. In the past, I once received threats on my Facebook account from someone who perceived I had wronged them, when in fact I hadn't. Since then, I had been fiercely protective of my privacy and extremely cautious of who I gave my information to. I also worried that my devices had been hacked, or perhaps my documents, apps, email or photos had been accessed.
Even though I was not into anything explicit, had never sent a naked photo, was not a whistleblower of any sort, and thought cyberbullying was cowardly, I still believed in the right to digital privacy, and I was aware of the harm that could come to someone who accidentally exposed their information to someone who derived pleasure from causing harm.
Unfortunately, there were too many people like that out there.
Nightmare Turns Real
During this time, I had a whole host of problems.
I had difficulty accessing my Gmail, my Wi-Fi symbol said I was online when my screen told me I wasn't, and I was unable to factory reset a device (getting a message that said I didn't have the right software).
I tried not to brood and fret, and to focus on finding solutions instead. Then, during a call to CenturyLink about an issue, I found out that the email address listed for me on my CenturyLink account had been changed. I had two email addresses, one Yahoo! and one Gmail. It had been changed to a combination of the emails put together - the letters in one, and the numbers in the other. I stopped breathing... my head spun... I did not do that. Alarm bells were sounding. And I was beyond the beyond pissed.
I remembered that in order to change the email address for my CenturyLink account, certain personal information was required for verification purposes.
I didn't even want to think about what that meant. I couldn't remember accessing my online CenturyLink account except to set it up and check it a few times. That was at my old place. I hadn't accessed it at all since I moved.
Yet somehow, the account was accessed and the email address changed. It stood to reason that if my CenturyLink account contact email was changed to an address that wasn't actually mine, it was someone else's and it was created for the purpose of intercepting my CenturyLink account notifications. Why?
Because if someone hacked my Wi-Fi and was regularly using it, it would be in their interest to know what was going on with my account. CenturyLink was apparently (they said) unable to tell me when the email address was changed or if it was done by phone or over the Internet. They didn't seem all that concerned.
I typed the fraudulent address into the Gmail sign-in page and got a message saying it wasn't valid.
My guess was that if there was an account with this email address, it had been deleted. I hadn't exactly been stealthy about this whole situation, and if I was right, it was deleted because whoever created that address realized I was onto them. There was also a possibility that someone hacked me for thrills and then changed the email address either to mess with me or just to see if they could. This really brought it home to me that something was going on. I changed my modem and Wi-Fi passwords again. And again. And again.
Weeks later, I still couldn't factory reset my laptop, and my modem's Internet light was not on when it should have been.
I went to the modem settings and found the login requirement that I set had completely disappeared. My surprise meter was on empty. I immediately set it again, then tried to login with the new password, and was told it was incorrect. Again. Although this time, I had to assume that I just mistyped the new password when I set it. I hoped.
I called Best Buy Geek Squad. Closed. I called CenturyLink and they told me that all I could do was what I had already done: change modem and Wi-Fi passwords. If I needed further assistance, I would have to hire a tech expert. What a load of garbage. My frustration was growing and my patience was rapidly shrinking.
Hoping for Answers
I tried the Best Buy Geek Squad again. They told me it costs $99.99 to see me in-store, and $249.99 to come to my home.
I took a gamble that they wouldn't charge me a hundred bucks just to ask a few questions, so I prepared a list. I brought along my notes, modem, laptop, and tablet. My hopes were high that not only would my questions be answered, but that I would go home with a definitive solution that would put an end to this. I wanted to start living my life again.
1.) Is this someone in my building? "It is someone within 100 feet of your router." (Because the traffic came from my device's IP address.)
2.) In what capacity is my ISP obligated to help me and what should I do if they refuse? "Demand better service."
3.) What do the web history logs look like? "It looks like someone was using your Wi-Fi to research more hacking."
4.) Do I need to change my MAC addresses? Can they be spoofed? "Yes, they can. MAC filtering doesn't really do anything."
5.) If I change my network name and block the SSID broadcast, they won't be able to connect or see it, right? "They can scan for hidden networks."
I spent an hour at Best Buy asking questions until my ride said we had to leave.
I was told to make sure I was using HTTPS instead of HTTP when I surfed and to change the HTTP password. What HTTP password? I was told to get a more secure (or secure, period) modem if I could. At the end of the consult, I was told that Geek Squad members couldn't be hired to secure my network and give me a crash course on cyber security. I was told that with what I'd taught myself so far, I was already more advanced than the average lay person, and that the answers he'd given me were as much as they could help me. I had to hire a tech expert if I needed further assistance. (Where had I heard that before?) My questions were answered. I did not get a definitive solution.
Flailing
Back at a family member's house (who I'd deemed as having "safe(r)" Wi-Fi), I called Apple and received a case number.
I called CenturyLink and spoke to a kind senior advisor who seemed reassuring and told me that they would begin an investigation. The next day, I talked to CenturyLink again and received another case number.
Days later, I called CenturyLink and they said if I hadn't heard anything about the investigation by the end of the week to call back.
When I did that, they told me that they don't do investigations and that I would have to go to a computer repair store because the intruder may have changed the software in the modem. Well, well, passing the buck again. And completely reneging on a senior advisor's assurances. I decided to rent a modem from CenturyLink instead, after confirming that assistance would be provided in the event of any security issues. (The first modem was brought by the CenturyLink installation guy.)
A week later, I got my new (rented) CenturyLink modem in the mail. Zyxel PK5001Z.
I connected the modem to the electrical outlet and to the Ethernet adapter on my computer, but did not plug it into the phone jack. I then reset the modem username and password, and reset the Wi-Fi password from the default as well. (They come with a default, which is stupid beyond stupid.) Then I tried connecting to the Internet and found that I couldn't go to some websites, possibly because I'd turned off a bunch of ports - including HTTP, all gaming, remote management, and FTP. I tried turning HTTP back on when Netflix wouldn't work. I left on Secure File Transfer, HTTPS, DNS, remote printing, VPN, and some message protocol. Turned off Yahoo!, Chat, Xbox, and Windows.
After checking the new CenturyLink modem's web activity log, I saw more activity than I could again account for, it having had it less than 12 hours.
I called CenturyLink and asked them what the site aia.entrust.net was. They informed me that it was a virus and that I needed to get the "free Norton Anti-Virus," but they didn't address the rest of the unfamiliar web activity or the obvious question of how my computer was visiting websites on its own. I got another ticket number.
By now, I had changed my Amazon, email, bank, computer, Apple, and modem passwords.
I had created a recovery key. I added two-step authentication. I learned how to change the name of my Wi-Fi network (the SSID), as well as how to hide it from the average Joe looking for an open Wi-Fi network (turn off SSID broadcast). I had learned how to use Media Access Control (MAC) filtering, which takes the unique ID attached to each of my physical Internet devices, and blocks any and all devices with different IDs (MAC addresses), allowing only mine to connect to the network. However, I'm told these addresses can be spoofed. An intruder can change their MAC address to whatever they want, even copying mine, which will result in their device having access to my Wi-Fi network, which makes the whole MAC address filtering function seem like a bad joke.
Sayonara CenturyLink
I decided to switch to Comcast/Xfinity Internet, even though it was pricier.
I strongly hoped I would be provided with better and more responsive customer service and technical support.
The Comcast/Xfinity installation guys arrived, and I was feeling relieved. It was a breath of fresh air in between constant anxiety, anger, and uncertainty. I gave the installation guys the short version of why I left CenturyLink, and they helped me set up passwords. Aside from that, they had no new suggestions, although they were sympathetic. I forced myself to be O.K. with that. I was starting over with a whole new system. Over the following few days, I used my Comcast Internet tentatively, but with a tiny bud of hope.
Unfortunately, my Comcast modem had only firewall logs, event logs, and system logs. No web activity log. I couldn't monitor for unfamiliar websites anymore. So I got the list of websites that I didn't recognize from the CenturyLink modem web activity log and blocked them on the Comcast modem, using parental controls. There were so many that I couldn't possibly block them all and there were probably new ones that I didn't know about. But it was a start.
Rude Awakening
After some days or weeks, I checked the firewall logs. My stomach dropped.
Many of the websites I blocked were listed next to a number of attempts made to reach them. 125 attempts, 13 attempts, 1671 attempts. WTF?!! !#%*@!! Hair-pulling, wall-punching, jaw-clenching frustrating. What is making all these attempts? A bot? A hacker? A virus?
I reviewed my CenturyLink web activity logs and added even more unfamiliar sites to the blocked list on the Comcast modem.
I spent time exploring the Comcast modem firewall. The firewall options were much more limited. IPv4 had "Custom, Minimum, Typical, and Maximum" security options, all with preset blockable ports or applications, no more than about six options each. IPv6 had only "Custom and Typical" security options.
The CenturyLink modem gave me access to every port.
The Comcast modem was a big disappointment. I fiddled with it for a while and apparently accidentally blocked various websites I didn't mean to block. Suddenly my Netflix menu thumbnails had no graphics, no picture, and I couldn't access some of my favorite retail sites. I changed various settings around, each time trying to get the missing functionality back, but not wanting to reduce my firewall's security, which was set on high. Something was obviously still not right, even though I changed ISPs and factory reset all my devices.
Comcast/Xfinity Internet comes with both 2.4 GHz and 5 GHz networks, as well as a guest network.
The guest network didn't concern me. You needed an Xfinity account and password to use it, even though I'd rather have had the option of turning it off. I think not having that option is an insult to paying customers.
After extensively Googling, Bing-ing, and Duckduck Go-ing, I learned that the 2.4 GHz network was more crowded because it was more widely used and that the 5 GHz network was likely to have a stronger signal because it was less crowded.
The 2.4 GHz network also had a farther range, meaning the Wi-Fi signal could reach a greater distance. Because the 5 GHz network had a stronger, denser signal, it had a shorter range. That's what I wanted - a shorter range. All I was able to find were Wi-Fi signal extenders for people with bigger homes who wanted more of a range, but I wanted the smallest range available because I didn't want my network to reach anyone but me. I wasn't sure this was possible. I was still operating according to what the Geek Squad guy said: It's someone within 100 feet of your router."
So I got out my measuring tape.
I found info online that said "A general rule of thumb in home networking says that Wi-Fi routers operating on the traditional 2.4 GHz band reach up to 150 feet indoors and 300 feet outdoors. Older 802.11a routers that ran on 5 GHz bands reached approximately one-third of these distances."
Physical obstructions in homes, such as brick walls and metal frames or siding, reduce the range of a Wi-Fi network by 25 percent or more. Due to the laws of physics, 5 GHz Wi-Fi connections are more susceptible to obstructions than are 2.4 Ghz ones.
Newer 802.11n and 802.11ac routers that operate on both 2.4 GHz and 5 GHz bands vary in their reach similarly. A standard wireless router will have a range of about 120 feet indoors and about 300 feet outside. However, an IEEE 802.11n class router will have an outdoor range of roughly 400 feet and an indoor range of approximately 900 feet. Aaah. Sweet knowledge. Sort of.
I got down and started measuring: 380 inches from bedroom to front door and 260 inches from the window to the bookshelf.
I logged into my Comcast modem settings, and there was an option to completely turn off the 2.4 GHz network. I did so. I took the network with the better signal and the shorter range, still not trusting anyone. If my Wi-Fi signal didn't even reach into the next apartment, that would be another way in eliminated. I walked as far away from the router as I could get and checked the signal. Still there.
I couldn't be certain if the signal reached anyone else, because obviously I couldn't go into random apartments to find out. I also couldn't simply ask a neighbor because, for all I knew, one of them was the problem. I also hadn't ruled out the possibility that there had been multiple sources of intrusion, seeing as my Comcast modem was already behaving similarly to the CenturyLink modem and, from what I gathered, they connected to the Internet differently: CenturyLink was DSL (using the phone jack) and Comcast was cable.
I downloaded an app called "Fing," which is a free Wi-Fi network scanner that can discover devices connected to the network and the services/ports they are using.
Any addresses the app had were addresses that had been fed into it, not addresses it found on its own. Still, it told me that under the local network IP address X.X.X.254, something called "Naray Information and Communication Enterprise" was listed as a device using my network.
It showed no services or logs. I Googled this, and up came the same question from many Comcast/Xfinity customers: "What is it?" All I could find was that it was a Korean company. The forum I came across consisted of customers speculating and pointing out that so far, Comcast had refused to address the issue. I used the Fing app several more times over the next few weeks and, every time, in addition to my modem and connected devices, I saw this "Naray" listing, same IP address.
Another Rude Awakening
Eventually, I called Comcast and was transferred several times before finally being told that the Fing app, as a third-party app, was probably inaccurate and that, according to a higher up, it was a "false issue."
I didn't think it was a false issue when numerous unrelated Comcast customers had noticed it and had gotten no response as to what it was. Before I hung up, I asked the Comcast support person to take a cursory glance at my firewall logs. "Whoa," I heard. He then said, "Something has tried to access your modem through IPv6 137 times. That's not normal." He transferred me to someone else.
The lady I was transferred to told me that what I was seeing, after she'd looked at my firewall logs and the numerous attempts to access websites that I had blocked, was normal Internet traffic, including the "FW IPv6 FORWARD drop" attempts to access my modem that the last guy mentioned.
I took this with a grain of salt, seeing that it was more likely she just didn't want to take the time to deal with me. While we were still talking, I clicked over from "Firewall Logs" to "Event Logs" and I saw:
(For security reasons, I'm not putting actual numbers, just #)
I saw another one, except that said "Smurf Attack" instead of "TCP SYN Flooding."
I saw these attacks eleven times in the event logs over the past month.
The lady told me to go to a certain website where you could type in the IP address listed with the attack attempts and find out the company that controls the IP address - not the ISP, but whoever allocated it to the ISP.
I looked up some of the IP addresses and they came back with RIPE NCC (Network Coordination Centre), APNIC - Asia Pacific Network Information Centre, and Deutsche Telekom. Both the Netherlands and northern Sweden were listed as locations and all had an abuse email address to report the IPs.
I plan on doing that, but I'm not too excited since I don't think anything will come of it. The IPs are probably spoofed. Other countries have different laws, and I'm skeptical there will be any arrests or prosecution.
These attacks are new because when I got the modem and afterwards checked the event logs religiously, there were none.
Don't tell me this is normal. I feel like Vikings are at my door with a thunderous battering ram, and I'm being told to relax on the couch and just keep quietly reading my book. My logical belief is that if I do nothing, eventually an intrusion will be successful. I can't let this go. If I want to have a peaceful digital life, reading e-books, watching Netflix, and surfing news stories, I have to keep upping the ante too. I read that it's easier to find a way in than it is to keep everyone out.
One thing I'm curious about is if my neighbors' Wi-Fi networks are experiencing the same thing, with or without their knowledge.
Possibly they are clueless, like I once was. It's hard to believe that only my Wi-Fi network would be experiencing this crap. The only way I think that could be is if the intruder(s) were one of my neighbors themselves. However, seeing as I know half of them and the other half I've never met, I think that's doubtful. Still, the CenturyLink email address changing on my account echoes in my head.
According to the Comcast guy, IPv6 FORWARD drop attempts are attempts to access my modem.
I Googled WAN attacks, and was met with results like "How to Perform an Attack over WAN (Internet)" and "How to Configure Router for WAN Metasploit Attacks" and "How to Do Hacking the Internet."
Geez, who are these people?
Doesn't anyone have a conscience anymore?
Can't they go for a run or read a book or go shopping or hang out at the park or the mall or play with the dog or (from what is apparently becoming legal due to insurmountable popularity) smoke some weed? (Not me, the smell makes me nauseous.) I can understand there's a thrill from breaking into something you're not supposed to, but really people, grow up. Just because I build a LEGO tower, you have to knock it down? Yep. "(Unprintable.)"
Not Giving Up
I called Cisco, the company that manufactured my modem, and was told they didn't support it.
They had a general manual, but no, they couldn't mail it to me. They just manufacture the modem. If I wanted support for it, I'd have to call my ISP.
Cisco told me the ISP modifies the software on their modems to fit their own needs (which, I'm guessing, is to reduce user control). I re-perused the e-manual the Cisco guy sent me the first time I called, which described all sorts of settings I would love access to (some I still don't understand) but don't have.
"Block fragmented IP's. Block port scan detection. Block IP flood detection. Block WAN requests/anonymous Internet requests. IP access filtering. Blocked and allowed domain list. Cable modem state. NAS settings. Media Server settings. Scan settings."
I could go on. I won't.
I called Comcast/Xfinity and was told I needed to call "Security Assurance" who told me it's a technical support issue and then put me on hold, after providing me with a case number (ah, case numbers - the world would crumble without them).
I was told that there were only a few ports that Comcast/Xfinity monitors: 0, 25, 67, 135-139, 161, 445, 520, 547, 1080, and 1900.
I'm still too rookie to know what all these ports mean or what they do.
I read that there are common programs used to facilitate DoS attacks called Trinoo, TEN, TFN2K, and Stacheldraht.
For Trinoo, the default ports used are TCP 1524-27665 and UDP 27444-31335.
For Stacheldraht, TCP 16660-65000 and ICMP ECHO and ICMP ECHO REPLY.
Hmm... In my modem's parental controls, there is an option to block services. You have to type in the service. There isn't a list to choose from, but TCP and UDP are options you have to choose between, including their starting and ending ports. I put them in. It worked for the Trinoo ports, but when I tried to put in the Stacheldraht ports, I got a message saying "Conflict with other service. Please check your input!"
The only option was to click O.K., and the ports weren't blocked. I wondered what this other service was. Perhaps Stacheldraht is already using them. (It might be Netflix; I read that one of the services used by that port is streaming media.)
Another call to Comcast: Cisco had told me that Comcast/Xfinity modifies the software on their modems. When I went to the modem login page, it said "Xfinity."
I asked if they had any modems with more widely accessible user controls and security features. I was told there was no way to know if a different Comcast/Xfinity modem would have the same modified settings as my current one. I was sick of arguing at this point.
The frustrating thing is that even after researching different modems/routers and visiting a few stores, I still had no clue what to look for as an alternative.
I wanted all possible settings available to me. I wanted a list of every port and what it did, like on the Zyxel modem, with checkboxes to block incoming or outgoing connections. I wanted a web activity log and firewall, event, and system logs. I wanted parental controls, MAC and IP address filtering, the ability to control the range of the Wi-Fi signal (if such an option exists), and packet inspection abilities.
I wanted the strongest, most current encryption, which apparently right now is WPA2/enterprise/AES.
I wanted scanning abilities and domain, keyword, and application blocking options. It really sucks that all this is necessary.
Conclusion
I'm feeling so hopeless.
Even with everything I've learned, which doesn't feel like much, there's still too much I don't understand.
So far, the ISPs have been a gross disservice in terms of support.
The mess with CenturyLink was a bad punch line. Comcast so far has been unhelpful. Useless.
Every time I call, I have to give a lengthy explanation to eventually maybe get transferred to someone who knows what I'm talking about, and a few more of my brain cells die of frustration.
One guy I talked to said he was probably one of very few people who could understand the situation and the technical details. He gave me his direct extension and I was happy that I found someone who was telling me something other than "Change your password. Reset your modem. Hire a tech expert."
However, when I tried to call him, the number didn't work, and I found out that employee extensions are part of an internal phone system and can't be reached by the public. That felt like a slap in the face but there ain't shit I can do about it.
Most recently, I was told by Comcast not only what ports they monitor, but also that if I wanted more settings access, I would have to buy a modem.
Pretty much, "You're on your own, chump. Shell out for your own router because we can't help you. Otherwise, zip it and deal with the security issues." Sigh.
It's a tradeoff. Buy my own modem and get no tech support from the ISP or rent a modem from them and get zero security.
I don't have any money at the moment to hire any sort of reputable tech expert, nor do I know where to find one, and I can't buy a new modem yet either. I hope to go to a computer store in a nearby city and ask for advice there, but I can't do that until I figure out a way to get there, which I am working on.
I can keep trying to learn and figure things out on my own, but that is pretty slow going with lots of trial and error.
I feel a sense of urgency since my router is being hammered right now, but my hands are empty.
As of this moment, I'm stuck having a possibly compromised modem with shaky security settings.
I have to just hope and pray an attack doesn't get through.
Whether it does or whether it doesn't, I will not give up. Never will.