
Rogue 3rd Party Router Detected: U-Verse Router/Modem ATT 5031NV-030

networking router modem ATT U-Verse DNS IP address security privacy internet

4 replies to this topic

#1 bilo

bilo

    New Member

  • New Member
  • 2 posts

Posted 17 February 2016 - 07:41 AM

I was using the net like normal last night when I suddenly had connectivity issues, and my browser was redirected to a page warning me that a "Router Behind Router" was detected; a third-party router was suddenly detected. No one in the house made any hardware changes or added any new devices, and there were no other internet issues.

All devices were affected. We have two desktop PCs (I was on one), a couple of phones, a couple of tablets, a Roku, and a wireless Epson printer connected like always. I dug through the router and found no evidence of a rogue device within the connected and recently connected clients list (wired or wireless), but this left our net mostly crippled since 4 AM last night (for some reason Google and Gmail would occasionally work {not cached, actual live operation}).

I have an app on my phone that's usually pretty good at detecting Ettercap-type MITM attacks when I tested it, and it didn't make a peep during this, so does this sound like a definite sign of some sort of honeypot situation?

I came home today and found that a family member followed the prompts and (most likely) clicked "disable" (in the option below), which has me concerned that a rogue device has now been given permission to re-route all of our traffic. This allowed their internet to work, albeit a bit glitchy. I looked around the settings again and it appears that they had clicked "disable", which unintuitively actually ALLOWS the mystery 3rd party router, but the checkbox in the settings that detects 3rd party routers and redirects you to a local warning page within the router was now unchecked. (They changed their story and think they clicked "resolve" now, so I don't even know which they clicked. I told them not to touch it till I came home initially.) The problem with that is one option simply stops the redirect to the warning page by ignoring (what it thinks is) the third party router, and the other option opens up the first computer at the top of the list in full DMZ Mode. (What the hell?!)


What is going on? Why wouldn't this device be exposed in the device list in the router? How screwed are we? U-Verse is new to me, and I mostly hate it. I hate the router they assigned us, and am not used to not having full control over a simple standalone DSL modem with a separate router.
I lost the battle when we switched services, so here I am.

This is pretty bad, right? What do I do here? Simply factory reset the router and change pws and all that jazz? Firmware update? Will it even matter at this point?

UPDATE:
Now my public IP address is being reported by all websites, as well as by a local scan, as something like a giant MAC address?!?

Example:
Your public IP is:
1234:123:12ab:abc0:a123:1a23:12ab:a12e

Service: Basic AT&T U-Verse Internet (6-10 mbps-ish) and 1 Voip line (no TV)

Devices:
- 2 wired PCs*
- 3 wireless mobile
- 1 Roku operating wirelessly (but on that note, the Roku also shows up as its own access point for some reason, though it always did in the year they've had it).
- Router/Modem Combo (ATT 5031NV-030)*

*Running on powerline adapters, unfortunately. Not my choice, she said the installer insisted.

[Attached screenshot: Screenshot_2016-02-16-06-09-04.png]

 

Error: Router Behind Router Detection
The Connection Manager has detected a third party router connected to your 5031NV-030. This creates a condition where two routers each attempt to manage devices behind a NAT. This can create instability in your network and affect performance.

The Connection Manager can assign your third party router to DMZPlus Mode. This will allow both the 5031NV-030 and third party router to share the same public IP. Follow the instructions on the previous page to assign your third party router to the DMZ.

If you need to share devices within a network, the recommended solution is to attach a switch or hub to your 5031NV-030, and connect devices from your network to the switch. In this configuration, the NAT capabilities of your 5031NV-030 will assign private IP addresses to the connected devices, and allow those devices access to the internet via the public IP issued by your Broadband Service Provider.

Press the Back Button to continue.

Some of the router log from near the time this began:
[Attached screenshot of the router log]

 




#2 Digerati

Digerati

    Built, broke, fixed, learned.

  • Tech Team
  • 3,717 posts
  • MVP

Posted 17 February 2016 - 07:58 AM

I have never seen this problem before but I have set up multiple routers to isolate side networks. For example, when I had my repair business in my home, I had a second router attached to my primary router to create and isolate a separate network for my shop to avoid a potential infected computer in for repair from infecting one of my personal home computers on my primary network.

 

In your case, if me, I would do a full network reset. That is, unplug/disconnect everything - your modem/router and all computers, streamers (Roku), printers, and wireless devices from the wall for a full power shutdown. Don't just power off your PCs - they must be unplugged from the wall to remove all standby voltages too.

 

Then start where your service comes into the house and turn on your modem and wait for the lights to settle. Then your router (if not integrated into the modem). Then one Ethernet connected PC. At this point, check your logs and enter your router's admin menu to see the connected devices to make sure only your PC is connected. I would also change your wireless passphrase too.

 

Then work your way out to your other devices one at a time.

 

Also, are all your computers fully up to date and free of malware?


Bill (AFE7Ret)
Freedom is NOT Free!
Windows and Devices for IT, 2007 - 2018

Heat is the bane of all electronics!

─────────────────────

#3 Tomk

Tomk

    Beguilement Monitor

  • Global Moderator
  • 20,451 posts

Posted 17 February 2016 - 09:46 AM

Just for my information (probably won't be helpful to the original poster), but wouldn't an IP address of the form 1234:123:12ab:abc0:a123:1a23:12ab:a12e just be a IPv6 address rather than the IPv4 address that most of us are used to?


Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014
 

#4 bilo

bilo

    New Member

  • New Member
  • 2 posts

Posted 17 February 2016 - 10:01 PM

Hi, I appreciate the detailed insight.

 

The machine I was on is clean as far as I could tell. I wasn't anywhere unusual online at the time it started, and I always surf with NoScript on. Scans as recent as last week came up clean; no fishy issues.

 

I took your approach: unplugged everything (again) and left out all powerline adapters, Roku, PCs, and mobile after disabling wireless in the router completely, and cleared the known devices from the list so it could start from scratch. I unplugged all power, all Ethernet, and set up my laptop, which has a barely touched fresh install from a few months ago, and connected it directly to the router via Ethernet.

 

Same issues. No other devices listed or showing up in the logs. So it was just the laptop (fresh install Win7) and the router/modem combo. When I disable the "warn me of modem behind modem" I can still surf. In this environment Windows occasionally shows "no internet" on the icon despite being able to go to random sites, and it usually recovers from that after a while.

 

I don't know if a firmware update was just rolled out (I have the current version, but there is no date in the log of updates. I can't believe it doesn't give the user control of that).

 

I talked briefly to one person on a very local message board who said he's been having similar troubles, but I couldn't get him to be more specific other than "yeah, mine's been doing that kind of stuff all day too. I think they changed their DNS servers. AT&T doesn't see a problem on their end, I will probably buy a new modem".

 

 

> Digerati wrote:
>
> I have never seen this problem before but I have set up multiple routers to isolate side networks. For example, when I had my repair business in my home, I had a second router attached to my primary router to create and isolate a separate network for my shop to avoid a potential infected computer in for repair from infecting one of my personal home computers on my primary network.
>
> In your case, if me, I would do a full network reset. That is, unplug/disconnect everything - your modem/router and all computers, streamers (Roku), printers, and wireless devices from the wall for a full power shutdown. Don't just power off your PCs - they must be unplugged from the wall to remove all standby voltages too.
>
> Then start where your service comes into the house and turn on your modem and wait for the lights to settle. Then your router (if not integrated into the modem). Then one Ethernet connected PC. At this point, check your logs and enter your router's admin menu to see the connected devices to make sure only your PC is connected. I would also change your wireless passphrase too.
>
> Then work your way out to your other devices one at a time.
>
> Also, are all your computers fully up to date and free of malware?

 

 

You're right, Tomk. I realized that's what it probably was, I just have never seen it until now. It's very spotty: it shows up as IPv6, then reverts back to the usual static IPv4. I disabled IPv6 in the router just in case that was related to the issue somehow, but haven't noticed a change with anything else. If I remember correctly, the address showed up that way one more time despite that.

 

> Tomk wrote:
>
> Just for my information (probably won't be helpful to the original poster), but wouldn't an IP address of the form 1234:123:12ab:abc0:a123:1a23:12ab:a12e just be a IPv6 address rather than the IPv4 address that most of us are used to?

 

I just don't know what to do at this point. I didn't see any footprints leading up to the power outlet in the backyard, as big of a stretch as that would be. Deal with the run-around from tech support I usually get for mundane issues? Pull the plug on the service and run to cable? Ignore the messages and broken HTTPS and slap in a third-party router of my own? I thought about switching to Comodo's DNS servers just to try, but realized I don't even have the option in this equipment. If it was just me, it wouldn't be as big of a deal, but the bulk of this affects other non-tech-savvy people when I'm not around for stretches of time.

 

Thank you both for looking at this.


Edited by bilo, 18 February 2016 - 12:01 AM.
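An added example, written for this thread and not posted by anyone in it, to check the point Tomk raises and bilo confirms: the "giant MAC address" is an IPv6 address (eight 16-bit groups) rather than a MAC (six 8-bit groups). It also shows the one privacy case where the two really are related, an IPv6 interface identifier built from the device's MAC (modified EUI-64), and groups a series of "what is my IP" results so that a real IPv4 change can be told apart from a page simply alternating between families. The IPv4 and EUI-64 addresses in the sample are constructed documentation values; the IPv6 string is the one quoted in the thread.

```python
import re
from ipaddress import ip_address

def classify(text: str) -> str:
    """Return 'ipv4', 'ipv6', 'mac' or 'unknown'. A MAC is six 8-bit hex groups
    (48 bits); an IPv6 address is eight 16-bit groups (128 bits), hence the
    'giant MAC address' look."""
    try:
        return "ipv4" if ip_address(text).version == 4 else "ipv6"
    except ValueError:
        pass
    groups = re.split(r"[:-]", text)
    if len(groups) == 6 and all(re.fullmatch(r"[0-9A-Fa-f]{2}", g) for g in groups):
        return "mac"
    return "unknown"

def embedded_mac(text: str):
    """If the IPv6 interface identifier is a modified EUI-64 (RFC 4291, App. A),
    return the hardware MAC it was built from, else None. That is the privacy
    angle: such an address exposes the device's MAC to every site it visits."""
    try:
        ip = ip_address(text)
    except ValueError:
        return None
    if ip.version != 6:
        return None
    iid = ip.packed[8:]            # low 64 bits = interface identifier
    if iid[3:5] != b"\xff\xfe":    # EUI-64 inserts ff:fe between the MAC halves
        return None
    first = iid[0] ^ 0x02          # undo the universal/local bit flip
    mac = bytes([first]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)

def summarize(observations):
    """Group 'what is my public IP' results by family. 'ipv4_changed' is the
    question that matters for a double-NAT worry; a page merely alternating
    between IPv4 and IPv6 answers does not set it."""
    seen = {"ipv4": [], "ipv6": [], "other": []}
    for obs in observations:
        fam = classify(obs)
        key = fam if fam in ("ipv4", "ipv6") else "other"
        if obs not in seen[key]:
            seen[key].append(obs)
    return {"distinct": seen, "ipv4_changed": len(seen["ipv4"]) > 1}

# Constructed sample: the thread's IPv6 string, a TEST-NET-3 IPv4, an EUI-64 address.
SAMPLE = ["203.0.113.7", "1234:123:12ab:abc0:a123:1a23:12ab:a12e",
          "203.0.113.7", "2001:db8::211:22ff:fe33:4455"]
```

Run `summarize(SAMPLE)` to see one distinct IPv4 (so `ipv4_changed` is False) and two IPv6 addresses, and `embedded_mac` on the second IPv6 address to recover the MAC it encodes.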


#5 Digerati

Digerati

    Built, broke, fixed, learned.

  • Tech Team
  • 3,717 posts
  • MVP

Posted 18 February 2016 - 10:01 AM

I note that many ISPs are now issuing modems that provide hotspots so others (supposedly subscribers) can use your wireless modem to gain access to the Internet. I wonder if that is what this is?

 

See http://www.zdnet.com...to-share-wi-fi/


Bill (AFE7Ret)
Freedom is NOT Free!
Windows and Devices for IT, 2007 - 2018

Heat is the bane of all electronics!

─────────────────────
