Nmap Development mailing list archives

Ubiquiti routers now run nmap automatically causing an interesting situation


From: Nick Kelsey <nickk () silicondust com>
Date: Wed, 25 Aug 2021 17:53:27 -0700

Interesting situation...

At my day job (Silicondust) we have started getting support questions/complaints from customers who have Ubiquiti routers at home - it seems that Ubiquiti routers now run Nmap automatically, not sure if daily.

When Nmap probes a Silicondust HDHomeRun tuner it works well - Nmap finds port 80 (device webpages) and port 5004 (http for video) and correctly identifies it as an HDHomeRun device.

Likewise the HDHomeRun does fine being probed by Nmap. Nmap generates 31 TCP requests to port 5004 and the HDHomeRun simply logs these 31 failed requests.

Both Nmap and HDHomeRun are doing their jobs correctly. You get some log messages but you just ran a probe so they are expected.

The problem - Ubiquiti routers are doing this without the user being aware it is happening. The user sees hundreds of failed attempts to access the HDHomeRun in the HDHomeRun logs and they are reporting it to us thinking something is wrong. Further complicating things - the source IP is logged as being from the router so at first glance it could (incorrectly) look like an attacker has figured out how to reach a LAN device via the Internet.

Could disable these log messages but that would hinder normal diagnostics where the user is trying to figure out why a tune request wasn't accepted.

Could detect that it is an Nmap probe but I object to this on principle.

Could firewall all Ubiquiti MAC address ranges so it can't probe.

Could manage the problem by having support reassure customers that these errors are normal because of their router. That has an ongoing cost associated with it.

I quite like the idea of appending "please contact Ubiquiti support" to the end of every failed log message when a Ubiquiti router is detected :-)

Interested in thoughts on the subject. Should probably just manage the support problem but it annoys me to have to manage a problem created by someone else.

Thoughts?

Nick

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/

