Re: Ubiquiti routers now run nmap automatically causing an interesting situation

["Dario Ciccarone \(dciccaro\) via dev" <dev () nmap org>]

Hey, Nick:

        One other option missing here is - contacting Ubiquiti and talk to them ? About the issues their default 
behavior is creating ? And I assume they're not only scanning *your devices*, but probably the whole L3 subnet, so 
others may also experience similar issues. Or worse - if the device doesn't react properly to the scan . . . 

        So I would contact Ubiquiti, explain the situation, see what they say. 

        Also, while the "contact Ubiquiti Support" is not a bad idea, I think you go with "Do you have an Ubiquiti 
router in your network? If yes, please go to www.silicondust.com/security/ubiquiti" or something like that - and on the 
page, you can explain (in simple terms) to your customers what the issue seems to be, and provide a link to the 
Ubiquiti documentation explaining how to enable/disable this feature. Might also want to add "We don't recommend 
keeping this feature enabled, nor we recommend it to be disabled - as it has no negative impact on our device, leaving 
it enabled or disable it is up to each customers' particular setup and environment", or, again, something along those 
lines.

        Thanks,
        Dario

On 8/25/21, 8:53 PM, "dev on behalf of Nick Kelsey" <dev-bounces () nmap org on behalf of nickk () silicondust com> 
wrote:

    Interesting situation...

    At my day job (Silicondust) we have started getting support 
    questions/complaints from customers who have Ubiquiti routers at home - 
    it seems that Ubiquiti routers now run Nmap automatically, not sure if 
    daily.

    When Nmap probes a Silicondust HDHomeRun tuner it works well - Nmap 
    finds port 80 (device webpages) and port 5004 (http for video) and 
    correctly identifies it as a HDHomeRun device.

    Likewise the HDHomeRun does fine being probed by Nmap. Nmap generates 31 
    TCP requests to port 5004 and the HDHomeRun simply logs these 31 failed 
    requests.

    Both Nmap and HDHomeRun are doing their jobs correctly. You get some log 
    messages but you just ran a probe so they are expected.

    The problem - Ubiquiti routers are doing this without the user being 
    aware it is happening. The user sees hundreds of failed attempts to 
    access the HDHomeRun in the HDHomeRun logs and they are reporting it to 
    us thinking something is wrong. Further complicating things - the source 
    IP is logged as being from the router so at first glance it could 
    (incorrectly) look like an attacker has figured out how to reach a LAN 
    device via the Internet.

    Could disable these log messages but that would hinder normal 
    diagnostics where the user is trying to figure out why a tune request 
    wasn't accepted.

    Could detect that it is a Nmap probe but I object to this on principle.

    Could firewall all Ubiquiti MAC address ranges so it can't probe.

    Could manage the problem by having support reassure customers that these 
    errors are normal because of their router. That has a ongoing cost 
    associated with it.

    I quite like the idea of appending "please contact Ubiquiti support" to 
    the end of every failed log message when a Ubiquiti router is detected :-)

    Interested in thoughts on the subject. Should probably just manage the 
    support problem but it annoys me to have to manage a problem created by 
    someone else.

    Thoughts?

    Nick

    _______________________________________________
    Sent through the dev mailing list
    https://nmap.org/mailman/listinfo/dev
    Archived at http://seclists.org/nmap-dev/

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/