Firewall security setting question in wake of DDoS attack


#1

Dear Rachio Team,
After Friday’s DDoS I wanted to tighten my home network security for IPv4, looked up the US-CERT recommendations, strengthened my router’s username and password and disabled UPnP. When I increased the security level from Custom to Medium (picture below), my GenII was no longer able to go online. It looks as if you are using one of the peer-to-peer apps listed in the Medium section, as I can reproduce the online/offline status for my Rachio. Needless to say that I do not inherently trust these bittorrents etc.
Can you advise what ports rachio needs open, and what this community’s best options are to be safe and that our rachio controllers cannot be accessed for future DDoS attacks or other hacks?
Thanks a lot in advance for your guidance.


#2

Excellent question and one I’m sure we’re all interested in. Looking forward to Rachio’s response.


#3

@hgugger @jyantzer

Here are the current ports that are needed for Gen 1 and Gen 2.

Hope this helps.

:cheers:


#4

Thanks @franz.
My TWC Technicolor router allows for port forwarding and port triggering, and this is unfamiliar territory for me (not a gamer, so normally no need to go there). Which one applies to communicate with rachio?
My desired outcome would be to just open these ports for rachio, but disable the peer to peer apps described in my previous post. Any guidance there?
Last but not least, McAfee shows me an open port list behind the router. While rachio works perfectly, none of the ports you mention are open in McAfee…fever pitch confusion level here…
Last but not least, do you folks at rachio have a recommendation for commercial or free port forwarding software to set and test the port status?
I know it is a lot, and I will try to read up as well :slight_smile:


#5

I can’t think of a good analogy for this, so apologies in advance.

If a device inside your network (say, your computer running a web browser) initiates a connection to a remote server on the Internet (say, the server Rachio uses to host this community website), your firewall will allow the remote server to send data back across that connection, until that connection gets closed. It’s kind of like a phone call. You call out, and whoever you call can talk back.

What your firewall prevents (unless you specifically open up incoming ports) is for any device on the outside of your network to initiate a connection back into your network. Basically, nobody can “call you”, unless you start opening up ports.

My guess is that the Iro works the same way. It initiates a connection from inside your network to a remote server on Rachio’s end, and Rachio’s server talks back over that. I’d guess that Rachio’s server never initiates a connection back to your Iro, so there’s no need for the inbound port to be open, which is why it works even when you don’t have that port open.


#6

@aristobrat seems like he has a good handle on the subject. I know we’ve had customers only open the ports referenced above with success.

I’ve forwarded this to our hardware engineer who might have some recommendations.

:cheers:


#7

Gen2 should never need any port forwarding. All of the connections the gen2 makes to the outside world are initiated from the gen2.


#8

Thanks very much @aristobrat, very plausible analogy. Along similar lines, my McAfee logic was flawed, since McAfee in this case protects my computer and not the router traffic.

If I understand you correctly, rachio servers always respond and don’t initiate, which then would also be true for the firmware updates on port 80 per http://support.rachio.com/article/513-advanced-offline-troubleshooting.

If I now take our logic (confirmed by @dgp) to the next level, shouldn’t my rachio controller be able to communicate with your server regardless of the router security level setting I described at the start of the thread?

In any case, I forwarded the three ports, but same result: offline at typical security setting, online at custom setting…
Next, I enabled the UPnP functionality: no change.
Below is the port forwarding settings. Is there anything wrong with what I did?

Now I just looked into the firewall log and made an interesting discovery:
the only target port that gets consistently denied is from my rachio controller’s reserved IP address to one of your server IPs, port 8883.
Hope this helps the diagnosis…
Have to go do some real work again :wink:
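The firewall-log finding in this post (one destination port consistently denied from the controller’s address) is the kind of thing worth pulling out of a log automatically. The script below is an added example, not code from the thread or from Rachio; the log lines are constructed in a generic syslog-like format and do not reproduce the TC8715D’s real log format, and the destination address is an RFC 5737 documentation address, not a Rachio server.

```python
import re
from collections import Counter

# Constructed sample lines in a generic "DENY <direction> src= dst= proto= dport=" format.
# 192.168.0.106 is the controller's reserved LAN address from the thread; the other
# addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
Oct 24 09:12:01 router fw: DENY out src=192.168.0.106 dst=198.51.100.20 proto=tcp dport=8883
Oct 24 09:12:31 router fw: DENY out src=192.168.0.106 dst=198.51.100.20 proto=tcp dport=8883
Oct 24 09:12:45 router fw: DENY in src=203.0.113.77 dst=203.0.113.10 proto=tcp dport=23
Oct 24 09:13:01 router fw: DENY out src=192.168.0.106 dst=198.51.100.20 proto=tcp dport=8883
Oct 24 09:13:20 router fw: DENY in src=203.0.113.88 dst=203.0.113.10 proto=tcp dport=2323
"""

LINE_RE = re.compile(
    r"DENY (?P<dir>in|out) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\S+) dport=(?P<dport>\d+)"
)


def parse_denies(text):
    """Yield one dict per DENY line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            entry = m.groupdict()
            entry["dport"] = int(entry["dport"])
            yield entry


def egress_denies(text):
    """Blocked LAN->WAN attempts, counted by (source host, destination port).
    These are the interesting ones: a device trying to call out and failing."""
    return Counter((d["src"], d["dport"]) for d in parse_denies(text) if d["dir"] == "out")


def ingress_denies(text):
    """Blocked WAN->LAN attempts, counted by (target, port). On a home router
    with no port forwards this is normal background noise (scanners, worms)."""
    return Counter((d["dst"], d["dport"]) for d in parse_denies(text) if d["dir"] == "in")


def diagnose(text, host, required_ports):
    """Return the ports from required_ports that 'host' was blocked from reaching."""
    blocked = {port for (src, port) in egress_denies(text) if src == host}
    return sorted(blocked & set(required_ports))


if __name__ == "__main__":
    for (src, port), n in egress_denies(SAMPLE_LOG).most_common():
        print(f"egress denied {n}x: {src} -> port {port}")
    print("controller blocked from:", diagnose(SAMPLE_LOG, "192.168.0.106", {53, 80, 8883}))
```

Run against a real export, the split between outbound and inbound denies is the first thing to look at: repeated outbound denies from one device to one port point at an egress rule, while inbound denies to the router’s WAN address with no forward behind them are the firewall doing its job.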


#9

You don’t need any of that port forwarding. You should probably remove it.

The only situation where you need to change firewall rules is where you have a very strict policy where traffic from your network to the internet is also being filtered. That sort of setup is very uncommon for home users, but it’s quite common for corporate networks etc. to only allow access to websites and a few other services, and that’s the type of situation where the list of ports the gen2 connects to is needed.


#10

By forwarding those three ports (inbound), your router will allow anyone on the Internet to connect to 192.168.0.106 (using those ports). I assume 192.168.0.106 is your Iro. In my opinion, you don’t want to do that. The only time that’d be needed would be if Rachio’s server were ever trying to initiate a connection to your Iro, which as far as I can tell never happens. I don’t have any ports forwarded for anything on my router, and my Iro, Ecobee 3, gaggle of TiVo DVRs, and a bunch of home automation stuff all work fine (because if they need to talk to their servers, they initiate the connection, not the servers).

I think the purpose of Rachio identifying the three ports (53, 80, 8883) is for networks that don’t allow all ports on the LAN out to the WAN (Internet). IMO, this is more common on a business network than a home network. For example, where I work, the only two ports they allow out to the Internet from employee computers are 80 and 443 (for web surfing). Every other port is blocked. So if I had an Iro installed at my desk (to test?), it wouldn’t be able to talk to Rachio’s servers because my employer’s firewall blocks traffic on port 8883 outbound. IMO, knowing that the Iro needs ports 53, 80, and 8883 is only useful for locked-down networks like that. If I had to get the Iro working at work, I could plead with the security guys to open those needed ports. Home networks aren’t locked down like that (nor in my opinion should they be), so no action is required in regard to those ports.
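The three situations discussed in #5 and #10 (a device calling out and getting its reply back, an unsolicited connection from the Internet with and without a port forward, and a corporate-style egress filter that only lets 80 and 443 out) are easy to confuse in words. The model below is an added example, not code from the thread or from Rachio. It keeps the controller’s LAN address from the thread and the three ports listed for the Gen2; the server and attacker addresses are RFC 5737 documentation addresses, and NAT is left out so both directions are shown with LAN addresses as the firewall sees them after translation.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

CONTROLLER = "192.168.0.106"     # the Iro's reserved LAN address (from the thread)
RACHIO_PORTS = {53, 80, 8883}    # ports listed for the Gen2 in this thread
SERVER = "198.51.100.20"         # placeholder cloud endpoint, not a real Rachio server
ATTACKER = "203.0.113.77"        # placeholder Internet host

Flow = Tuple[str, int, str, int]  # (src ip, src port, dst ip, dst port)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class StatefulFirewall:
    """A home router's firewall reduced to its essentials."""
    lan_prefix: str = "192.168.0."
    # None means "LAN-to-WAN: Allow all" (the Medium setting in the thread);
    # a set is a corporate-style allowlist of destination ports permitted outbound.
    egress_allow: Optional[Set[int]] = None
    # Explicit port forwards: (lan ip, lan port) pairs reachable from anywhere.
    port_forwards: Set[Tuple[str, int]] = field(default_factory=set)
    state: Set[Flow] = field(default_factory=set)   # flows a LAN device started

    def is_lan(self, ip: str) -> bool:
        return ip.startswith(self.lan_prefix)

    def handle(self, p: Packet) -> str:
        flow: Flow = (p.src, p.sport, p.dst, p.dport)
        reverse: Flow = (p.dst, p.dport, p.src, p.sport)
        if self.is_lan(p.src) and not self.is_lan(p.dst):
            # LAN -> WAN: the device "calls out".
            if self.egress_allow is not None and p.dport not in self.egress_allow:
                return "DENY egress"
            self.state.add(flow)                 # remember it so the answer can come back
            return "ALLOW egress"
        if not self.is_lan(p.src) and self.is_lan(p.dst):
            # WAN -> LAN: only answers to flows we started, or explicit forwards.
            if reverse in self.state:
                return "ALLOW reply"
            if (p.dst, p.dport) in self.port_forwards:
                return "ALLOW forwarded"         # anyone on the Internet can reach this
            return "DENY ingress"
        return "ALLOW local"


def run_scenarios() -> Dict[str, str]:
    results = {}
    # 1. Typical home setting: everything out, nothing unsolicited in.
    home = StatefulFirewall()
    results["home: controller -> server:8883"] = home.handle(Packet(CONTROLLER, 50123, SERVER, 8883))
    results["home: server reply"] = home.handle(Packet(SERVER, 8883, CONTROLLER, 50123))
    results["home: attacker -> controller:8883"] = home.handle(Packet(ATTACKER, 4444, CONTROLLER, 8883))
    # 2. Same, plus the three ports forwarded to the controller (the experiment in #8).
    forwarded = StatefulFirewall(port_forwards={(CONTROLLER, port) for port in RACHIO_PORTS})
    results["forwarded: attacker -> controller:8883"] = forwarded.handle(Packet(ATTACKER, 4444, CONTROLLER, 8883))
    # 3. Corporate-style egress filter: only 80 and 443 out (the workplace in #10).
    corp = StatefulFirewall(egress_allow={80, 443})
    results["corp: controller -> server:8883"] = corp.handle(Packet(CONTROLLER, 50124, SERVER, 8883))
    results["corp: controller -> server:80"] = corp.handle(Packet(CONTROLLER, 50125, SERVER, 80))
    return results


if __name__ == "__main__":
    for case, verdict in run_scenarios().items():
        print(f"{case:45} {verdict}")
```

The forwarded case is the one to notice: the forward does nothing for the controller’s own outbound traffic, which was already allowed, and only adds a path for strangers to reach it. The corporate case is the only one where the published port list matters.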


#11

Thanks both, have removed these forwarded ports (yes .106 is my Iro/rachio). Very helpful advice!
Both screenshots in my posts are from my Technicolor TC8715D (supplied by TWC).

https://www.timewarnercable.com/content/dam/residential/pdfs/support/internet/ModemUserGuides/technicolor-tc8715d-userguide.pdf

Any ideas on security level setting above still welcome, as I would like to get back to the typical setting as outlined, but this might be beyond the scope of this forum. Thanks for all the great advice you gave me in this minefield.


#12

Looking at the screenshot in your first post, I’m not sure why the Typical Security (Medium) would cause the Iro to not work. It says “LAN-to-WAN: Allow all”, which is all that I’d expect the Iro would need.

Regarding the DDoS attack, that almost always requires someone on the Internet having the ability to initiate a connection to a device on your internal network. For that to happen, port forwarding usually has to be set up. Setting up port forwarding for IP cameras is a common thing. So I wasn’t too shocked to hear that it was mostly IP cameras (and a certain brand of DVR) that made up the majority of devices in last week’s DDoS attack.

IMO, as long as you don’t have port forwarding set up for any of your devices, it’s really unlikely any device in your house will ever participate in a future DDoS attack. I mean, it’s possible… if someone hacked TiVo’s servers (that my TiVo DVRs initiate connections to daily) and figured out a way for them to instruct my TiVos to do something bad, … that’s technically possible, just a lot harder than what was required to pull off last week’s DDoS attack.


#13

Ditto for the gen1. The gen1 has no open ports (well, it listens to DHCP and DNS replies to its requests) and requires no WAN-to-LAN ports to be opened. The device maintains a single outbound connection, by default on port 31314 but it will fall back to 993 (and 443 on the next version) if it can’t get out on 31314.

Currently, outbound connections on the gen1 are secured with TLS1.0-AES128 (with RSA1024-SHA certs), but very shortly - in the next couple of weeks - all devices will be upgraded to use TLS1.2-ECDHE-AES128 (with RSA2048-SHA256 certs), so state-of-the-art forward secrecy.

Software upgrades are AES128-GCM encrypted and RSA4096 signed, and are fetched over a plain port 80 HTTP connection. The OS signing keys are held in a FIPS140-2 certified HSM that requires multi-factor authentication and physical presence to sign a build.
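The difference between the two configurations named in this post (TLS 1.0 with RSA key exchange, versus TLS 1.2 with ECDHE, which gives forward secrecy) is visible from the client side without touching the device. The snippet below is an added example, not code from the thread, from Rachio or from Electric Imp: it builds a Python client context that refuses anything below TLS 1.2 and only offers ephemeral key exchange, then checks which suites that leaves. The OpenSSL suite names used for the "legacy" and "modern" cases are my mapping of the post’s description, not names quoted from it.

```python
import ssl

# OpenSSL spellings chosen to match the post's description (assumption, not quoted from it):
# the legacy suite uses plain RSA key exchange (no forward secrecy, TLS 1.0 era);
# the modern one uses ephemeral ECDH, so a later key compromise does not unlock old traffic.
LEGACY_SUITE = "AES128-SHA"
MODERN_SUITE = "ECDHE-RSA-AES128-GCM-SHA256"


def hardened_client_context() -> ssl.SSLContext:
    """Client context: TLS 1.2 minimum, certificate and hostname verification on,
    TLS 1.2 suites restricted to ECDHE + AES-GCM. TLS 1.3 suites are always
    ephemeral and remain enabled regardless of the cipher string."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:!aNULL:!eNULL:!MD5")
    return ctx


def offered_suites(ctx: ssl.SSLContext) -> list:
    """Names of the suites this context would offer in a ClientHello."""
    return [c["name"] for c in ctx.get_ciphers()]


def is_forward_secret(ctx: ssl.SSLContext, suite: str) -> bool:
    """True only if 'suite' is enabled in ctx and uses an ephemeral key exchange."""
    for c in ctx.get_ciphers():
        if c["name"] == suite:
            # TLS 1.3 suites do not name a key exchange (it is always ephemeral);
            # TLS 1.2 suites expose it in OpenSSL's description as Kx=ECDH or Kx=DH.
            desc = c["description"]
            return c["protocol"] == "TLSv1.3" or "Kx=ECDH" in desc or "Kx=DH" in desc
    return False


def weakest_protocol(ctx: ssl.SSLContext) -> str:
    """The oldest protocol version any enabled suite dates from, as reported by OpenSSL."""
    order = {"SSLv3": 0, "TLSv1": 1, "TLSv1.2": 2, "TLSv1.3": 3}
    return min((c["protocol"] for c in ctx.get_ciphers()), key=lambda p: order.get(p, 99))


if __name__ == "__main__":
    ctx = hardened_client_context()
    for name in offered_suites(ctx):
        print(f"{name:40} forward secrecy: {is_forward_secret(ctx, name)}")
    print("legacy suite offered:", LEGACY_SUITE in offered_suites(ctx))
```

Pointing this context at a real server (with `ctx.wrap_socket(..., server_hostname=...)`) is how you would confirm the upgrade from the client side: a server that only speaks the legacy configuration will fail the handshake rather than silently negotiate down.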


#14

@hfiennes

Thanks for that detailed explanation, you rock!

BTW for everyone else - Hugo is the founder of electricimp.com, a truly amazing company and product.

:cheers:


#15

You shouldn’t need any port configuration.
Unless you are operating a service e.g. your own web site, or some particular games, you will not need
port forwarding or port triggering.

Your router will generally block incoming traffic (to the controller) if it has not already “called outbound”.
However, outbound traffic initiated (by the controller) will allow a “return channel” for communication.

It should just work if you are configured as a typical home network,
i.e. not blocking outbound traffic at the router the way a corporate network might.

Easiest network security is with controller operating with a (1) Guest Network using (2) Wireless Isolation
(by whatever name your router mfg calls them).
(During setup your phone must be on the Guest Network. You can ‘Forget’ it after configuration.)

Then the controller is not in contact with your other home network devices e.g. PCs,
but able to contact the Rachio servers in the cloud as necessary.

Use a password manager to generate a strong password, or use a suitably long pass phrase.
(For the router too. And disallow router admin access from the WAN side.)
(Not sure what the character limits are for Rachio devices off the top of my head.)

No guarantees but these precautions make it highly unlikely you will be part of the next big DoS attack.


#16

Thank you @MFMurphy00 and @hfiennes,
this session has been very educational for me - and it also reminded me of the joke that “I don’t have to outrun the bear, but only the person between me and the bear” :grinning:, in this case leaky home networks.

Since you seem to have much deeper expertise than I will ever have, is there an explanation for the Rachio going “offline” when I choose the Medium security level for my router, shown at the top of this thread in my first post?

  • when “offline”, will my gen2 still be able to initiate outbound traffic, and get a server answer?
    I originally concluded that it would have to show “online” to work properly, but this might be wrong?

#17

I don’t know how the gen2 works, but given that the screenshot shows medium allowing all LAN-to-WAN traffic, it’s certainly strange that things aren’t working for you. I would expect the “online” state is set when the gen2 initiates a successful outbound connection (over which data can then flow both ways).