I've come to the conclusion that my router* is getting hacked by some clever folks and it's not good.
It started a couple of weeks ago when I noticed disconnects.
I check out the router at 10.0.0.1 and find admin/password doesn't work, and someone else's SSID and other people's devices are showing on the welcome screen.
Odd since my SSID still runs decent enough that I might not have noticed otherwise.
So I reset the router, it comes up clean, I immediately change the password to something strong and never used before, continue to customize my settings, hit save and all good.
Until 24 hours later - disconnect issues again, so I check 10.0.0.1 and there is the same thing - someone else's SSID and other people's devices showing on the welcome screen.
Mind you this is the same someone else's SSID, not something random or new so I'm thinking must be a config mistake somewhere.
I follow the same steps to reconfig, only adding a few more security measures; I start locking things down in the config.
Within an hour, the "bad" config is back.
So I call Comcast and open a ticket; they're not sure what's happening but ask me to reset my account password and exchange the device.
Done. I go through the setup process again, making sure to save and download.
Within an hour, the "bad" config is back on the new device.
Full reset - disconnect the router from the internet (unplug the coax), full reconfig and save. All good. An hour goes by, still all good.
Plug the coax back in and immediately (2-3 mins) the bad config is back.
Disconnect the coax, reboot the router and it comes up clean with my good config, no configuration change is needed.
This tells me that the router(s) are correctly saving the config changes and something else via the Internet is overwriting the config on purpose.
I log in to my Comcast account just to make sure that Comcast isn't doing a config push automatically, but the few settings on there are correct.
Plug it back in to the Internet (Coax) and again within 2-3 mins the bad config is back.
Now I go into full lockdown mode - full reset on the router, disable every setting I can including as much IPv6 as possible**, IPv6 custom firewall, high security for the IPv4 firewall, 192.168.0.1 default gateway, everything available through the Arris interface. I'm feeling good. Firewall logs show IPv6 attempts are getting blocked by the firewall, 10 minutes go by and I'm still up and running.
Since I've just beaten the hackers, I'm feeling good and go to the grocery store, except when I get back - the bad config has returned.
I've read some stories about the Arris PoTD and other issues but I just want a config that will survive.
*Arris TG1682G running 2.4p2s1, fresh off the Comcast shelf after my previous Arris TG1682G modem/router had the same issue.
**DNS now picks up Comcast IPv4 resolvers by default instead of v6
| FW.IPv6 INPUT drop , 74 Attempts, 2018/1/27 05:23:28 | Firewall Blocked |
| FW.IPv6 FORWARD drop , 144 Attempts, 2018/1/27 05:23:12 | Firewall Blocked |
| FW.WANATTACK DROP , 3 Attempts, 2018/1/27 05:20:01 | Firewall Blocked |
Within 3 minutes I get an error and see the router has been reset to the bad config.
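The three firewall entries above are the only hard evidence in the post, and the Arris log viewer only shows them one screen at a time. The following is an added example, not code from the original post or from Arris: a small parser for that log format (rule, action, aggregated attempt count, timestamp) that works on lines copied from the web interface, whether they arrive in the pipe-table form above or run together on one line as they are quoted later in the thread. The sample input is the post's own three entries; everything else (function and field names) is the example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Sample input: the three Arris firewall log entries from the post, in the
# pipe-table form the forum rendered them in. The parser also accepts the
# entries run together on one line, as in the reply further down.
SAMPLE_LOG = """
|FW.IPv6 INPUT drop , 74 Attempts, 2018/1/27 05:23:28||Firewall Blocked|
|FW.IPv6 FORWARD drop , 144 Attempts, 2018/1/27 05:23:12||Firewall Blocked|
|FW.WANATTACK DROP , 3 Attempts, 2018/1/27 05:20:01||Firewall Blocked|
"""

# One entry reads "<rule> <action> , <n> Attempts, YYYY/M/D HH:MM:SS".
# The rule is "FW." plus a family name and an optional upper-case chain
# (INPUT/FORWARD); the action word follows. Backtracking in the optional chain
# group keeps "FW.WANATTACK DROP" parsing as rule "FW.WANATTACK", action "DROP".
ENTRY_RE = re.compile(
    r"(?P<rule>FW\.[A-Za-z0-9]+(?: [A-Z]+)?)\s+(?P<action>\w+)\s*,\s*"
    r"(?P<attempts>\d+)\s+Attempts,\s*"
    r"(?P<ts>\d{4}/\d{1,2}/\d{1,2} \d{1,2}:\d{2}:\d{2})"
)


@dataclass(frozen=True)
class FirewallEvent:
    rule: str        # e.g. "FW.IPv6 INPUT"
    action: str      # normalised to lower case; the device mixes "drop"/"DROP"
    attempts: int    # hits the device aggregated into this single entry
    when: datetime


def parse_firewall_log(text: str) -> List[FirewallEvent]:
    """Extract every firewall entry found anywhere in *text*, oldest first."""
    events = [
        FirewallEvent(
            rule=m.group("rule"),
            action=m.group("action").lower(),
            attempts=int(m.group("attempts")),
            # strptime accepts the un-padded month/day the device emits
            when=datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S"),
        )
        for m in ENTRY_RE.finditer(text)
    ]
    return sorted(events, key=lambda e: e.when)


def attempts_by_rule(events: List[FirewallEvent]) -> Dict[str, int]:
    """Total blocked attempts per rule, so the noisiest chain stands out."""
    totals: Counter = Counter()
    for e in events:
        totals[e.rule] += e.attempts
    return dict(totals)


def attempts_per_minute(events: List[FirewallEvent]) -> float:
    """Overall hit rate across the window the entries span (0.0 if < 2 entries)."""
    if len(events) < 2:
        return 0.0
    span_min = (events[-1].when - events[0].when).total_seconds() / 60
    total = sum(e.attempts for e in events)
    return total / span_min if span_min > 0 else float(total)


if __name__ == "__main__":
    evs = parse_firewall_log(SAMPLE_LOG)
    for e in evs:
        print(f"{e.when:%Y-%m-%d %H:%M:%S}  {e.rule:<16} {e.action:<5} {e.attempts:>4}")
    print("totals:", attempts_by_rule(evs))
    print(f"rate: {attempts_per_minute(evs):.1f} attempts/min")
```

Paste a longer stretch of the log viewer into `SAMPLE_LOG` (or read a file) and the per-rule totals and the rate over the window give a quick picture of how much of the noise is IPv6 INPUT/FORWARD versus the WANATTACK family, which is the kind of summary worth attaching to an ISP ticket.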
I would check and see if MoCA is disabled on your modem, and if you have a MoCA "POE" filter on your line; if not, I would add one. Make sure MoCA is disabled.
| FW.IPv6 INPUT drop , 74 Attempts, 2018/1/27 05:23:28 | Firewall Blocked |
| FW.IPv6 FORWARD drop , 144 Attempts, 2018/1/27 05:23:12 | Firewall Blocked |
| FW.WANATTACK DROP , 3 Attempts, 2018/1/27 05:20:01 | Firewall Blocked |
Be careful on what you block for IPv6; you could be blocking your own traffic. Like if you block all ICMPv6, IPv6 will be in a broken state and not work right.