cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

What's the Mongolian connection?

FIXED
kjpetrie
Aspiring Pro
Posts: 214
Thanks: 31
Fixes: 5
Registered: ‎19-12-2010

What's the Mongolian connection?

‎18-02-2020 1:17 PM

I see the following in my router  log:

12:15:20, 18 Feb.    (1826286.400000) PPPoE is down after 2016 minutes uptime [Waiting for Underlying Connection (WAN Ethernet 7 -​ Down)]
12:15:17, 18 Feb.    (1826283.860000) PPP LCP Send Termination Request [User request]
12:14:58, 18 Feb.    IN: BLOCK [16] Remote administration (TCP [122.201.19.99]:56199-​>[nn.nn.nn.nn]:8080 on ppp3)

(My IP address hidden)

According to geoip, 122.201.19.99 is in Mongolia! I also note we see the URL "https://dbtpnhdm.bt.mo" in logs quite often.

Who logs into my router to control it from Mongolia? I find it rather disconcerting, given the security implications of the Internet, and concern about Russia and China, between which Mongolia is sandwiched.

 

Message 1 of 9
(1,783 Views)
0 Thanks
8 REPLIES 8
Mads
Plusnet Alumni (retired)
Plusnet Alumni (retired)
Posts: 1,873
Fixes: 79
Registered: ‎06-08-2018

Re: What's the Mongolian connection?

Fix

‎18-02-2020 1:46 PM

Hey @kjpetrie,

Thanks for highlighting this. It's not uncommon to see IP addresses or web URLS in the router log for your router - the router is blocking these and essentially doing the job it's designed to do. If you have any concerns about the security of your connection, you can force the router to assign you another IP address by turning it off overnight, though I would stress that this won't prevent 3rd parties testing your connection - as previously mentioned, this is commonplace and the router is designed to prevent access to your connection - exactly as it has done so in the screenshot you've provided.

 

Thanks.

Message 2 of 9
(1,775 Views)
0 Thanks
kjpetrie
Aspiring Pro
Posts: 214
Thanks: 31
Fixes: 5
Registered: ‎19-12-2010

Re: What's the Mongolian connection?

‎18-02-2020 5:26 PM

Oh, I see. I was fooled by the next two lines into thinking the connection had succeeded and issued the request to disconnect and reset the WAN after doing whatever it did. I didn't notice that big "BLOCK" response rejecting the access attempt.

The reason I was looking in the logs was that the connection seems to have become "laggy" in the last couple of days and DNS look-ups and website loading seem to take longer than usual so I wanted to see whether my speed was down. With the speeds I have, however, there shouldn't be any noticeable lag, so there must be another explanation. I'll have to see whether something's changed on my PC. Given the quantity of third-party stuff most websites load these days, any delay in DNS resolution could well account for what I see.

 

Message 3 of 9
(1,740 Views)
0 Thanks
bobpullen
Community Gaffer
Community Gaffer
Posts: 16,887
Thanks: 4,979
Fixes: 316
Registered: ‎04-04-2007

Re: What's the Mongolian connection?

‎18-02-2020 6:52 PM

The hostname is that of our ACS (remote management platform) and nothing to worry about. You'll typically see an entry every 24hrs at roughly the same time. You'll also see an entry on disconnect/reconnect or if you power cycle the router.

Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵
Message 4 of 9
(1,725 Views)
0 Thanks
kjpetrie
Aspiring Pro
Posts: 214
Thanks: 31
Fixes: 5
Registered: ‎19-12-2010

Re: What's the Mongolian connection?

‎19-02-2020 1:54 PM

Which does raise the question of why you use an apparently unregistered Chinese (Macau) domain name for this purpose.

Message 5 of 9
(1,680 Views)
0 Thanks
kjpetrie
Aspiring Pro
Posts: 214
Thanks: 31
Fixes: 5
Registered: ‎19-12-2010

Re: What's the Mongolian connection?

‎19-02-2020 5:27 PM

Replying to myself because I can't find the option to edit my previous post, it seems the problem was DNS-related. Changing to third-party DNS has restored normal working. Is there a fault in PN's DNS at present slowing the response?

 

Message 6 of 9
(1,670 Views)
0 Thanks
RealAleMadrid
Aspiring Hero
Posts: 2,731
Thanks: 1,410
Fixes: 59
Registered: ‎07-07-2009

Re: What's the Mongolian connection?

‎21-02-2020 11:08 AM

@kjpetrie  The ACS hostname is a BT address not a Mongolian website.😃

I seem to recall the router displays a truncated version, not the full address. It may be https://pbthdm.bt.motive.com/

I wouldn't worry about it.

Message 7 of 9
(1,614 Views)
0 Thanks
bobpullen
Community Gaffer
Community Gaffer
Posts: 16,887
Thanks: 4,979
Fixes: 316
Registered: ‎04-04-2007

Re: What's the Mongolian connection?

‎22-02-2020 10:07 AM

@kjpetrie wrote:

Which does raise the question of why you use an apparently unregistered Chinese (Macau) domain name for this purpose.

We're not. The full domain name is https://dbtpnhdmmc.bt.motive.com

It's registered to an address in France, and is owned by Nokia.

Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵
Message 8 of 9
(1,577 Views)
kjpetrie
Aspiring Pro
Posts: 214
Thanks: 31
Fixes: 5
Registered: ‎19-12-2010

Re: What's the Mongolian connection?

‎22-02-2020 8:35 PM

Thanks for the clarification. With all the media fuss about Huawei it would be so easy for someone to see these log messages as an indication the Chinese had a back door into your routers. I do think it's silly to truncate a url though, as part of a url is no use to anyone, especially when it's as misleading as this.

 

Message 9 of 9
(1,563 Views)
0 Thanks