
Tracert question...

williment
Dabbler
Posts: 10
Registered: ‎10-01-2017

Tracert question...

When recently investigating some DNS issues, PlusNet seemingly managed to conduct a tracert from inside my LAN, see below:

 

C:\Users\BSCUser>tracert bbc.co.uk

Tracing route to bbc.co.uk [212.58.244.22]
over a maximum of 30 hops:

1 <1 ms 1 ms <1 ms dsldevice.lan [192.168.1.254]
2 27 ms 27 ms 26 ms lo0.central10.psb-bng02.plus.net [195.166.130.253]
3 28 ms 28 ms 27 ms 411.be6.psb-ir02.plus.net [84.93.253.111]
4 28 ms 28 ms 28 ms 195.99.125.138
5 28 ms 28 ms 27 ms 62.172.103.193
6 28 ms 28 ms 27 ms 195.99.126.101
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.
10 31 ms 29 ms 28 ms 132.185.255.148
11 28 ms 28 ms 28 ms 212.58.244.22

Trace complete.

 

 

Just curious, how do they do that?

24 REPLIES
Browni
Aspiring Hero
Posts: 2,299
Thanks: 790
Fixes: 47
Registered: ‎02-03-2016

Re: Tracert question...

The only IP address within your LAN is the 1st hop (192.168.1.254)

None of the other addresses are local.
I must have been really bad in a previous life as this was my 3rd ISP in a row that used lithium.
Now you're stuck with me because my new ISP doesn't run a forum
Community Veteran
Posts: 5,664
Thanks: 1,556
Fixes: 37
Registered: ‎16-10-2014

Re: Tracert question...

That doesn’t really answer the OP’s question @Browni. So @williment I am assuming that they can log on to your device via remote management, from where they can then use the router’s Web UI or CLI to execute the trace route.

Browni
Aspiring Hero
Posts: 2,299
Thanks: 790
Fixes: 47
Registered: ‎02-03-2016

Re: Tracert question...

My bad, I misread the question.
DS
Pro
Posts: 641
Thanks: 123
Fixes: 8
Registered: ‎06-01-2017

Re: Tracert question...

Hang on a mo...

I thought these routers/hubs could not be accessed remotely, apart from the backdoor that would be used by Plusnet/BT to update the firmware (TR069)

Yet BSC (as identified in the tracert) has breached the router's firewall, bypassed or was able to obtain the router's admin password so it could then sit on the OP's LAN to complete the trace route. A quick Google shows that BSC is mentioned on a Plusnet Business Teams site

Due to the BSC name given it doesn't look like the OP was asked to join a remote session

If this is possible, why are we asked to post up these results if PN already can remotely carry out this task...? And more importantly if they can get that far in, what's keeping hackers and/or viruses out!!!

Should we be worried or am I missing something obvious?

Community Veteran
Posts: 5,211
Thanks: 493
Fixes: 22
Registered: ‎10-06-2010

Re: Tracert question...

TR-069 could also be used to change any setting on the router.

The trace itself looks like it was done from a Windows computer. Or it could have merely been an example, or Plusnet could have set up the OP's account on a test line in their offices and tested it there.

DS
Pro
Posts: 641
Thanks: 123
Fixes: 8
Registered: ‎06-01-2017

Re: Tracert question...

I know what you're saying, but it was either on the beta BT forums or possibly their replacement community ones where this (TR069) was discussed in detail with BT forum mods (staff). I know on one thread I mentioned that I had an unknown device on my lan when using a BTHH and was told by BT that they couldn't access our LAN. After deleting this unknown device it never returned... (I also named every device that I allowed to connect which ruled it out as being one of these)

It's how the OP has written their post that got my attention. It gives the impression that Plusnet have been checking the connection whilst the OP was using it and remotely accessed the LAN to complete the test.

williment
Dabbler
Posts: 10
Registered: ‎10-01-2017

Re: Tracert question...

I gave no permission for plusnet to access my lan. My router admin password was changed when I first had the router. I do have remote access enabled but I have set that password.

williment
Dabbler
Posts: 10
Registered: ‎10-01-2017

Re: Tracert question...

p.s. What's TR-069?

 

DS
Pro
Posts: 641
Thanks: 123
Fixes: 8
Registered: ‎06-01-2017

Re: Tracert question...

TR 069 is basically remote management - https://en.wikipedia.org/wiki/TR-069

 

Something just doesn't sound right to me.

What router are you using?

williment
Dabbler
Posts: 10
Registered: ‎10-01-2017

Re: Tracert question...

It's the router supplied by plusnet: Technicolor TG582n with an openreach modem.

williment
Dabbler
Posts: 10
Registered: ‎10-01-2017

Re: Tracert question...

from wikipedia ref tr-069:

 

 

The compromise of an ISP ACS server or the link between an ACS and CPE by unauthorized entities, including hackers and (domestic and foreign) government agencies, can give access to an entire ISP's subscriber base's routers (with TR-069 enabled). All the above-mentioned information and actions would be available to the potential attackers, including MAC addresses of all clients connected to the router, covert redirection of all DNS queries to a rogue DNS server, and even a surreptitious firmware update which may contain a backdoor to enable covert access from potentially anywhere in the world.[5] Through a recent study of TR-069 ACS implementations, Check Point's Malware and Vulnerability Research Group uncovered several flaws in solutions from ACS vendors, since some xSPs do not implement TR-069 ACS software in a secure manner.[6]

Community Veteran
Posts: 5,211
Thanks: 493
Fixes: 22
Registered: ‎10-06-2010

Re: Tracert question...

How does that traceroute compare with one that you do yourself?

williment
Dabbler
Posts: 10
Registered: ‎10-01-2017

Re: Tracert question...


Tracing route to bbc.co.uk [212.58.244.22]
over a maximum of 30 hops:

1 1 ms 2 ms 2 ms 192.168.1.254
2 10 ms 9 ms 9 ms lo0.central10.pcn-bng02.plus.net [195.166.130.249]
3 10 ms 11 ms 9 ms 411.be6.pcn-ir02.plus.net [84.93.253.79]
4 10 ms 10 ms 9 ms 195.99.125.144
5 13 ms 10 ms 10 ms peer2-et-1-3-0.telehouse.ukcore.bt.net [195.99.127.23]
6 11 ms 11 ms 11 ms 194.74.65.42
7 * * * Request timed out.
8 * * * Request timed out.
9 10 ms 16 ms 10 ms ae0.er02.telhc.bbc.co.uk [132.185.254.105]
10 15 ms 11 ms 13 ms 132.185.255.148
11 11 ms 11 ms 10 ms 212.58.244.22

Trace complete.
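An added example, not part of any post in this thread: a small parser for Windows tracert output that lists the hops answered by different addresses in the two traces posted above, which is the comparison asked for in the previous reply. The hop lines are excerpted from the two posts; the function names are this example's own.

```python
import re

# Excerpts of the two traces posted in this thread (first post, then the OP's own).
ISP_TRACE = """\
1 <1 ms 1 ms <1 ms dsldevice.lan [192.168.1.254]
2 27 ms 27 ms 26 ms lo0.central10.psb-bng02.plus.net [195.166.130.253]
3 28 ms 28 ms 27 ms 411.be6.psb-ir02.plus.net [84.93.253.111]
4 28 ms 28 ms 28 ms 195.99.125.138
7 * * * Request timed out.
11 28 ms 28 ms 28 ms 212.58.244.22
"""
OWN_TRACE = """\
1 1 ms 2 ms 2 ms 192.168.1.254
2 10 ms 9 ms 9 ms lo0.central10.pcn-bng02.plus.net [195.166.130.249]
3 10 ms 11 ms 9 ms 411.be6.pcn-ir02.plus.net [84.93.253.79]
4 10 ms 10 ms 9 ms 195.99.125.144
7 * * * Request timed out.
11 11 ms 11 ms 10 ms 212.58.244.22
"""

HOP = re.compile(
    r"^\s*(\d+)\s+((?:(?:<?\d+ ms|\*)\s+){3})"  # hop number, three RTT probes
    r"(?:(\S+) \[([\d.]+)\]|([\d.]+)|Request timed out\.)\s*$"
)

def parse_tracert(text):
    """Return {hop: {"host", "ip", "rtt_ms"}} from Windows tracert hop lines."""
    hops = {}
    for line in text.splitlines():
        m = HOP.match(line)
        if not m:
            continue  # banner lines, blanks, "Trace complete."
        # "<1 ms" is counted as 1 ms; timed-out probes contribute nothing
        rtts = [int(x) for x in re.findall(r"<?(\d+) ms", m.group(2))]
        hops[int(m.group(1))] = {
            "host": m.group(3),                  # None when no reverse DNS name
            "ip": m.group(4) or m.group(5),      # None when the hop timed out
            "rtt_ms": min(rtts) if rtts else None,
        }
    return hops

def differing_hops(a, b):
    """Hop numbers whose responding IP differs between two parsed traces."""
    return [n for n in sorted(set(a) & set(b)) if a[n]["ip"] != b[n]["ip"]]

def first_isp_hop(hops):
    """Hostname of hop 2, the first hop past the LAN gateway in both traces."""
    return hops[2]["host"]
```

On these excerpts hops 2 to 4 differ: the first trace enters the Plusnet network at psb-bng02 with a best round trip of 26 ms, the OP's own at pcn-bng02 with 9 ms.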

DS
Pro
Posts: 641
Thanks: 123
Fixes: 8
Registered: ‎06-01-2017

Re: Tracert question...

Sorry for the delay in replying, I'm disabled and got into a bit of a predicament, all good now fttb

I do recall BT being able to get to the openreach modem, as can the end user, so it could be from there where s/he gained those results - I am open to being corrected. If it was from your side of the router then it still doesn't appear to be right even if you have remote management on - though again open to being corrected.

I'm not saying you could or should, be possibly turning off remote management and say for example you need to gain access to a home PC whilst you're out, something like TeamViewer may be something to consider - I have no commercial interest in TeamViewer, it's something my son uses to gain access to his PC using his mobile phone when he's out. There are of course many others out there.