Why are you implementing DDoS protection? It is extremely unlikely that you will be DDoS'd off the internet for general usage. WPA (and given the lack of specification, I'm assuming you're using WPA1 here) is vulnerable (on TKIP). WPA1 was designed as a stop gap measure to WEP attacks. Switch to WPA2 (AES) with a secure passphrase.
Given your concern about a compromised router, I'd be opting for a hardware reset, then one through the management console.
I've had issues in the past. I get kinda 'noisy' in social media influencing and activism. Probably why I'm dealing with this unique exploit on my router right now.
I'm pretty up to date on things. Of course I use WPA2. I also hide my SSID to help protect against neighborhood leeching... here in my neighborhood it's a big thing too. I learned a lot working in ISMO (Information Services Management Office) for the USMC, so I know how to lock things down pretty well, even past what is probably needed, but it never affects my throughput or connectivity.
The university I live close to has one of the best IT departments in the US. A couple of years ago the sophomores from UVU beat MIT graduate students in a hackathon, so I'm just say'n there is a lot of knowledge in and around my neighborhood. Plus, people can get tools to hack WPA2 without even having to go 'dark web' these days, and they usually only go for networks they can see unless they are a super black hat type of person.
I'm super stoked for the new Wi-Fi 6 gen of routers for their advances in protecting Wi-Fi traffic.
I know, I know... with all dat I should also be on a VPN, but I get gig fiber here and a VPN usually slows that down to at least half, as most just aren't set up for a full gig down AND upstream. That's part of why I lock my router down so much, so not using a VPN isn't that big a deal. Plus my provider, XMission, does a good job of protecting their customers.
Also, I am not a typical user who just hits accept or allow without knowing why.
I have also done a full factory reset on the C3200 as well as a 30/30/30 reset for the fun of it (even though that's mainly a Netgear and D-Link thing for third-party DD-WRT and Tomato... never done any of that though). As soon as I got back up, my internet went live, then dropped, then came back on, and sure enough I was back to the 12 horsies issue.
I really do want to nail this exploit down though, and if we do, I would love to give the Avast community props for all the help.
Next to my ISP, Avast is the next best business model I know of. They are no XMission, but they are above most of the rest.
Off topic, here is a video of the CEO of XMission at an OpenWest conference on security and user protection, if you want to read about a top-notch company!
https://www.youtube.com/watch?v=tl3muxsiSP0
Edit: I meant to address WPA2 hacking. It's very, very difficult to break WPA2 (AES). The only ways I'm aware of are dictionary/brute-force/social engineering (Evil Twin) attacks on it. Alternatives do exist (the KRACK attack), but to my knowledge they only affect Linux and Android devices.
======================================================================
Well, looking at twelvehorses(dot)com's source code reveals sedoparking(dot)com:

    'src="//sedoparking.com/frmpark/'
    + window.location.host + '/'
    + 'IONOSParkingUS'
    + '/park.js">'

* where window.location.host is "twelvehorses.com"
* "//" is the short form of hxxps://sedoparking.com/frmpark/

The fully constructed URL is hxxp://sedoparking.com/frmpark/twelvehorses.com/IONOSParkingUS/park.js
    var google_afd_request = {"client":"ca-dp-sedo89_3ph","drid":"as-drid-2638193593145307","domain_name":"twelvehorses.com","session_token":"create"};
    var setup = {
        domain : 'twelvehorses.com',
        registrar : 'IONOSParkingUS',
    };

    // Callback invoked by Google's domain-park script once the ad request completes
    function google_afd_ad_request_done( google_afd_response ) {
        if( typeof(google_afd_response.session_token) == 'undefined' ){
            google_afd_response.session_token = '';
        }
        loadContentFrame( google_afd_response.session_token );
    }

    document.write(
        '<script type="text/javascript" language="JavaScript" ' +
        'src="http://pagead2.googlesyndication.com/apps/domainpark/show_afd_ads.js"><\/script>' );

    // Builds the iframe that carries the actual parking content. Note the hard-coded
    // http:// scheme and that document.referrer is concatenated into the query unencoded.
    function loadContentFrame( session_token ){
        var contentFrame = document.createElement('iframe');
        contentFrame.setAttribute( 'src',
            'http://sedoparking.com/search/registrar.php'+
            '?domain=' + setup.domain +
            '&rpv=2' +
            '&registrar=' + setup.registrar +
            '&gst=' + session_token +
            '&ref=' + document.referrer +
            ''
        );
        contentFrame.setAttribute('name', 'regpark' );
        contentFrame.setAttribute('frameBorder', '0' );
        var contentContainer = document.getElementById("partner");
        // getElementById returns null (not undefined) when the element is missing,
        // so this fallback never fires; the page must already contain a #partner div
        if( typeof(contentContainer) == 'undefined' ){
            contentContainer = document.createElement('div');
            contentContainer.setAttribute('id', 'partner');
        }
        contentContainer.appendChild( contentFrame );
    }
It's currently 1:30 AM here, and I don't feel like firing Kali VMs up and running Burp Suite, so I cheated.

    hxxp://sedoparking.com/search/registrar.php?domain=twelvehorses.com&rpv=2&registrar=IONOSParkingUS&gst=X&ref=X

That reveals that twelvehorses(dot)com is a parked domain.
Read the little splurge about "Parked Domains"
<div class="row marketing">
<h4 class="col-xs-12">What Is Domain Parking?</h4>
<div class="col-xs-7">
<p>
Domain Parking is a simple way to earn money from your domains'
natural traffic. If you have registered domain names, but they
are not currently being used, then domain parking is a great way
to put those domains to work, earning you revenue.
</p>
<p>
You can make money without even lifting a finger! The idle
domain is used to display relevant advertisements -every time a
consumer clicks on one of the advertisements, you earn money.
</p>
What's interesting is that I cannot get the e221.* domain to actually resolve.
A ping nmap scan of twelvehorses(dot)com reveals ports 80, 81, 443
    nmap -p- -v twelvehorses.com

Port 81 is atypical... Try it? Oh, it's a login screen. Scan it.*

* Note: Scanning domains may or may not be legal depending on your location. DO NOT RUN THESE SCANS. AGGRESSIVE SCANNING MAY CRASH DOMAINS!!

    nmap -sC -sV -p T:81 -T5 -A -v --script vuln twelvehorses.com
Not much there >>
Starting Nmap 7.70 ( https://nmap.org ) at 2019-10-27 01:44 Atlantic Daylight Time
NSE: Loaded 145 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 01:44
NSE Timing: About 50.00% done; ETC: 01:45 (0:00:31 remaining)
Completed NSE at 01:45, 34.01s elapsed
Initiating NSE at 01:45
Completed NSE at 01:45, 0.00s elapsed
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Initiating Ping Scan at 01:45
Scanning twelvehorses.com (74.208.236.207) [4 ports]
Completed Ping Scan at 01:45, 0.96s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 01:45
Completed Parallel DNS resolution of 1 host. at 01:45, 0.21s elapsed
Initiating SYN Stealth Scan at 01:45
Scanning twelvehorses.com (74.208.236.207) [1 port]
Discovered open port 81/tcp on 74.208.236.207
Completed SYN Stealth Scan at 01:45, 0.05s elapsed (1 total ports)
Initiating Service scan at 01:45
Scanning 1 service on twelvehorses.com (74.208.236.207)
Completed Service scan at 01:45, 6.11s elapsed (1 service on 1 host)
Initiating OS detection (try #1) against twelvehorses.com (74.208.236.207)
Retrying OS detection (try #2) against twelvehorses.com (74.208.236.207)
Initiating Traceroute at 01:45
Completed Traceroute at 01:45, 0.07s elapsed
Initiating Parallel DNS resolution of 14 hosts. at 01:45
Completed Parallel DNS resolution of 14 hosts. at 01:45, 0.25s elapsed
NSE: Script scanning 74.208.236.207.
Initiating NSE at 01:45
Completed NSE at 01:47, 113.01s elapsed
Initiating NSE at 01:47
Completed NSE at 01:47, 0.00s elapsed
Nmap scan report for twelvehorses.com (74.208.236.207)
Host is up (0.048s latency).
rDNS record for 74.208.236.207: 74-208-236-207.elastic-ssl.ui-r.com
PORT STATE SERVICE VERSION
81/tcp open http nginx
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-iis-webdav-vuln: Could not determine vulnerability, since root folder is password protected
| http-server-header:
| Apache
|_ nginx
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|media device|specialized|storage-misc
Running (JUST GUESSING): Linux 3.X|4.X (91%), Netgem embedded (89%), Crestron 2-Series (87%), HP embedded (85%), Oracle VM Server 3.X (85%)
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 cpe:/h:netgem:n7700 cpe:/o:crestron:2_series cpe:/h:hp:p2000_g3 cpe:/o:oracle:vm_server:3.4.2 cpe:/o:linux:linux_kernel:4.1
Aggressive OS guesses: Linux 3.10 - 4.11 (91%), Linux 3.2 - 4.9 (91%), Netgem N7700 set-top box (89%), Linux 3.18 (87%), Crestron XPanel control system (87%), Linux 3.16 (86%), Linux 3.13 or 4.2 (85%), HP P2000 G3 NAS device (85%), Oracle VM Server 3.4.2 (Linux 4.1) (85%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 8.374 days (since Fri Oct 18 16:49:32 2019)
Network Distance: 14 hops
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros
<Traceroute Removed>
Basically, twelvehorses.com is a parked domain. I have zero idea what it *should* be pointing to, but it's not currently pointing to anything I can find. I've also DM'd polonus, who happens to know a shit load more than I do regarding domains.
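As an added example (not part of the thread, and not Sedo's or IONOS's code), here is a small Node.js script that does offline what the post above does by hand: given the HTML of a landing page, it recognises the sedoparking.com loader pattern, resolves the protocol-relative "//" reference against the scheme the page was reached over, and rebuilds the registrar.php iframe URL that park.js would construct, this time with the query encoded. The sample HTML is constructed from the snippet quoted above; the function names are my own.

```javascript
// Added example, not code from the thread or from Sedo/IONOS: recognise a
// Sedo-style parking loader in fetched HTML and rebuild the URLs it would
// request, entirely offline. Function names and the sample HTML are my own;
// the sample is constructed from the script snippet quoted in the post above.

// Constructed sample: a minimal landing page embedding the quoted loader.
const SAMPLE_HTML = `<html><head>
<script type="text/javascript">
document.write('<script type="text/javascript" src="//sedoparking.com/frmpark/'
    + window.location.host + '/'
    + 'IONOSParkingUS'
    + '/park.js"><\\/script>');
</script>
</head><body><div id="partner"></div></body></html>`;

// Matches the concatenation pattern from the snippet and captures the
// registrar segment that sits between window.location.host and /park.js.
const PARK_LOADER_RE =
  /src="\/\/sedoparking\.com\/frmpark\/'\s*\+\s*window\.location\.host\s*\+\s*'\/'\s*\+\s*'([A-Za-z0-9_-]+)'\s*\+\s*'\/park\.js"/;

// A protocol-relative URL ("//host/path") inherits the scheme of the page that
// embedded it, so the same loader is fetched over http or https depending on
// how the victim reached the parked domain.
function resolveProtocolRelative(src, pageUrl) {
  return new URL(src, pageUrl).href;
}

// Rebuild the registrar.php iframe URL the way park.js does, but with the
// query string encoded. park.js hard-codes http:// and concatenates
// document.referrer raw, so a referrer containing '&' or '#' would corrupt
// its query; URLSearchParams encodes it instead.
function buildRegistrarFrameUrl(hostname, registrar, sessionToken, referrer) {
  const query = new URLSearchParams({
    domain: hostname,
    rpv: '2',
    registrar: registrar,
    gst: sessionToken,
    ref: referrer,
  });
  return `http://sedoparking.com/search/registrar.php?${query.toString()}`;
}

// Classify a page and, if it is a parking page, report what it would load.
function analyzeLandingPage(html, pageUrl, referrer = '') {
  const match = PARK_LOADER_RE.exec(html);
  if (!match) {
    return { parked: false };
  }
  const page = new URL(pageUrl);
  const registrar = match[1];
  const parkJs = resolveProtocolRelative(
    `//sedoparking.com/frmpark/${page.host}/${registrar}/park.js`,
    pageUrl,
  );
  return {
    parked: true,
    registrar: registrar,
    parkJs: parkJs,
    // the session token is '' until Google's show_afd_ads.js replies with one
    frameUrl: buildRegistrarFrameUrl(page.hostname, registrar, '', referrer),
  };
}

// Run against the constructed sample, as if the page had been reached over http.
console.log(JSON.stringify(analyzeLandingPage(SAMPLE_HTML, 'http://twelvehorses.com/'), null, 2));
```

Feed it the saved HTML of any suspicious redirect target and the URL you fetched it from; a `parked: true` result with a `registrar` value tells you it is a registrar parking page, and `parkJs` shows whether the loader would have been fetched over plain http (as in the thread's hxxp:// URL) or https.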