TS-251 flooding LAN - no internet...?

dime0000
New here
Posts: 6
Joined: Sun Jul 05, 2015 10:59 pm

TS-251 flooding LAN - no internet...?

Postby dime0000 » Tue Sep 12, 2017 8:40 pm

I have a weird one..

I've had a TS-251 hooked up to a Netgear router for a couple years now.. just about a month ago, my internet started dropping. After much investigation, I discovered that if I disconnected my QNAP TS-251 from the network, all would work fine. This has been consistent - I've had to regularly pull the plug on the thing. I have 12 other devices on my LAN (both wired and wireless) - none of the other devices are causing issues.

I've tried shutting down every service and add-on I can find on the QNAP device but nothing seems to work - also did firmware updates... Nothing.

A friend of mine suggested I try Wireshark to see if I can see anything.. before I do - any other suggestions?

rcblackwell
Getting the hang of things
Posts: 61
Joined: Wed Mar 19, 2014 4:44 am
Location: Pickering, Ontario Canada

Re: TS-251 flooding LAN - no internet...?

Postby rcblackwell » Tue Sep 12, 2017 8:52 pm

dime0000 wrote:... any other suggestions?


Run QNAP's Malware Remover and a virus scan
Robert Blackwell
Pickering, Ontario Canada

Primary NAS
QNAP TS-251, Firmware QTS 4.2.2 Build 20161214
8 GB, 2 x 4TB WD WD40EFRX HD's in RAID 1 Configuration

Backup NAS
QNAP TS-221, Firmware QTS 4.2.2 Build 20161214
1 GB, 2 x 4TB WD WD40EFRX HD's in RAID 1 Configuration

dolbyman
Ask me anything
Posts: 5905
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: TS-251 flooding LAN - no internet...?

Postby dolbyman » Tue Sep 12, 2017 10:41 pm

we have seen that behavior before

probably a compromised NAS with network scanner / botnet running


did you expose photo station to the internet ?

dime0000
New here
Posts: 6
Joined: Sun Jul 05, 2015 10:59 pm

Re: TS-251 flooding LAN - no internet...?

Postby dime0000 » Tue Sep 12, 2017 11:02 pm

I haven't exposed anything to the internet (to my knowledge) and also removed the photo station... but that sounds similar to rcblackwell's approach - would something like that get found with the QNAP malware / virus scan?

dolbyman
Ask me anything
Posts: 5905
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: TS-251 flooding LAN - no internet...?

Postby dolbyman » Tue Sep 12, 2017 11:03 pm

that qnap malware scanner is sadly a "black box", so we do not know what it detects

dime0000
New here
Posts: 6
Joined: Sun Jul 05, 2015 10:59 pm

Re: TS-251 flooding LAN - no internet...?

Postby dime0000 » Wed Sep 13, 2017 8:33 pm

So I ran the malware scanner and it removed stuff - cool! That said, I'm looking at my router logs and I still see outside IPs hitting my QNAP device on port 22 and 443... Any ideas what else I should be looking at?

dolbyman
Ask me anything
Posts: 5905
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: TS-251 flooding LAN - no internet...?

Postby dolbyman » Wed Sep 13, 2017 9:31 pm

contact qnap via ticket

Ericnepean
Getting the hang of things
Posts: 96
Joined: Mon Jul 02, 2012 4:35 pm

Re: TS-251 flooding LAN - no internet...?

Postby Ericnepean » Mon Sep 18, 2017 7:00 am

dime0000 wrote: So I ran the malware scanner and it removed stuff - cool! That said, I'm looking at my router logs and I still see outside IPs hitting my QNAP device on port 22 and 443... Any ideas what else I should be looking at?

I would start by setting up the router firewall to block ALL outgoing and incoming connections to your QNAP NAS from the WAN side.
You will have to do manual firmware updates and set the time manually, but that's minor compared to whatever else you have happening.

I have shifted the SSH port on my QNAPs from 22 to another port not used by any other service - now I log in with "ssh -l admin -p zzzz 192.168.xxx.xxx". Another obstacle to put in the way of attackers.

Check what other services are enabled - if you don't need Telnet, FTP, AFP (Macs need it), SMB (PCs need it), NFS (for Linux/Unix), shut them down.

Also check that your router has the latest firmware, a strong password, and that the web admin interface on WAN side is locked down. And check if there are any vulnerabilities or advisories against your router. Check if your router might be compromised as well.
Eric in Ottawa, Canada
TS-419Pii
TS-251A
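
Added example, not part of any poster's reply: a LAN-side check of which of the services named in the post above (plus the two ports seen in the router log) still accept connections on the NAS. It assumes each service runs on its default TCP port; the NAS address and the NEEDED set are placeholders to replace with your own.

```python
import socket

# Default TCP ports for the services named in the post above, plus the two
# ports (22, 443) reported in the router log. Assumption: services that were
# moved to non-default ports will not be found by this list.
SERVICE_PORTS = {
    "FTP": 21,
    "SSH": 22,
    "Telnet": 23,
    "HTTPS": 443,
    "SMB": 445,
    "AFP": 548,
    "NFS": 2049,
}


def audit_services(host, ports=SERVICE_PORTS, timeout=1.0):
    """Return {service: state}; state is "open", "closed" or "filtered"."""
    results = {}
    for name, port in ports.items():
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            results[name] = "open"
        except ConnectionRefusedError:
            results[name] = "closed"      # host answered, nothing listening
        except OSError:
            results[name] = "filtered"    # timeout/unreachable: firewalled or host down
        finally:
            sock.close()
    return results


def unexpected(results, needed):
    """Services that accept connections but are not in the 'needed' set."""
    return sorted(n for n, s in results.items() if s == "open" and n not in needed)


if __name__ == "__main__":
    NAS = "192.168.1.50"          # placeholder: the NAS's LAN address
    NEEDED = {"SMB", "HTTPS"}     # placeholder: services you actually use
    res = audit_services(NAS)
    for name, state in res.items():
        print(f"{name:7} {SERVICE_PORTS[name]:5} {state}")
    print("Review/disable:", ", ".join(unexpected(res, NEEDED)) or "none")
```

Run it from a wired PC on the same LAN before and after disabling services in the NAS control panel; anything listed under "Review/disable" is still listening.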

