7 Replies. Latest reply: Aug 7, 2012 11:25 AM by palmerg

    Slingbox Port 5001 - can it be reassigned for security?

    palmerg Newbie

      I have been locking down my home network due to a large increase in DDOS and hacking attempts. I have a Netgear WNDR3400 v1 router and I have been studying the logs over the past weeks, remotely. We live in Italy and our Slingbox is back home in FL so we can get our fix of good Ole American TV.

      Anyway, recently the logs have shown

       

      [LAN Access by remote] outsideIP- n.n.n.n:<random non standard port> to 192.168.n.n:2678.

       

      These successful accesses seemed to come from all over: US, China, Spain, Czech, Rus, UK, and more. The whois I ran for the ones I looked up said they resolved to foreign locations, but I know that IPs can be spoofed. I wasn't going to waste time trying to track anyone down; I just wanted it all to stop. Apparently, 2678 is a port used often by bit torrent ptp comms which relies on UPnP (Universal Plug and Play - nonauthenticated access to some services). My router had UPnP on by default so I disabled that feature and sure enough all the traffic stopped. Now my logs show many of those same sites getting something like the following:

       

      [Service blocked: ICMP_echo_req] from source 67.16.146.30, Wednesday, Jul 25,2012 11:53:30

       

      Except for one pesky connection that seems to get through. It reads:

       

      [LAN access from remote] from 8.7.94.65:43316 to 192.168.n.n:5001 Wednesday, Jul 25,2012 03:27:31

       

      As you may know, port 5001 is used by Slingbox to service requests for video feeds and of course we require that port for our viewing. This access has been in my router log for a few days now and it has me worried. The IP resolves to Broomfield CO. (near Denver) and seems to be a company called Level3 Communications. I have sent them an email to report this but no response yet. Again, it could be spoofed. Is this an access to my video stream or just an attempt? It seems that they would still have to authenticate with Sling media, right?

       

      I want to get rid of this access but I can't block IPs on the router. So I was wondering if I were able to identify another port of my choosing to replace 5000-5001 would that be enough to get rid of this access? Can it be done? Can I assign another port in the setup process and then setup a forwarded port assignment in the router so we could bypass the standard, and well known, port assignment for Slingbox?

       

      If anyone has any other solutions or comments please send them on.
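      An added example, not part of the original post: one way to check from the router log whether a forwarded connection like the one above is a single peer returning on a schedule or part of a broader scan. It parses the two entry formats quoted verbatim in the post; the sample lines, the addresses (documentation and private ranges) and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the two formats quoted in the post.
# Addresses are documentation/private ranges, not real hosts.
SAMPLE_LOG = """\
[LAN access from remote] from 203.0.113.7:43316 to 192.168.1.50:5001 Wednesday, Jul 25,2012 03:27:31
[Service blocked: ICMP_echo_req] from source 198.51.100.9, Wednesday, Jul 25,2012 11:53:30
[LAN access from remote] from 198.51.100.9:51234 to 192.168.1.50:2678 Wednesday, Jul 25,2012 12:01:02
[LAN access from remote] from 203.0.113.7:40112 to 192.168.1.50:5001 Thursday, Jul 26,2012 03:26:58
[LAN access from remote] from 203.0.113.7:38870 to 192.168.1.50:5001 Friday, Jul 27,2012 00:30:12
this line is not a log entry and is skipped
"""

TS = r"\w+, (?P<ts>\w{3} \d{1,2},\d{4} [\d:]{8})$"
ACCESS_RE = re.compile(
    r"^\[LAN access from remote\] from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+):(?P<dport>\d+) " + TS
)
BLOCKED_RE = re.compile(
    r"^\[Service blocked: (?P<svc>[^\]]+)\] from source (?P<src>[\d.]+), " + TS
)

def parse_line(line):
    """Return a dict for a recognised entry, or None for anything else."""
    for kind, rx in (("forwarded", ACCESS_RE), ("blocked", BLOCKED_RE)):
        m = rx.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["kind"] = kind
            rec["ts"] = datetime.strptime(rec["ts"], "%b %d,%Y %H:%M:%S")
            return rec
    return None

def forwarded_by_peer(text):
    """Map (source IP, destination port) -> sorted timestamps of forwarded hits."""
    hits = defaultdict(list)
    for rec in filter(None, map(parse_line, text.splitlines())):
        if rec["kind"] == "forwarded":
            hits[(rec["src"], int(rec["dport"]))].append(rec["ts"])
    return {k: sorted(v) for k, v in hits.items()}

def recurring(hits, min_days=2):
    """Peers seen on at least min_days distinct dates: a schedule, not a one-off probe."""
    return {k: v for k, v in hits.items() if len({t.date() for t in v}) >= min_days}

if __name__ == "__main__":
    for (src, port), times in recurring(forwarded_by_peer(SAMPLE_LOG)).items():
        print(src, port, [t.strftime("%m-%d %H:%M") for t in times])
```

      A peer that returns to the same forwarded port once a day at a near-constant time is worth comparing against the vendor's published server ranges before treating it as hostile.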

        • Re: Slingbox Port 5001 - can it be reassigned for security?
          palmerg Newbie

          I will still lurk to see if you folks have solutions.

           

          However, the more research I do the less worried I am. I doubt that the lone IP is hijacking my video stream from the Slingbox because I do think that Sling does a good job of requiring and enforcing authentication (I hope).

           

          What I think may be happening is someone trying to exploit an old Windows trojan called Back Door Setup or Sockets de Troie that tried to exploit Port 5001 to get remote access to a weak host. Unless the code has been modified that attack will fail because it only worked on Windows 95/98 clients and I think Sling uses some version of Linux. I am still concerned that the connection seems to be established even though it is ineffectual (I think).

          I am still very interested to see if anyone here might have deeper insights. It still worries me but it is not really a Sling issue.

           

          Would still like to know if I can change the port though. Probably not I bet.

           

          Gary

            • Re: Slingbox Port 5001 - can it be reassigned for security?
              palmerg Newbie

              Well I finally got a reply from the owner of the domain for the IP that seems to be successfully hitting the Slingbox. They basically said they would investigate.

               

              I am still getting the log event every day although now the time of the "attack" has shifted from 0300 to 0030.

              My SlingBox service does not seem to have been compromised, although I do seem to get more pixelization, but it's probably my imagination. If I was home where the SB resides I could do a deeper analysis with Wireshark and such but I am not so I can't.

               

              Looks like no one here has any insight to offer but thanks for all the views. It's a pretty esoteric issue I know but it is troublesome to me when someone can get onto my home net because a well known service port cannot be reassigned. Maybe I am sweating the small stuff here but these days with the sophistication of attacks I don't think you can be too careful.

              So, I will leave this "unanswered" for a little while longer and then close it out or delete it.

               

              "So long and thanks for all the fish"

               

              Ciao

            • Re: Slingbox Port 5001 - can it be reassigned for security?
              palmerg Newbie

              This isn't really answered but it's been up long enough to know that there isn't much interest in this topic so I figured why keep it lingering on like a hopeless, comatose, casualty of the information age...

                • Re: Slingbox Port 5001 - can it be reassigned for security?
                  tcaradonna Novice

                  The choice of port number is completely arbitrary. 5001 has been selected by Sling for convention, but it is by no means a requirement to use. If you look at some other related posts on the topic, there are some folks for whom 5001 has been blocked (by cable companies, work firewall etc); they circumvent this by streaming through another port number that is not blocked. Another option (if you are not using Slingbox for connected devices/Facebook, SlingCatcher or iPhone/iPad) is to do away with the TCP port transmission and use the SNATT protocol, which is Slingbox's default connection for when a TCP connection cannot be established. In my experience, the SNATT has been very stable. The only trouble is it doesn't work for the aforementioned cases--only for internet viewing and Slingplayer application for your computer.

                    • Re: Slingbox Port 5001 - can it be reassigned for security?
                      palmerg Newbie

                      Thanks for the reply.

                      Since I have to perform a SB Setup to manage a port change on my SB in FL I will have to wait to actually make the change.

                      From my reading SNATT (SB proprietary protocol it seems) tunnels UDP over TCP so there is still a TCP connection involved.

                      I am still getting that one unwanted access (attempt?) per day to port 5001 on the SB and it still appears that no damage is being done. I will make the change the next time I am in the USA.

                      Thanks.

                        • Re: Slingbox Port 5001 - can it be reassigned for security?
                          tcaradonna Novice

                          I looked at my own logs and I have similar access to my own Slingbox. I think it's probably normal behavior. The Slingbox has to communicate with Sling servers, and I suspect that is what we are seeing. If you were to change the port you would probably see the same thing on the new port. I understand your box is far away and you don't have regular access. I also have my box far away and use a cheap support laptop with LogMeIn to manage the setup; I just have someone turn it on when I need to check something. Another option but more costly is a VPN box.

                            • Re: Slingbox Port 5001 - can it be reassigned for security?
                              palmerg Newbie

                              Well I hope you are correct, although I have sent emails to Level 3 Communications (the company that owns the IP domain that is the source for the "intrusion") and they acknowledged that there may be a problem and that they would investigate, but I have not heard back from them for a week now. If I was home I would be able to do a more complete Wireshark analysis on my network to determine just what this access is doing or attempting to do. I have been monitoring my router logs for a good while and if it is a Sling server it has only started to communicate with my Pro-HD. I have never seen this access before. I am not too worried because it is only "targeting" the SB which is sort of a black box (it may be running a Linux kernel - I think) and not a general purpose OS. I don't know if the SB is "listening" on port 5001 but I suspect that due to the nature of TCP 5001 could be used for input as well as outgoing streaming video. I haven't asked the specific question here as to whether the IP I think is an intruder is really a SB asset but I thought by now that SB reps would have read this post and spoken up or sent me a PM stating that I should not worry if it was normal traffic. That has not happened so I have to assume without knowledge otherwise that the IP is a possible malicious source.

                              One thing I will do when I get the chance is to upgrade my home router to a more robust solution with SPI and better filtering and logging.

                              Thanks for the reply!