1 (edited by phonetrips 2014-02-10 17:56:22)

Topic: My Chumby went crazy yesterday and is destroying my Internet speed

I am not a developer, just a Chumby user with the Startrek clock by my bed. My home network slowed down horribly yesterday and became pretty much unusable. Speedtests would show very slow downloads and wouldn't even finish for uploads. I have Ethernet-wired PC's and a bunch of wifi devices. I called my ISP for support and they said my DSL line was fine, but there was heavy continuous traffic. I could see from my router that the heavy traffic was on the wifi side and to confirm that I turned off wifi for a while and the wired PC's worked perfectly with the Internet at full speed.

I then isolated the problem by turning off devices and was quite surprised that the offender turned out to be the Chumby. It is very repeatable; I turn it off and everything else starts working with full speed. I turn it on and wait a couple of minutes and everything else gets slow again.

I am posting this to warn other Chumby users that if your network slows down, try turning off the Chumby.

Re: My Chumby went crazy yesterday and is destroying my Internet speed

that's very strange.

Cleaning up any loose bits and bytes.

Re: My Chumby went crazy yesterday and is destroying my Internet speed

I have 2 running over here full time and have not experienced anything like that.

Re: My Chumby went crazy yesterday and is destroying my Internet speed

I know more about this Chumby issue now and I think it will affect only those few people who might have their Chumby on a Static IP address, which is no doubt rare.

I happen to have a number of static IP addresses -- i.e. addresses accessible directly from the Internet without going through NAT in a router -- in my house that I use for web services. I had the Chumby on one of those static addresses. My ISP support suggested that I should try installing the Chumby behind a NAT instead to hide it from the Internet on the theory that the high traffic to the Chumby was caused by an attack from the outside on one of its ports as opposed to some flaw in the Chumby system and the server.

I did this and it worked; there is no excess traffic with the Chumby now that it is behind a NAT as most people would have it.

Re: My Chumby went crazy yesterday and is destroying my Internet speed

it would be interesting to know what was being hit from the net, might be a vulnerability that Duane could patch up once the new service is up and rolling and he's making improvements to the chumbies.

any way you could put it back on the net and snoop its traffic?

Cleaning up any loose bits and bytes.

Re: My Chumby went crazy yesterday and is destroying my Internet speed

In general, it's not really a good idea to have a chumby on an IP visible to the outside world.

By default, a Chumby will respond to a request on port 80, which could very well attract the attention of a bot that will try to "break in" to your system by running through all the usual PHP and IIS exploits, none of which will, of course, work; however, it will generate a *lot* of incoming traffic to which the device dutifully responds with 404s.

Chumbys also run zeroconf/rendezvous/bonjour and some HTTP services on ports in the 808x range to publish that information, which could grant access to information about your network.

The bigger danger is if you've enabled SSHD on the device, since the system does not normally have a password - once someone SSH's in, then everything the chumby can reach on your local network, the exploiter can.

If you *do* choose to present a chumby on the public network (I do this occasionally goofing around with node.js), then you should filter the accessible ports with a firewall.

7 (edited by bobsz 2014-02-18 02:06:53)

Re: My Chumby went crazy yesterday and is destroying my Internet speed

phonetrips wrote:

I called my ISP for support and they said my DSL line was fine, but there was heavy continuous traffic. I could see from my router that the heavy traffic was on the wifi side and to confirm that I turned off wifi for a while and the wired PC's worked perfectly with the Internet at full speed.

It might also be more noticeable now if your DSL line isn't supported as well as it used to be, too. Companies around here are really sabotaging their own DSL to get people to more expensive options. The goal is supposedly to make everything wireless eventually. Like the Google world, "an offer you can't refuse."

Thanks for the info, Duane.

Re: My Chumby went crazy yesterday and is destroying my Internet speed

Last time I looked Chumby had an open ntp-server that answered anyone requesting time, ssh v1 and 2 enabled without a password with root account, if enabled and every chumby had the same host keys... I wouldn't run a chumby with any of those configurations... So I fixed mine. The default configuration is like inviting someone to break in.

Re: My Chumby went crazy yesterday and is destroying my Internet speed

I have yet to see anyone break into a default configuration (i.e. ssh not enabled) - could you supply the steps so I can address it?

Re: My Chumby went crazy yesterday and is destroying my Internet speed

oh3nwq wrote:

Last time I looked Chumby had an open ntp-server that answered anyone requesting time, ssh v1 and 2 enabled without a password with root account, if enabled and every chumby had the same host keys... I wouldn't run a chumby with any of those configurations... So I fixed mine. The default configuration is like inviting someone to break in.

ssh isn't enabled unless you explicitly tell it to do so, either one time by using the hidden menu, or every time at boot using various tricks.

I'm not sure about the default settings for ntp, since I've enabled NTP on all mine, because I like having my clocks accurate all the time.

Cleaning up any loose bits and bytes.

Re: My Chumby went crazy yesterday and is destroying my Internet speed

I'll send some suggestions when I get back home, as I can't access my chumby right now.
I was making a few shortcuts in the previous post. I have heard from "a national authority who has a task of knowing these things" that chumbies have been used in NTP-based UDP amplification attacks. If the chumby is connected to a bridged ADSL line, this is an easy task. Also the shared server SSH key makes it vulnerable to a man-in-the-middle attack.

Re: My Chumby went crazy yesterday and is destroying my Internet speed

that's a lotta if's..

*if* it's on the wild internet, and *if* someone has turned on, and left on SSH...

I'd like to see some firm number of them that are direct connected, as noted:

Duane wrote:

In general, it's not really a good idea to have a chumby on an IP visible to the outside world.

Cleaning up any loose bits and bytes.

Re: My Chumby went crazy yesterday and is destroying my Internet speed

so if you do it, do it right...


changed in /etc/sshd_config

#Protocol 2,1
to
Protocol 2

as  chumby does not have ssh-keygen
I created the new keys on another linux machine

ssh-keygen -f /tmp/ssh_host_rsa_key -N '' -t rsa
ssh-keygen -f /tmp/ssh_host_dsa_key -N '' -t dsa

and copied the
/tmp/ssh_host_rsa_key and /tmp/ssh_host_rsa_key.pub to chumby /etc
/tmp/ssh_host_dsa_key and /tmp/ssh_host_dsa_key.pub  to chumby /etc

on /etc/ntp.conf I added at the end
restrict default kod notrap nomodify nopeer noquery
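
A small audit for the changes listed in the post above, added here as an example; it is not part of any poster's message or of the chumby firmware. The function names and the idea of keeping a saved copy of the factory host public key are assumptions, and the script reads whatever file paths it is given, so it can be run against copies of the device's files.

```shell
#!/bin/sh
# Added example: verify the sshd_config / ntp.conf / host-key changes from the post.
NTP_FLAGS="kod notrap nomodify nopeer noquery"   # flags quoted in the post

# Succeeds only if the first uncommented Protocol line is exactly "2".
# sshd keeps the first value it reads for a keyword. A file with no such
# line fails, because the page shows "2,1" as the shipped (commented) default.
check_sshd_protocol() {
    proto=$(awk 'tolower($1) == "protocol" { print $2; exit }' "$1")
    [ "$proto" = "2" ]
}

# Prints the flags from NTP_FLAGS missing on the last "restrict default"
# line (all of them if there is no such line). Simplification: only the
# last matching line is examined.
missing_ntp_flags() {
    awk -v want="$NTP_FLAGS" '
        $1 == "restrict" {
            $1 = $1                      # normalise tabs/spaces in $0
            for (f = 2; f <= NF; f++)
                if ($f == "default") line = " " $0 " "
        }
        END {
            n = split(want, w, " "); out = ""
            for (i = 1; i <= n; i++)
                if (index(line, " " w[i] " ") == 0)
                    out = (out == "" ? w[i] : out " " w[i])
            print out
        }' "$1"
}

check_ntp_restrict() {
    [ -z "$(missing_ntp_flags "$1")" ]
}

# Succeeds when the installed host public key ($1) differs from a saved
# copy of the factory key ($2). Keeping such a copy is an assumption.
host_key_replaced() {
    [ -f "$1" ] && [ -f "$2" ] && ! cmp -s "$1" "$2"
}

# Usage: sh audit.sh /etc/sshd_config /etc/ntp.conf
if [ "$#" -ge 2 ]; then
    check_sshd_protocol "$1" || echo "sshd_config: SSH protocol 1 not disabled"
    check_ntp_restrict "$2" || echo "ntp.conf: missing $(missing_ntp_flags "$2")"
fi
```
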

Re: My Chumby went crazy yesterday and is destroying my Internet speed

How would you have copied the keys without having access in the first place?

Re: My Chumby went crazy yesterday and is destroying my Internet speed

presumably he would've changed the protocol AFTER copying via scp :)

he also left out changing the filesystem to r/w (otherwise fiddling with all these things doesn't really get you very far)

Re: My Chumby went crazy yesterday and is destroying my Internet speed

oh3nwq wrote:

#Protocol 2,1
to
Protocol 2

as  chumby does not have ssh-keygen
I created the new keys on another linux machine

ssh-keygen -f /tmp/ssh_host_rsa_key -N '' -t rsa
ssh-keygen -f /tmp/ssh_host_dsa_key -N '' -t dsa

Thanks for the suggestions oh3nwq! I also appreciate chumby keeping this forum around in the post-production world.

I still like the screen on my i8 -- in general the system is good. I would not be putting such an old kernel on a public IP anyway. But I implemented your suggestions and I feel like I have one fewer weak links. Cheers from 2018.

Re: My Chumby went crazy yesterday and is destroying my Internet speed

eastpole wrote:

I also appreciate chumby keeping this forum around in the post-production world.

We're here for the community.

Cleaning up any loose bits and bytes.

Re: My Chumby went crazy yesterday and is destroying my Internet speed

Oh so this is recommended to implement even today?

Re: My Chumby went crazy yesterday and is destroying my Internet speed

If you plan on putting the device directly onto the public internet instead of behind a NAT, then you should probably make modifications to make it less attractive to bots.  You should definitely leave sshd disabled (which is the default) and you might consider using a debugchumby script to disable httpd.

Having said that, we highly discourage giving chumby devices (or indeed any embedded device) a static public IP unless you know what you're doing.  Even if the device is locked down enough to prevent exploits, the amount of effort an attacker will employ to *try* to break in is significant.