Deutsche Telekom Says 900,000 Fixed-Line Customers Suffer Outages

About 900,000 Deutsche Telekom fixed-line customers have been hit by network outages, the carries said on Monday, and it could not rule out "targeted external factors" as the reason. From a Reuters report: Fixed-line customers have had problems connecting to Deutsche Telekom's network since Sunday afternoon, the company said. "Based on the pattern of errors, it can not be ruled out that the router has been targeted externally, with the result that it can no longer log on to the network," Deutsche Telekom, which has 20 million fixed-line customers, said in a statement on it website.

Suffer?

Really? First world problems amaze the huddled masses.

"The Russians" again?

[xxxJonBoyxxx]

>> it could not rule out "targeted external factors"

I had no idea Hillary was working for Deutsche Telekom now. Happy to see her land on her feet!

More likely, it was a terrorist squirrel (http://cybersquirrel1.com/).

Re:"The Russians" again?

NSA most likely, they have been proven to break inside and damage Deutsche Telekom's first- and second-hand equipment before. Why do Germany put up with it?

Re:"The Russians" again?

Why do Germany put up with it?

Why do Germany Putin up with it? FTFY

The horror

[110010001000]

What will the Germans do without their daily dose of spam calls from India?

Re: The horror

I, as a german, never got one of those... I feel discriminated!

Re:The horror

The anglos shouldn't have colonized india if they didn't want spam calls.
Last time I got one it was last week and from east europe.

TR-069 targeted

[Maavin]

As their first working fix was blocking Port 7547, one can safely assume that the TR-069 implementation of specific router models were targeted. 3rd party routers are/were completely unaffected.

Re:TR-069 targeted

[Shatrat]

As someone who has worked with TR-069 from the carrier/vendor side, that doesn't surprise me at all. There are some provisions for security in the TR-069 protocol, but they're not taken as seriously or implemented as rigorously as they should be. I think this is inevitable when it's done over a public interface. A better solution is to give the router two WAN interfaces on two different VLANs, one public for Internet service and one private for SNMP, TR-069, et cetera.

Re:TR-069 targeted

[I4ko]

It is interesting that you point this out. I've been seeing port scans for TR-069 for the past 4 days. I've since added the port to a rule that will permanently ban an IP if they try to connect on that port.

I experienced this first hand

[itsme1234]

I helped a friend install a new computer and then after all was fine he started to lose the telephony (which looks for the customer like PSTN but is voip over Telekom's router), the DNS (which was by default served from the same router) and ultimately all internet connectivity. After reboot it would work again for 10-20 minutes then start to lose it gradually. I guess it could be some kind of DoS.

It took us quite a while to actually google and find there's a big outage going on. All the while the friend insisted it's the new computer's fault (even after we disconnected it), no there are no such coincidences...

I didn't have any issue even if I'm in the same area (and with Telekom) but of course I'm not using their PoS router.

Attach from outside

It is rumored, that there was an external attact on the TR-69 protocol port 7547 used to update the router firmware by the carrier.

Beware those RUSSIAN squirrels!

Of all squirrels, RUSSIAN ones are the worst.

They distract stupid people very easily - especially those that vote based on promised "free stuff".

Re:Beware those RUSSIAN squirrels!

https://s-media-cache-ak0.pini...

Re:Beware those RUSSIAN squirrels!

Of all squirrels, RUSSIAN ones are the worst.

They distract stupid people very easily - especially those that vote based on promised "free stuff".

Gotta convince the sheeple to not accept the results of the election - after all, when the candidate with the D after their name wins, the results must always be accepted.

And that didn't happen this time!

External attack

According to the users of the heise.de forum, it was indeed an external attack. Many admins reported seeing a sudden surge of requests against port 7547 right at the time when the outages started, trying to get the routers to download a malicious file, obviously trying to exploit a weakness in the firmware of a number of routers made by Arcadyan, which is a major part of the Telekom-supplied and remotely maintained routers. Third party routers, those without TR-069 support or where it was disabled, were not affected at all.

It's Mirai

It's Mirai: http://www.bleepingcomputer.co...

It's a TR-069 exploit in Deutsche Telekom routers

and possibly other routers. There's a thorough article about the issue. Apparently the handler for a SOAP request doesn't sanitize untrusted input and executes backticked shell code.

SOAP Vulnerability added to Mirai

[UnderAttack]

see https://isc.sans.edu/forums/di...

looks like a new SOAP vulnerability was added to Mirai. Here come a few million more mirai bots.

Only their DNS was down

[aepervius]

For the average customer it means no internet. Me I simply replaced the dns by 8.8.8.8 and 8.8.4.4 temporarily (I'll go back to their dns afterward).

Re:Only their DNS was down

If you have Speedport W921V or Speedport W723V you should update the firmware.
https://telekom.de/speedportdownloads

Re:Only their DNS was down

Their DNS was working fine. Some of the Speedport routers however were not fine (surprise...). You could bypass the problem by not using your router's resolver, but if you had trouble accessing sites due to "DNS problems" before the workaround, your router is affected and you need to take care of the problem.

Yo mods!

Could you stop featuring 4-paragraph articles from Reuters? There are a bunch of better articles on this topic online.

interresting very informative

[aepervius]

I was not aware of the product warning (well I did not leave it as default password, and i have one very long complicated alphanumeric one so i guess i am safer). Still the firmware update solved my problem... or was it unrelated and happenned at the same instant ? No idea but now it works. Thanks for the tip.

Poorly written

[Clsid]

I think they should actually state where did the outages happen. One can guess it is somewhere in Germany, but geez...

And before the whole "the Russians are coming" starts on this topic, here is an interesting link

http://www.spiegel.de/internat...

Re:Poorly written

[rtb61]

So it would seem the NSA's excuse of choice is to be a toddler, we didn't do it, Russia did (it has been pretty noticeable for a while). So much so, they have to intersperse it with, we didn't do it, China did. When ever they are asked to prove their claim in court the always claim national security (they can not prove how Russia and China did it with out proving how they did it to Russia and China and that Russia and China are just retaliating). How about a treaty to stop doing, nope, nuh uh, they don't want that, pervy little bastards still want to feed their ego and sense of power and control over everyone else by getting and hoarding everyone's secrets. Little rat bags never grew out of their childish behaviour, we all knew and disliked them for it when they were young and oh look, they are still hard at it, tugging away at their own bits, getting all hot and bothered spying on everyone else (I bet if they had showers in NSA buildings the floors would be sticky, eww).

detailed analysis

[ahaubold]

by Ralf-Philipp Weinmann: https://comsecuris.com/blog/po... just so you know ;)