Page 1 of 1

Ports 80/443 show as open despite router and fiber ONT being powered off

Posted: Tue Sep 20, 2022 8:09 pm
by agracia
A while back I noticed that ports 80 and 443 appeared to be open to the public internet on my network, which was distressing because I had not opened those ports on my firewall. After some troubleshooting I confirmed that not only were they not open on my firewall, but that the public IP that Sonic has provided my firewall through DHCP continues to show ports 80 and 443 as open to the public internet even when I had completely powered off and physically disconnected both my own network equipment and Sonic's network equipment in my home.

I confirmed this issue only appears when running port scans from outside of Sonic's network and that it also affected at least one other Sonic customer, both by testing with my neighbor's Sonic connection (with their approval). Sonic initially informed me that they were investigating the issue but eventually told me this week that they can no longer investigate it. I am still waiting on a response as to why this issue is being closed, their last communication seemed to state that they do not see these ports as open though I still do.

I'd like to put this out to the community to confirm that it is or is not a widespread issue and, if it is, make the case to Sonic for continuing to investigate and resolve this. I'll assume that most in this forum are literate in networking and can run a port scan themselves so I'll just lay out the criteria to have in place for testing to replicate this particular issue. If anyone needs specific technical assistance with running a port scan just ask, I'm happy to help

To replicate this the following should be true:

    - you confirm your current public IP provided by Sonic
    - your router/firewall is powered off and disconnected from any Sonic equipment
    - your fiber ONT ("fiber modem") is powered off and physically disconnected from any ethernet connections
    - you run a port scan for ports 80 and 443 against your current Sonic public IP *from outside of the Sonic network* (this is key as I've confirmed that a port scan of my public IP from my neighbor's Sonic connection does not show the ports as open)

If you've met all of those criteria and you see ports 80 and 443 respond as listening/open, then you are also affected by this.

I understand that some may say this is a non-issue if I've confirmed that my firewall does not actually have those ports open but I would respectfully disagree. The current state of affairs makes confirming the security and functionality of my network more difficult and as a network engineer myself I would be concerned about an issue like this on my network that I could not explain. This is already a long post so I'll leave it there lol, thanks for reading.

Re: Ports 80/443 show as open despite router and fiber ONT being powered off

Posted: Wed Sep 21, 2022 7:33 pm
by virtualmike
What happens if you attempt to connect to them from outside Sonic's network?

Re: Ports 80/443 show as open despite router and fiber ONT being powered off

Posted: Fri Sep 30, 2022 7:58 pm
by agracia
In nmap I receive the following:

Code: Select all

80/tcp  open  http
443/tcp open  https?

If I run a capture in Wireshark while that runs I can see SYN/ACK packets being sent from the remote host, so there is something out there responding as my public IP while the ONT is offline.

No actual connection attempt is successful though, the host does not respond to any HTTP requests on either port. I ran a service scan on nmap at one point to try and identify if some other service is listening on those ports but nmap was not able to identify any.

Re: Ports 80/443 show as open despite router and fiber ONT being powered off

Posted: Sat Oct 01, 2022 5:24 pm
by virtualmike
Yes, it does appear that something else is intercepting those ports. What happens if you test when everything is on and connected?

Re: Ports 80/443 show as open despite router and fiber ONT being powered off

Posted: Mon Oct 03, 2022 9:33 am
by msiegen
The behavior you're describing sounds like a transparent proxy. It's highly unlikely that Sonic would employ one, given their excellent privacy policy and stance on network neutrality. In contrast, mobile carriers sometimes use proxies to facilitate deep packet inspection.

You didn't say where you're testing from, but if it's a mobile hotspot then these observations may be expected and are unrelated to Sonic.