Improvements and doubts in the AX6000

Improvements and doubts in the AX6000

Improvements and doubts in the AX6000
Improvements and doubts in the AX6000
2024-09-11 18:05:50 - last edited 2024-09-12 15:41:11
Model: Archer AX6000  
Hardware Version: V1
Firmware Version: 1.3.0 Build 20221208 rel.45145(5553)

I am here once again asking for friendly help with questions about the modem indicated in the form.

I have previously contacted you using the protocol TP20230412020522.

Now, analyzing some things like network packets, I found the following questions, it seems that the modem is communicating with some sites automatically:

 

Where 'IP_MOLDEM' is the IP of the WAN interface.

Where 'DNS_MOLDEM' is the DNS configured for the WAN interface.

 

16:28:02.367399 IP (tos 0x0, ttl 64, id 16129, offset 0, flags [DF], proto UDP (17), length 64)
    IP_MOLDEM.50614 > DNS_MOLDEM.domain: [udp sum ok] 32837+ A? a . root-servers . net. (36)
        0x0000:  8e00 0000 8e8e b0a7 b900 40a1 0800 4500
        0x0010:  0040 3f01 4000 4011 3fb7 c000 02ca 976a
        0x0020:  61c0 c5b6 0035 002c 6a45 8045 0100 0001
        0x0030:  0000 0000 0000 0161 0c72 6f6f 742d 7365
        0x0040:  7276 6572 7303 6e65 7400 0001 0001
        
16:28:04.486705 IP (tos 0x0, ttl 64, id 16738, offset 0, flags [DF], proto UDP (17), length 75)
    IP_MOLDEM.55049 > DNS_MOLDEM.domain: [udp sum ok] 35077+ A? n-deventry-gw . tplinkcloud . com. (47)
        0x0000:  8e00 0000 8e8e b0a7 b900 40a1 0800 4500
        0x0010:  004b 4162 4000 4011 3d4b c000 02ca 976a
        0x0020:  61c0 d709 0035 0037 e020 8905 0100 0001
        0x0030:  0000 0000 0000 0d6e 2d64 6576 656e 7472
        0x0040:  792d 6777 0b74 706c 696e 6b63 6c6f 7564
        0x0050:  0363 6f6d 0000 0100 01

 

16:28:05.381726 IP (tos 0x0, ttl 64, id 17457, offset 0, flags [DF], proto UDP (17), length 55)
    IP_MOLDEM.47464 > DNS_MOLDEM.domain: [udp sum ok] 6658+ A? yahoo . com. (27)
        0x0000:  8e00 0000 8e8e b0a7 b900 40a1 0800 4500
        0x0010:  0037 4431 4000 4011 3a90 c000 02ca 976a
        0x0020:  61c0 b968 0035 0023 23f1 1a02 0100 0001
        0x0030:  0000 0000 0000 0579 6168 6f6f 0363 6f6d
        0x0040:  0000 0100 01
        
16:40:34.272062 IP (tos 0x0, ttl 64, id 3872, offset 0, flags [DF], proto UDP (17), length 54)
    IP_MOLDEM.34699 > DNS_MOLDEM.domain: [udp sum ok] 56310+ A? ebay . com. (26)
        0x0000:  8e00 0000 8e8e b0a7 b900 40a1 0800 4500
        0x0010:  0036 0f20 4000 4011 6fa2 c000 02ca 976a
        0x0020:  61c0 878b 0035 0022 2ec1 dbf6 0100 0001
        0x0030:  0000 0000 0000 0465 6261 7903 636f 6d00
        0x0040:  0001 0001

 

I would really like you to create a patch to analyze the integrity of the firmware.

 

I did not access any sites like 'a . root-servers . net, n-deventry-gw . tplinkcloud . com, yahoo . com, ebay . com' apparently it is coming from the equipment itself.

  0      
  0      
#1
Options
1 Accepted Solution
Re:Improvements and doubts in the AX6000-Solution
2024-09-11 23:55:52 - last edited 2024-09-12 15:41:11

  @Rozz 

 

Given the domains that you noted, most probably this is related to a mechanism involving domain name resoltion checks to deterine if the device is online - check this thread.

If this was helpful click on the arrow pointing upward to make it blue. If this solves your issue, click the star to make it blue and mark the post as a "Recommended Solution".
Recommended Solution
  0  
  0  
#4
Options
4 Reply
Re:Improvements and doubts in the AX6000
2024-09-11 19:37:02 - last edited 2024-09-12 03:49:14

  @Rozz 

 

As far as not connecting to those sites such as Yahoo, it may be your devices in your network.

 

Maybe I can see the TP Link one from the router checking to see if there is an update or something (not that I would like it).

 

I could see a mail server checking for mail. Think of how your phone knows that you got new mail. 

 

I would not rule out a lot of traffic from a lot of sites you would not expect to that track your device useage and report back to their servers.

 

Does it do it if all the devices were disconnected?

  0  
  0  
#2
Options
Re:Improvements and doubts in the AX6000
2024-09-11 22:23:28 - last edited 2024-09-12 03:49:14

  @ArcherC8 

Yes, before opening the topic I did a test with just the moldem and the edge server. There are packets like the ones I sent to several domains, I didn't post them all, even to reddit.com, a site I've never used.

I also find it very strange, but we are subject to several attacks and I imagine that this happened in some firmware update or it could be something that was added before the purchase.

  0  
  0  
#3
Options
Re:Improvements and doubts in the AX6000-Solution
2024-09-11 23:55:52 - last edited 2024-09-12 15:41:11

  @Rozz 

 

Given the domains that you noted, most probably this is related to a mechanism involving domain name resoltion checks to deterine if the device is online - check this thread.

If this was helpful click on the arrow pointing upward to make it blue. If this solves your issue, click the star to make it blue and mark the post as a "Recommended Solution".
Recommended Solution
  0  
  0  
#4
Options
Re:Improvements and doubts in the AX6000
2024-09-12 15:41:04 - last edited 2024-09-12 15:43:24

  @terziyski I saw your answer and the article you linked, I appreciate the information, I'm relieved to know that it's not malicious at all, but I don't agree with this technique.

 

I come back and insist that TP-Link use logic in their equipment because there are so many hacker gadgets these days and I'm sure that the quality and value of the company will be much higher if they focus on security.

  0  
  0  
#5
Options