
Discover All Tenda Devices in ARP Database

Tenda makes embedded devices that are frequently compromised and/or used in DoS attacks. You can actively scan or sniff for the following list of vendor IDs (MAC address prefixes) live, but I wrote an SQL-backed multi-router ARP table reporting system for an ISP years back. This query locates all clients operating such a device.

    select distinct `ip`
    from `arp`
    where (
           `mac` like 'E8:65:D4%'
        or `mac` like 'D8:32:14%'
        or `mac` like 'CC:2D:21%'
        or `mac` like 'C8:3A:35%'
        or `mac` like 'B8:3A:08%'
        or `mac` like 'B4:0F:3B%'
        or `mac` like 'B0:DF:C1%'
        or `mac` like '58:D9:D5%'
        or `mac` like '50:2B:73%'
        or `mac` like '50:0F:F5%'
        or `mac` like '08:40:F3%'
        or `mac` like '04:95:E6%'
    )

I have had enough problems with these devices that I suggest preemptively locating them, blocking typical remote management/access ports upstream, and having all affected users return or upgrade their router. Follow up and remove the corresponding upstream rules once the devices have been removed (use arping to verify) to recover netfilter resources.
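An added example, not part of the original post or the author's reporting system: ARP entries collected from several routers often arrive in lowercase, dash or dotted notation, which a colon-form prefix LIKE will not match, so this sketch normalizes each MAC before comparing it to the same OUI list. It assumes an `arp` table with `ip` and `mac` columns as in the query and uses an in-memory SQLite database as a stand-in; the sample rows and the names `oui_of`, `find_tenda_clients`, `tenda_oui` and `demo_db` are constructed for illustration.

```python
import re
import sqlite3

# OUI prefixes copied from the query on this page.
TENDA_OUIS = [
    "E8:65:D4", "D8:32:14", "CC:2D:21", "C8:3A:35", "B8:3A:08", "B4:0F:3B",
    "B0:DF:C1", "58:D9:D5", "50:2B:73", "50:0F:F5", "08:40:F3", "04:95:E6",
]

def oui_of(mac):
    """Return the first three octets as 'AA:BB:CC', or None if not a MAC."""
    digits = re.sub(r"[:.\-\s]", "", mac or "")
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        return None
    d = digits.upper()
    return ":".join((d[0:2], d[2:4], d[4:6]))

def find_tenda_clients(conn):
    """Distinct IPs whose normalized MAC prefix is in the OUI list."""
    conn.create_function("oui_of", 1, oui_of)  # expose the normalizer to SQL
    conn.execute("create temp table if not exists tenda_oui (prefix text primary key)")
    conn.executemany("insert or ignore into tenda_oui values (?)",
                     [(p,) for p in TENDA_OUIS])
    rows = conn.execute(
        "select distinct a.ip from arp a "
        "join tenda_oui t on oui_of(a.mac) = t.prefix order by a.ip")
    return [r[0] for r in rows]

def demo_db():
    """Constructed sample data; the column names follow the query on the page."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table arp (ip text, mac text)")
    conn.executemany("insert into arp values (?, ?)", [
        ("192.0.2.10", "C8:3A:35:00:11:22"),  # colon form, matches the LIKE as-is
        ("192.0.2.11", "c8-3a-35-aa-bb-cc"),  # lowercase dash form
        ("192.0.2.12", "502b.7301.0203"),     # dotted form
        ("192.0.2.13", "00:11:22:33:44:55"),  # prefix not in the list
        ("192.0.2.14", "(incomplete)"),       # unresolved ARP entry
        ("192.0.2.10", "C8:3A:35:00:11:22"),  # same client seen by a second router
    ])
    return conn

if __name__ == "__main__":
    print(find_tenda_clients(demo_db()))
```

Keeping the prefixes in a table rather than a chain of LIKE clauses also means the list can be updated without editing the query.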
