MyRepublic is one of the only major internet service providers that have DHCP with no VLAN (e.g. hook a device up, get a public IP with no configuration).

This means that anything you hook up to the ONT will get a public IP if you're on one of the "Gamer" or business plans. Normally this is fine, as it is often a router designed for the task, but in my research it does appear that MyRepublic also do zero port filtering like other ISPs, meaning commonly abused ports like DNS, SMB and SMTP are often exposed, likely without the user knowing.

According to a Shodan scan of MyRepublic's NZ ASN (AS133579), as of right now there are currently:

- 69 Open DNS Resolvers (including MyRepublic's own resolvers, however).
- 63 Insecure SMTP Servers.
- 51 RDP Servers (including many running Windows 7 / Windows Server 2008).
- 41 NTP Servers.
- 11 MikroTik Winbox (7 vulnerable to CVE-2018-14847).
- 8 SMB Servers (6 with no auth).

This is only a small subset of services that can be commonly exploited or used in a DDoS attack. There are many routers with exposed web interfaces and many other services running which indicate already compromised hosts.

There are people active on Geekzone who may have unknown services exposed to the internet. If you're on MyRepublic and have a static or public IP address, then give yourself a scan and ensure everything is locked down. You can use the following services:

Shodan: https://shodan.io
GRC ShieldsUp!: https://www.grc.com/shieldsup

It may appear I am picking on MyRepublic here, but I am seriously not. I do often check the status of different providers in NZ, but MyRepublic have always appeared near the top of my lists for potentially compromised hosts due to the lack of VLAN tagging + DHCP; other providers, with their use of VLAN tagging, limit exposure to general purpose or insecure / unconfigured devices being connected straight to the wild west of the internet. It is also worrying there doesn't appear to be any port filtering happening on MyRepublic, meaning these customers may unknowingly be involved in past or future attacks.

I'd also like to remind everyone of the importance of knowing what you're port forwarding. Think to yourself what would happen if that device got compromised, what have you got on your network that may be a great target to threat actors, and how secure the thing you're port forwarding to is. Just because it is "password protected" doesn't mean it is secure. You should also never have to port forward to games consoles, cameras or alarm systems.
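
A local complement to the external scans mentioned in the post, added here as an example and not part of the original post: it parses `ss -tuln` output from your own machine and flags listeners for the services listed above that are bound to a non-loopback address, which is what a device plugged straight into the ONT would offer to the internet. The port numbers are the services' well-known defaults, the function names are illustrative, and the sample output is constructed.

```python
import ipaddress

# Services named in the post, keyed by their well-known default ports.
RISKY_PORTS = {25: "SMTP", 53: "DNS", 123: "NTP", 445: "SMB",
               3389: "RDP", 8291: "MikroTik Winbox"}

# Constructed sample of `ss -H -tuln` output (not taken from a real host).
SAMPLE_SS = """\
udp   UNCONN 0 0      0.0.0.0:53          0.0.0.0:*
udp   UNCONN 0 0      127.0.0.53%lo:53    0.0.0.0:*
udp   UNCONN 0 0      [::]:123            [::]:*
tcp   LISTEN 0 128    127.0.0.1:25        0.0.0.0:*
tcp   LISTEN 0 128    *:445               *:*
tcp   LISTEN 0 128    192.168.1.10:3389   0.0.0.0:*
tcp   LISTEN 0 128    [::1]:8291          [::]:*
tcp   LISTEN 0 128    0.0.0.0:22          0.0.0.0:*
"""

def is_loopback(addr):
    """True if the bind address is reachable only from the host itself."""
    addr = addr.strip("[]").split("%")[0]   # drop IPv6 brackets and %iface
    if addr == "*":                          # wildcard: every interface
        return False
    return ipaddress.ip_address(addr).is_loopback

def exposed_listeners(ss_output):
    """Return (proto, bind_addr, port, service) for risky non-loopback listeners."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue                         # header row or unrelated line
        addr, _, port = fields[4].rpartition(":")
        if not port.isdigit():
            continue
        port = int(port)
        if port in RISKY_PORTS and not is_loopback(addr):
            findings.append((fields[0], addr, port, RISKY_PORTS[port]))
    return findings

if __name__ == "__main__":
    for proto, addr, port, name in exposed_listeners(SAMPLE_SS):
        print(f"{name}: {proto}/{port} listening on {addr}")
```

Anything this reports is only a candidate: whether it is reachable from outside still depends on the router or firewall in front of the host, which is what the external scans confirm.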