"Exploiting SOHO Routers"

-http://securityevaluators.com//content/case-studies/routers/soho_router_hacks.jsp#recommendationsAdmin

Wonder if running without router but with a software firewall sometimes is better..

 

I run both. Leave as few holes as possible.

 

Normally that would be the optimal settings. But if your router is vulnerable and for example the DNS settings have been tampered with, I'd say it would be riskier than having no router. But sure, the DNS issue could be mitigated by setting the DNS in Windows instead of the router.

 

Don't know how old that article is but this has been known for some time. Can be summed up as DNS rebind attacks. One good mitigation is to block all localhost i.e. 127.0.0.1 - 255 destined input from the router in your firewall.

As far as Windows goes. I cannot say dnscache is a safer alternative than the DNS server on the router.

BTW - this article bears a stricking resemblence to one created by Craig Heffner at the 2010 Def Con in Las Vegas: http://www.sourcesec.com/Lab/soho_router_report.pdf.

 

Thanks for the good link. Will study it more closely later.
Well if a router-settings-changing malware manages to change the router's DNS settings, your windows DNS settings are not affected, if that improves the security or mitigates the risk somehow. I assume(!) windows' firewall will not protect against any of these hacks, so I figured it could improve the security by not using a router.

 

My router is commercial grade and it has been hacked a few times. However since I set a password on it so strong that I could never remember it, it has not been hacked once.

 

I am wondering how did you found out that it got hacked? This is probably the first time I have heard that some one got their home router hacked. I mean home users are not usually the ones that most hackers are after

 

This same issue with SOHO routers is also being discussed briefly in the Hardware section: https://www.wilderssecurity.com/showthread.php?t=345654

 

Open up your router GUI and watch your connections. If you see inbound connections to localhost addresses, you have been hacked. Localhost should be reserved to/from your PC exclusively. Wireshark would be a better way to do this BTW. I also suspect hackers are fingerprinting routers looking for commercial ones under the assumption behind one is the "mother lode" of an enterprise to be exploited.

I also found a glitch with the NIS 2013 firewall where it by default will set your router as trusted and file shareable. Well I don't have a network and connect to the Internet via a single PC. So I reset the router in NIS 2013 to protected status.

 

Would you mind elaborating on that a bit? I'm reading that, naturally interpreting instances of "localhost" to mean 127.0.0.1, and can't follow what you were trying to describe.

 

Yes, I should have elaborated. To prevent a DNS rebind attack, you want to block in your firewall any DNS connections to localhost. That is TCP and UDP port 53 outbound to 127.0.0.0 - 127.0.0.255. If your firewall is stateful, it will auto block any unsolicted inbound traffic from the above.

 

The loopback block is 127/8 (127.0.0.0 - 127.255.255.255, first and last addresses being specials of course).

I don't see how blocking traffic to loopback:53 is going to help prevent DNS rebinding attacks in general. A remote server could use similar techniques to cause software running on the local machine to manipulate a DNS server running on the local machine (if one happened to be running). That remote server could even be a webserver and the local software a web browser I suppose. Lets take a more recent example of a DNS rebinding attack though. Where the target IP Address changing trickery allows malicious javascript running in the user's web browser to bypass origin checks while connecting to the user's public IP Address and their router grants that malicious javascript access to its admin panel. The user side DNS mechanisms aren't the problem. It is the remotely specified DNS answers that are the problem. Well, one of the problems.

 

Check out section 5.1: http://crypto.stanford.edu/dns/dns-rebinding.pdf

 

FTA:

Note that they are talking about DNS resolutions to 127.*.*.* rather than DNS connections to 127.*.*.*. They're saying don't let the question "what is the IP Address of foreign host www.example.com" have an answer falling in the range 127.*.*.* (which corresponds to loopback and thus this computer). Software running on the local machine can monitor DNS activity to identify and filter out such answers.

 

See page 36 of the document. It is a bit more specific.

http://ithandbook.ffiec.gov/media/27459/nis-guide_on_firewall_and_firewall_pol_800_41.pdf

The main issue is if your firewall prevents localhost communication from anything other than your PC. Comodo for example treats localhost as a separate network and generates default global rules for it. In NIS, localhost is a protected network also. However, PrivateFirewall totally ignores localhost i.e. no monitoring at all and that is a quote from it's developer when I asked him about it.

 

FTA:

Loopback/localhost is for internal communications within the device we're talking about. So I think an IP Address in the range 127.*.*.* should never appear as a source address and/or destination address in traffic that crosses a device's external interface. I think this is what they are talking about. If an IP datagram is coming in on a LAN interface with a source and/or destination IP Address in the range 127.*.*.*, block it. If an IP datagram is going out through a LAN interface with a source and/or destination IP Address in the range 127.*.*.*, block it. Do you concur?

The DNS Rebinding attack issue is something different. It can be used to target not only 127.*.*.* addresses but also private network addresses and any IP Address really. I hope we're on the same frequency there. Are we?

FWIW, what threw me in your post that I first replied to is that you said your router was hacked, then someone asked you how you knew, then you said:

Because the POV was the router (we're looking at its GUI) I found the "to/from your PC" somewhat confusing. Loopback/localhost addresses would be used within a router itself, within a PC itself, but not between the two. I tried interpreting what you said a different way: that a PC was actually sending 127.*.*.* addresses on the wire to the router, but that would suggest that the PC has a problem rather than the router. Finally, I did consider the possibility that the router was hacked and that was somehow causing records of inbound traffic to 127.*.*.* to appear. One potential point of confusion, though, was whether you meant inbound as in "traffic to loopback/localhost" or "traffic coming in through an external interface and addressed to loopback/localhost address". I'm still not sure what you meant to describe but I do agree with the idea in your subsequent sentence that Wireshark would be a way to add clarity and confirm what is/isn't actually on the wire and traveling through external interfaces.

I'm thinking if we concur on the first two items up above we're good to go and I can just thank you for taking the time to chat about this. Are we good?

 

My main point is routers are not as secure as people think and your next line of defense is your software firewall.

Another issue I see is by default, many third party firewalls "trust" the router. That might be a necessary evil on a network but on a single PC should be changed to a "protected" connection.

 

I wouldn't argue with those points Sorry for the detour from your main point of interest.