"Exploiting SOHO Routers"

Discussion in 'malware problems & news' started by new2security, Apr 25, 2013.

Thread Status:
Not open for further replies.
  1. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    492
    -http://securityevaluators.com//content/case-studies/routers/soho_router_hacks.jsp#recommendationsAdmin

    Wonder if running without a router but with a software firewall is sometimes better...
     
  2. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,050
    Location:
    USA
    I run both. Leave as few holes as possible.
     
  3. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    492
    Normally that would be the optimal setting. But if your router is vulnerable and, for example, the DNS settings have been tampered with, I'd say it would be riskier than having no router. But sure, the DNS issue could be mitigated by setting the DNS in Windows instead of the router.
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Don't know how old that article is, but this has been known for some time. It can be summed up as DNS rebind attacks. One good mitigation is to block all localhost (i.e. 127.0.0.1 - 255) destined input from the router in your firewall.

    As far as Windows goes, I cannot say dnscache is a safer alternative than the DNS server on the router.

    BTW - this article bears a striking resemblance to one created by Craig Heffner at the 2010 Def Con in Las Vegas: http://www.sourcesec.com/Lab/soho_router_report.pdf.
     
    Last edited: Apr 29, 2013
  5. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    492
    Thanks for the good link. Will study it more closely later.
    Well, if router-settings-changing malware manages to change the router's DNS settings, your Windows DNS settings are not affected, if that improves the security or mitigates the risk somehow. I assume(!) Windows' firewall will not protect against any of these hacks, so I figured it could improve the security by not using a router.
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    My router is commercial grade and it has been hacked a few times. However since I set a password on it so strong that I could never remember it, it has not been hacked once.
     
  7. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    I am wondering how you found out that it got hacked? This is probably the first time I have heard that someone got their home router hacked. I mean home users are not usually the ones that most hackers are after :)
     
    Last edited: Apr 30, 2013
  8. kdcdq

    kdcdq Registered Member

    Joined:
    Apr 19, 2002
    Posts:
    657
    Location:
    Southwestern Massachusetts
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Open up your router GUI and watch your connections. If you see inbound connections to localhost addresses, you have been hacked. Localhost should be reserved to/from your PC exclusively. Wireshark would be a better way to do this BTW. I also suspect hackers are fingerprinting routers looking for commercial ones under the assumption behind one is the "mother lode" of an enterprise to be exploited.

    I also found a glitch with the NIS 2013 firewall where it by default will set your router as trusted and file shareable. Well I don't have a network and connect to the Internet via a single PC. So I reset the router in NIS 2013 to protected status.
     
  10. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,088
    Would you mind elaborating on that a bit? I'm reading that, naturally interpreting instances of "localhost" to mean 127.0.0.1, and can't follow what you were trying to describe.
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Yes, I should have elaborated. To prevent a DNS rebind attack, you want to block in your firewall any DNS connections to localhost. That is TCP and UDP port 53 outbound to 127.0.0.0 - 127.0.0.255. If your firewall is stateful, it will auto-block any unsolicited inbound traffic from the above.
     
  12. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,088
    The loopback block is 127/8 (127.0.0.0 - 127.255.255.255, first and last addresses being specials of course).

    I don't see how blocking traffic to loopback:53 is going to help prevent DNS rebinding attacks in general. A remote server could use similar techniques to cause software running on the local machine to manipulate a DNS server running on the local machine (if one happened to be running). That remote server could even be a webserver and the local software a web browser, I suppose. Let's take a more recent example of a DNS rebinding attack though, where the target IP address changing trickery allows malicious JavaScript running in the user's web browser to bypass origin checks while connecting to the user's public IP address, and their router grants that malicious JavaScript access to its admin panel. The user-side DNS mechanisms aren't the problem. It is the remotely specified DNS answers that are the problem. Well, one of the problems.
     
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
  14. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,088
    FTA:
    Note that they are talking about DNS resolutions to 127.*.*.* rather than DNS connections to 127.*.*.*. They're saying don't let the question "what is the IP Address of foreign host www.example.com" have an answer falling in the range 127.*.*.* (which corresponds to loopback and thus this computer). Software running on the local machine can monitor DNS activity to identify and filter out such answers.
     
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    See page 36 of the document. It is a bit more specific.

    http://ithandbook.ffiec.gov/media/27459/nis-guide_on_firewall_and_firewall_pol_800_41.pdf

    The main issue is whether your firewall prevents localhost communication from anything other than your PC. Comodo, for example, treats localhost as a separate network and generates default global rules for it. In NIS, localhost is a protected network also. However, PrivateFirewall totally ignores localhost, i.e. no monitoring at all, and that is a quote from its developer when I asked him about it.
     
    Last edited: May 5, 2013
  16. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,088
    FTA:
    Loopback/localhost is for internal communications within the device we're talking about. So I think an IP Address in the range 127.*.*.* should never appear as a source address and/or destination address in traffic that crosses a device's external interface. I think this is what they are talking about. If an IP datagram is coming in on a LAN interface with a source and/or destination IP Address in the range 127.*.*.*, block it. If an IP datagram is going out through a LAN interface with a source and/or destination IP Address in the range 127.*.*.*, block it. Do you concur?

    The DNS Rebinding attack issue is something different. It can be used to target not only 127.*.*.* addresses but also private network addresses and any IP Address really. I hope we're on the same frequency there. Are we?

    FWIW, what threw me in your post that I first replied to is that you said your router was hacked, then someone asked you how you knew, then you said:

    Because the POV was the router (we're looking at its GUI) I found the "to/from your PC" somewhat confusing. Loopback/localhost addresses would be used within a router itself, within a PC itself, but not between the two. I tried interpreting what you said a different way: that a PC was actually sending 127.*.*.* addresses on the wire to the router, but that would suggest that the PC has a problem rather than the router. Finally, I did consider the possibility that the router was hacked and that was somehow causing records of inbound traffic to 127.*.*.* to appear. One potential point of confusion, though, was whether you meant inbound as in "traffic to loopback/localhost" or "traffic coming in through an external interface and addressed to loopback/localhost address". I'm still not sure what you meant to describe but I do agree with the idea in your subsequent sentence that Wireshark would be a way to add clarity and confirm what is/isn't actually on the wire and traveling through external interfaces.

    I'm thinking if we concur on the first two items up above we're good to go and I can just thank you for taking the time to chat about this. Are we good?
     
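    The two checks discussed in posts 14 and 16 (filtering DNS answers that point a foreign name at loopback or private address space, and dropping datagrams with a 127/8 source or destination on a LAN/WAN interface) as an added example, not code from this thread. The DNS response is constructed inline; the parser handles only the A-record layout needed here and assumes name compression pointers in the answer section.

```python
import ipaddress
import struct

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _skip_name(msg, off):
    """Advance past a DNS name (labels or a compression pointer)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer
            return off + 2
        off += 1 + length


def a_records(msg):
    """Return IPv4 addresses from the answer section of a DNS response."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4              # skip QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:               # A record
            addrs.append(ipaddress.IPv4Address(msg[off:off + 4]))
        off += rdlen
    return addrs


def suspicious_answers(msg):
    """Post 14: answers for a foreign name that land in loopback/private space."""
    return [str(a) for a in a_records(msg)
            if a in LOOPBACK or any(a in n for n in PRIVATE)]


def loopback_on_wire(src, dst):
    """Post 16: a datagram crossing an interface should never carry 127/8."""
    return any(ipaddress.ip_address(x) in LOOPBACK for x in (src, dst))


def build_response(name, addrs):
    """Construct a minimal DNS response (sample data for this example only)."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(addrs), 0, 0)
    qname = b"".join(bytes([len(lb)]) + lb.encode() for lb in name.split(".")) + b"\x00"
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 1, 4)  # TTL 1: rebinding-style
                   + ipaddress.IPv4Address(a).packed for a in addrs)
    return hdr + qname + struct.pack("!HH", 1, 1) + rrs
```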
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    My main point is routers are not as secure as people think and your next line of defense is your software firewall.

    Another issue I see is by default, many third party firewalls "trust" the router. That might be a necessary evil on a network but on a single PC should be changed to a "protected" connection.
     
  18. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,088
    I wouldn't argue with those points :) Sorry for the detour from your main point of interest.
     