Possible Flaw in Linksys BEFSR41 Version 4 Wired Router?

Discussion in 'other security issues & news' started by Pikachu762, Oct 20, 2005.

Thread Status:
Not open for further replies.
  1. Pikachu762

    Pikachu762 Registered Member

    Joined:
    Jan 31, 2004
    Posts:
    41
    Over the past 2 days or so, I have noticed that my software firewall (the free version of Outpost) is recording incoming connection attempts on UDP 1029. There are only 5 or so different IP addresses involved, and all of them are in China, according to WhoIs.

    The router is not set to forward anything. I am running WinXP Home, I have no servers running on my desktop machine (it is the only machine I have connected to the router). Every option for remote administration is turned off, every option for filtering incoming requests is turned on, along with NAT. I also have the latest firmware available.

    The router blocks all bad incoming requests except for these packets which get through the router on UDP 1029. The source port is given as 50720. Seems there is something out there that creates bad packets that are able to slip past the Linksys. The IP addresses given as the source are as follows:

    222.241.95.14
    222.77.185.242
    219.148.126.141
    220.164.140.226
    211.141.120.102

    I've tried calling the Linksys tech line, but the guys I talked to didn't seem to know very much. They just asked a couple of questions about my configuration settings. Perhaps a few of you know someone at Linksys or Cisco whom you could ask about this particular issue. If you have any ideas of things I could try, that would also be appreciated.

    Thank you.
     
  2. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,103
    Hi Pikachu762,

    The best thing you can do is to run a software firewall to implement a multi-layered security strategy. Two free firewalls that come to mind are Zone Alarm Free and Sygate Personal Firewall. Both will also trigger notifications of outbound connection attempts. If, as you say, there are malformed packets getting through, you could also try running the ethereal packet sniffer to try and capture the bad packets, and then hopefully craft a firewall rule for the Linksys router if that is possible. The only question I have is if the malformed packets are getting through the router, would they then get through either of the firewalls mentioned also - so, you may have to experiment. At the very least you need to know of any outbound connection attempts which you should Deny!

    -- Tom
     
  3. Pikachu762

    Pikachu762 Registered Member

    Joined:
    Jan 31, 2004
    Posts:
    41
    Hi Tom,

    Thank you for the response. I am running a software firewall, in my case the free version of Outpost. It let me know about the inbound requests that got through the router.

    There will be long periods of... nothing :) But then there will be a long period of connection attempts, maybe 30 minutes apart, that the SW firewall will log.

    I am frustrated that the router is allowing inbound requests. It blocks everything else, but this stuff on port 1029, from Asian IP addresses, gets through.

    I would like to use Ethereal to get hold of the actual packets that are coming in, but I only have one machine. I'd rather install Ethereal on a 2nd machine that is in a DMZ. Installing WinPcap, which is necessary to run Ethereal, can introduce vulnerabilities on a machine. There was an article on Security Focus about it a while ago. Anyway, I need a 2nd machine...or rather, I want another to use as an investigative platform :) Safer that way.

    Anyone else having a similar problem? Any other ideas?
     
  4. Arup

    Arup Guest

    I have seen the same phenomenon of UDP inbound being let in by routers; the cheaper ones especially don't employ good SPI, particularly on UDP. Only the higher end ICSA certified ones do a total block. For instance, with CHX, unless given a rule, I could never sync my world clock with atomic time servers; it uses UDP inbound to port 123. With routers, it was easy to do so.
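    The two posts above describe the same underlying behaviour from different angles: a cheap NAT router that has seen any outbound UDP from a local port may let any remote host send to that port afterwards, whereas a stricter stateful filter only admits replies from the exact remote endpoint the LAN host spoke to, and only for a limited time. The following is an added illustration, not code from the thread or from any Linksys product: a toy UDP state filter with both policies, run over constructed packet records. The 192.0.2.10 and 198.51.100.7 addresses, the source port 5000 and the 30-second timeout are assumptions made for the demo; the five addresses sent to local port 1029 are the ones quoted in the first post.

```python
"""Toy stateful UDP filter (added example, not from the thread).

Policies modelled:
  "full-cone"  - once the LAN host has sent any UDP from a local port, any
                 remote endpoint may send to that port until the entry ages
                 out (roughly how permissive home NAT boxes behave).
  "restricted" - inbound UDP is accepted only from the exact remote
                 address:port the LAN host previously sent to, within the
                 timeout. Everything else is dropped and counted.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    t: float           # seconds since start of capture (constructed)
    direction: str     # "out" (LAN -> Internet) or "in" (Internet -> LAN)
    remote_ip: str
    remote_port: int
    local_port: int


class UdpStateFilter:
    def __init__(self, policy="restricted", timeout=30.0):
        if policy not in ("full-cone", "restricted"):
            raise ValueError(policy)
        self.policy = policy
        self.timeout = timeout          # assumed idle timeout for UDP state
        self._flows = {}                # flow key -> time of last outbound packet

    def _key(self, p):
        # Full-cone keys state on the local port only; restricted keys it on
        # the full (local port, remote ip, remote port) tuple.
        if self.policy == "full-cone":
            return (p.local_port,)
        return (p.local_port, p.remote_ip, p.remote_port)

    def process(self, p):
        """Return "allow" or "drop"; outbound packets create/refresh state."""
        k = self._key(p)
        if p.direction == "out":
            self._flows[k] = p.t
            return "allow"
        last = self._flows.get(k)
        if last is not None and p.t - last <= self.timeout:
            return "allow"
        return "drop"


def run(policy, packets):
    """Apply one policy to a packet list; returns (remote_ip, local_port, decision)."""
    f = UdpStateFilter(policy)
    return [(p.remote_ip, p.local_port, f.process(p)) for p in packets]


def dropped_by_source(policy, packets):
    """Count unsolicited inbound packets per remote address under a policy."""
    return dict(Counter(ip for ip, _, d in run(policy, packets) if d == "drop"))


# Constructed trace. 192.0.2.10 stands in for an NTP server, 198.51.100.7 for
# some application the LAN host talked to from local port 1029 earlier on.
SAMPLE = [
    Pkt(0.0, "out", "192.0.2.10", 123, 123),          # NTP query
    Pkt(0.2, "in", "192.0.2.10", 123, 123),           # NTP reply: legitimate
    Pkt(1.0, "out", "198.51.100.7", 5000, 1029),      # earlier app traffic from 1029
    Pkt(5.0, "in", "222.241.95.14", 50720, 1029),     # unsolicited (from thread)
    Pkt(6.0, "in", "222.77.185.242", 50720, 1029),    # unsolicited (from thread)
    Pkt(7.0, "in", "219.148.126.141", 50720, 1029),   # unsolicited (from thread)
    Pkt(100.0, "in", "220.164.140.226", 50720, 1029), # unsolicited, state aged out
    Pkt(100.5, "in", "211.141.120.102", 50720, 1030), # unsolicited, no state at all
]

if __name__ == "__main__":
    for policy in ("full-cone", "restricted"):
        print(policy)
        for ip, port, decision in run(policy, SAMPLE):
            print(f"  {ip:>16} -> :{port}  {decision}")
        print("  dropped per source:", dropped_by_source(policy, SAMPLE))
```

    Under the full-cone policy the three packets arriving within the timeout of the earlier outbound traffic from port 1029 are allowed even though they come from hosts the LAN machine never contacted, which is the pattern the original post reports; under the restricted policy the NTP reply still gets through but all five port-1029/1030 packets are dropped. The per-source drop count is the kind of summary a software firewall log can provide when the router itself offers no rule for this.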
     
  5. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,103
    Hi Pikachu762,

    Is your router also a firewall? If so, you should be able to block all inbound access to your computer/network from the Internet as it's rarely necessary.

    If it isn't a firewall, but just a NAT device, I'd consider replacing it with a more robust model that does stateful inspection & packet filtering, and Linksys makes some.

    I would visit the Linksys website to see if it has their manuals online for your router.

    -- Tom
     