Vulnerable Home Routers

[Tacitus]

Interesting article regarding vulnerable home routers which are implicated in DDoS attacks. 

http://www.theguardian.com/technology/2014/apr/01/uk-wifi-routers-internet-attacks

It mentions that the only way to discover if your router is vulnerable is for the ISP to scan everyone to pinpoint any that are at risk.  My suspicion is that the vulnerabilities are at server level rather than at the router, but my technical expertise is rather thin on this.

I wonder though whether iDNet do scan for this as a matter of course, or would do so on request?

[andrue]

I wonder though whether iDNet do scan for this as a matter of course, or would do so on request?

Seems unlikely. I came under some kind of DNS DDoS attack earlier in the year. Either under attack or someone trying to use me as an amplifier. Whatever the reason someone started firing DNS requests at my address. IDNet seemed fairly indifferent to it and just said I could change IP address if I wanted. Since it was eating my allowance up at over 1GB an hour I decided to move to an ISP that didn't charge for excessive usage.

http://www.idnetters.co.uk/forums/index.php/topic,31833.msg726022.html

[Gary]

Seems unlikely.

How do you know, you are not with them anymore 

[pctech]

He means he contacted them for assistance and his impression of their response was just 'we'll change your IP if you want but in any case we'll charge you for any overusage irrespective of the cause'
I think I also commented at the time that I thought it unwise to run a server on a domestic connection although if its your router that's being attacked that changes things as your only alternative is a USB ADSL modem.
The potential for such things is also the reason why I won't use ISPs like IDNet that don't allow a hard cap to be set as while I do keep an eye on what's connected to my network, use a long passphrase and apply any updated firmware to my main router and access points there is always a risk I could be caught out and I don't want to end up owing hundreds or even thousands of pounds in bandwidth fees.

[andrue]

He means he contacted them for assistance and his impression of their response was just 'we'll change your IP if you want but in any case we'll charge you for any overusage irrespective of the cause'

Yup,that's it exactly. IDNet seemed to see it as purely my problem so I can't see them scanning for router issues or being otherwise proactive unless they've had a change of policy in the last couple of months.

I think I also commented at the time that I thought it unwise to run a server on a domestic connection although if its your router that's being attacked that changes things as your only alternative is a USB ADSL modem.

I've no idea why I came under attack. The attack was a DNS attack and I've never run a DNS server.

Ultimately whether or not I ran a server wouldn't have affected the attack itself - it continued even when I disconnected my LAN from the router. Maybe having my domain point to my IP address somehow attracted the wrong kind of attention.

[nowster]

Simply put, if someone maliciously wants to send traffic to any IP address, there's no way of stopping that. If it's your IP address you will be charged for it even though you had no involvement in generating that traffic.

[mervl]

Yup,that's it exactly. IDNet seemed to see it as purely my problem ... Maybe having my domain point to my IP address somehow attracted the wrong kind of attention.

I think IDNet might well contact users, if they notice. That's the rub, unless you monitor everyone's connection and their selling point is they're NOT intrusive, how can they know? I too have my own domain, but it points to an MS e-mail server as I reckon they've got better resources than I could have to counter this sort of thing. So far, so good.

[pctech]

Well there are a couple of ways to deal with it:


1. Don't run any external facing services on a home network and make sure your router is stealthing all ports, if you want to run something like TTB's broadband quality monitor restrict responses to it's IP address only, I used ti see a few port scans and DOS attempts on my firewall log on my router, they got no response so they moved on presumably.
I'd rather pay a company a small fee to host my domain mail because its just less hassle and in the event of a DDOS against them they have more bandwidth at their disposal to deal with it than I do or they can simply null route the target.
2. Throw as much bandwidth as possible at it to soak up the attack, there are a number of companies that specialise in DDOS mitigation and traffic filtering that are used by banks and gambling sites, legit traffic gets though, stuff like ping gets blockholed so they will hopefully just get bored.

[Gary]

make sure your router is stealthing all ports,

Kaspersky always said stealthed ports are no guarantee of safety, closed ports are just as secure as stealthed. Stealth is non-standard TCP/IP protocol. With standard networking protocol, if a machine makes a request to another machine, some form of response is expected. Even if your machine is turned off, an upstream router (at your ISP) will respond that the machine is unreachable. So if someone suspects a machine is at a certain address and runs some scans, if they get no response, they will not only know that there is a machine at that address, but that it also has a firewall that is actively dropping requests.

[pctech]

Never said they were Gary but look at it this way.

A door to door salesman is likely to keep knocking on your front door for a longer time if he sees lights on near the door, if there are no lights on he is likely to move on to where he can see lights.

[Steve]

I think what Gary is saying correct, it doesn't matter whether your ports are closed or stealthed, unless you configure your ports to send out the ICMP Unreachable signal you're actually telling your attacker just as much by stealthing as you are with a closed port. Indeed you can't stealth an open port either so one listening port gives you away.

To use your analogy if the JWs come round the only way to escape detection is to shoot them first whether your lights are on or off.

[pctech]

Personally I think stealthed is better than closed so I think we'll agree to disagree on this one.

[Steve]

It's still not a protocol response though,  whether you tell them to eff off immediately or in 30 secs time, they still know your there and they never give up, they'll be back next week until you move away and become unreachable.

[pctech]

The correct protocol response for JWs is 'we're Catholic' (which technically we are)

Had to say it quite a few times but they finally got the hint. 

[nowster]

The correct protocol response for JWs is 'we're Catholic' (which technically we are)

I thought the correct response was...

"Come in. Please excuse the blood. The goat struggled and knocked over the black candles."

[pctech]

 

[Gary]

I guess all ISP's can say that those using non standard equipment should pay if they dont keep patched, and since even iDNet have their own routers I imagine that applies here. (oh can we not bash others religious views and belief systems so blatantly its just wrong)

[Gary]

Personally I think stealthed is better than closed so I think we'll agree to disagree on this one.

Stealthed is just hiding in plain sight, and can actually cause more communications issues than just using closed ports, there are in fact many stealth scanners available to hackers anyway so its pointless, its like hiding your routers broadcast name, its bad security. If you are port scanning as Steve said and your firewall is in stealth mode its obvious its there, and since they can detect stealthed ports easily its ultimately pointless these days.

[andrue]

oh can we not bash others religious views and belief systems so blatantly its just wrong

When they bring them to our front door and try and thrust them into our lives it's entirely acceptable. There's only one person's rights being impacted in that confrontation and it isn't theirs.

Anyway that's certainly going off topic so I'll just say with respect to IDNet that I didn't leave in a huff. I just felt safer going somewhere where a DOS attack wouldn't cost me money. I do feel, however, that they could have handled it differently and perhaps having a better way to handle overages would be worth considering.

[pctech]

Ok then.

I am using a Billion 7800N with the latest firmware and have made absolutely no change to the router's default firewall config.

A sheildsup test shows the ports as stealthed, why would Billion supply the router in such an insecure configuration, incidentally a Netgear I have gives the same result.

[pctech]

Have a look here

https://www.grc.com/su/portstatusinfo.htm

[Gary]

When they bring them to our front door and try and thrust them into our lives it's entirely acceptable. There's only one person's rights being impacted in that confrontation and it isn't theirs.

Anyway that's certainly going off topic so I'll just say with respect to IDNet that I didn't leave in a huff. I just felt safer going somewhere where a DOS attack wouldn't cost me money. I do feel, however, that they could have handled it differently and perhaps having a better way to handle overages would be worth considering.

No its not, you don't have to answer the door and no right to bash them on a public forum in my eyes two wrongs dont make a right... anyway moving on was your router a a recursive dns server? Some TP-Link routers had issues so they were attacked and still are with some Netgears and Zyxel ones, that may explain that issue. Zen being zen scan for such issues, there is in fact a page to test your router here http://security.zensupport.co.uk/ Maybe IDnet could do the same? If people on Zen have a unpatched router Zen will ask them to fix it it or terminate the internet connection it seems, harsh but fair I guess.

[Gary]

Have a look here

https://www.grc.com/su/portstatusinfo.htm

Really old and out of date info. Stealthed has been seen as useless for a while now. Kaspersky software firewalls are not stealthed by default, no need, nor are Mac ones. As I said since they can detect stealhed ports its useless, just like hiding your ssid. Security by obscurity no longer works and is unsafe and misleading really.

Taken from Kaspersky: 'No stealth mode'
First thing some users will notice is that there is no stealth mode. This can be observed on tests like Shields Up or PC Flank. Having no stealth mode does not make you vulnerable, it simply means that your PC will report an error when an outside pc attempts to connect to you (in stealth mode it will do nothing). While this may seem good, it's not, the automated attacks like port scans or various worms are not interested, they will probe random IP addresses whether they are stealthed or not (a good example is Helkern, even if the firewall is stealthed the Intrusion Detection System still blocks Helkern attempts to infiltrate the PC).
Also stealth mode can create problems with different Server type applications, P2P applications or even file transfers on certain programs.

[andrue]

was your router a a recursive dns server?

I don't think so. It's a Billion 6300 and the TBB OpenDNS test gives it a clean bill of health. I'll run the Zen test when I get home. It doesn't really fit the bill from my understanding though. I was getting DNS requests on port 53 and my router has that port stealthed.

Edit: Realised I could run it now by specifying my IP address. The result is 'No response'.