[Cialug] ISPs and patching routers

Matt Stanton matt at itwannabe.com
Tue Oct 2 12:22:04 CDT 2012


I have one of CenturyLink's fantastically terrible Actiontec modems, which acts as a router.  I can't configure it to operate in bridged mode because that takes away my ability to log into the modem to figure out why CenturyLink has dropped my connection or why my link speed has dropped from 12mbps to 1 or 2mbps, so I have to leave it in NAT mode.  What I do is set it to use .2 in DMZ mode, and that is the IP that my wireless router gets.  It then NATs everything AGAIN.

Luckily, my wireless router supports the newest version of dd-wrt.  I have configured dd-wrt to use Google's public DNS servers (they actually seem to respond faster than CenturyLink's DNS servers), ignoring the DNS servers that the DSL modem's DHCP server offers to the wireless router.  I also have the router's remote management turned off.

The DSL modem must have some sort of remote management enabled, because it seems like CenturyLink tech support is able to access the router somehow.  I set my wireless router up the way I did hoping to mitigate some of the security issues presented by the DSL modem.

My parents are fairly well-trained ;) and they will disallow anything asking to install any sort of browser plugin.  Of course, that means every time Java wants to install an update, my mom comes and gets me to deal with it (and Sun used to put out a Java update every other day... thank God Oracle is lazy!).  Hopefully what I'm doing will protect against this sort of attack... If anyone sees an issue, please let me know.

-- Matt (N0BOX)

Sent from my ASUS Transformer



-----Original Message-----
From: kristau <kristau at gmail.com>
To: Central Iowa Linux Users Group <cialug at cialug.org>
Sent: Tue, 02 Oct 2012 11:52 AM
Subject: Re: [Cialug] ISPs and patching routers

All the more reason to run your own firewall and internal DNS/DHCP,
treating the ISP router as an external, untrusted device.
On Oct 2, 2012 11:43 AM, "Dave Weis" <djweis at internetsolver.com> wrote:

>
> In this exploit it doesn't matter if WAN admin is enabled or not. The
> victim loads a page that does some type of javascript requests to the modem
> using the default username and password and modifies what DHCP hands out
> for DNS servers. It's all coming from the inside interface of the firewall,
> not the outside.
>
>
> -----Original Message-----
> From: cialug-bounces at cialug.org [mailto:cialug-bounces at cialug.org] On
> Behalf Of Adam Hill
> Sent: Tuesday, October 02, 2012 11:17 AM
> To: Central Iowa Linux Users Group
> Subject: Re: [Cialug] ISPs and patching routers
>
> I believe dd-wrt has WAN management disabled by default.  I haven't gotten
> around to setting up OpenVPN either, which would be a more ideal solution,
> so I'm using an open wan management on a non-default port for convenience.
>
> On Tue, Oct 2, 2012 at 10:00 AM, Barry Von Ahsen <barry at vonahsen.com> wrote:
>
> > is there an option to not allow management from WAN?
> >
> > or is this in addition to that?
> >
> >
> > -barry
> >
> >
> > On Oct 2, 2012, at 9:42 AM, Adam Hill wrote:
> >
> > > One of my benched side projects is setting up knockd (port knocker) on my
> > > dd-wrt router so I don't have to leave its web interface open to be found
> > > by port scanners and can open port forwards by port knocks.
> > >
> > > On Tue, Oct 2, 2012 at 9:12 AM, David Champion <dchamp1337 at gmail.com> wrote:
> > >
> > >> dd-wrt / openwrt are one of the targets of this attack as well. If you're
> > >> not up to date, or haven't configured it correctly, you may have problems.
> > >>
> > >> -dc
> > >>
> > >> On Tue, Oct 2, 2012 at 9:08 AM, Nathan C. Smith <nathan.smith at ipmvs.com> wrote:
> > >>
> > >>> Here is a related article:
> > >>>
> > >>> https://www.securelist.com/en/blog/208193852/The_tale_of_one_thousand_and_one_DSL_modems
> > >>>
> > >>> This one makes it sound like an A-V company was having trouble determining
> > >>> how the computer was being manipulated and redirected because it was being
> > >>> done outside the computer through the DSL modem.
> > >>>
> > >>> May you live in interesting times.
> > >>>
> > >>> -Nate
> > >>>
> > >>> -----Original Message-----
> > >>> From: cialug-bounces at cialug.org [mailto:cialug-bounces at cialug.org] On
> > >>> Behalf Of Josh More
> > >>> Sent: Tuesday, October 02, 2012 8:53 AM
> > >>> To: Central Iowa Linux Users Group
> > >>> Subject: [Cialug] ISPs and patching routers
> > >>>
> > >>> Looks like the router attack we've long known was possible is now actually
> > >>> being used.
> > >>>
> > >>> This would be a good time to move friends and family over to openwrt or
> > >>> ddwrt.  (Or an ISP that takes responsibility for security.)
> > >>>
> > >>> Details are here:
> > >>>
> > >>> http://arstechnica.com/security/2012/10/dsl-modem-hack-infects-millions-with-malware/
> > >>>
> > >>>
> > >>> -Josh
> > >>> _______________________________________________
> > >>> Cialug mailing list
> > >>> Cialug at cialug.org
> > >>> http://cialug.org/mailman/listinfo/cialug
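
The thread describes an attack that changes the DNS servers a modem's DHCP hands out, and a setup that pins DNS to Google's public resolvers instead. As an added example (not code from any poster in this thread), the Python below is a check a LAN client could run: it reads resolv.conf-style text and a dhclient lease file and flags any resolver outside an allow-list. The router address 192.168.1.1, the function names and the sample lease and resolv.conf text are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption: resolvers this LAN is meant to use (Google Public DNS, as in the
# message above) plus a hypothetical router address acting as local forwarder.
EXPECTED = {"8.8.8.8", "8.8.4.4", "192.168.1.1"}

# Constructed samples: an older lease, then one offering unfamiliar resolvers.
SAMPLE_LEASES = """
lease {
  option domain-name-servers 192.168.1.1;
}
lease {
  option domain-name-servers 203.0.113.53, 198.51.100.7;
}
"""
SAMPLE_RESOLV = "# constructed\nnameserver 8.8.8.8\nnameserver 8.8.4.4\n"

def resolvers_from_resolv_conf(text):
    """Nameserver addresses from resolv.conf-style text, comments skipped."""
    found = []
    for line in text.splitlines():
        parts = re.split(r"[#;]", line, maxsplit=1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            found.append(parts[1])
    return found

def resolvers_from_dhclient_lease(text):
    """DNS servers offered in the most recent (last) lease block."""
    blocks = re.findall(r"lease\s*\{(.*?)\}", text, flags=re.S)
    if not blocks:
        return []
    m = re.search(r"option\s+domain-name-servers\s+([^;]+);", blocks[-1])
    return [s.strip() for s in m.group(1).split(",")] if m else []

def unexpected(resolvers, expected=EXPECTED):
    """Resolvers outside the allow-list; unparsable entries are reported too."""
    flagged = []
    for r in resolvers:
        try:
            addr = str(ipaddress.ip_address(r.split("%")[0]))
        except ValueError:
            flagged.append(r)
            continue
        if addr not in expected:
            flagged.append(addr)
    return flagged

if __name__ == "__main__":
    print(unexpected(resolvers_from_dhclient_lease(SAMPLE_LEASES)))
```

Run from cron or a login script against the real `/etc/resolv.conf` and lease file, a non-empty result is the signal that the resolvers in use have changed from the ones you configured.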