qrkx
Premium Member
join:2003-04-26
Montreal, QC

qrkx to jvmorris

Premium Member

to jvmorris

Re: First WINNER!!!

said by jvmorris:

Still, there's the little matter of the beer and the Glenmorangie to be finalized and, as it is, I'm going to have to go back and carefully read as to just what commitments were made.
Alls I knows is that B ain't getting open source beer!

rgds.

BeesTea
Internet Janitor
Premium Member
join:2003-03-08
00000

1 edit

BeesTea to qrkx

Premium Member

to qrkx
said by qrkx:

Heh...simple ingress filtering....when will we learn?
Tis true my friend. But then what would we do with all the time we spend trying to triangulate DDoS ?? Imagine how bored we'd get not having to deal with backscatter too.
qrkx
Premium Member
join:2003-04-26
Montreal, QC

qrkx

Premium Member

Meh...Imho...it ain't even worth trying to zero down on DDoS - too many ways to achieve that from an attacker's perspective....

rgds.

Link Logger
MVM
join:2001-03-29
Calgary, AB

Link Logger to qrkx

MVM

to qrkx

Re: El Cheapo Router Challenge

said by qrkx:

Blake,

How can any security device not offer logging? I am at a loss explaining the reasoning for this.

rgds.

Welcome to my world of pure hell and darkness. I have begged vendors and pleaded with them, but I guess they just don't get it, but even high end vendors can have HUGE differences in their logging abilities. Logs out are just as important as logs in, but again a lot of companies just don't get it. It's a simple thing to include, but beyond their grasp to understand.

Blake

jvmorris
I Am The Man Who Was Not There.
MVM
join:2001-04-03
Reston, VA

jvmorris to qrkx

MVM

to qrkx

Re: First WINNER!!!

Okay, can we just go to the videotape? I think I know what you did; I'd just like to be proved wrong.
qrkx
Premium Member
join:2003-04-26
Montreal, QC

qrkx to Link Logger

Premium Member

to Link Logger

Re: El Cheapo Router Challenge

said by Link Logger:

said by qrkx:

Blake,

How can any security device not offer logging? I am at a loss explaining the reasoning for this.

rgds.

Welcome to my world of pure hell and darkness. I have begged vendors and pleaded with them, but I guess they just don't get it, but even high end vendors can have HUGE differences in their logging abilities. Logs out are just as important as logs in, but again a lot of companies just don't get it. It's a simple thing to include, but beyond their grasp to understand.

Blake
Can we then just conclude that any vendor ignoring the logging side is pretty much worthless?

rgds.

Link Logger
MVM
join:2001-03-29
Calgary, AB

Link Logger to BeesTea

MVM

to BeesTea
There are a lot of things the author of SQL Slammer could have done, but chose not to. Thankfully he was an independent and a hacker from the old school.

Blake

jvmorris
I Am The Man Who Was Not There.
MVM
join:2001-04-03
Reston, VA

jvmorris to Link Logger

MVM

to Link Logger
said by Link Logger:

. . . Welcome to my world of pure hell and darkness. I have begged vendors and pleaded with them, but I guess they just don't get it, but even high end vendors can have HUGE differences in their logging abilities. Logs out are just as important as logs in, but again a lot of companies just don't get it. It's a simple thing to include, but beyond their grasp to understand.
Amen to all of that. And it's not just SOHO NAT routers or hardware firewall appliances, or even the high-end PSFs. If you can't select at least an option for comprehensive logging (and then analysis of the logs), you're pretty much in a "by gosh and by golly" situation as to understanding what may be happening on your connection, be it a simple SOHO situation or a business environment.
jvmorris

jvmorris to qrkx

MVM

to qrkx
said by qrkx:

. . . Can we then just conclude that any vendor ignoring the logging side is pretty much worthless?
Oh, the product may well be fine. But how is the customer to know, one way or the other? Ask the vendor?
qrkx
Premium Member
join:2003-04-26
Montreal, QC

qrkx

Premium Member

said by jvmorris:

said by qrkx:

. . . Can we then just conclude that any vendor ignoring the logging side is pretty much worthless?
Oh, the product may well be fine.
So it's a guessing game on the behalf of the customer? The product may well be fine?!

rgds.

jvmorris
I Am The Man Who Was Not There.
MVM
join:2001-04-03
Reston, VA

2 edits

jvmorris

MVM

said by qrkx:
said by jvmorris:
said by qrkx:

. . . Can we then just conclude that any vendor ignoring the logging side is pretty much worthless?
Oh, the product may well be fine.
So it's a guessing game on the behalf of the customer? The product may well be fine?!
Yes, I think that sums it up rather well. For example, when I bought the SMC Barricade 7004 ABR (I was still on dial-up at the time), it satisfied all my technical requirements. It was only after I got it, installed it and started using it that I found out just how poor its (native) logging capabilities were.

I think someone has to have experience with a truly decent logging/log analysis tool (like Blake's Link Logger or Dan's WallWatcher or Sven's Log Viewer) when used in conjunction with a compatible NAT, hardware firewall appliance, or PSF before they can understand just what such logging capabilities can do for them. Of course, most consumers (again, router/hardware firewall/PSFs) could care less about this, but it's essential for those of us who like to putter about. Indeed, I found it rather scary when I didn't have this capability; I had no idea what was happening 'out there' and little if any capability to monitor outbound comms. For the PSFs that I've played with (since NIS 2002), Sygate's SPF does a reasonably credible job on the logging, but not so much on log analysis. (I hasten to acknowledge that I have not comprehensively surveyed PSFs or their logs in the recent past.)

If anything, I would wish that comparative analyses of such products put a lot more emphasis on logging capabilities than what I've seen to date in their evaluations.

Addendum: Before we wander off into any great digression in this thread, I should acknowledge that logging/log analysis and configuration documentation has been one of my great obsessions since I first showed up on BBR/DSLR. If someone desires to discuss this particular aspect regarding SOHO NAT Routers/hardware firewall appliances, or PSFs, it would probably be best to start a new thread. I think we'd all prefer to keep this thread focused on SOHO NAT router vulnerabilities, not logging capabilities.
KyeU
join:2003-12-31
Canada

KyeU to Link Logger

Member

to Link Logger
Announcer: "AND D-MAN HAS HIS ETHERNET CABLE AROUND LINKY'S NECK!"

Link Logger
MVM
join:2001-03-29
Calgary, AB

Link Logger

MVM

OK I have created another thread to discuss qrkx's method of sneaking packets past a NAT here »First winner - El Cheapo Router Challenge

Still looking for other ways to sneak stuff past a router so keep working on it gang.

Let me know when you want to switch to the D-Link 604 as that is the next target in line.

Blake

willendorf
join:2000-12-29
Norwich, CT

willendorf to Link Logger

Member

to Link Logger
Blake, I think it would be good after an explanation of exactly what took place in the attack, we keep the successful methods listed and then go back and try them on each of the previous routers that weren't penetrated. This way we would know if the attacks are universal or vendor specific.
Bane75
join:2002-09-20
Parker, CO

Bane75 to B04

Member

to B04
Yes there is some FUD in there. FUD was not the point, the point was to look at some of the mentioned attack techniques based on their merits, you are obviously unable to do that.

EGeezer
Premium Member
join:2002-08-04
Midwest

2 edits

EGeezer to Link Logger

Premium Member

to Link Logger
So we need to have a Meet & Greet for this beer thing - I guess I gotta buy you winners the beer, but B needs to supply the Glenmorangie.

EDIT - AND, we finally drive home the usefulness of logging as a part of Layered security.
tvhawaii
join:2002-02-17
Wailuku, HI

tvhawaii to Link Logger

Member

to Link Logger
Is Network View »www.networkview.com/ broken or has anyone else seen port 21 active on both of these devices?

--Michael

Bubba
GIT-R-DONE
MVM
join:2002-08-19
St. Andrews

Bubba to Link Logger

MVM

to Link Logger
I don't know how better to ask this and do NOT diminish what was done ? in this very short post\question....but....on a scale of 1 to 5 for all of us clueless less knowledgeable in this crowd....is this a vulnerability ?

The next question is the exploit aspect which will only come when the stack comes on I presume.

norwegian
Premium Member
join:2005-02-15
Outback

norwegian to Link Logger

Premium Member

to Link Logger
Something else that comes to mind, the crew at rootkit.com, and the crew at sysinternals.com, not trying to start a battle fellas, but I wonder if anything has been looked at from their view, or even ASAP, has anyone made an inroad, NAT may be hacked, but what if you spent the last 5 years indulged in cracking, breaking, corrupting etc.

The world was once thought flat, but it didn't stop the barriers being broken now did it ?
B04
Premium Member
join:2000-10-28

2 edits

1 recommendation

B04 to Bane75

Premium Member

to Bane75
said by Bane75:

Yes there is some FUD in there. FUD was not the point, the point was to look at some of the mentioned attack techniques based on their merits, you are obviously unable to do that.
Any "attack techniques" they referenced seemed to me either inapplicable, undocumented, FUD, or trivial. But I'm coming at this from an amateur viewpoint.

I appreciated your posting of the link -- actual vendor commentary on the subject -- and gave a thumbs up for it, but you seem particularly clueless about this entire subject and about Blake's challenge.
said by Bane75:

The easiest way to compromise the box behind the router would be to use something like cross site scripting on a website to push a subseven or some such to the windows box. I know that method would work, I don't think that is in question. What I think everyone would like answered is if the router can be bypassed without using something like cross site scripting, for that I have a couple of ideas.
While you seem enamored of the phrase "cross-site scripting", it has nothing, at all, to do with this Router Challenge -- it's based on, er, web surfing, ya know? You might as well suggest downloading a trojan from a web site as a means to win the challenge -- oh wait, you DID! You're talking about SubSeven! How very silly.

Please don't bother responding; based upon your ignorance and rudeness I've added you to my ignore lists.

Anyway, congratulations to qrkx! I look forward to the analysis and implications (e.g., why did no one else succeed, would it have been possible without Blake's close cooperation, could anything else be done, etc.) -- is there a separate thread on this?

Edit: Whoops; never mind -- »First winner - El Cheapo Router Challenge

Edit 2: What the heck is Glenmorangie?

-- B

jvmorris
I Am The Man Who Was Not There.
MVM
join:2001-04-03
Reston, VA

1 edit

jvmorris

MVM

said by B04: . . .
Edit 2: What the heck is Glenmorangie?
. . . .
Whisky!! -- and damn good stuff, I might add. Somehow you owe all of us a case (each) of it.
B04
Premium Member
join:2000-10-28

1 edit

B04

Premium Member

Fine then. I've begun stocking up the cellars... Feel free to grab one off the shelf.

-- B
gatzdon
join:2002-10-25
Lake Zurich, IL

gatzdon to Link Logger

Member

to Link Logger
You got my attention with this thread. I like the concept. I know it would be impractical to set up an unlimited number of setups, but it would be nice to see the challenges organized into two groupings.

First: Out of the box following the Quickstart Directions. This would be just what it sounds like. Open the box, follow the quickstart directions, and nothing more. This is probably the most common scenario you'll see when joe blow sets up his router.

Second: If someone had a web page maintained with directions on how to secure your router (change default password/username, enable/disable services, DMZ to non-existent IP address, etc...). The second half of the challenge could be the router setup using all the recommendations listed. Obviously if an exploit is found, the recommendation would change and subsequently the router configuration. This setup should allow for simple requests that reflect common usage of an internet connection (visit page »www.microsfft.net, open »mms://123.123.123.123:1234 in Media Player, but not include requests such as run this app, or click on this link and click accept (those would not be considered unsolicited, but rather poor browsing habits).

I would also work on a clear and short statement declaring the purpose, "This test is designed to challenge the effectiveness of a cheap NAT based router to reject unsolicited incoming attacks"

Also, if people find a FAR router, it would be nice if someone secured one/two to include in the challenge. I remember there was a time when you could get 10 RP614's FAR at staples.

Just a few thoughts.

Is there a web page yet for displaying the parameters of the challenge and a summary of the results? It would be nice to include not just the model number, but also the
Bane75
join:2002-09-20
Parker, CO

Bane75 to qrkx

Member

to qrkx

Re: First WINNER!!!

said by qrkx:

said by BeesTea:

said by Link Logger:

(I doubt it would matter what device was running as a lot of high end firewalls would have also failed to block these)
Agreed. Unless you two are using the same provider, primarily it's a network policy issue. He shouldn't have been able to get mis-sourced packets onto your provider's network.

I don't suspect the SOHO stuff keeps track of TTL, but in theory you could watch for TTL changes on responses from your DNS.
Heh...simple ingress filtering....when will we learn?

rgds.
If the TTL behavior is true, these devices could potentially be exploited by a tool such as Firewalk. Has anyone tried to Firewalk any of the routers Blake has put up?
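
The TTL check raised in the quoted exchange above (watching for TTL changes on responses from your DNS), as an added example that is not part of the original thread: it learns a per-source IP TTL baseline and flags later responses that stray from it. The packet records, the resolver address 192.0.2.53 and the `warmup` and `tolerance` parameters are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample: (seconds, source IP, IP TTL as received) for UDP/53
# responses seen on the WAN side. 192.0.2.53 stands in for the ISP resolver.
SAMPLE_RESPONSES = [
    (0.0, "192.0.2.53", 54),
    (1.2, "192.0.2.53", 54),
    (2.9, "192.0.2.53", 54),
    (3.1, "192.0.2.53", 53),   # one hop of ordinary path jitter
    (4.0, "192.0.2.53", 54),
    (5.5, "192.0.2.53", 118),  # same claimed source, very different path length
    (6.0, "192.0.2.53", 54),
    (6.4, "192.0.2.53", 119),
]


def find_ttl_anomalies(responses, warmup=3, tolerance=2):
    """Return (ts, src, ttl, baseline) for responses that stray from baseline.

    The first `warmup` packets from each source set that source's baseline
    (their most common TTL). The baseline is then frozen, so a later burst
    of mis-sourced packets cannot retrain it. A packet is flagged when
    |ttl - baseline| > tolerance; the tolerance absorbs small route changes.
    """
    warmup_ttls = defaultdict(list)   # source -> TTLs seen during warm-up
    baseline = {}                     # source -> learned TTL
    anomalies = []
    for ts, src, ttl in responses:
        if src not in baseline:
            warmup_ttls[src].append(ttl)
            if len(warmup_ttls[src]) >= warmup:
                baseline[src] = Counter(warmup_ttls[src]).most_common(1)[0][0]
            continue
        if abs(ttl - baseline[src]) > tolerance:
            anomalies.append((ts, src, ttl, baseline[src]))
    return anomalies


if __name__ == "__main__":
    for ts, src, ttl, expected in find_ttl_anomalies(SAMPLE_RESPONSES):
        print(f"t={ts:>4}s src={src} ttl={ttl} (baseline {expected})")
```

TTL is chosen by the sender, so a matching value proves nothing about origin and only a mismatch is informative; the ingress filtering discussed in the quoted posts remains the actual control.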
Bane75

Bane75 to B04

Member

to B04

Re: El Cheapo Router Challenge

said by B04:

said by Bane75:

Yes there is some FUD in there. FUD was not the point, the point was to look at some of the mentioned attack techniques based on their merits, you are obviously unable to do that.
Any "attack techniques" they referenced seemed to me either inapplicable, undocumented, FUD, or trivial. But I'm coming at this from an amateur viewpoint.

I appreciated your posting of the link -- actual vendor commentary on the subject -- and gave a thumbs up for it, but you seem particularly clueless about this entire subject and about Blake's challenge.
said by Bane75:

The easiest way to compromise the box behind the router would be to use something like cross site scripting on a website to push a subseven or some such to the windows box. I know that method would work, I don't think that is in question. What I think everyone would like answered is if the router can be bypassed without using something like cross site scripting, for that I have a couple of ideas.
While you seem enamored of the phrase "cross-site scripting", it has nothing, at all, to do with this Router Challenge -- it's based on, er, web surfing, ya know? You might as well suggest downloading a trojan from a web site as a means to win the challenge -- oh wait, you DID! You're talking about SubSeven! How very silly.

Please don't bother responding; based upon your ignorance and rudeness I've added you to my ignore lists.

Anyway, congratulations to qrkx! I look forward to the analysis and implications (e.g., why did no one else succeed, would it have been possible without Blake's close cooperation, could anything else be done, etc.) -- is there a separate thread on this?

Edit: Whoops; never mind -- »First winner - El Cheapo Router Challenge

Edit 2: What the heck is Glenmorangie?

-- B
Initially Blake asked for compromises based on the machine behind the router surfing out to sites. Cross site scripting is definitely able to accomplish that task.

My knowledge is based on years of experience in the IT security field, what is your knowledge based upon? The document I posted has some very valid points on weaknesses in NAT, the point once again was to discuss the merits of the attacks.

You fail to understand the technology involved. You admit you are an amateur, perhaps you should spend some time researching how the technology works and how exploits are written and used.

justin
..needs sleep
Mod
join:1999-05-28
2031

justin

Mod

No, I agree with B, that "whitepaper" is too vague to be of any contribution. It feels like it was written by a sales team. And "cross-site-scripting" is a cute buzzword but has nothing to do with testing NAT front-ends.
rgillis70
Premium Member
join:2002-12-30
Washington, DC

1 recommendation

rgillis70 to Bane75

Premium Member

to Bane75
said by Bane75:

Initially Blake asked for compromises based on the machine behind the router surfing out to sites. Cross site scripting is definitely able to accomplish that task.
Actually he wanted a set attack with no browsing - it was requested that he browse so that the device would be having activity, but browsing was not part of the initial challenge. It was just done to make the challenge more realistic in the approach, that there would be normal activity.

This test is not to see if a website can infect you - it can do that behind a $200,000 firewall if the user is dumb enough. The test is to see if the device itself can be bypassed, and thus far only one type of attack has gotten by.
Bane75
join:2002-09-20
Parker, CO

Bane75 to justin

Member

to justin
said by justin:

No, I agree with B, that "whitepaper" is too vague to be of any contribution. It feels like it was written by a sales team. And "cross-site-scripting" is a cute buzzword but has nothing to do with testing NAT front-ends.
It probably was written by a sales team. The whole point was to get people thinking about possible methods, not to say "these methods will definitely compromise a NAT device."

Link Logger
MVM
join:2001-03-29
Calgary, AB

Link Logger

MVM

Apparently hacking the Netgear FR114P must have scared everyone off, as I'm not seeing the attempts on it like I saw for the Linksys BEFSR41, so maybe everyone feels that a $64 device is unbreachable or something.

qrkx is still the only person to sneak packets by any device thus far in this challenge, but I think we have determined in the »First winner - El Cheapo Router Challenge thread that this method would work on just about anything, but is a very low security risk in the grand scheme of the internet.

I will remove the Netgear FR114P and slap in the cheapest NAT router I have, a D-Link 604 and let you know when everything is ready to go.

After the D-Link 604, I'm planning on putting up a XP SP2 system (no patches beyond SP2) so we can test its built-in firewall capabilities and after that I'll put up a totally unprotected XP system so we can have some fun (i.e. see how easy it is to own an unprotected system, so you can see what a difference a NAT Device does make). Currently the system behind the NAT Device is a totally unpatched, open public shares, weak password protected XP system and still no one has managed to get a file onto it, off of it (i.e. read it). So its only protection from the internet is the NAT device up front and thus far it has done an excellent job of protecting it.

Blake
B04
Premium Member
join:2000-10-28

B04

Premium Member

Well now that you've given us "a taste", I'd also like to see if qrkx's sneaky packets can be leaked through a "real" firewall too. Got any Nokia/Checkpoints or PIXes on hand?

-- B