said by B :

Well now that you've given us "a taste", I'd also like to see if qrkx 's sneaky packets can be leaked through a "real" firewall too.

said by justin :

No, i agree with B, that "whitepaper" is too vague to be of any contribution. It feels like it was written by a sales team. And "cross-site-scripting" is a cute buzzword but has nothing to do with testing NAT front-ends.

said by Bane75 :

Initially Blake asked fro compromises based on the machine behind the router surfing out to sites. Cross site scripting is definitely able to accomplish that task.

said by B :

Any "attack techniques" they referenced seemed to me either inapplicable, undocumented, FUD, or trivial. But I'm coming at this from an amateur viewpoint.

I appreciated your posting of the link -- actual vendor commentary on the subject -- and gave a thumbs up for it, but you seem particularly clueless about this entire subject and about Blake's challenge.

While you seem enamored of the phrase "cross-site scripting", it has nothing, at all, to do with this Router Challenge -- it's based on, er, web surfing, ya know? You might as well suggest downloading a trojan from a web site as a means to win the challenge -- oh wait, you DID! You're talking about SubSeven! How very silly.

Please don't bother responding; based upon your ignorance and rudeness I've added you to my ignore lists.

Anyway, congratulations to qrkx ! I look forward to the analysis and implications (e.g., why did no one else succeed, would it have been possible without Blake's close cooperation, could anything else be done, etc.) -- is there a separate thread on this?

Edit: Whoops; never mind -- »First winner - El Cheapo Router Challenge

Edit 2: What the heck is Glenmorangie?

-- B

said by qrkx :

Heh...simple ingress filtering....when will we learn?

rgds.

said by B : . . .
Edit 2: What the heck is Glenmorangie?
. . . .

said by Bane75 :

Yes there is some FUD in there. FUD was not the point, the point was to look at some of the mentioned attack techniques based on their merits, you are obviously unable to do that.

said by Bane75 :

The easiest way to compromise the box behind the router would be to use something like cross site scripting on a website to push a subseven or some such to the windows box. I know that method would work, I don't think that is in question. What I think everyone would like answered is if the router can be bypassed without using something like cross site scripting, for that I have a couple of ideas.

said by qrkx :

So it's a guessing game on the behalf of the customer? The product may well be fine?!

said by jvmorris :

Oh, the product may well be fine.

said by qrkx :

. . . Can we then just conclude that any vendor ignoring the logging side is pretty much worthless?

said by Link Logger :

. . . Welcome to my world of pure hell and darkness. I have begged vendors and pleaded with them, but I guess they just don't get it, but even high end vendors can have HUGE differences in their logging abilities. Logs out are just as important as logs in, but again a lot of companies just don't get it. Its a simple thing to include, but beyond their grasp to understand.

said by Link Logger :

Welcome to my world of pure hell and darkness. I have begged vendors and pleaded with them, but I guess they just don't get it, but even high end vendors can have HUGE differences in their logging abilities. Logs out are just as important as logs in, but again a lot of companies just don't get it. Its a simple thing to include, but beyond their grasp to understand.

Blake

said by qrkx :

Blake,

How can any security device not offer logging? I am at a loss explaining the reasoning for this.

rgds.

said by qrkx :

Heh...simple ingress filtering....when will we learn?

said by jvmorris :

Still, there's the little matter of the beer and the Glenmorangie to be finalized and, as it is, I'm going to have to go back and carefully read as to just what commitments were made. ;)

said by BeesTea :

Agreed. Unless you two are using the same provider, primarily it's a network policy issue. He shouldn't have been able to get mis-sourced packets onto your providers network.

I don't suspect the SOHO stuff keeps track of TTL, but in theory you could watch for TTL changes on responses from your DNS.

said by Link Logger :

(I doubt it would matter what device was running as a lot of high end firewalls would have also failed to block these)

said by jvmorris :

No, No!! Save the GlenMorangie for me! (EGeezer only likes German beers; I have a more varied palate! :( )

said by Anav :

The whole thread and challenge is FUD. NAT drops packets not originating from the LAN period, but who am I to stand in the way of fun. ;-)

said by jvmorris :

No, it's EGeezer with the beer fixation. :D

said by Link Logger :

You don't have to allow anything just some way to see what port I'm using as a source. Second I don't think the NAT device is going to allow anything from your system, except where the ports match. So something to your port 53 from my port x doesn't mean you can send something back to my port 80 for an example, worth a brief experiment perhaps to prove.

Blake

said by qrkx :

I can allow incoming UDP 53.
If you do a nslookup www.whatever.com myIP then I should see your incoming request and reply but that wouldn't prove much since your box will naturally allow any responses from my IP.

said by Link Logger :

qrkx Do you still have that system setup and I'll surf to an IP that you give me and then you can see what ports are being used by the router and then base an attack back on those. Even if there isn't a web site there you should still see the attempt and hence the ports.

Blake

said by EGeezer :

... That's why we drink it here.

Well, in that case, I'm off the the Elks to buy my own. They have popcorn too.

said by qrkx :

Unfortunately beer ain't gonna be one of them in this case. ;)

said by taximan233 :

If you remember K-lite then you remember the supernode function. As an example Limewire uses the same in Ultrapeer. The node remembers that you shook hands and therefore sends scans back to the(well at one time default port 6346).

said by B :

The SP2 test would be interesting. (At first I thought you meant putting it behind the router, but I now surmise you meant INSTEAD of the router...)

said by dadkins :

After all this fun is finished, I would like to see the test repeated with the routers setup in a real-world configuration. Like with xxxx game installed with #xxxx port(s) forwarded. Some games don't even need ports forwarded...

[snip]

Thoughts?

said by dadkins :

Yep. 6346. It's the only port I have forwarded and someone or something is using it to try and connect to various ports on my laptop. Too bad I have Outpost Pro denying them! ;)

said by dadkins :

Yep. 6346. It's the only port I have forwarded and someone or something is using it to try and connect to various ports on my laptop. Too bad I have Outpost Pro denying them! ;)

said by dadkins :

Routers are not bulletproof in real-world usage.

said by Anav :

The whole thread and challenge is FUD. NAT drops packets not originating from the LAN period, but who am I to stand in the way of fun. ;-)

said by Bane75 :

In the meantime, here is a link to a file on some of the attacks used in the past to bypass NAT devices. This is from Watchguard, a very respectable security vendor.

»www.cactechnology.com/whitepaper···l_wp.pdf

BUSTING THE NAT MYTH: WHY NAT DOESN’T PROVIDE “FIREWALL-LIKE”
SECURITY
Say you wanted to keep your home address private from everyone except friends and family members. If you
managed to do that, would you then say, “Keeping my address private makes me completely safe. I no longer
have to lock the doors or use a security device.” Foolish, right? Yet many businesspeople follow that logic when
concluding that a NAT device, such as a router, is a firewall.
Network Address Translation was designed specifically to allow many computers to share a single public IP
address, which is the numeric identifier that represents a computer or device on a network. The functionality was
developed as a simple solution to the critical shortage of unique IP addresses that came about as worldwide use of
the Internet exploded.
NAT works like this: when a piece of transmitted data, called a packet, leaves your network for the Internet, a
NAT device replaces all private IP source addresses with one public address. It also hides your private,
unregistered network address from the public. Since the NAT box advertises its own address to the world as the
source address, all replies from the Internet return to the NAT device. The device then checks an internal table for
a match before opening a port and redirecting replies to the appropriate computer inside the network.
So where did the myth come from that NAT devices give the same network protection as a firewall? If an attacker
initiates a connection to a network through an obscure port, the NAT device checks the table. If it finds that no
one inside the network has requested information on that port, it drops the packet, providing, in this sense, a
modicum of security. That’s how the myth originated.
But NAT devices weren’t designed for security. In fact, their main purpose is to share access to the Internet and
let traffic in. Any security benefits provided are side effects. Although these devices are often advertised as
providing “firewall-like security,” the vendors that make them generally aren’t focused on security and don’t
provide protection against new types of threats. With only a NAT device between a network and the Internet, all
computers on that network are vulnerable.
For example, a hacker can send an "anybody there?" message, called a ping, to millions of addresses. Firewalls
recognize ping and hide themselves. NAT devices, however, respond, letting the hacker know he's found a live
connection and an easy way in to the network.
Interestingly, hackers have developed attacks specifically for NAT devices, including:
􀂃 Exploiting open ports. Once a NAT device opens a port by putting it in the NAT table, all traffic destined to that
port is allowed through to the local computer identified in the table. Hackers use automated programs to guess which
ports NAT has opened, and they keep trying until they get through.
􀂃 Taking over the server. Some NAT devices can be configured so that packets not matching anything in the NAT
table are sent to a specified computer, such as a server, rather than be discarded. This lets the administrator ensure
that good traffic is not lost and that computer applications that wouldn’t normally work through NAT can run. But
from a security perspective this isn’t smart because it allows the NAT device to let everything through. Once a
hacker gets control of the server, he can easily access any other computer on the same network.
􀂃 Spoof attacks. NAT devices are especially susceptible to spoofing. That’s when hackers alter data packets to make it
look like they’re coming from a valid source. Anyone with sufficient technical knowledge, using hacking tools
freely available on the Internet, can put another user's IP address in the "From" (source) field of packets. Since NAT
relies on analyzing addresses, false addresses can easily compromise NAT devices.

said by Link Logger :

Let the challenge begin, good luck challengers and good luck FR114P.

said by jvmorris :

... with a maniacal grin on your face. (Please wear clothes; we have children here.)

said by B :

. . . . Blake, other than the obvious logged attempts, has anyone contacted you to formally take the challenge and/or describe an attack plan? Or are we just hoping that at least some talented folks are going to show us who's boss?

said by Just Bob :

That was 3 years ago and the problem was fixed.

»www.wi-fiplanet.com/news/article.php/1494941

said by chris10s :

Great test, keep up the good work!

With all this activity at your router have you noticed any slow down in your internet connection or has the the router lock up? My linksys bfsr41 tends to freeze up when it gets intensely probed.

said by Link Logger :

find a totally unpatched, unsecured XP Pro system complete with open shares. I log into this system as 'Bob' who is an administrator and doesn't have a password (the only thing worse then a weak password is no password).

said by B :

I think qrkx and BeesTea were making some pretty strong claims; have either of you two folks taken a crack at Blake yet?

-- B

said by Link Logger :

I don't have anything in front of the SR41 to analyze the different attacks being tried, so the best I can put up is what ports are being hit. I'm not interested in 'discovering' anyone's 0-day which gets past the router, only that something did and they can discuss it if they wish.