

Flogator
Premium,MVM
join:2003-01-19
Cantley, QC
kudos:1

reply to skj

Re: BEFSX41 Stealth & Closed Ports and AFP

I suppose we should have explained this problem better to the community. Let's just say that Linksys is aware of this. Let's add that firmware 1.44.11t does not fix this problem. And before diving into the specifics of the problem, let's specify that even though this is a conceptual problem, it does not permit a hacker or an intruder to get to your local network. The ONLY side effect of this bug is purely and simply the fact that under some circumstances (which I describe below), the BEFSX41 will advertise its presence on the internet. That's it, that's all. Note that this problem is not present if you disable the SPI firewall (also known as the advanced firewall), simply because the problem is in the SPI firewall itself.

A good SPI firewall keeps state about established TCP connections. This state allows the firewall to discard any packet that does not match a precise set of conditions, much better than a regular NAT firewall would do. A good SPI firewall keeps such state only once a given TCP connection is fully connected (meaning the initial 3-way handshake is completed). The problem with the BEFSX41 SPI firewall implementation is that it starts maintaining state on TCP connections even if the 3-way handshake is not completed. If you get a DoS attack using a TCP SYN flood on different ports in a very short amount of time, you will exhaust the BEFSX41 SPI TCP connection state table. So far that is not that bad. The problem comes from the fact that when it has exhausted its connection table, the BEFSX41 starts replying with SYN/RST, and that is what the nanoprobe test is complaining about. Replying with SYN/RST is a standard response when not behind a firewall, BUT THAT IS NOT THE DESIRED BEHAVIOR FOR A GOOD SPI FIREWALL.

The BEFSX41 SPI bug is about replying with a SYN/RST packet, thus revealing the existence of the IP address to the internet. That is what Linksys has to fix in their next firmware version.

Again, as I said before, this bug does not open holes for hackers or intruders but rather advertises the presence on the internet with those SYN/RST packets.
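A toy model of the state-table behaviour described in this post, added here as an illustration; it is not code from the original post, from Linksys, or from the BEFSX41 firmware. It compares a firewall that commits a table entry on every inbound SYN and answers with a reset (the packet the post calls SYN/RST) once the table is full against one that only commits state when the LAN side completes the 3-way handshake and silently drops unsolicited SYNs. The table size of 64, the port range, the addresses and the class and function names are assumptions chosen for the example; the real table size is not stated on the page.

```python
"""Toy model of an SPI firewall's TCP state table under a SYN flood.

Added example; not code from the original post and not Linksys firmware.
Table size, port range and addresses below are made-up values.
"""
from collections import Counter
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    DROP = "drop"        # silently discarded: a scanner sees no answer ("stealth")
    RST = "rst"          # a reset goes back: the scanner learns a host is there
    FORWARD = "forward"  # part of a tracked connection: passed through


@dataclass(frozen=True)
class Pkt:
    remote_ip: str
    remote_port: int
    local_port: int
    flags: frozenset     # subset of {"SYN", "ACK"}; enough for this model
    inbound: bool        # True if the packet arrives from the WAN side


class SpiFirewall:
    """track_half_open=True, rst_when_full=True reproduces the behaviour the post describes."""

    def __init__(self, table_size, track_half_open, rst_when_full):
        self.table_size = table_size
        self.track_half_open = track_half_open
        self.rst_when_full = rst_when_full
        self.states = {}      # (remote_ip, remote_port, local_port) -> "half_open" | "established"
        self.pending = set()  # outbound SYNs awaiting their SYN/ACK; not fillable from the WAN

    @staticmethod
    def _flow(p):
        return (p.remote_ip, p.remote_port, p.local_port)

    def _add_state(self, flow, state):
        if len(self.states) >= self.table_size:
            return False          # table exhausted
        self.states[flow] = state
        return True

    def process(self, p):
        flow = self._flow(p)
        syn, ack = "SYN" in p.flags, "ACK" in p.flags
        if not p.inbound:
            if syn and not ack:               # step 1: LAN host sends SYN
                self.pending.add(flow)
                return Verdict.FORWARD
            if ack and flow in self.pending:  # step 3: LAN host's ACK completes the handshake
                self.pending.discard(flow)
                # Only now does a correct SPI firewall commit a table entry.
                return Verdict.FORWARD if self._add_state(flow, "established") else Verdict.DROP
            return Verdict.FORWARD if flow in self.states else Verdict.DROP
        # Inbound from the WAN.
        if flow in self.states:
            return Verdict.FORWARD
        if syn and ack and flow in self.pending:  # step 2 of a handshake we started
            return Verdict.FORWARD
        if syn and not ack:
            # Unsolicited inbound SYN: a port probe or one packet of a SYN flood.
            if self.track_half_open:
                if self._add_state(flow, "half_open"):
                    return Verdict.DROP
                if self.rst_when_full:        # table full: the reset that reveals the host
                    return Verdict.RST
            return Verdict.DROP
        return Verdict.DROP


def open_outbound(fw, remote_ip="198.51.100.7", remote_port=80, local_port=40000):
    """LAN host completes a 3-way handshake to a web server; returns the three verdicts."""
    s = dict(remote_ip=remote_ip, remote_port=remote_port, local_port=local_port)
    return (
        fw.process(Pkt(**s, flags=frozenset({"SYN"}), inbound=False)),
        fw.process(Pkt(**s, flags=frozenset({"SYN", "ACK"}), inbound=True)),
        fw.process(Pkt(**s, flags=frozenset({"ACK"}), inbound=False)),
    )


def syn_flood(fw, n_ports, attacker="203.0.113.9"):
    """One SYN per local port from a single constructed source; returns a Counter of verdicts."""
    c = Counter()
    for port in range(1, n_ports + 1):
        c[fw.process(Pkt(attacker, 50000 + port, port, frozenset({"SYN"}), True))] += 1
    return c


def compare(table_size=64, n_ports=2000):
    """Run one legitimate connection, then a flood, through both policies."""
    out = {}
    for name, fw in (("befsx41_like", SpiFirewall(table_size, True, True)),
                     ("correct_spi", SpiFirewall(table_size, False, False))):
        assert open_outbound(fw) == (Verdict.FORWARD,) * 3
        flood = syn_flood(fw, n_ports)
        out[name] = {"drop": flood[Verdict.DROP], "rst": flood[Verdict.RST],
                     "table_used": len(fw.states)}
    return out


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:13s} dropped={r['drop']:5d} reset={r['rst']:5d} table entries={r['table_used']}")
```

With the half-open policy the first 63 probes fill the remaining table slots and are dropped, and every later probe gets a reset, which is exactly the "closed, not stealth" result a fast scan would report; the established-only policy drops all 2000 probes and its table holds nothing but the one real connection. Note also that once the half-open table is full, a new legitimate outbound connection has no slot left either, so the model shows the exhaustion itself as well as the leak.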


skj
Welcome to the far side of reality
Premium,Mod
join:2002-04-04
Gone South

Thank you Flogator for your detailed explanation which explains the issue very clearly.


rboone18

join:2001-12-19
Indianapolis, IN

My two cents is, if I had known of this fault I would never have bought it, because this is fucking crap. If I wanted to be seen, then I wouldn't have picked the option to not be pinged. I picked an advanced firewall for security, and them knowing I am still connected doesn't show much of a security measure. I think Linksys, or Cisco since they are connected, should get off their ass and fix it. The advanced firewall doesn't look so advanced if you are seen, when the previous standard BEFSR41 v2 never showed me up in stealth as far as I know. So someone needs to push the paper on this issue and fix it. This is a big disappointment to me in Linksys products; if they can't get the job done and fix this issue then they shouldn't be in business. Advanced firewall my ass if it can't keep me stealth completely.

-illusion

P.S. My comments; I am sure most will be close to my view, just not as pissed off as me.



Flogator
Premium,MVM
join:2003-01-19
Cantley, QC
kudos:1

rboone18, if you are patient, in the meantime you could disable the advanced firewall until the next firmware version (assuming this will be fixed then). Disabling the advanced firewall will make your BEFSX41 act like a BEFSR41. Otherwise, I may recommend some other brand of router with very similar features but slightly more expensive.



skj
Welcome to the far side of reality
Premium,Mod
join:2002-04-04
Gone South

said by Flogator:
rboone18, if you are patient, in the meantime you could disable the advanced firewall until the next firmware version (assuming this will be fixed then). Disabling the advanced firewall will make your BEFSX41 act like a BEFSR41. Otherwise, I may recommend some other brand of router with very similar features but slightly more expensive.
The question also becomes are you still better off (more secure) with the "advanced" firewall enabled?


d_l
Barsoom
Premium,MVM
join:2002-12-08
Reno, NV
kudos:7

reply to Flogator
Flogator, I'm not familiar with the exact specifics of a SYN flood attack. You said, "If you get a DoS attack using a TCP SYN flood on different ports ..." Do SYN attacks use different ports or all the same? If you had a SYN attack, shouldn't/wouldn't the SPI function just drop the records of the connection state so it doesn't fill the table? I mean, you get a warning from the router saying that it is a possible SYN attack, but doesn't the router actually do something about the problem?

I guess what I'm asking is, are GRC's probes a good simulation of a SYN attack or just a very fast port probe. This "unstealthed" port problem seems to be a scan-rate related bug.

If the router is scanned at a slower rate, I'm sure those ports above ~1000 wouldn't be showing. The connection state table has to have an update feature that replaces the "aged" data so it would never "overflow".

If it is scanned too fast, I just thought that the whole point of an SPI feature was that it would just note that a SYN flood was happening and drop the connection state data associated with the flood attack so as to not be overloaded. Now if the SX41 is probed between these two extreme speeds, then maybe that is where the bug comes into play.


© 1999-2012 dslreports.com.