Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
 ·Shaw
4 edits | El Cheapo Router Challenge
In response to all the claims about NAT not being a worthy security device there is and has been for a long time a ongoing NAT challenge here where I can put up any one of a number of cheap consumer grade NAT routers (D-Link 604, Linksys SR41v1, SX41, WRT54GS, WRV54G, Netgear FR114P, FVS318v1, FVS318v3, Zyxel Zywall 10, 10w etc) post an IP address and if you can get through to a system behind the device (Windows 98SE open shares, it can't be any easier) then you win! I could also setup a sniffer behind the router for picking up UDP packets or whatever as well. You tell me the attack and then we will work to validate that it works.
I don't have any 'pure' NAT devices as I'm not really sure where I could buy one anymore. Certainly in the distance days of past where there were 'pure' NAT devices then they could be 'hacked' in a number of different ways, but that was then and this is now and so called NAT devices today are not the same as then (ie these are not your Daddy's NATs and hence are much more secure).
This challenge is about the truth and if a NAT router is a good inbound perimeter security device (I'm not claiming NAT devices will solve world hunger or anything, just prevent unsolicited inbound scans/attacks).
Blake
Edit: The IP address of the system can be found Here on page 17. New system configuration on page 18.-- WCB!
--
Vendor: Firewall Logging Software
»www.SonicLogger.com - SonicWall and 3Com
»www.LinkLogger.com - Linksys, Netgear and Zyxel |
|
B
Premium,MVM
join:2000-10-28
1 edit | Re: NAT Challenge
Thank you Blake! It's long overdue that your challenge had its own thread.
Your challenge reminds me of the Randi Foundation's ongoing million dollar challenge for claims of the paranormal -- you're willing to work with the claimants to pre-approve the terms by which the contest will be judged successful or failed.
For more background for the viewing audience -- »Security (NAT Router subsection link)
I take it that ANY unsolicited packet inside the LAN wins? Or must the claimant affect the open shares?
-- B
--
In a realm outside causality and function |
|
Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
·Shaw
| said by B  :I take it that ANY unsolicited packet inside the LAN wins? Or must the claimant affect the open shares? I am willing to look at any method of getting anything past a NAT and then we will discuss it in the sense of just how 'damaging' could it be. If you read/write the shares then certainly it couldn't get much more damaging then that, but anything else is worthy of at least acknowledgement and discussion. If you were able to slide a stream of packets in and against a system behind a NAT then its a possible worm infection so certainly getting packets by could be worthy (I'll put a totally unpactched XP system with open shares behind the NAT so its vulnerable to all the current worms and exploits if that would help).
Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel |
|
rgillis70
Premium
join:2002-12-30
Herndon, VA
·Cox HSI
| reply to Link Logger
Yes thanks Link. I mentioned this today in a thread - this will make it much easier to point to if anyone wishes to challenge this or makes the "NAT can't protect you" statements.
 |
|
ZOverLord
Premium
join:2003-10-20
Minneapolis, MN
| reply to B
said by B :Thank you Blake! It's long overdue that your challenge had its own thread. Your challenge reminds me of the Randi Foundation's ongoing million dollar challenge for claims of the paranormal -- you're willing to work with the claimants to pre-approve the terms by which the contest will be judged successful or failed. For more background for the viewing audience -- » Security (NAT Router subsection link) I take it that ANY unsolicited packet inside the LAN wins? Or must the claimant affect the open shares? -- B Yep I agree.
Take That Sylvia Brown!
--
Black, Grey and White Hats Unite here -> »testing.OnlyTheRightAnswers.com |
|
Daniel
Premium,MVM
join:2000-06-26
Pleasanton, CA
clubs:  | reply to rgillis70
Can we have you surf and such while we try? I've wanted to do some of this testing for quite a while anyway.
--
dmiessler.com -- grep understanding knowledge |
|
Gelroos
Mad Mage
Premium
join:2003-05-23
Wilmington, DE
| Bahh, Daniel that's cheatin' 
Seriously while I would agree that some outbound traffic would be classified as "typical", this "mythical" NAT-transversal attack (sounds nice at least) should work whether someone is sending packets outbound (hence having at least "something" in the tables) or the connect is idle. I've "heard" that people can do this, I've never seen proof...I'd like to see some of the people who have said it is possible do this, and then explain to me HTH they did it.
--
The tree of liberty must be refreshed from time to time with the blood of patriots & tyrants. It is it's natural manure.The "Tree of Liberty" letter From Thomas Jefferson to William Smith |
|
B
Premium,MVM
join:2000-10-28
|
Well yeah, but the cool part of the challenge should be that the leet hackerz don't have to reveal how they did it -- all they have to do is... do it!
We don't want to give them any excuse not to demonstrate their leetitude.
-- B
--
In a realm outside causality and function |
|
Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
·Shaw
| reply to Daniel
said by Daniel :Can we have you surf and such while we try? I've wanted to do some of this testing for quite a while anyway. When do you want to do it and do you have a preference as to which NAT device? Would I be surfing to your site, or just surfing in general?
Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel |
|
Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
·Shaw
| reply to B
said by B :Well yeah, but the cool part of the challenge should be that the leet hackerz don't have to reveal how they did it -- all they have to do is... do it! If requested I would be happy to keep the attack technique confidential except for the fact that it worked, what ever it takes to prove or disprove how safe NAT devices are, as that is ultimate goal of this challenge.
Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel |
|
Gelroos
Mad Mage
Premium
join:2003-05-23
Wilmington, DE | Well if you are going to be so considerate LL, All you have to do is go to a specified URL running a specified browser and click on a specified link...Then click the run button |
|
dadkins
Can you do Blu?
Premium,MVM
join:2003-09-26
Hercules, CA
·Comcast
| reply to Link Logger
Only thing is, most people here are into STOPPING this kind action. Post the IP at one of the better know sk sites/forums... you know, on the seedier side of the web.
Also, set up the test as a "working" setup. You know, with a few items allowed to go through - like your browser... perhaps a service or two. The things that ask for connection from a firewall perspective.
I could do a factory reset to my router and not run the wizard(Auto-Config) or allow the "items" that are required access to even work and nothing will be able to get in. This would be an unfair test, no?
While I do know that a NAT router does protect you from most of the garbage/connections you don't want, "NOTHING" is 100%.
This is why we all recommend Layers, right?
Running some sort of firewall that at least logs connection attempts, whether an attack or a simple unsolicited connection request/packet, will show you that occasionally, things do get past a router.
Good luck with your challenge Link Logger!
--
Think outside the Fox... Opera |
|
B
Premium,MVM
join:2000-10-28
| No, no, dadkins , it's not like that.
Most SOHO NAT routers don't even try to prevent outbound activity -- there's no permissions prompted or required such as one would see with personal firewall software.
By common definition, it's not just the browser and a few services that would be allowed out -- ALL programs can get out through the router. It's only unsolicited inbound traffic that we're testing here. (If Blake were already running the cracker's trojan program the test would be a waste of time.)
However, I do like your recommendation that the challenge be publicized in more "appropriate" places... with LL's permission of course.
-- B
--
In a realm outside causality and function |
|
BeesTea
Network Janitor
Premium,VIP
join:2003-03-08
00000 | reply to Link Logger
Shouldn't this challenge be called the "Firewall Appliance Challenge" ? Every one of those devices is a firewall. NAT just happens to be one of their features.
--
Captain of the ATU Tux Racer Clan. |
|
salzan
Experienced Optimist
Premium
join:2004-01-08
WA State | reply to Link Logger
Will the router have remote admin enabled if it's the default setting? |
|
dadkins
Can you do Blu?
Premium,MVM
join:2003-09-26
Hercules, CA
·Comcast
1 edit | reply to B
Yeah B, I know there are no prompts. but for a SOHO router test to appear valid, one does have to set it up.
*MY* router, after running Auto-Config, has a couple of items allowed. Add to that, to make this a more Joe User like test, allow a game or two through the router(don't some require inbound?).
I'd like to see this as real as possible.
--
Think outside the Fox... Opera |
|
B
Premium,MVM
join:2000-10-28
| reply to BeesTea
Aww, c'mon. Blake tried to address that at the outset.
The point (I think) is to test the real-world protection provided by SOHO-class routers currently available. They don't say "Firewall" on the box (at least not in big letters). They say "router".
Personally I've always liked to call it the "El Cheapo NAT Router Challenge".
-- B
--
In a realm outside causality and function |
|
BeesTea
Network Janitor
Premium,VIP
join:2003-03-08
00000
| said by B : They don't say "Firewall" on the box (at least not in big letters). They say "router". They don't say NAT either.
This gives the impression to people that NAT is some kind of layer of security. It's the stateful filtering that's providing the security, not the NAT.
Haven't we had threads upon threads about what part of these appliances are doing the heavy lifting ?
--
Captain of the ATU Tux Racer Clan. |
|
B
Premium,MVM
join:2000-10-28 | Well I say there are only 6,621,661,912 angels dancing on that thing...
-- B
--
In a realm outside causality and function |
|
Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
·Shaw
| reply to Gelroos
said by Gelroos :Well if you are going to be so considerate LL, All you have to do is go to a specified URL running a specified browser and click on a specified link...Then click the run button Is that all you want me to do?? I'm at a client site right now (largest bank in the world) but I'd gladly do that for you right now as I'm logged on to the top level domain server which has all the transfer accounts and such on it so it shouldn't be a problem to do your quick test right away
Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel |
|
