
Link Logger
MVM
join:2001-03-29
Calgary, AB

4 edits

7 recommendations

Link Logger

MVM

El Cheapo Router Challenge

In response to all the claims about NAT not being a worthy security device there is and has been for a long time an ongoing NAT challenge here where I can put up any one of a number of cheap consumer grade NAT routers (D-Link 604, Linksys SR41v1, SX41, WRT54GS, WRV54G, Netgear FR114P, FVS318v1, FVS318v3, Zyxel Zywall 10, 10w etc), post an IP address and if you can get through to a system behind the device (Windows 98SE open shares, it can't be any easier) then you win! I could also set up a sniffer behind the router for picking up UDP packets or whatever as well. You tell me the attack and then we will work to validate that it works.

I don't have any 'pure' NAT devices as I'm not really sure where I could buy one anymore. Certainly in the distant days of the past where there were 'pure' NAT devices then they could be 'hacked' in a number of different ways, but that was then and this is now and so-called NAT devices today are not the same as then (i.e. these are not your Daddy's NATs and hence are much more secure).

This challenge is about the truth and if a NAT router is a good inbound perimeter security device (I'm not claiming NAT devices will solve world hunger or anything, just prevent unsolicited inbound scans/attacks).

Blake

Edit: The IP address of the system can be found Here on page 17. New system configuration on page 18.

-- WCB!
B04
Premium Member
join:2000-10-28

1 edit

B04

Premium Member

Re: NAT Challenge

Thank you Blake! It's long overdue that your challenge had its own thread.

Your challenge reminds me of the Randi Foundation's ongoing million dollar challenge for claims of the paranormal -- you're willing to work with the claimants to pre-approve the terms by which the contest will be judged successful or failed.

For more background for the viewing audience -- »Security (NAT Router subsection link)

I take it that ANY unsolicited packet inside the LAN wins? Or must the claimant affect the open shares?

-- B

Link Logger
MVM
join:2001-03-29
Calgary, AB

Link Logger

MVM

said by B04:

I take it that ANY unsolicited packet inside the LAN wins? Or must the claimant affect the open shares?
I am willing to look at any method of getting anything past a NAT and then we will discuss it in the sense of just how 'damaging' could it be. If you read/write the shares then certainly it couldn't get much more damaging than that, but anything else is worthy of at least acknowledgement and discussion. If you were able to slide a stream of packets in and against a system behind a NAT then it's a possible worm infection so certainly getting packets by could be worthy (I'll put a totally unpatched XP system with open shares behind the NAT so it's vulnerable to all the current worms and exploits if that would help).

Blake
rgillis70
Premium Member
join:2002-12-30
Washington, DC

rgillis70 to Link Logger

Premium Member

to Link Logger
Yes thanks Link. I mentioned this today in a thread - this will make it much easier to point to if anyone wishes to challenge this or makes the "NAT can't protect you" statements.


ZOverLord
Premium Member
join:2003-10-20
Minneapolis, MN

1 recommendation

ZOverLord to B04

Premium Member

to B04
said by B04:

Thank you Blake! It's long overdue that your challenge had its own thread.

Your challenge reminds me of the Randi Foundation's ongoing million dollar challenge for claims of the paranormal -- you're willing to work with the claimants to pre-approve the terms by which the contest will be judged successful or failed.

For more background for the viewing audience -- »Security (NAT Router subsection link)

I take it that ANY unsolicited packet inside the LAN wins? Or must the claimant affect the open shares?

-- B
Yep I agree.

Take That Sylvia Brown!

Daniel
MVM
join:2000-06-26
San Francisco, CA

Daniel to rgillis70

MVM

to rgillis70
Can we have you surf and such while we try? I've wanted to do some of this testing for quite a while anyway.

Gelroos
Mad Mage
Premium Member
join:2003-05-23
Washington, DC

Gelroos

Premium Member

Bahh, Daniel that's cheatin'

Seriously while I would agree that some outbound traffic would be classified as "typical", this "mythical" NAT-transversal attack (sounds nice at least) should work whether someone is sending packets outbound (hence having at least "something" in the tables) or the connect is idle. I've "heard" that people can do this, I've never seen proof...I'd like to see some of the people who have said it is possible do this, and then explain to me HTH they did it.
B04
Premium Member
join:2000-10-28

B04

Premium Member


Well yeah, but the cool part of the challenge should be that the leet hackerz don't have to reveal how they did it -- all they have to do is... do it!

We don't want to give them any excuse not to demonstrate their leetitude.

-- B

Link Logger
MVM
join:2001-03-29
Calgary, AB

Link Logger to Daniel

MVM

to Daniel
said by Daniel:

Can we have you surf and such while we try? I've wanted to do some of this testing for quite a while anyway.
When do you want to do it and do you have a preference as to which NAT device? Would I be surfing to your site, or just surfing in general?

Blake
Link Logger

Link Logger to B04

MVM

to B04
said by B04:

Well yeah, but the cool part of the challenge should be that the leet hackerz don't have to reveal how they did it -- all they have to do is... do it!
If requested I would be happy to keep the attack technique confidential except for the fact that it worked, whatever it takes to prove or disprove how safe NAT devices are, as that is the ultimate goal of this challenge.

Blake

Gelroos
Mad Mage
Premium Member
join:2003-05-23
Washington, DC

Gelroos

Premium Member

Well if you are going to be so considerate LL, All you have to do is go to a specified URL running a specified browser and click on a specified link...Then click the run button

dadkins
Can you do Blu?
MVM
join:2003-09-26
Hercules, CA

dadkins to Link Logger

MVM

to Link Logger
Only thing is, most people here are into STOPPING this kind of action. Post the IP at one of the better-known sk sites/forums... you know, on the seedier side of the web.

Also, set up the test as a "working" setup. You know, with a few items allowed to go through - like your browser... perhaps a service or two. The things that ask for connection from a firewall perspective.

I could do a factory reset to my router and not run the wizard(Auto-Config) or allow the "items" that are required access to even work and nothing will be able to get in. This would be an unfair test, no?

While I do know that a NAT router does protect you from most of the garbage/connections you don't want, "NOTHING" is 100%.
This is why we all recommend Layers, right?

Running some sort of firewall that at least logs connection attempts, whether an attack or a simple unsolicited connection request/packet, will show you that occasionally, things do get past a router.

Good luck with your challenge Link Logger!
B04
Premium Member
join:2000-10-28

B04

Premium Member

No, no, dadkins, it's not like that.

Most SOHO NAT routers don't even try to prevent outbound activity -- there's no permissions prompted or required such as one would see with personal firewall software.

By common definition, it's not just the browser and a few services that would be allowed out -- ALL programs can get out through the router. It's only unsolicited inbound traffic that we're testing here. (If Blake were already running the cracker's trojan program the test would be a waste of time.)

However, I do like your recommendation that the challenge be publicized in more "appropriate" places... with LL's permission of course.

-- B

BeesTea
Internet Janitor
Premium Member
join:2003-03-08
00000

BeesTea to Link Logger

Premium Member

to Link Logger
Shouldn't this challenge be called the "Firewall Appliance Challenge" ? Every one of those devices is a firewall. NAT just happens to be one of their features.

salzan
Experienced Optimist
Premium Member
join:2004-01-08
WA State

1 recommendation

salzan to Link Logger

Premium Member

to Link Logger
Will the router have remote admin enabled if it's the default setting?

dadkins
Can you do Blu?
MVM
join:2003-09-26
Hercules, CA

1 edit

dadkins to B04

MVM

to B04
Yeah B, I know there are no prompts, but for a SOHO router test to appear valid, one does have to set it up.

*MY* router, after running Auto-Config, has a couple of items allowed. Add to that, to make this a more Joe User like test, allow a game or two through the router(don't some require inbound?).

I'd like to see this as real as possible.
B04
Premium Member
join:2000-10-28

1 recommendation

B04 to BeesTea

Premium Member

to BeesTea

Aww, c'mon. Blake tried to address that at the outset.

The point (I think) is to test the real-world protection provided by SOHO-class routers currently available. They don't say "Firewall" on the box (at least not in big letters). They say "router".

Personally I've always liked to call it the "El Cheapo NAT Router Challenge".

-- B

BeesTea
Internet Janitor
Premium Member
join:2003-03-08
00000

1 recommendation

BeesTea

Premium Member

said by B04:

They don't say "Firewall" on the box (at least not in big letters). They say "router".
They don't say NAT either.

This gives the impression to people that NAT is some kind of layer of security. It's the stateful filtering that's providing the security, not the NAT.

Haven't we had threads upon threads about what part of these appliances are doing the heavy lifting ?
B04
Premium Member
join:2000-10-28

B04

Premium Member


Well I say there are only 6,621,661,912 angels dancing on that thing...

-- B

Link Logger
MVM
join:2001-03-29
Calgary, AB

Link Logger to Gelroos

MVM

to Gelroos
said by Gelroos:

Well if you are going to be so considerate LL, All you have to do is go to a specified URL running a specified browser and click on a specified link...Then click the run button
Is that all you want me to do?? I'm at a client site right now (largest bank in the world) but I'd gladly do that for you right now as I'm logged on to the top level domain server which has all the transfer accounts and such on it so it shouldn't be a problem to do your quick test right away

Blake

dadkins
Can you do Blu?
MVM
join:2003-09-26
Hercules, CA

dadkins to Link Logger

MVM

to Link Logger
Something else to add into the mix, for a touch more reality... BT or(plus?) some other P2P app allowed through the router. BT does have to allow inbound, right?

Thanks B!

Just trying to keep it real.

Link Logger
MVM
join:2001-03-29
Calgary, AB

1 recommendation

Link Logger to salzan

MVM

to salzan
said by salzan:

Will the router have remote admin enabled if it's the default setting?
How about default settings for current firmware version? If there is a default configuration issue then game on and we will flame the vendor for such a bone head move with proof in hand.

Blake
qrkx
Premium Member
join:2003-04-26
Montreal, QC

1 recommendation

qrkx to Link Logger

Premium Member

to Link Logger
Blake,

I'll be more than glad to do some tests in the coming days - regardless of the firewall box in place.(I think we discussed the semantics and you should change the thread title accordingly)
However - we should do this privately (I really don't think we need a peanut gallery...) and agree upon test methodology (these tests will be performed across ISP bbones and we should consider any ill side effects due to spoofing, ISP filtering, etc). We could then publish the conditions/results of the tests and draw any necessary conclusions.

rgds

Link Logger
MVM
join:2001-03-29
Calgary, AB

Link Logger to B04

MVM

to B04
Feel free to post the link to this thread wherever you like. The truth is out there somewhere.

Blake
Link Logger

1 recommendation

Link Logger to dadkins

MVM

to dadkins
said by dadkins:

Running some sort of firewall that at least logs connection attempts, whether an attack or a simple unsolicited connection request/packet, will show you that occasionally, things do get past a router.
For this test I would run a traffic sniffer in promiscuous mode behind the NAT to pick up any unsolicited traffic to prove or disprove a successful 'bypass' of the NAT.

Blake
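The validation step described in the post above (a sniffer behind the router, looking for unsolicited traffic), as an added example that is not part of the original thread: it replays captured packets against a table of flows opened from the LAN side and reports any inbound packet that matches no live flow. The LAN prefix, the 60-second idle timeout, the `Pkt` record layout and the sample capture are assumptions constructed for illustration.

```python
from collections import namedtuple

# One packet as seen by a sniffer on the LAN side of the router (assumed record layout).
Pkt = namedtuple("Pkt", "ts proto src sport dst dport")

LAN_PREFIX = "192.168.1."   # assumed LAN addressing
IDLE_TIMEOUT = 60.0         # assumed seconds a flow stays live after its last packet

def is_lan(addr):
    return addr.startswith(LAN_PREFIX)

def find_unsolicited(packets, idle_timeout=IDLE_TIMEOUT):
    """Return inbound packets that match no live flow opened from the LAN."""
    flows = {}        # (proto, lan_ip, lan_port, remote_ip, remote_port) -> last seen ts
    unsolicited = []
    for p in sorted(packets, key=lambda p: p.ts):
        if is_lan(p.src) and is_lan(p.dst):
            continue                      # LAN-local traffic never crossed the router
        if is_lan(p.src):                 # outbound packet opens or refreshes a flow
            flows[(p.proto, p.src, p.sport, p.dst, p.dport)] = p.ts
            continue
        key = (p.proto, p.dst, p.dport, p.src, p.sport)   # inbound: reverse the tuple
        last = flows.get(key)
        if last is not None and p.ts - last <= idle_timeout:
            flows[key] = p.ts             # reply on a live flow keeps it alive
        else:
            unsolicited.append(p)         # no matching flow, or the flow has expired
    return unsolicited

# Constructed sample capture (documentation address ranges, not real hosts).
SAMPLE = [
    Pkt(0.0, "tcp", "192.168.1.10", 1045, "203.0.113.5", 80),    # outbound web request
    Pkt(0.2, "tcp", "203.0.113.5", 80, "192.168.1.10", 1045),    # reply on that flow
    Pkt(5.0, "tcp", "198.51.100.7", 4444, "192.168.1.10", 139),  # host never contacted
    Pkt(6.0, "tcp", "203.0.113.5", 80, "192.168.1.10", 139),     # known host, other port
    Pkt(10.0, "udp", "192.168.1.10", 1050, "203.0.113.9", 53),   # outbound DNS query
    Pkt(90.0, "udp", "203.0.113.9", 53, "192.168.1.10", 1050),   # arrives after timeout
]

if __name__ == "__main__":
    for p in find_unsolicited(SAMPLE):
        print("unsolicited:", p)
```

Any packet this reports on a real capture is the evidence the challenge asks for; an empty result over the test window supports the router having dropped everything unsolicited.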
Link Logger

Link Logger

MVM

I would agree somewhat with changing the title as true I don't want to mislead anyone, however when people talk poorly about NATs they are often talking about cheapo systems like Linksys (otherwise why would they be talking about an almost mythical piece of hardware that no one has) etc, so in that sense the title is correct as that is what I'm putting up. So I'm not totally convinced the title is wrong, but certainly I'm always open to suggestions for improvement.

Blake
B04
Premium Member
join:2000-10-28

1 recommendation

B04

Premium Member


I'd suggest "SOHO Router Challenge" or, even better, "Home Router Challenge". (Lots of people don't know what SOHO means, and it really is kind of a dumb acronym anyway.)

I'm guessing you don't like my real preference in "El Cheapo NAT Router Challenge"...

Last suggestion would be "$20 Router Challenge". I just checked Buy.com and there are at least 3 routers under $30.

-- B

Daniel
MVM
join:2000-06-26
San Francisco, CA

Daniel to Link Logger

MVM

to Link Logger
said by Link Logger:
said by Daniel:

Can we have you surf and such while we try? I've wanted to do some of this testing for quite a while anyway.
When do you want to do it and do you have a preference as to which NAT device? Would I be surfing to your site, or just surfing in general?
I'm not sure what the parameters would be, but no, it wouldn't be to a site I own. The idea would be to try and ride back through entries in your NAT table. I'm not saying I could do this, or that it can be done, but I don't see it as impossible.

As for whether or not someone could get packets into a modern SOHO router that doesn't have anything in the NAT table -- that I'd rate as highly unlikely.

But yeah, I think we should explore this for real this time. Many of us here have wanted to for a while now; we should just go ahead and do it. Let's set up a time to meet in #ATU or something.

Link Logger
MVM
join:2001-03-29
Calgary, AB

1 recommendation

Link Logger to B04

MVM

to B04

El Cheapo NAT Router Challenge

Actually I do like it.

Blake
B04
Premium Member
join:2000-10-28

B04 to Daniel

Premium Member

to Daniel

Re: NAT Challenge


A variation to a site you own would probably be good too -- the attack could involve an HTML e-mail message with links back to an image at your site -- the image retrieval would alert you to the target's presence (and presumably NAT table state).

Stretching the definition of "unsolicited" I realize, but...

-- B