Geekzone: technology news, blogs, forums
NetSafeChris
2 posts

Wannabe Geek
+1 received by user: 1

Trusted
Netsafe

  #824645 24-May-2013 11:48

I saw Juha Saarinen tweet this link and am intrigued by the flaw you identify for the increased data usage.

At NetSafe we had this issue raised by a new Orcon customer and there was absolutely no reason for the massive rise in data usage - no sign of malware at all, no sharing of passwords with house guests, good encryption and long passphrase - all the standard consumer security messaging we put out around wireless.

But this would suggest the firmware in the box itself - something the average home user simply plugs in and hopes for the best with - is the issue, leaving ports open that allow DNS resolving to use traffic on their account. Have I absorbed the 2 page thread correctly?

So how do we convey blocking ports and setting up a DMZ to the average home user? Or should the home user only use the modem the ISP delivers and hopefully has tested and secured?





http://www.securitycentral.org.nz



JamesL
956 posts

Ultimate Geek
+1 received by user: 342
Inactive user


  #824647 24-May-2013 11:54

The problem is the modem shouldn't expose DNS on the WAN side, which is what this Tenda modem is doing.

Any reputable brand shouldn't have this problem, so there should be no reason to be resigned to ISP-provided modems, but for the average home user it's probably safer to use the ISP-supplied one as long as it's been tested.

freitasm
BDFL - Memuneh
80653 posts

Uber Geek
+1 received by user: 41045

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #824649 24-May-2013 11:59

NetSafeChris: But this would suggest the firmware in the box itself - something the average home user simply plugs in and hopes for the best with - is the issue, leaving ports open that allow DNS resolving to use traffic on their account. Have I absorbed the 2 page thread correctly?


Chris, you got it right. Most importantly, it was not only using DNS but also allowing the modem/router to be an active participant in DNS DDoS against web servers by using DNS amplification.

NetSafeChris: So how do we convey blocking ports and setting up a DMZ to the average home user? Or should the home user only use the modem the ISP delivers and hopefully has tested and secured?


See previous reply.







 




darthmeow
101 posts

Master Geek
+1 received by user: 22


  #824652 24-May-2013 12:03

I wouldn't be at all surprised if these modems/routers are also vulnerable to UPnP calls from the WAN side. I've seen a few already.

Thanks for the heads up too. I'll be making sure my regular clients don't get these!




Nyan

eXDee
4033 posts

Uber Geek
+1 received by user: 1070

Trusted

  #824656 24-May-2013 12:07

NetSafeChris: I saw Juha Saarinen tweet this link and am intrigued by the flaw you identify for the increased data usage.

At NetSafe we had this issue raised by a new Orcon customer and there was absolutely no reason for the massive rise in data usage - no sign of malware at all, no sharing of passwords with house guests, good encryption and long passphrase - all the standard consumer security messaging we put out around wireless.

But this would suggest the firmware in the box itself - something the average home user simply plugs in and hopes for the best with - is the issue, leaving ports open that allow DNS resolving to use traffic on their account. Have I absorbed the 2 page thread correctly?

So how do we convey blocking ports and setting up a DMZ to the average home user? Or should the home user only use the modem the ISP delivers and hopefully has tested and secured?


As stated by another user, Orcon customers should not see this unless the firewall has been disabled. Someone with a Genius modem can probably confirm this.

Advice should be to tell users to use the modem from their ISP if they are unsure. If they do choose to buy a modem from another brand, then they should only use one from a well known reputable brand, and that they should be aware of the risks. I'd point out specific brands that are known to have issues and that firewalls should always be enabled.

You may want to explain the reason why this is a major problem, that these are used in DDoS attacks and will likely result in high usage of their data cap (as well as potentially other security flaws from having an ineffective firewall, as demonstrated).

There are numerous online checks to find out whether someone is operating an open resolver on their IP or a subnet; I found 20 or so adjacent to my own IP from a quick scan on one online tool. Several of these have a mail server login on their web interface, and one or more belonged to rainbowprint.co.nz. Plenty of misconfigured servers out there, and we don't need home user modems adding to this.


A quick Google finds
http://dns.measurement-factory.com/surveys/openresolvers.html
and
http://openresolverproject.org/

Haven't found one with a simple test to your own IP without having to enter it, but there is probably one out there. You could possibly do this on your own website, wrapping it in a nice user friendly interface where they just press a button and it checks their connecting IP if it responds to DNS.

edit: here's an article by PCMag which attempts to explain it to a typical user, though it has them carry out several steps
http://securitywatch.pcmag.com/hacking/310118-are-you-a-zombie-how-to-check-for-open-dns-resolvers




freitasm
BDFL - Memuneh
80653 posts

Uber Geek
+1 received by user: 41045

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #824665 24-May-2013 12:24

eXDee: Haven't found one with a simple test to your own IP without having to enter it, but there is probably one out there. You could possibly do this on your own website, wrapping it in a nice user friendly interface where they just press a button and it checks their connecting IP if it responds to DNS.


https://www.grc.com/x/ne.dll?rh1dkyd2 and click Proceed. Then click Service Ports. No need to enter IP address.





darthmeow
101 posts

Master Geek
+1 received by user: 22


  #824676 24-May-2013 12:35

freitasm:
eXDee: Haven't found one with a simple test to your own IP without having to enter it, but there is probably one out there. You could possibly do this on your own website, wrapping it in a nice user friendly interface where they just press a button and it checks their connecting IP if it responds to DNS.


https://www.grc.com/x/ne.dll?rh1dkyd2 and click Proceed. Then click Service Ports. No need to enter IP address.



Or go to https://www.grc.com and click Shields Up, Proceed, All Service Ports. 9/10 with GRC now Shields Up won't load unless you go at it this way.




Nyan

eXDee
4033 posts

Uber Geek
+1 received by user: 1070

Trusted

  #824678 24-May-2013 12:38

darthmeow:
freitasm:
eXDee: Haven't found one with a simple test to your own IP without having to enter it, but there is probably one out there. You could possibly do this on your own website, wrapping it in a nice user friendly interface where they just press a button and it checks their connecting IP if it responds to DNS.


https://www.grc.com/x/ne.dll?rh1dkyd2 and click Proceed. Then click Service Ports. No need to enter IP address.



Or go to https://www.grc.com and click shields up, proceed, all service ports. 9/10 with GRC now shields up won't load unless you go at it this way.

Yeah, I got this.

However:
This Internet service ports "grid scan" determines the status — Open, Closed, or Stealth — of your system's first 1056 TCP ports.



DNS is port 53 UDP, not TCP. I think it's better to specifically check that a recursive resolver is responding to queries rather than a simple port test too, to result in fewer false positives.

Psi

Psi

19 posts

Geek


  #824700 24-May-2013 13:09

plambrechtsen: I would however like to know what its modem code is though.

If you could PM me, and if you are a Telecom customer, email me and we could do a quick line test with it and I can grab the necessary numbers at our end.


Telecom already know. They are investigating 5 other users with Tenda modems and similar issues.
See my first post on page 1.

kyhwana2
2572 posts

Uber Geek
+1 received by user: 233


  #824944 24-May-2013 19:38

eXDee:
DNS is port 53 UDP, not TCP. I think it's better to specifically check that a recursive resolver is responding to queries rather than a simple port test too, to result in fewer false positives.


Actually, it's both. If UDP doesn't work for whatever reason (packet too large/fragments/UDP not working) it will fall back to using TCP port 53.


eXDee
4033 posts

Uber Geek
+1 received by user: 1070

Trusted

  #824961 24-May-2013 20:15

kyhwana2:
eXDee:
DNS is port 53 UDP, not TCP. I think it's better to specifically check that a recursive resolver is responding to queries rather than a simple port test too, to result in fewer false positives.


Actually, it's both. If UDP doesn't work for whatever reason (packet too large/fragments/UDP not working) it will fall back to using TCP port 53.


Good point actually, though you want to test for 53 UDP at least/as well; I wouldn't be satisfied with a TCP-only check.
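The check eXDee and kyhwana2 are discussing above, a real recursive query sent over both UDP and TCP rather than a TCP-only port scan, together with the amplification ratio freitasm refers to earlier in the thread, as an added example that is not part of any post in this thread. It assumes Python 3 with only the standard library; the probe name (example.com), the 3-second timeout and the constructed sample reply are assumptions, not captured traffic. Run it with a WAN IP as the argument to probe a live box, or with no argument to exercise the parser on the constructed reply.

```python
"""Probe an IP for an open recursive DNS resolver over UDP and TCP.

Added example for the thread above, not code from any post in it.
Python 3, standard library only. PROBE_NAME and the constructed reply
below are assumptions, not captured traffic.
"""
import random
import socket
import struct
import sys

DNS_PORT = 53
TIMEOUT = 3.0
PROBE_NAME = "example.com"  # assumed: any public name that resolves will do


def build_query(name, txid, qtype=1):
    """Build a DNS query with RD=1 (recursion desired); qtype 1 = A record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_response(data, expected_txid):
    """Decode the 12-byte header and decide whether this is an open resolver.

    A resolver that is open to us answers our recursive query with QR=1,
    RA=1, rcode NOERROR and at least one answer. A server that merely has
    port 53 open but REFUSEs, or answers without RA, does not count.
    """
    if len(data) < 12:
        raise ValueError("DNS response shorter than header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    qr = bool(flags & 0x8000)   # response bit
    ra = bool(flags & 0x0080)   # recursion available
    rcode = flags & 0x000F      # 0 NOERROR, 3 NXDOMAIN, 5 REFUSED
    return {
        "txid_ok": txid == expected_txid,
        "is_response": qr,
        "recursion_available": ra,
        "rcode": rcode,
        "answers": an,
        "open_resolver": qr and txid == expected_txid and ra and rcode == 0 and an > 0,
    }


def amplification(query, response):
    """Bytes received per byte sent: what a spoofed-source query yields an attacker."""
    return len(response) / len(query)


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TCP stream closed early")
        buf += chunk
    return buf


def probe(ip, transport="udp", name=PROBE_NAME, timeout=TIMEOUT):
    """Send one recursive query to ip over 'udp' or 'tcp' and classify the reply."""
    txid = random.randrange(0x10000)
    query = build_query(name, txid)
    try:
        if transport == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(query, (ip, DNS_PORT))
                data, _ = s.recvfrom(4096)
        else:
            with socket.create_connection((ip, DNS_PORT), timeout=timeout) as s:
                s.sendall(struct.pack("!H", len(query)) + query)  # DNS over TCP is length-prefixed
                (length,) = struct.unpack("!H", _recv_exact(s, 2))
                data = _recv_exact(s, length)
    except OSError as exc:
        # UDP silence = filtered/stealth; TCP refusal = closed. Neither is an open resolver.
        return {"open_resolver": False, "error": type(exc).__name__}
    result = parse_response(data, txid)
    result["amplification"] = round(amplification(query, data), 2)
    return result


def constructed_open_resolver_reply(txid):
    """Constructed sample reply (not captured): NOERROR, RA set, one A record (192.0.2.1)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = build_query(PROBE_NAME, txid)[12:]
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + answer


if __name__ == "__main__":
    if len(sys.argv) > 1:                      # python3 probe.py <WAN-IP>
        for transport in ("udp", "tcp"):
            print(transport, probe(sys.argv[1], transport))
    else:                                      # offline run on the constructed reply
        q = build_query(PROBE_NAME, 0x1234)
        r = constructed_open_resolver_reply(0x1234)
        print(parse_response(r, 0x1234), "amplification x%.2f" % amplification(q, r))
```

A reply from a box with port 53 open but rcode REFUSED, or one without the RA bit, is not counted as open; that is exactly the false positive a bare port test reports. The amplification figure is the response/query byte ratio for a small A query; the ANY and DNSSEC-heavy queries used in real amplification attacks give far larger ratios from the same open resolver.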

blakamin
4431 posts

Uber Geek
+1 received by user: 1306
Inactive user


  #824999 24-May-2013 20:55

eXDee:
kyhwana2:
eXDee:
DNS is port 53 UDP, not TCP. I think it's better to specifically check that a recursive resolver is responding to queries rather than a simple port test too, to result in fewer false positives.


Actually, it's both. If UDP doesn't work for whatever reason (packet too large/fragments/UDP not working) it will fall back to using TCP port 53.


Good point actually, though you want to test for 53 UDP at least/as well; I wouldn't be satisfied with a TCP-only check.


Feel free to hassle Steve Gibson about it ;-p

plambrechtsen
1948 posts

Uber Geek
+1 received by user: 459
Inactive user


  #825017 24-May-2013 21:31

Psi:
plambrechtsen: I would however like to know what its modem code is though.

If you could PM me, and if you are a Telecom customer, email me and we could do a quick line test with it and I can grab the necessary numbers at our end.


Telecom already know. They are investigating 5 other users with Tenda modems and similar issues.
See my first post on page 1.


I will chase up with the CTS folks, but it would be helpful if you could help me out. I have asked nicely 3 times now. :)

Psi

Psi

19 posts

Geek


  #825028 24-May-2013 22:01

Emailed you plambrechtsen.



I heard back from Tenda.
After a few language issues they sent me a web GUI screenshot showing some web GUI options to enable/disable HTTP, ICMP, SNMP and Telnet on the WAN side.

Their picture shows the WAN accepting all of them. (All ticked)

I have yet to see if my friend's router actually has this page in their web GUI (I've never seen it before),
but it is located in an odd place and inside several submenus so I might have missed it.

In any case it doesn't explain why they have them all enabled on the WAN side as default.

NetSafeChris
2 posts

Wannabe Geek
+1 received by user: 1

Trusted
Netsafe

  #825191 25-May-2013 12:58

Thanks for all the responses to my query and I hope I didn't hijack the thread. I think I've got my head round the issue and will craft some new simple advice on how/what to check. The Shields Up tool is great but my knowledge of UDP vs TCP is lacking. Much obliged to all.




http://www.securitycentral.org.nz
