Geekzone: technology news, blogs, forums
NetSafeChris
#824645 24-May-2013 11:48

I saw Juha Saarinen tweet this link and am intrigued by the flaw you identify for the increased data usage.

At NetSafe we had this issue raised by a new Orcon customer and there was absolutely no reason for the massive rise in data usage - no sign of malware at all, no sharing of passwords with house guests, good encryption and long passphrase - all the standard consumer security messaging we put out around wireless.

But this would suggest the firmware in the box itself - something the average home user simply plugs in and hopes for the best with - is the issue, leaving ports open that allow DNS resolving to use traffic on their account. Have I absorbed the 2 page thread correctly?

So how do we convey blocking ports and setting up a DMZ to the average home user? Or should the home user only use the modem the ISP delivers and hopefully has tested and secured?


JamesL
#824647 24-May-2013 11:54

The problem is the modem shouldn't expose DNS on the WAN side, which is what this Tenda modem is doing.

Any reputable brand shouldn't have this problem, so there should be no reason to be resigned to ISP-provided modems, but for the average home user it's probably safer to use the ISP-supplied one as long as it's been tested.


freitasm
#824649 24-May-2013 11:59

NetSafeChris: But this would suggest the firmware in the box itself - something the average home user simply plugs in and hopes for the best with - is the issue, leaving ports open that allow DNS resolving to use traffic on their account. Have I absorbed the 2 page thread correctly?


Chris, you got it right. Most importantly, it is not only using data for DNS, but it also allows the modem/router to be an active participant in DNS DDoS attacks against web servers through DNS amplification.

NetSafeChris: So how do we convey blocking ports and setting up a DMZ to the average home user? Or should the home user only use the modem the ISP delivers and hopefully has tested and secured?


See previous reply.

darthmeow
#824652 24-May-2013 12:03

I wouldn't be at all surprised if these modems/routers are also vulnerable to UPnP calls from the WAN side. I've seen a few already.

Thanks for the heads up too. I'll be making sure my regular clients don't get these!

eXDee
#824656 24-May-2013 12:07

NetSafeChris: I saw Juha Saarinen tweet this link and am intrigued by the flaw you identify for the increased data usage.

At NetSafe we had this issue raised by a new Orcon customer and there was absolutely no reason for the massive rise in data usage - no sign of malware at all, no sharing of passwords with house guests, good encryption and long passphrase - all the standard consumer security messaging we put out around wireless.

But this would suggest the firmware in the box itself - something the average home user simply plugs in and hopes for the best with - is the issue, leaving ports open that allow DNS resolving to use traffic on their account. Have I absorbed the 2 page thread correctly?

So how do we convey blocking ports and setting up a DMZ to the average home user? Or should the home user only use the modem the ISP delivers and hopefully has tested and secured?


As stated by another user, Orcon customers should not see this unless the firewall has been disabled. Someone with a Genius modem can probably confirm this.

Advice should be to tell users to use the modem from their ISP if they are unsure. If they do choose to buy a modem from another brand, then they should only use one from a well known reputable brand, and that they should be aware of the risks. I'd point out specific brands that are known to have issues and that firewalls should always be enabled.

You may want to explain the reason why this is a major problem, that these are used in DDoS attacks and will likely result in high usage of their data cap (as well as potentially other security flaws from having an ineffective firewall, as demonstrated).

There are numerous online checks to find out whether someone is operating an open resolver on their IP or a subnet; I found 20 or so adjacent to my own IP from a quick scan on one online tool. Several of these have a mail server login on their web interface, and one or more belonged to rainbowprint.co.nz. Plenty of misconfigured servers out there, and we don't need home user modems adding to this.


A quick Google finds
http://dns.measurement-factory.com/surveys/openresolvers.html
and
http://openresolverproject.org/

Haven't found one with a simple test to your own IP without having to enter it, but there is probably one out there. You could possibly do this on your own website, wrapping it in a nice user friendly interface where they just press a button and it checks their connecting IP if it responds to DNS.

edit: here's an article by PCMag which attempts to explain it to a typical user, though it has them carry out several steps
http://securitywatch.pcmag.com/hacking/310118-are-you-a-zombie-how-to-check-for-open-dns-resolvers




freitasm
#824665 24-May-2013 12:24

eXDee: Haven't found one with a simple test to your own IP without having to enter it, but there is probably one out there. You could possibly do this on your own website, wrapping it in a nice user friendly interface where they just press a button and it checks their connecting IP if it responds to DNS.


https://www.grc.com/x/ne.dll?rh1dkyd2 and click Proceed. Then click Service Ports. No need to enter IP address.


darthmeow
#824676 24-May-2013 12:35

freitasm:
eXDee: Haven't found one with a simple test to your own IP without having to enter it, but there is probably one out there. You could possibly do this on your own website, wrapping it in a nice user friendly interface where they just press a button and it checks their connecting IP if it responds to DNS.


https://www.grc.com/x/ne.dll?rh1dkyd2 and click Proceed. Then click Service Ports. No need to enter IP address.



Or go to https://www.grc.com and click Shields Up, Proceed, All Service Ports. 9/10 with GRC now Shields Up won't load unless you go at it this way.


eXDee
#824678 24-May-2013 12:38

darthmeow:
freitasm:
eXDee: Haven't found one with a simple test to your own IP without having to enter it, but there is probably one out there. You could possibly do this on your own website, wrapping it in a nice user friendly interface where they just press a button and it checks their connecting IP if it responds to DNS.


https://www.grc.com/x/ne.dll?rh1dkyd2 and click Proceed. Then click Service Ports. No need to enter IP address.



Or go to https://www.grc.com and click Shields Up, Proceed, All Service Ports. 9/10 with GRC now Shields Up won't load unless you go at it this way.

Yeah, I got this.

However:
This Internet service ports "grid scan" determines the status — Open, Closed, or Stealth — of your system's first 1056 TCP ports.



DNS is port 53 UDP, not TCP. I think it's better to specifically check that a recursive resolver is responding to queries rather than a simple port test too, to result in fewer false positives.

Psi
#824700 24-May-2013 13:09

plambrechtsen: I would however like to know what its modem code is though.

If you could pm me and you are a Telecom customer email me and we could do a quick line test with it and I can grab the necessary numbers at our end.


Telecom already know. They are investigating 5 other users with Tenda modems and similar issues.
See my first post on page 1.

kyhwana2
#824944 24-May-2013 19:38

eXDee:
DNS is port 53 UDP, not TCP. I think it's better to specifically check that a recursive resolver is responding to queries rather than a simple port test too, to result in fewer false positives.


Actually, it's both. If UDP doesn't work for whatever reason (packet too large/fragments/UDP not working) it will fall back to using TCP port 53.


eXDee
#824961 24-May-2013 20:15

kyhwana2:
eXDee:
DNS is port 53 UDP, not TCP. I think it's better to specifically check that a recursive resolver is responding to queries rather than a simple port test too, to result in fewer false positives.


Actually, it's both. If UDP doesn't work for whatever reason (packet too large/fragments/UDP not working) it will fall back to using TCP port 53.


Good point actually, though you want to test for 53 UDP at least/as well; I wouldn't be satisfied with a TCP-only check.
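As an added example (not code posted by anyone in this thread), here is a Python 3 self-check in the spirit of eXDee's button-press tester idea and the UDP/TCP exchange above: it sends one recursive A query for example.com to the address you give it, first over UDP 53 and then over TCP 53 (the fallback kyhwana2 mentions), and reads the reply flags to tell an open resolver apart from a refusal or a closed/filtered port. Run it from outside your own LAN against your own public IP; the transaction ID, the query name and the verdict labels are my choices, not anything from the thread.

```python
import socket
import struct
import sys

QID, TEST_NAME = 0x1234, "example.com"  # fixed ID to match replies; a name no home router is authoritative for

def build_query(name=TEST_NAME, qid=QID):
    """Minimal A/IN query with RD=1 (recursion desired), no EDNS."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def classify(data, qid=QID):
    """Read the reply header: 'open-resolver' means it recursed on our behalf."""
    if data is None:
        return "no-response"            # closed or filtered port: the outcome you want
    if len(data) < 12 or struct.unpack("!H", data[:2])[0] != qid:
        return "malformed"
    flags, ancount = struct.unpack("!HxxH", data[2:8])
    if not flags & 0x8000:              # QR bit clear: not a response at all
        return "malformed"
    ra, rcode = bool(flags & 0x0080), flags & 0x000F
    if rcode == 5:
        return "refused"                # a resolver is listening but not serving outsiders
    if ra and rcode == 0 and ancount > 0:
        return "open-resolver"          # recursive answer for a stranger: usable for DNS amplification
    return "not-recursive"

def probe(ip, proto="udp", timeout=3.0):
    """One query over UDP, or over TCP (2-byte length prefix), the transport resolvers fall back to."""
    query = build_query()
    try:
        if proto == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(query, (ip, 53))
                return s.recv(4096)
        with socket.create_connection((ip, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(query)) + query)
            length = struct.unpack("!H", s.recv(2))[0]
            return s.recv(length)
    except (OSError, struct.error):     # timeout, connection refused, short read
        return None

if __name__ == "__main__":
    target = sys.argv[1]                # your own public IP, tested from outside the LAN
    for proto in ("udp", "tcp"):
        print(proto, classify(probe(target, proto)))
```

A Shields Up style TCP-only check would report "no-response" for a box that only answers on UDP, which is why both transports are probed.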

blakamin
#824999 24-May-2013 20:55

eXDee:
kyhwana2:
eXDee:
DNS is port 53 UDP, not TCP. I think it's better to specifically check that a recursive resolver is responding to queries rather than a simple port test too, to result in fewer false positives.


Actually, it's both. If UDP doesn't work for whatever reason (packet too large/fragments/UDP not working) it will fall back to using TCP port 53.


Good point actually, though you want to test for 53 UDP at least/as well; I wouldn't be satisfied with a TCP-only check.


Feel free to hassle Steve Gibson about it ;-p

plambrechtsen
#825017 24-May-2013 21:31

Psi:
plambrechtsen: I would however like to know what its modem code is though.

If you could pm me and you are a Telecom customer email me and we could do a quick line test with it and I can grab the necessary numbers at our end.


Telecom already know. They are investigating 5 other users with Tenda modems and similar issues.
See my first post on page 1.


I will chase up with the CTS folks, but it would be helpful if you could help me out. I have asked nicely 3 times now. :)

Psi
#825028 24-May-2013 22:01

Emailed you plambrechtsen.



I heard back from Tenda.
After a few language issues they sent me a web GUI screenshot showing some options to enable/disable HTTP, ICMP, SNMP and Telnet on the WAN side.

Their picture shows the WAN accepting all of them (all ticked).

I have yet to see if my friend's router actually has this page in its web GUI (I've never seen it before),
but it is located in an odd place inside several submenus so I might have missed it.

In any case it doesn't explain why they have them all enabled on the WAN side as default.

NetSafeChris
#825191 25-May-2013 12:58

Thanks for all the responses to my query and I hope I didn't hijack the thread. I think I've got my head round the issue and will craft some new simple advice on how/what to check. The Shields Up tool is great but my knowledge of UDP vs TCP is lacking. Much obliged to all.