Bugtraq mailing list archives
Re: DoSing the Netgear ISDN RT34x router.
From: mwade () CDC NET (Mike Wade)
Date: Fri, 25 Feb 2000 21:59:07 -0500
On Fri, 25 Feb 2000, Swift Griggs wrote:
HOW:

Door #1: SYN scan the router with nmap. It'll deny all connections to port 23 after that for about 5 minutes per packet. DoSing it in this way is trivial. Of course spoofed packets work just great.

Door #2: Telnet to it. Sit there. No one else can manage it, regardless of if you have authenticated or not.

Door #3: Send it tons of ICMP redirects, it'll stop routing packets at all during the storm (which can be fairly light) and it'll take about 30 seconds to recover. (try winfreeze.c)

Door #4: Send it some contrived RIP packets with host routes for your favorite people in the office set to loopback. The default is to allow RIP-2B in both directions.
I own one of these gimpy-so-called-routers and have found many bugs that are similar to the ones you've mentioned. Generally, I've found the TCP/IP stack + NAT features to be of very low quality. Perhaps this is to be expected at a low price point but their firmware is just plain broken.

Bug #5: Send a single UDP packet between 63000 - 65000 bytes to the router from local or remote. This will lock the router up between 15 - 30 seconds and sometimes reboot. Sending these packets once about every 10 seconds is enough to keep the router locked up forever. Perhaps this is a memory issue?

Bug #6: Broken and sometimes legit IRC DCC and Real Audio/Video (film.com's trailers usually send my router into endless reboots) requests often cause the router to reboot when using NAT. This is obviously just sad coding.

Bug #7: Legit traffic is often dropped in NAT mode after >12 hours of connection time (I assume the NAT tables leak). Open connections are not affected, however no new connections will be created. The only solution is to disconnect or reboot the router. I believe this to be related to poor timing out of UDP packets such as DNS queries sitting stale in the NAT table.

I'm sure there are plenty of other bugs that can be found dealing with the TCP/IP stack and NAT mode. The current release version of firmware for these routers is '1.50(C.00)' but I do have a beta version of the firmware that I have not tested that is labeled '2.20 Beta 15' from August of 1999.

I see Netgear has some newer model ISDN routers available. Is Netgear even supporting these routers any more?

---
Mike Wade (mwade () cdc net)
Director of Systems Administration
CDC Internet, Inc.
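Added illustration, not part of the original post and not Netgear firmware: a toy model of the failure mode hypothesized under Bug #7, where UDP mappings that never age out fill a fixed-size NAT table so that open connections keep working while new ones are dropped, next to the same table with an idle timeout for UDP. The table size, timeout, addresses and traffic pattern are all constructed assumptions.

```python
# Toy model of a fixed-size NAT translation table (added illustration;
# not Netgear firmware). All sizes, timeouts and addresses are constructed.

class NatTable:
    def __init__(self, capacity, udp_idle_timeout=None):
        self.capacity = capacity
        self.udp_idle_timeout = udp_idle_timeout  # None = UDP entries never expire
        self.entries = {}  # (proto, src, sport, dst, dport) -> last_seen (seconds)

    def _expire(self, now):
        """Drop UDP mappings that have been idle longer than the timeout."""
        if self.udp_idle_timeout is None:
            return
        stale = [k for k, seen in self.entries.items()
                 if k[0] == "udp" and now - seen > self.udp_idle_timeout]
        for k in stale:
            del self.entries[k]

    def forward(self, flow, now):
        """Return True if the packet is translated, False if it is dropped."""
        self._expire(now)
        if flow in self.entries:
            self.entries[flow] = now      # existing mapping: refresh and pass
            return True
        if len(self.entries) >= self.capacity:
            return False                  # table full: no new mappings
        self.entries[flow] = now
        return True


def simulate(udp_idle_timeout, capacity=64, hours=13):
    """One long-lived TCP session plus a DNS query every 10 minutes,
    each query from a fresh source port, then one new connection attempt."""
    nat = NatTable(capacity, udp_idle_timeout)
    tcp = ("tcp", "192.168.0.2", 40000, "203.0.113.10", 22)
    nat.forward(tcp, 0)
    for i in range(hours * 6):
        now = i * 600
        nat.forward(tcp, now)             # traffic on the open session
        nat.forward(("udp", "192.168.0.2", 1024 + i, "203.0.113.53", 53), now)
    end = hours * 3600
    new_flow = ("tcp", "192.168.0.2", 40001, "203.0.113.10", 80)
    return {"open_tcp_ok": nat.forward(tcp, end),
            "new_conn_ok": nat.forward(new_flow, end),
            "entries": len(nat.entries)}


if __name__ == "__main__":
    print("no UDP timeout :", simulate(None))
    print("60 s UDP timeout:", simulate(60))
```
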