Security Incidents mailing list archives

RE: DSL Modem or Router Cracked?


From: Robert Starliper <tim () starlipers com>
Date: Thu, 13 Jun 2002 18:17:15 -0400

Aaron -

        I noticed in your original note, you mentioned the Linksys.  When I
first set up my Linksys cable/DSL router, I noticed it was sending out quite
a bit of SNMP trap traffic, it appeared to be a periodic update on the
unit's general health.  I seem to recall these packets being sent at a rate
of about 1 every 30 seconds or so.

Just my .02

Tim Starliper
LAN/WAN Consultant
Business Tech, Inc.

-----Original Message-----
From: Klepinger, Aaron [mailto:Aaron.Klepinger () CompuCredit com]
Sent: Thursday, June 13, 2002 12:07 PM
To: 'NESTING, DAVID M (SBCSI)'; 'incidents () securityfocus com'
Subject: RE: DSL Modem or Router Cracked?


Looks like the logging on my router (192.168.1.1) is broadcasting to
192.168.1.255 using SNMP and also for some reason UPnP is sending out
packets.  I'll make sure to disable those and also just check the general
configuration of my 192.168.1.2 box.

What worried me was the amount of packets being sent to the same or similar
address at a "high" (relative term!) rate.  My connection slowed
significantly and I figured these packets might be the culprit.  I have also
reconfigured my Alcatel modem with the defaults, so we'll see if that helps,
too.  Looks like I have some work to do!  :)

Thanks for everyone's help.  I got about 5 responses that were quite helpful
and I highly appreciate the assistance.

Aaron



-----Original Message-----
From: NESTING, DAVID M (SBCSI) [mailto:dn3723 () sbc com]
Sent: Thursday, June 13, 2002 11:53 AM
To: 'incidents () securityfocus com'
Cc: 'Klepinger, Aaron'
Subject: RE: DSL Modem or Router Cracked?


What about this traffic alarms you specifically?

The 192.168.1.1:5390 -> 192.168.1.255:162 is SNMP, maybe an SNMP trap being
sent to your network's broadcast address (someone else can probably comment
more specifically).  Check the configuration of the 192.168.1.1 device and
turn SNMP off if you're not using it.

The 192.168.1.1:1901 -> 239.255.255.250:1900 is "Universal Plug-and-Play"
traffic.  The latter address is a multicast address reserved for this
purpose.  It should remain local to your own network (i.e. not routed
through your Internet link).

205.152.37.254:53 is DNS for ns.asm.bellsouth.net (your ISP?).
129.6.15.29:123 is NTP at time-b.nist.gov, probably a time synchronization
tool running on 192.168.1.2.

None of this looks alarming to me, at first glance.  What about it worries
you?

Though to be fair, there have been some vulnerabilities in the last few
months related to SNMP and UPnP, so that traffic alone might be reason to
take a closer look at your network, but I see no evidence of a compromise
just yet.

David


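David's sorting of the flows above (by destination port, and by whether the destination is the LAN broadcast, a multicast group or an outside host) can be written down as a small triage script. This is an added example, not code from anyone in the thread; the timestamps, the 192.168.1.0/24 LAN prefix and the one-line flow format are assumptions.

```python
import ipaddress
from collections import defaultdict

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN prefix from the thread
# Destination port -> what David identified each flow as in the thread
KNOWN_PORTS = {162: "SNMP trap", 161: "SNMP", 1900: "UPnP/SSDP", 53: "DNS", 123: "NTP"}
LOCAL_CHATTER = {"SNMP trap", "SNMP", "UPnP/SSDP"}  # noise to switch off if unused

# Constructed sample, "<seconds> src:port -> dst:port", built from the thread's flows
SAMPLE = [
    "0 192.168.1.1:5390 -> 192.168.1.255:162",
    "30 192.168.1.1:5390 -> 192.168.1.255:162",
    "60 192.168.1.1:5390 -> 192.168.1.255:162",
    "5 192.168.1.1:1901 -> 239.255.255.250:1900",
    "12 192.168.1.2:1025 -> 205.152.37.254:53",
    "40 192.168.1.2:123 -> 129.6.15.29:123",
]

def parse_flow(line):
    """Split '<t> src:port -> dst:port' into (t, src_ip, src_port, dst_ip, dst_port)."""
    t, src, _, dst = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return float(t), sip, int(sport), dip, int(dport)

def scope(dst_ip):
    """Where a destination lives: LAN broadcast, multicast, LAN unicast or external."""
    ip = ipaddress.ip_address(dst_ip)
    if ip == LAN.broadcast_address:
        return "LAN broadcast"
    if ip.is_multicast:
        return "multicast"
    return "LAN unicast" if ip in LAN else "external"

def triage(lines):
    times = defaultdict(list)  # (src, dst, dst_port) -> packet timestamps
    for line in lines:
        t, sip, _, dip, dport = parse_flow(line)
        times[(sip, dip, dport)].append(t)
    report = {}
    for (sip, dip, dport), ts in times.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]  # seconds between packets
        proto = KNOWN_PORTS.get(dport, "unknown")
        # Local chatter: disable if unused; DNS/NTP to ISP and NIST: expected; else: look
        verdict = ("disable if unused" if proto in LOCAL_CHATTER
                   else "expected" if proto != "unknown" else "investigate")
        report[(sip, dip, dport)] = {"proto": proto, "scope": scope(dip), "count": len(ts),
                                     "interval": round(sum(gaps) / len(gaps), 1) if gaps else None,
                                     "verdict": verdict}
    return report
```

Run over the sample, the SNMP trap flow comes out as LAN broadcast at a 30-second interval, matching the rate Tim recalls.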

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
