Security Basics mailing list archives

Router question 2...


From: Dave <dlaud.flux () gmail com>
Date: Mon, 23 Jan 2006 17:18:22 -0500

Thanks for your input...Here is some more info:

The server uses dynamic DNS to update the DNS records. The domain name(s) registrar provides the DNS services. The servers have one IP address and they use virtual hosting to host multiple sites. We don't like the idea of using the DMZ. We port forward the correct traffic to the intended machines. No, the router's WAN admin. feature is NOT enabled! Also, the router/firewall's NAT feature is disabled. So spoofing a local IP shouldn't matter...Example:

Using NAT - I from local machine (192.168.3.12) tried to access website via domain name (www.mydomain.com) and as expected I was greeted with the router's login prompt. This will keep local users from accessing the server via its domain name but opens the router up for spoofed IP attacks. If an attacker sent a request to www.domain.com and spoofed his IP as a local IP he would most likely be greeted with the password prompt 'cause the router thinks a local user is trying to access the site via domain name.

NOT using NAT - I from local machine try to access www.mydomain.com and I am correctly routed to the *local* server. So just spoofing your IP as local wouldn't help the attacker...he still has to access the router via its local IP.

In order to log into the router's config page...you must be local AND call the router via its local IP (192.168.3.3). So just spoofing his IP wouldn't help much...I think anyway! We are going to switch to using a linux box as our outer perimeter firewall...but that is then and this is now ;) Smoothwall looks promising...thanks

At any rate...the router has been reset and all firmware updated. But the fact remains...The router's WAN admin feature is OFF. It is set up so local IP spoofing attacks shouldn't work. But nonetheless...when I (from WAN or LAN) tried to access one of the sites on the server I was greeted with the router's password prompt! As far as I can tell not all of the hosted sites' domain names, when requested, would serve up the login prompt. This was temporary so we could only test the situation from when we learned of it until it stopped (roughly 30 minutes)...but hey, when all is said and done, it's not supposed to do that! And since it never has before and hasn't since I believe there is a way to exploit this router to force this behaviour.


Any help / comments / flames appreciated...
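The symptom described in the post (a hosted site's name intermittently answering with the router's login prompt instead of the virtual host) is something a defender can watch for continuously. Added example, not code from the original post: it classifies HTTP replies for each hosted name and flags the ones that look like a router Basic-auth challenge; the sample responses, the extra hostnames, the 401/Basic fingerprint and the `probe` helper are assumptions to adapt to your own router and server.

```python
import http.client

# Constructed sample replies keyed by hostname: (status, headers, body).
# Only www.mydomain.com is from the post; the other names are made up.
# The router-prompt fingerprint (HTTP 401 + Basic challenge) is an
# assumption; replace it with what your own router actually returns.
SAMPLE_RESPONSES = {
    "www.mydomain.com": (200, {"Server": "Apache"}, "<title>My Domain</title>"),
    "www.otherdomain.com": (401, {"WWW-Authenticate": 'Basic realm="Router"'}, ""),
    "www.thirddomain.com": (200, {"Server": "Apache"}, "<title>Third</title>"),
}


def looks_like_router_prompt(status, headers, body):
    """True when the reply is an HTTP Basic auth challenge, i.e. a login
    prompt from the router rather than a page from the web server."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    challenge = hdrs.get("www-authenticate", "").lower()
    return status == 401 and challenge.startswith("basic")


def misrouted_hosts(responses):
    """Return, sorted, the hostnames whose reply was the router prompt
    instead of the expected virtual host."""
    return sorted(
        host for host, (status, hdrs, body) in responses.items()
        if looks_like_router_prompt(status, hdrs, body)
    )


def probe(host, connect_to, port=80, timeout=5):
    """Hypothetical helper: fetch '/' for one hosted name, connecting to
    connect_to (the public address from outside, the server's LAN IP from
    inside) and sending the Host header so virtual hosting selects the site.
    Run it from both LAN and WAN and feed the results to misrouted_hosts()."""
    conn = http.client.HTTPConnection(connect_to, port, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        body = resp.read(4096).decode("utf-8", "replace")
        headers = dict(resp.getheaders())
        return resp.status, headers, body
    finally:
        conn.close()


if __name__ == "__main__":
    # Offline run over the constructed samples; prints the misrouted names.
    print(misrouted_hosts(SAMPLE_RESPONSES))
```

Scheduling `probe` for every hosted name from both sides of the router and alerting on a non-empty `misrouted_hosts` result turns the 30-minute window mentioned above into a logged event with a timestamp.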

