Kitz Forum

Announcements => Site Announcements => Topic started by: kitz on April 13, 2018, 10:19:46 AM

Title: Home routers proxying bad traffic for Botnets
Post by: kitz on April 13, 2018, 10:19:46 AM
According to a white paper published this week by Akamai (https://www.akamai.com/us/en/multimedia/documents/white-paper/upnproxy-blackhat-proxies-via-nat-injections-white-paper.pdf) over 65,000 home routers are proxying bad traffic for botnets.

Akamai reports that it has detected over 4.8 million SOHO routers which are vulnerable by exposing UPnP services via the WAN interface, and of these it has identified over 65,000 devices which have already been compromised.

Quote from: Akamai
The simple explanation of the vulnerability that lead to NAT injections, is that these devices expose services on their WAN interface that are privileged and meant to only be used by trusted devices on a LAN. Using these exposed services, an attacker is able to inject NAT entries into the remote device, and in some cases, expose machines behind the router while in other cases inject Internet-routable hosts into the NAT table, which causes the router to act as a proxy server.


A list of vulnerable routers is listed in the report, but notably a lot of ASUS models are affected including the DSL-AC68R, DSL-AC68U, DSL-N55U, DSL-N55U-B, RT-N66U etc.

Refs:-
Akamai (https://www.akamai.com/us/en/multimedia/documents/white-paper/upnproxy-blackhat-proxies-via-nat-injections-white-paper.pdf)
Bleeping Computer (https://www.bleepingcomputer.com/news/security/over-65-000-home-routers-are-proxying-bad-traffic-for-botnets-apts/)
Title: Re: Home routers proxying bad traffic for Botnets
Post by: kitz on April 13, 2018, 10:23:14 AM
Full list of affected manufacturers and models can be found in the report but I list below some of the more popular makes.

ASUS
DSL-AC68R, DSL-AC68U, DSL-N55U, DSL-N55U-B, MTK7620, RT-AC3200, RT-AC51U, RT-AC52U, RT-AC53, RT-AC53U, RT-AC54U, RT-AC55U, RT-AC55UHP, RT-AC56R, RT-AC56S, RT-AC56U, RT-AC66R, RT-AC66U, RT-AC66W, RT-AC68P, RT-AC68R, RT-AC68U, RT-AC68W, RT-AC87R, RT-AC87U, RT-G32, RT-N10E, RT-N10LX, RT-N10P, RT-N10PV2, RT-N10U, RT-N11P, RT-N12, RT-N12B1, RT-N12C1, RT-N12D1, RT-N12E, RT-N12HP, RT-N12LX, RT-N12VP, RT-N14U, RT-N14UHP, RT-N15U, RT-N16, RT-N18U, RT-N53, RT-N56U, RT-N65R, RT-N65U, RT-N66R, RT-N66U, RT-N66W, RTN13U, SP-AC2015, WL500

Belkin
F5D8635-4 v1, F9K1113 v5

DrayTek Corp.
Vigor300B

NETGEAR
R2000, WNDR3700, WNDR4300v2, WNR2000v4

ZyXel
Internet Center, Keenetic, Keenetic 4G, Keenetic DSL, Keenetic Giga II, Keenetic II, Keenetic Lite II, Keenetic Start, NBG-416N Internet Sharing Gateway, NBG-418N Internet Sharing Gateway, NBG4615 Internet Sharing Gateway, NBG5715 router, X150N Internet Gateway Device



Title: Re: Home routers proxying bad traffic for Botnets
Post by: kitz on April 13, 2018, 10:24:51 AM
How to Fix It

Quote from: Akamai
If a device is affected by this vulnerability, there are only a few options for mitigation. The first would be to replace the device with something else that you've confirmed is not vulnerable to these types of attacks. If replacing the device is not an option, it is typically possible to disable UPnP services on the device. However, this could have impacts in other areas of your network, such as gaming or media streaming.
In cases where neither of these options work, deploying a firewall in front of your affected device and blocking all inbound traffic to UDP port 1900 will prevent the information leaks that make TCP daemon discovery possible. If your device is already compromised, this would still allow proxy injection and proxy usage. Manually removing these injections would stop proxy usage, but would not prevent future injections from happening, making this solution a game of whack-a-mole.
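
A defender-side check for the injected NAT entries the Akamai quotes describe, added here as an example (it is not part of the original post or the white paper): it parses UPnP IGD GetGenericPortMappingEntry responses and flags any mapping whose internal client is not a host on the LAN. The SOAP bodies, the 192.168.1.0/24 LAN range, the documentation-range addresses and the function names are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

FIELDS = ("NewProtocol", "NewExternalPort", "NewInternalClient",
          "NewInternalPort", "NewPortMappingDescription")

def parse_mapping(soap_xml):
    """Pull the port-mapping fields out of one SOAP response body."""
    found = {}
    for el in ET.fromstring(soap_xml).iter():
        name = el.tag.rsplit("}", 1)[-1]      # drop any XML namespace
        if name in FIELDS:
            found[name] = (el.text or "").strip()
    return found

def is_injected(mapping, lan_cidr):
    """True when the mapping forwards to something that is not a LAN host."""
    try:
        client = ipaddress.ip_address(mapping.get("NewInternalClient", ""))
    except ValueError:
        return True                           # hostname or junk where a LAN IP belongs
    return client not in ipaddress.ip_network(lan_cidr)

def audit(responses, lan_cidr="192.168.1.0/24"):   # LAN range is an assumption
    """Return the mappings that would make the router proxy to a non-LAN host."""
    return [m for m in map(parse_mapping, responses) if is_injected(m, lan_cidr)]

# Constructed sample responses (not captured from a real device).
TEMPLATE = (
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    '<u:GetGenericPortMappingEntryResponse '
    'xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
    '<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>'
    '<NewProtocol>TCP</NewProtocol><NewInternalPort>{port}</NewInternalPort>'
    '<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>'
    '<NewPortMappingDescription>{desc}</NewPortMappingDescription>'
    '<NewLeaseDuration>0</NewLeaseDuration>'
    '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>')

SAMPLES = [
    TEMPLATE.format(ext=5060, port=5060, client="192.168.1.20", desc="pbx"),
    TEMPLATE.format(ext=40001, port=53, client="203.0.113.7", desc="sample-a"),
    TEMPLATE.format(ext=40002, port=80, client="198.51.100.9", desc="sample-b"),
]

if __name__ == "__main__":
    for m in audit(SAMPLES):
        print("suspicious mapping:", m)
```

As the quoted mitigation notes, deleting flagged entries only stops current proxy use; the exposed WAN-side service still has to be closed off.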
Title: Re: Home routers proxying bad traffic for Botnets
Post by: broadstairs on April 13, 2018, 10:43:27 AM
For anyone who is paranoid and wants to check out their router you can check port 1900 using https://www.grc.com/ (https://www.grc.com/) (using Shields Up), I did check mine just to be sure and it is fine  ;)

Stuart
Title: Re: Home routers proxying bad traffic for Botnets
Post by: kitz on April 13, 2018, 11:07:58 AM
Cheers Stuart - Direct links for UPnP Port probes at grc.com

Port 1900 (https://www.grc.com/port_1900.htm)

Port 5000 (https://www.grc.com/port_5000.htm)

Title: Re: Home routers proxying bad traffic for Botnets
Post by: Deathstar on April 13, 2018, 11:20:30 AM
Stealth (DSL-AC68U)
Title: Re: Home routers proxying bad traffic for Botnets
Post by: roseway on April 13, 2018, 12:23:33 PM
Likewise (Technicolor DGA4130)
Title: Re: Home routers proxying bad traffic for Botnets
Post by: banger on April 13, 2018, 12:31:29 PM
UPNP test passed and Stealth on 1900 and 5000 on an Asus DSL-N55U. Hmmm.
Title: Re: Home routers proxying bad traffic for Botnets
Post by: broadstairs on April 13, 2018, 01:16:09 PM
Quote from: banger
UPNP test passed and Stealth on 1900 and 5000 on an Asus DSL-N55U. Hmmm.

Tim you must have UPNP turned off.

Stuart
Title: Re: Home routers proxying bad traffic for Botnets
Post by: Ronski on April 13, 2018, 02:20:24 PM
Stealth on 1900 but not 5000,  Asus N66U running Merlin.

What are the implications of turning off UPNP?

ETA. Actually port 5000 is something to do with 3CX as it's forwarded to that.
Title: Re: Home routers proxying bad traffic for Botnets
Post by: tubaman on April 13, 2018, 06:13:50 PM
Stealth (Netgear D6220)
Title: Re: Home routers proxying bad traffic for Botnets
Post by: Ronski on April 13, 2018, 06:56:02 PM
Stealth at home - Pfsense  :thumbs:
Title: Re: Home routers proxying bad traffic for Botnets
Post by: banger on April 13, 2018, 07:20:35 PM
Quote from: broadstairs
Tim you must have UPNP turned off.

Stuart

Not that I am aware Stuart although I am using V9 of Asus firmware which has had some security updates. Log shows uPNP is enabled.
Title: Re: Home routers proxying bad traffic for Botnets
Post by: broadstairs on April 13, 2018, 08:06:43 PM
Quote from: banger
Not that I am aware Stuart although I am using V9 of Asus firmware which has had some security updates. Log shows uPNP is enabled.

OK then I suspect they may have fixed it. Interestingly I checked my Netgear D6220 and it has UPNP enabled but both ports WAN side show stealth.

Stuart
Title: Re: Home routers proxying bad traffic for Botnets
Post by: banger on April 13, 2018, 10:02:25 PM
Same here Stuart with my Asus both ports are stealth yet checking WAN settings Upnp is enabled.
Title: Re: Home routers proxying bad traffic for Botnets
Post by: broadstairs on April 14, 2018, 07:41:11 AM
To be honest I don't see why UPNP should ever be enabled on the WAN side on a home router, yes it can be needed on the local lan side. Does sound like your router f/w has fixed this. I do also wonder if your ZyXEL in bridge mode has something to do with this? I wonder what you might see if the ASUS was running as a single box?

Stuart
Title: Re: Home routers proxying bad traffic for Botnets
Post by: Chrysalis on April 14, 2018, 12:31:22 PM
UPNP is my first thing I turn off on any new router.

Ronski, the implications are that any port forwarding has to be done manually, something I have always done anyway.
Title: Re: Home routers proxying bad traffic for Botnets
Post by: banger on April 14, 2018, 07:46:09 PM
Quote from: broadstairs
To be honest I don't see why UPNP should ever be enabled on the WAN side on a home router, yes it can be needed on the local lan side. Does sound like your router f/w has fixed this. I do also wonder if your ZyXEL in bridge mode has something to do with this? I wonder what you might see if the ASUS was running as a single box?

Stuart

Good point, it had occurred to me that many routers may still be running with old firmware and not behind a bridge modem router. I am happy that stealth is indicated as I have two spare DSL-N55U's just in case the original goes pop, wasn't looking forward to replacing them although I do have a ZyXel 3925 which would do the trick.

Tim
Title: Re: Home routers proxying bad traffic for Botnets
Post by: sevenlayermuddle on April 15, 2018, 03:05:25 PM
Quote from: Chrysalis
UPNP is my first thing I turn off on any new router.

Ronski, the implications are that any port forwarding has to be done manually, something I have always done anyway.

Agreed, I also always disable UPnP over port forwarding concerns.  If port forwarding were needed I'd want to know about it, and configure it manually.  Actually though I go further... if an application, game or gadget requires port forwarding, I simply refuse to use that application, game or gadget.   There may come a day when I need to give in, but so far so good - no port forwarding at all. :fingers:
Title: Re: Home routers proxying bad traffic for Botnets
Post by: CarlT on April 15, 2018, 07:31:15 PM
Perfectly happy to use UPNP. No excuse for it to be exposed on WAN side. Presents minimal risk other than that. Plenty of ways for malware or a bad actor to get a bidirectional link without it once on the LAN.

Do you guys that disable it as a matter of routine have static rules for your packet filtering or do you use a stateful firewall?
Title: Re: Home routers proxying bad traffic for Botnets
Post by: snadge on April 15, 2018, 07:45:09 PM
thanks for the heads up :)

Stealthed on 1900 & 5000
 - BT Home Hub 5B
 - rev v0.07.06.01239-BT
Title: Re: Home routers proxying bad traffic for Botnets
Post by: sevenlayermuddle on April 15, 2018, 08:52:06 PM
Quote from: CarlT
Perfectly happy to use UPNP. No excuse for it to be exposed on WAN side. Presents minimal risk other than that. Plenty of ways for malware or a bad actor to get a bidirectional link without it once on the LAN.

Do you guys that disable it as a matter of routine have static rules for your packet filtering or do you use a stateful firewall?

My take is...

All software has bugs and vulnerabilities, and that includes the protocol parsing software that processes incoming traffic.   Often, that parsing is performed in OS kernel, making that software especially vulnerable.   Maliciously crafted packets could take advantage of such bugs, and get to do very bad things on the destination.

Even without port forwarding it is still possible, of course, to be in receipt of malicious data packets but generally, you need to have started the conversation.   With port forwarding, the bad guys can very precisely target their malicious traffic at a personal level, right through to your OS (or your games console, or webcam, or whatever) anytime they like, just by sending it unsolicited to your IP.

That is why I have always refused to allow port forwarding.
Title: Re: Home routers proxying bad traffic for Botnets
Post by: CarlT on April 15, 2018, 09:40:08 PM
It's not supposed to be exposed on the WAN side. As long as the producers of the device aren't outstandingly incompetent it should be fine.

If the people who write the software are incompetent enough that they have random services listening on the WAN side UPNP is probably the least of the concerns. Unsolicited attacks as you describe require knowledge of the devices on the LAN side anyway. If the gateway is doing its job properly these should not be exposed.

Regardless forwarding any ports at all carries a risk, whether static or dynamic.

That is why I'm fine with UPNP. It's a very useful application that reduces the need for manual configuration for each device behind the NAT.

Obviously if you're the kind of person that has static IPs or IP reservations for every device on your network it's a natural extension of that, but working with this stuff I try and keep my configuration at home to a minimum of complexity, which means UPNP gets to play. So far I've not noted any compromise  :)

Incidentally I do appreciate what you're saying about UPNP.

Quote
MiniUPnP < 1.4 Multiple Vulnerabilities

Description

According to its banner, the version of MiniUPnP running on the remote host is prior to 1.4. It is, therefore, affected by the following vulnerabilities :

- An out-of-bounds read error exists in the ProcessSSDPRequest() function in file minissdp.c that allows an unauthenticated, remote attacker to cause a denial of service condition via a specially crafted M-SEARCH request. (CVE-2013-0229)

- A stack-based buffer overflow condition exists in the ExecuteSoapAction() function in the SOAPAction handler, due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, via a long quoted method, to cause a denial of service condition or the execution of arbitrary code. (CVE-2013-0230)

Solution
Upgrade to MiniUPnP version 1.4 or later.
Title: Re: Home routers proxying bad traffic for Botnets
Post by: Chrysalis on April 15, 2018, 11:54:37 PM
stateful firewall

upnp when implemented properly is fine, but i just prefer to not chance it on a feature i don't use. any enabled unused feature is a potential attack vector.