[14033] in bugtraq


DoSing the Netgear ISDN RT34x router.

daemon@ATHENA.MIT.EDU (Swift Griggs)
Fri Feb 25 19:34:43 2000

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.4.20.0002251214450.23763-100000@voodoomindcontrol.jcius.com>
Date: Fri, 25 Feb 2000 12:59:34 -0700
Reply-To: ssgriggs@usa.net
From: Swift Griggs <ssgriggs@JCIUS.COM>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20000223150258.5995.qmail@www0h.netaddress.usa.net>

WHICH ONES:
The Netgear ISDN RH348 and RT328, and possibly the Zyxel P128imh (same
firmware).

HOW:
Door #1: SYN scan the router with nmap. It'll deny all connections to port
         23 after that for about 5 minutes per packet. DoSing it in
         this way is trivial. Of course, spoofed packets work just
         great.

Door #2: Telnet to it. Sit there. No one else can manage it, regardless
         of whether you have authenticated or not.

Door #3: Send it tons of ICMP redirects; it'll stop routing packets at
         all during the storm (which can be fairly light) and it'll
         take about 30 seconds to recover. (try winfreeze.c)

Door #4: Send it some contrived RIP packets with host routes for your
         favorite people in the office set to loopback. The default
         is to allow RIP-2B in both directions.

Quick Fix: Use an ACL in the router to deny access to everywhere but your
management station. Turn RIP off if you can; if not, then try to only
broadcast RIP, not listen. These routers don't support any other type of
distance vector protocol, and fortunately they don't do link state
protocols at all (i.e., no redistribution of bogus routes learned and
trusted by any evil haxx0r on the network). That's fine with me; I doubt
I'll be housing my ASN on an ISDN line anytime soon, but that's just me.

-- 
__________________________________________________
Swift Griggs - Janitor,  Secretary,   Router dude.
Some  will  rise  by  sin and  some by virtue fall
PGP(GPG) Key ID D38E3D91  | InterNIC Handle SG1991
Key fingerprint  for  the key that  I use is here:
010C A7E3 A630 8107 E9A5  F9AD 82D6 BA10 D38E 3D91
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



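Door #4 and the "Quick Fix" above are about a listener that trusts whatever RIP-2 it hears. The following is an added example (not code from the post or from Netgear/Zyxel) of the sanity checks a RIP listener or a monitoring box on the segment can apply to an advertisement before accepting it: routes or next hops in 127.0.0.0/8, host routes that would override a directly connected host, and out-of-range metrics. The sample datagram and the local prefix list are constructed for illustration.

```python
import ipaddress
import struct

# RIPv2 (RFC 2453) wire format: 4-byte header followed by 20-byte route entries.
RIP_HEADER = struct.Struct("!BBH")       # command, version, must-be-zero
RIP_ENTRY = struct.Struct("!HH4s4s4sI")  # family, route tag, addr, mask, next hop, metric
RIP_RESPONSE = 2

def parse_ripv2(datagram: bytes):
    """Split a RIPv2 datagram into (command, version, entries); auth entries are skipped."""
    if len(datagram) < RIP_HEADER.size or (len(datagram) - RIP_HEADER.size) % RIP_ENTRY.size:
        raise ValueError("malformed RIP datagram")
    command, version, _ = RIP_HEADER.unpack_from(datagram, 0)
    entries = []
    for off in range(RIP_HEADER.size, len(datagram), RIP_ENTRY.size):
        family, tag, addr, mask, nh, metric = RIP_ENTRY.unpack_from(datagram, off)
        if family == 0xFFFF:  # RFC 2082 authentication entry, not a route
            continue
        entries.append({"addr": ipaddress.IPv4Address(addr), "mask": ipaddress.IPv4Address(mask),
                        "next_hop": ipaddress.IPv4Address(nh), "metric": metric, "tag": tag})
    return command, version, entries

def suspicious_routes(datagram: bytes, local_prefixes):
    """Return [(entry_index, reason)] for advertised routes a listener should refuse.
    local_prefixes: directly connected networks (constructed input), e.g. ["192.168.1.0/24"]."""
    local = [ipaddress.IPv4Network(p) for p in local_prefixes]
    command, _, entries = parse_ripv2(datagram)
    if command != RIP_RESPONSE:  # only RESPONSE messages install routes
        return []
    findings = []
    for i, e in enumerate(entries):
        if e["addr"].is_loopback or e["next_hop"].is_loopback:
            findings.append((i, "route or next hop in 127.0.0.0/8"))
        if int(e["mask"]) == 0xFFFFFFFF and any(e["addr"] in n for n in local):
            findings.append((i, "host route overriding a directly connected host"))
        if e["metric"] == 0 or e["metric"] > 16:
            findings.append((i, "metric outside 1..16"))
    return findings

def build_sample_response() -> bytes:
    """Constructed sample: one ordinary route, then a /32 for a LAN host pointed at loopback."""
    def entry(addr, mask, nh, metric):
        return RIP_ENTRY.pack(2, 0, ipaddress.IPv4Address(addr).packed,
                              ipaddress.IPv4Address(mask).packed,
                              ipaddress.IPv4Address(nh).packed, metric)
    return (RIP_HEADER.pack(RIP_RESPONSE, 2, 0)
            + entry("10.0.0.0", "255.255.255.0", "0.0.0.0", 1)
            + entry("192.168.1.50", "255.255.255.255", "127.0.0.1", 1))
```

Feeding the captured UDP/520 payload to `suspicious_routes` with the router's own LAN prefixes is enough to log or drop the advertisement; an empty result means the update passed these checks.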