My firewall was a security risk

Different DNS vulnerabilities and DNS amplification attacks have been in the network security news lately. Yesterday I got an e-mail from my ISP Elisa saying that I had an open DNS server running on my Internet connection and that it should be disabled immediately (someone had reported problems with it). I was wondering what was happening, because none of my devices should have been running such a service.

I asked them for some more information (for example the IP address of the server) so I could sort it out when I got home. I was wondering what it could be, because I had only two devices directly connected to the Internet: an Elisa Viihde IPTV set-top box and a D-Link DIR-100 router/firewall. All the computers were behind that router/firewall, so they could not act as servers towards the Internet.

It turned out that the D-Link DIR-100 router was acting as a publicly accessible DNS server. I checked the manuals, reconfigured it and tried everything, but the problem did not go away. I also checked whether a firmware update was available for my device, but according to the check I already had the newest available firmware (from 2008) installed. It is stupid that this device runs a public DNS server on its WAN port (it should be accessible only on the LAN side) and does not seem to offer any way to disable it: there is no control to turn it off, and the firewall rule configuration tool is so limited that I can't write a suitable rule to block it.

D-Link still sells the DIR-100 router, so I am wondering whether it still ships with years-old firmware. Or is the newer device based on different hardware and firmware but still carrying the same name (as often happens with consumer devices), leaving me without updates for my older model? My router/firewall had been running for years without problems (at least without me knowing that anything was wrong), but overnight it turned out to be of no use.

I changed the firewall device to another (older) model, and the problem was solved for now. I used the Open Resolver Project's on-line DNS Check tool to verify that the problem existed and that it was solved after the firewall device change.
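The same check can be done without a web tool. The following is an added example, written for this page and not code from the original post or from the Open Resolver Project: it builds the recursive query an open-resolver scanner sends, classifies the reply by the RA flag and RCODE in the DNS header, and includes constructed replies (the hostname example.com and the address 93.184.216.34 in them are placeholders) so the classifier can be exercised offline.

```python
import socket
import struct
import sys

# DNS header flag bits (RFC 1035, section 4.1.1)
QR = 0x8000          # message is a response
RD = 0x0100          # recursion desired
RA = 0x0080          # recursion available
RCODE_MASK = 0x000F
RCODE_NOERROR, RCODE_REFUSED = 0, 5


def encode_name(name):
    """Encode a dotted hostname as length-prefixed DNS labels."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid=0x1234, qtype=1):
    """Build a recursive A query (RD=1): the packet an open-resolver scanner sends."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def classify_response(resp, txid):
    """Classify the raw UDP reply to build_query().

    'open'         - server recursed for us and returned answers: open resolver
    'refused'      - REFUSED: a resolver is there but declines outside clients
    'no-recursion' - RA clear, e.g. an authoritative-only server
    'malformed'    - too short, wrong transaction id, or not a response
    """
    if len(resp) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or not flags & QR:
        return "malformed"
    rcode = flags & RCODE_MASK
    if rcode == RCODE_REFUSED:
        return "refused"
    if not flags & RA:
        return "no-recursion"
    if rcode == RCODE_NOERROR and ancount > 0:
        return "open"
    return "other"


def probe(host, name="example.com", port=53, timeout=3.0):
    """Send one query to `host`; 'no-response' is the outcome you want on a WAN port."""
    txid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (host, port))
        try:
            resp, _ = s.recvfrom(512)
        except socket.timeout:
            return "no-response"
    return classify_response(resp, txid)


# Constructed replies (not captured from any real device) so the classifier can be
# exercised without network access.
def fake_answer(query, ip="93.184.216.34", flags=QR | RD | RA):
    """Reply an open resolver would send: echoes the question and adds one A record."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    # 0xC00C is a compression pointer back to the question name at offset 12
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return header + query[12:] + rr


def fake_refused(query):
    """Reply from a resolver that refuses outside clients."""
    txid = struct.unpack("!H", query[:2])[0]
    return struct.pack("!HHHHHH", txid, QR | RD | RCODE_REFUSED, 1, 0, 0, 0) + query[12:]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(sys.argv[1], probe(sys.argv[1]))
    else:
        q = build_query("example.com")
        print("open resolver reply  ->", classify_response(fake_answer(q), 0x1234))
        print("refused reply        ->", classify_response(fake_refused(q), 0x1234))
```

Run `probe()` from a host outside your own network (for example over a mobile connection) against your public IP: from the LAN side a home router is supposed to answer DNS, so a test from inside proves nothing. On the WAN side the acceptable results are "no-response" or "refused"; "open" means the device will recurse for anyone on the Internet, which is exactly what amplification attacks abuse.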

What can we learn from this? You can't trust your firewall's software to be OK. These embedded computers are riddled with vulnerabilities, and there's no good way to patch them.

5 Comments

  1. Tomi Engdahl says:

    I also found out this:

    Easy to exploit backdoor found in several D-Link router models
    http://hexus.net/tech/news/network/61245-easy-exploit-backdoor-found-several-d-link-router-models/

    It has been found that seven domestic router models, made by well-known networking firm D-Link, can be easily controlled remotely via a back door.

    provides full access to the router web interface with no username or password required

    Reply
  2. Tomi Engdahl says:

    It seems that there have been several different versions of the DIR-100 on the market, each needing different firmware. I seem to have the oldest revision, Rev B, and the newest firmware for it.
    http://ftp.dlink.ru/pub/Router/DIR-100/Firmware/

    Reply
  3. Tomi Engdahl says:

    My old DIR-100 firewall also seemed to have the same backdoor vulnerability as this one
    http://www.epanorama.net/newepa/2013/10/15/d-link-firewall-teardown-and-vulnerability/

    I had fixed that in time by disabling management through the WAN port (which is always a good idea unless you absolutely need it).

    Reply
  4. Tomi Engdahl says:

    D-link DIR-100 UART
    http://hwmayer.blogspot.fi/2010/09/d-link-dir-100-uart.html

    The first thing that I wanted to do was to add a serial port connector to see what's running inside it. After opening the case it was easy to find the UART pins on the PCB, as they looked similar to those in other D-Link devices.

    Reverse Engineering a D-Link Backdoor
    http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/

    Reply