11:54 pm (UTC-7) | by Ben April (Senior Threat Researcher)
The Attack: Complex but Practical and Effective
First, the attacker has to assume a position where he/she is capable of changing the DNS records of the domain that will be used for the attack. Next, the attacker will need to create various pages on the malicious domain that will host the Web side of the attack and link these with DNS. Finally, the attacker must have sufficient control of the Web server such that he/she can cause it to send a TCP reset (RST) command on demand.
How Users Can Protect Themselves
Normally, the admin console is not exposed to the Internet because many consumer routers include a default setting (or provide an option) that prevents any IP address outside of the local network from connecting to it. However, many services on these devices listen for connections on all interfaces. Packet filtering will prevent external users from accessing the admin console but internal users can often access the console using an external IP address.
Here are some suggestions that will reduce risks brought about by this attack based on the list of suggestions provided by Craig Heffner:
- Enable the HTTPS admin console on your device and don’t forget to disable the HTTP console (if possible).
- Use a strong password for your router. Change the user name to something other than the factory default, if possible. If you worry about forgetting the new password, write it down and put it on the device itself.
- Disable access to your router’s admin console from any external network. This option is often accessible from the admin console.
- If you choose not to use the DNS servers automatically provided by your ISP, use another recursive resolver (with permission) or a resolver offered for public use such as OpenDNS. This will protect you from the published version of this attack code and the root servers will thank you.
- If possible, add a firewall rule preventing devices on your local network from sending packets to the block that your public IP address is a member of. This will prevent any IP addresses on your LAN from contacting the external IP address of your router. If your ISP changes the block used in your neighborhood, however, you will need to edit this rule. As an added benefit, this rule will prevent your systems from inadvertently broadcasting to your neighbors.
- Keep the firmware of your router and other network devices up-to-date.
Updates as of August 5, 2010, 2:05 a.m. UTC
Share this article