Some routers are at risk for about 1 minute while the router reboots



Some routers are at risk for about 1 minute while the router reboots.

Not saying this is widespread or anything, just a cautionary heads up, something you may want to look for next time you reboot your router.

I heard this on Security Now on my walk last night, thought other people on the forum may want to know / read about this. I just copied and pasted the transcript from that section of the show into the thread.

Question #5,

Sami Lehtinen makes a GREAT observation about dangerously leaky "hardware" firewalls. He says: I wanted to warn people about potential problems with regular home routers such as the more expensive and fancy firewall routers that are very configurable. That configurability can backfire nastily. This kind of plays into what we were talking about earlier. While the router is booting - it's quite a long process - parts of the system start with default configuration, like the switch portion. This causes all LAN, WAN and DMZ ports to be completely bridged for about one minute. After that, normal NAT/SPI, DHCP, et cetera, function returns.

As far as I can tell, that's a very serious security issue. 60 seconds is more than enough for automated attacks to get through, even if somebody would claim it's just a short moment. And this is not just one case. I have noticed similar functionality in other products like this earlier from the same manufacturer. I assume the basic system they're using is flawed. It shouldn't start networking before everything else is ready.

It's very easy to notice this functionality when configuring the firewall because, if you run ipconfig /renew after reboot, it's trivial to get a public IP from the ISP's DHCP pool and use the Internet for about one minute. After that one minute the network stops working until you again renew the lease, and then you'll get the IP address from the local LAN DHCP pool, as expected.

Steve: Well, this is a fantastic observation, and I'm not at all surprised this is going on. But it's something that had never occurred to me before. Many of the fancier, higher end routers are based on Linux, and they've got a fundamental networking architecture which is supported at the low-level OS level. But then they layer on many more features which run as independent processes and, for example, hook into the network in order to add filtering and NAT routing functionality and so forth. But without those things running, that is, before they hook into the network layer, you have a generic bridging router with none of the security features enabled.

So this is a very real problem. What, I mean, the takeaway from this actually is to - what I would do is, and I'm probably going to do it from now on, I don't reboot my router very often, but I would disconnect my LAN side connection for a couple minutes until the router comes up and it settles down, and then bring my local network up inside. What he was saying, just to clarify, and this is one way to test this, he was saying that shortly after rebooting the router, if he then - he was using the Windows command, "ipconfig /renew," which tells Windows to go send out a query for its auto configuration, the DHCP, Dynamic Host Configuration Protocol, send out a query to get an IP.

What he discovered was that, if you do this shortly after the router comes up, you are actually connected directly out to the public Internet. And traffic is flowing both ways. You have a simple, non-NATed bridge to your network. So you send out a DHCP query, it goes to your ISP, not to your router. Which means you will get back a public routable IP, the one that would normally be acquired by your own router. You would obtain that. And your system would be on the Internet during that time. Eventually, the router's own DHCP server comes up, and its interception technology, NAT and so forth, comes up, the stateful packet inspection and all that. Then you get normal routing functions.

But what he observed, and this doesn't surprise me, but it's certainly something to be aware of, is that with a router which is actually probably Linux-based OS, it's going to take a while to get itself going. We know that these are not fast processors. They're little, cheesy, I mean, they're slow, barely enough to handle the normal traffic that you have through the router, and they're cutting costs every way they can.

So minimizing the complexity and the speed of the processors is one of the things that they do. So what that means is that it's fine once it gets going, but it really takes it a while to come up and get going. And during that time, you could actually have zero protection. I think that's really interesting.

TOM: So you could also just keep all your computers unconnected to the router during setup. But it seems simpler to just pull that connection to the Internet out because then you can make sure that your computers are getting assigned and everything.

Steve: Well, yes. The problem with that - I mean, yes. That's the - you have one connection to pull if you pull the WAN side. The problem then is that your router won't have been able to obtain, when it booted, a public IP. And so you'd have to give it a kick or wait for it to go ask again or do something. What I was wondering was whether you could run ShieldsUP! during that time. But the problem is you would, if you got a public IP - you have to have an IP in order to run ShieldsUP!. If you get a public IP anyway, then you know you've got a problem. So, I mean, you know that you've got no protection from the Internet during that window.

Now, this makes me glad that all of our personal computers now have their own software firewalls, also, because that's going to give you some protection. But, boy, this does say that you don't want to absolutely depend upon the software firewall in your machine. I'm sorry. You don't want to depend upon the hardware firewall offered by the router because it's transient. It's not present for a while when you're restarting your router. So what's safest, although it's not just a single plug, if you've got a router that also is a switch, you'd have to, like, pull all of the connections from it while it comes back up, wait for it to settle down, and then plug things back in again. But, wow, that's really a great observation.


Very general statement with no proof or actual specific hardware mentioned, they generalized all hardware and are basically saying "it all works this way" which isn't the case. So until someone can show me something specific, I consider this kind of stuff FUD.


Except every single router/firewall I've seen doesn't actually respond to anything while they're rebooting nor do they bridge/route any data, essentially the rules are loaded before the interface is up.

I agree with xendrome, lots of fud.


another one of Warwagon's router scaremongering threads with no real proof or truth behind it...

I'm not quoting this as gospel, just something people may want to keep an eye out for when rebooting their routers. Most are probably not affected by this, some might be. This was only a heads up.

I have seen the reverse of this on some DSL Modems. Upon rebooting the modem and doing an ipconfig /renew. You would get 192.168.x.x then... after about 1 min that number would change to the Internet IP address.

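The check the transcript in the opening post describes (run ipconfig /renew right after the router reboots and look at what lease you get), and the reverse DSL modem case mentioned above, both come down to one question: is the address and DHCP server on my LAN adapter inside my own LAN ranges, or did the request reach something on the WAN side? The script below is an added example, not code from the original post, the podcast, or any router vendor. It parses the Windows `ipconfig /all` output format, classifies each adapter's IPv4 lease and DHCP server against a list of expected LAN ranges, and flags anything outside them. The sample output embedded in it is constructed (documentation addresses), not captured from a real machine; the adapter names, field names and the 5-second polling interval are assumptions.

```python
"""Spot the symptom described in the post: a host behind a rebooting router
picking up a lease that is not from the router's own LAN pool. Parses the
Windows `ipconfig /all` format. Added example; not code from the original
post, the podcast, or any router vendor."""
import ipaddress
import platform
import re
import subprocess
import sys
import time

# Constructed sample of `ipconfig /all` output (not captured from a real
# machine). "Ethernet" shows what the post describes: a lease and DHCP server
# outside any private range. "Wi-Fi" shows the normal LAN lease.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : isp.example
   IPv4 Address. . . . . . . . . . . : 203.0.113.45(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 203.0.113.1
   DHCP Server . . . . . . . . . . . : 203.0.113.1

Wireless LAN adapter Wi-Fi:

   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
"""

# Ranges a home LAN lease is expected to fall in. Anything else (including
# CGNAT 100.64.0.0/10, which some ISPs hand out) is treated as "not ours".
LAN_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "169.254.0.0/16",                                   # APIPA: no DHCP reply at all
    "127.0.0.0/8",
)]

ADAPTER_RE = re.compile(r"^(?P<kind>\w[\w ]*) adapter (?P<name>.+):\s*$")
FIELD_RE = re.compile(r"^\s+(?P<key>[A-Za-z0-9 -]+?)[ .]*: (?P<value>\S.*)$")


def is_lan_address(addr):
    """True if addr lies in one of LAN_RANGES."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LAN_RANGES)


def parse_ipconfig(text):
    """Return {adapter name: {field: value}} from `ipconfig /all` output."""
    adapters, current = {}, None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = m.group("name")
            adapters[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            # ipconfig appends "(Preferred)" / "(Duplicate)" to addresses
            value = re.sub(r"\(.*\)$", "", m.group("value")).strip()
            adapters[current][m.group("key").strip()] = value
    return adapters


def foreign_leases(adapters):
    """Return [(adapter, ip, dhcp_server)] for adapters whose IPv4 lease or
    DHCP server is outside LAN_RANGES: the sign that the DHCP request
    reached something other than the router's own LAN-side server."""
    found = []
    for name, f in adapters.items():
        ip, server = f.get("IPv4 Address"), f.get("DHCP Server")
        if not ip:
            continue
        if not is_lan_address(ip) or (server and not is_lan_address(server)):
            found.append((name, ip, server))
    return found


def main(argv):
    """Run once, or N rounds with `ipconfig /renew` in between (Windows only)."""
    rounds = int(argv[1]) if len(argv) > 1 else 1
    for i in range(rounds):
        if platform.system() == "Windows":
            if i:
                subprocess.run(["ipconfig", "/renew"], capture_output=True)
            text = subprocess.run(["ipconfig", "/all"], capture_output=True,
                                  text=True).stdout
        else:
            text = SAMPLE_IPCONFIG   # no ipconfig here; show the sample
        hits = foreign_leases(parse_ipconfig(text))
        stamp = time.strftime("%H:%M:%S")
        for name, ip, server in hits:
            print(f"{stamp} WARNING {name}: lease {ip} from DHCP {server}")
        if not hits:
            print(f"{stamp} ok: all leases within LAN ranges")
        if i < rounds - 1:
            time.sleep(5)   # assumed polling interval between renewals


if __name__ == "__main__":
    main(sys.argv)
```

To reproduce the test from the transcript, start it with a round count (for example `python check_lease.py 20`) on a Windows machine wired to the router, then power-cycle the router; each round renews the lease and prints a timestamped line, so a WARNING followed a minute later by an "ok" line is exactly the bridged-then-NATed window being described. A lease from 169.254.0.0/16 is reported as fine by this script because it means no DHCP server answered at all, which is the behaviour the sceptical replies in this thread expect.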

let me guess Steve is "The Sky is falling Gibson" ;)

Yes I would agree it would be an issue if your isolated DMZ port(s) and your other switch ports were bridged while the router was booting for any length of time.. One example is all that's required to show proof of concept, did they give one piece of hardware that does this? If not it's scare tactics for what reason??

As to your router booting as a bridge before it NATs?? Come on -- again you have to provide at least 1 product that does this or you're just making **** up and trying to scare people

Here you go -- while your software firewall is booting your machine could be open to attack ;) So you should never use any software firewall ;) or should not have your wire connected to the network until your OS and software firewall are fully booted :rolleyes:
