
The latest developments in router attacks: what you need to know about people attacking your router.

Router Attacks – DNS Redirect

Routers are vulnerable to several types of attack.  The first is the combined DNS rebinding and Cross-Site Request Forgery (CSRF) attack, demonstrated at DEFCON 2010 as a modern attack against home routers.  The attack is fairly intricate because it chains several pieces together, and it works in three parts.  First, the attacker needs to be able to modify the DNS records of a domain they control.  Next, the attacker must be able to create various pages on that domain and link them to those DNS records.  The attack itself begins when the victim visits the malicious site, where the attacker obtains the user's public IP address.  The attacker then quickly creates a subdomain on the attack domain with two "A records": one pointing to the attacker's web server and the other pointing to the public IP address of the victim's router.  The web server redirects the victim's browser to a page with JavaScript code that will execute the CSRF portion of the attack (Trend Labs Security, 2010).  Once both of these steps are done the attacker controls the web server, meaning the attacker can send TCP reset (RST) packets on demand.  Finally, the browser begins to execute the JavaScript, which tries to connect to the temporary subdomain; the attacking server replies with an RST and ends the session, so the user's system tries the other IP address it knows for that hostname, which happens to be the external IP address of the victim's router (Trend Labs Security, 2010).  Results are then channeled back to the attacking server via a portal, and the attacker can try different credentials until one succeeds and they are fully connected.


DNS Redirect Prevention

There are a few ways to protect a router from this flavor of attack.  First and foremost, make sure you use HTTPS and disable the HTTP console if the router offers that configuration setting.  Always use strong passwords for routers, and always remove the factory default passwords.  Add a firewall rule preventing devices on the local network from sending packets to the IP block that your public IP address belongs to.  Keeping your firmware up to date is also a huge help.  Using a NoScript plugin can also protect against malicious JavaScript, since that is part of the attack.
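The two checks below illustrate the attack chain described above and the prevention advice in this section from the router's side. They are an added example, not code from the post or from Trend Micro, and they go slightly beyond the post's list: the first function filters DNS answers the way resolvers with rebinding protection do for private ranges, extended to the router's own WAN address because the variant above rebinds to the router's public IP; the second is a Host header check on the router's admin interface, which refuses a request that arrives with the attacker's hostname even though the TCP connection reached the router. All hostnames, addresses and the assumed WAN address are constructed for the example.

```python
"""Two router-side checks against the DNS rebinding / CSRF chain described above.

Added example, not code from the post or from Trend Micro. Hostnames,
addresses and the router's WAN address below are constructed for illustration.
"""
from ipaddress import ip_address, ip_network

# Address ranges a public hostname should never resolve to for a LAN client.
# Resolvers such as dnsmasq already drop answers in these ranges when
# rebinding protection is enabled; the WAN-address check below is added
# because the variant in the post rebinds to the router's public address.
_LOCAL_RANGES = [ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def suspicious_answers(qname, addresses, wan_ip, trusted_suffixes=()):
    """Return the A/AAAA records in an answer that point back at this network.

    qname            - the name the browser asked for
    addresses        - the addresses the upstream resolver returned
    wan_ip           - this router's own public address (assumed known to it)
    trusted_suffixes - internal zones that legitimately resolve to LAN space
    """
    qname = qname.rstrip(".").lower()
    if any(qname == s or qname.endswith("." + s) for s in trusted_suffixes):
        return []
    wan = ip_address(wan_ip)
    flagged = []
    for raw in addresses:
        ip = ip_address(raw)
        # 'in' is False across address families, so mixed lists are safe
        if ip == wan or any(ip in net for net in _LOCAL_RANGES):
            flagged.append(raw)
    return flagged


def _host_only(header_value):
    """Strip the port from a Host header, handling bracketed IPv6 literals."""
    host = header_value.strip().lower()
    if host.startswith("[") and "]" in host:
        return host[1:host.index("]")]
    return host.rsplit(":", 1)[0] if host.count(":") == 1 else host


def host_header_allowed(header_value, admin_hosts):
    """Admin-UI check: accept only requests whose Host names the router itself.

    After a rebind the browser still sends the attacker's hostname in Host,
    so comparing Host against the router's own names refuses the request
    even though the TCP connection reached the router.
    """
    return _host_only(header_value) in {h.lower() for h in admin_hosts}


if __name__ == "__main__":
    # Constructed scenario: attacker subdomain with two A records, one of
    # which is the victim router's (assumed) WAN address 198.51.100.7.
    print(suspicious_answers("tmp1.attacker.example",
                             ["203.0.113.5", "198.51.100.7"], "198.51.100.7"))
    print(host_header_allowed("tmp1.attacker.example", ["192.168.1.1", "router.lan"]))
    print(host_header_allowed("192.168.1.1:443", ["192.168.1.1", "router.lan"]))
```

The DNS filter belongs on the router's own resolver (so every LAN client benefits), while the Host header check belongs in the admin web server; the `trusted_suffixes` parameter exists because internal zones such as a corporate domain do legitimately resolve to private space and would otherwise be blocked.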


CDP Attacks

Another attack targets the Cisco Discovery Protocol (CDP), which all Cisco devices can use and which is enabled by default.  CDP advertises information about the network device such as the software version, IP address, platform, capabilities, and the native VLAN (Popeskic, 2011), and all of this is sent in clear text.  When this information is sniffed from VLAN traffic, an attacker can use it to find other exploits and orchestrate an attack such as a Denial of Service (DoS) attack.  CDP is also unauthenticated, meaning an attacker can craft fraudulent CDP packets and have them accepted by the Cisco device the attacker is directly connected to.  If an attacker can get access to the router via SNMP or Telnet, they can discover the entire topology of the network at Layer 2 and Layer 3, including IOS levels, router and switch model types, and the IP addressing scheme.


CDP Prevention

The way to prevent the CDP attack is simply to disable the default configuration that enables it on the router.  Administrators should not just focus on disabling it on a single interface, which allows the CDP table to stay populated, but disable it on the entire device.  Redscan (2013) says, “CDP can be useful and, if it can be isolated by not allowing it on user ports, then it can help make the network run more smoothly.”
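To make the CDP discussion above concrete, here is an added decoder (not code from the post, Cisco, Popeskic or Redscan) that parses a CDP advertisement, shows the clear-text fields the protocol exposes, and reports an advertisement that arrives on a port designated as a user port, which is the isolation the Redscan quote recommends. The TLV layout and type codes are CDP's public values; the advertisement itself, the port names and the `audit_cdp`/`user_ports` interface are constructed for this example. The decoder does not verify the CDP checksum; that field is an integrity check anyone can compute, which is the point made above about CDP being unauthenticated.

```python
"""Decode a CDP advertisement and flag ones arriving on user-facing ports.

Added example, not code from the post or from Cisco. The advertisement is
constructed here; TLV layout (2-byte type, 2-byte length that counts the
4-byte TLV header) and type codes are CDP's public values.
"""
import struct
from ipaddress import IPv4Address

TLV_DEVICE_ID, TLV_ADDRESSES, TLV_PORT_ID = 0x0001, 0x0002, 0x0003
TLV_CAPABILITIES, TLV_SOFTWARE_VERSION = 0x0004, 0x0005
TLV_PLATFORM, TLV_NATIVE_VLAN = 0x0006, 0x000A
CAPABILITY_BITS = {0x01: "router", 0x02: "tb-bridge", 0x04: "sr-bridge",
                   0x08: "switch", 0x10: "host", 0x20: "igmp", 0x40: "repeater"}


def _tlv(tlv_type, value):
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value


def build_sample_cdp():
    """Construct a CDP version 2 payload (the bytes after the SNAP header)."""
    # Address TLV: 4-byte count, then per address: protocol type 1 (NLPID),
    # protocol length 1, protocol 0xCC (IPv4), 2-byte address length, address.
    address_tlv = (struct.pack("!I", 1) + bytes([1, 1, 0xCC])
                   + struct.pack("!H", 4) + IPv4Address("192.0.2.10").packed)
    body = (_tlv(TLV_DEVICE_ID, b"constructed-sw1")
            + _tlv(TLV_ADDRESSES, address_tlv)
            + _tlv(TLV_PORT_ID, b"GigabitEthernet0/1")
            + _tlv(TLV_CAPABILITIES, struct.pack("!I", 0x08 | 0x20))
            + _tlv(TLV_SOFTWARE_VERSION, b"Constructed IOS version string")
            + _tlv(TLV_PLATFORM, b"constructed-platform")
            + _tlv(TLV_NATIVE_VLAN, struct.pack("!H", 1)))
    # version 2, TTL 180 s; checksum left as zero in this constructed sample
    return bytes([2, 180, 0, 0]) + body


def _parse_addresses(value):
    count = struct.unpack_from("!I", value, 0)[0]
    offset, found = 4, []
    for _ in range(count):
        proto_type, proto_len = value[offset], value[offset + 1]
        proto = value[offset + 2:offset + 2 + proto_len]
        addr_len = struct.unpack_from("!H", value, offset + 2 + proto_len)[0]
        start = offset + 4 + proto_len
        raw = value[start:start + addr_len]
        offset = start + addr_len
        if proto_type == 1 and proto == b"\xcc" and addr_len == 4:
            found.append(str(IPv4Address(raw)))
    return found


def parse_cdp(payload):
    """Return the clear-text fields of a CDP payload as a dict."""
    if len(payload) < 4:
        raise ValueError("CDP payload too short")
    info = {"version": payload[0], "ttl": payload[1], "addresses": []}
    offset = 4
    while offset + 4 <= len(payload):
        tlv_type, tlv_len = struct.unpack_from("!HH", payload, offset)
        if tlv_len < 4 or offset + tlv_len > len(payload):
            raise ValueError("malformed TLV at offset %d" % offset)
        value = payload[offset + 4:offset + tlv_len]
        if tlv_type == TLV_DEVICE_ID:
            info["device_id"] = value.decode("ascii", "replace")
        elif tlv_type == TLV_PORT_ID:
            info["port_id"] = value.decode("ascii", "replace")
        elif tlv_type == TLV_SOFTWARE_VERSION:
            info["software_version"] = value.decode("ascii", "replace")
        elif tlv_type == TLV_PLATFORM:
            info["platform"] = value.decode("ascii", "replace")
        elif tlv_type == TLV_NATIVE_VLAN:
            info["native_vlan"] = struct.unpack("!H", value)[0]
        elif tlv_type == TLV_CAPABILITIES:
            mask = struct.unpack("!I", value)[0]
            info["capabilities"] = [n for b, n in CAPABILITY_BITS.items() if mask & b]
        elif tlv_type == TLV_ADDRESSES:
            info["addresses"] = _parse_addresses(value)
        offset += tlv_len
    return info


def audit_cdp(ingress_port, user_ports, payload):
    """Parse an advertisement and report it if it arrived on a port that
    should not carry CDP. Returns (info, findings). Port naming is assumed."""
    info = parse_cdp(payload)
    findings = []
    if ingress_port in user_ports:
        findings.append("CDP from %s (%s) seen on user port %s" % (
            info.get("device_id", "?"), ", ".join(info["addresses"]) or "no IP",
            ingress_port))
    return info, findings


if __name__ == "__main__":
    sample = build_sample_cdp()
    print(parse_cdp(sample))
    print(audit_cdp("Gi0/12", {"Gi0/10", "Gi0/11", "Gi0/12"}, sample))
```

Running the decoder over a real capture (the CDP payload follows the LLC/SNAP header in the frame) prints exactly the fields the section lists as exposed: device name, management IP, platform, software version, capabilities and native VLAN. Nothing in the payload ties it to a particular sender, so the only reliable control is the one in the text: disable CDP where it is not needed, and never allow it on user ports.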


Figure 1. Warning message displayed on an HTTP website by an infected router.


References

Popeskic, V. (2011, December 16). CDP attacks – Cisco Discovery Protocol attack. Retrieved from https://howdoesinternetwork.com/2011/cdp-attack

Redscan. (2013, December 19). Ten top threats to VLAN security. Retrieved from https://www.redscan.com/news/ten-top-threats-to-vlan-security/

TrendLabs Security. (2010, August 10). Protecting your router against possible DNS rebinding attacks. TrendLabs Security Intelligence Blog. Retrieved from http://blog.trendmicro.com/trendlabs-security-intelligence/protecting-your-router-against-possibl-dns-rebinding-attacks/

TrendLabs Security. (2015, May 20). New router attack displays fake warning messages. TrendLabs Security Intelligence Blog. Retrieved from http://blog.trendmicro.com/trendlabs-security-intelligence/new-router-attack-displays-fake-warning-messages/