Linksys DSL router may be used in DDOS scheme
7th Jan 2002 [SBWID-4975]
COMMAND

	Linksys DSL router may be used in DDOS scheme

SYSTEMS AFFECTED

	BEFN2PS4 (EtherFast Cable/DSL Router & Voice with 4-Port Switch)
	BEFSR81 (EtherFast Cable/DSL Router with 8-Port Switch)

PROBLEM

	Matthew S. Hallacy posted:

	Querying Linksys devices with the default community of 'public'
	causes them to set the address that queried as their snmptrap host,
	dumping traffic such as the following to that address:
	

	Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36, enterprises.3955.1.1.0 "@out 192.168.1.200 ==> 24.254.60.13[110]."
	Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36, enterprises.3955.1.1.0 "@out 192.168.1.200 ==> 216.120.8.23[5632]."
	Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36, enterprises.3955.1.1.0 "@out 192.168.1.200 ==> 216.120.8.3[5632]."
	Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36, enterprises.3955.1.1.0 "@out 192.168.1.200 ==> 216.120.8.4[5632]."
	Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36, enterprises.3955.1.1.0 "@out 192.168.1.200 ==> 216.120.8.5[5632]."
	Enterprise Specific Trap (1) Uptime: 2 days, 6:04:38.11, enterprises.3955.1.1.0 "-->[U]Send OP:    ^ps_status_q 15049C0DFC9B03166D55EA30474D04FB 9218583272 a .."
	Enterprise Specific Trap (1) Uptime: 2 days, 6:04:38.11, enterprises.3955.1.1.0 "<--[U]Recv __:    ^ps_status_r.15049C0DFC9B03166D55EA30474D04FB.\"\".0.."

	

	It looks like a combination of debugging information as well as traffic
	logging; many customers never use the configuration page, let alone
	change the SNMP communities. To make the matter worse, LinkSys refuses
	to distribute an MIB for the device, which is not surprising considering
	the SNMP implementation on the device is rather broken (it goes into a
	continuous loop).
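
	Added example, not part of the original post and not Linksys code: a Python sketch that reads trap-receiver output in the format quoted above and lists which internal hosts and destinations the traps disclose. The names `parse_traps` and `exposure` and the sample input are assumptions made for the illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the trap format quoted above (wraps joined, "=3D"
# decoded to "="); the debug payload and the last line are made up.
SAMPLE = """\
Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36, enterprises.3955.1.1.0 "@out 192.168.1.200 ==> 24.254.60.13[110]."
Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36, enterprises.3955.1.1.0 "@out 192.168.1.200 ==> 216.120.8.23[5632]."
Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36, enterprises.3955.1.1.0 "@out 192.168.1.200 ==> 216.120.8.3[5632]."
Enterprise Specific Trap (1) Uptime: 2 days, 6:04:38.11, enterprises.3955.1.1.0 "-->[U]Send OP: constructed-debug-payload"
Enterprise Specific Trap (1) Uptime: 0:10:00.00, enterprises.9999.1.0 "constructed trap from another device"
"""

TRAP = re.compile(r'enterprises\.3955\.1\.1\.0\s+"(?P<msg>.*)"\s*$')
FLOW = re.compile(r'@(?P<dir>\w+)\s+(?P<src>\d+(?:\.\d+){3})\s+==>\s+'
                  r'(?P<dst>\d+(?:\.\d+){3})\[(?P<port>\d+)\]')

def parse_traps(text):
    """Split enterprise-3955 traps into flow records and other messages."""
    flows, other = [], []
    for line in text.splitlines():
        trap = TRAP.search(line)
        if not trap:
            continue  # not a trap under enterprises.3955.1.1.0
        m = FLOW.match(trap["msg"])
        if m:
            flows.append((m["dir"], m["src"], m["dst"], int(m["port"])))
        else:
            other.append(trap["msg"])  # debug text rather than a flow record
    return flows, other

def exposure(flows):
    """Map each private (RFC 1918) source to the destinations disclosed."""
    seen = defaultdict(set)
    for _direction, src, dst, port in flows:
        try:
            private = ipaddress.ip_address(src).is_private
        except ValueError:
            continue  # malformed address in the trap text
        if private:
            seen[src].add((dst, port))
    return {src: sorted(dsts) for src, dsts in seen.items()}

if __name__ == "__main__":
    flows, other = parse_traps(SAMPLE)
    for src, dsts in exposure(flows).items():
        print(src, "disclosed", dsts)
    print(len(other), "non-flow debug message(s) also disclosed")
```
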
	

	 Update
	 ======

	The Cyberiad [http://www.nmrc.org] reported that he tested SNMP WAN
	access on a BEFSR81 device, revision 2.37, and successfully modified
	the device's forwarding rules, saving the changes thanks to the
	community string:
	

	.1.3.6.1.4.1.3955.3.1.6.0

	integer valued ... set to 1 to save new vals/recycle.

	

	

SOLUTION

	The vendor doesn't seem responsive, yet the v2.38.1 firmware release
	reportedly blocks WAN SNMP.
	

	 Update
	 ======

	Use the following revisions:
	

	 BEFSR41 - v1.40.2

	 BEFSR81 - v2.40.2

	

	
