Bugtraq mailing list archives

Re: DoSing the Netgear ISDN RT34x router.


From: mwade () CDC NET (Mike Wade)
Date: Fri, 25 Feb 2000 21:59:07 -0500


On Fri, 25 Feb 2000, Swift Griggs wrote:

> HOW:
> Door #1: SYN scan the router with nmap. It'll deny all connections to port
>          23 after that for about 5 minutes per packet. DoSing it in
>          this way is trivial. Of course spoofed packets work just
>          great.
>
> Door #2: Telnet to it. Sit there. No one else can manage it, regardless
>          of whether you have authenticated or not.
>
> Door #3: Send it tons of ICMP redirects; it'll stop routing packets at
>          all during the storm (which can be fairly light) and it'll
>          take about 30 seconds to recover. (Try winfreeze.c.)
>
> Door #4: Send it some contrived RIP packets with host routes for your
>          favorite people in the office set to loopback. The default
>          is to allow RIP-2B in both directions.

I own one of these gimpy so-called routers and have found many bugs that
are similar to the ones you've mentioned.  Generally, I've found the
TCP/IP stack + NAT features to be of very low quality.  Perhaps this is to
be expected at a low price point, but their firmware is just plain broken.

Bug #5: Send a single UDP packet between 63000 - 65000 bytes to the router
        from local or remote.  This will lock the router up between 15 -
        30 seconds and sometimes reboot.  Sending these packets once about
        every 10 seconds is enough to keep the router locked up forever.
        Perhaps this is a memory issue?

Bug #6: Broken and sometimes legit IRC DCC and Real Audio/Video
        requests (film.com's trailers usually send my router into endless
        reboots) often cause the router to reboot when using NAT.  This
        is obviously just sad coding.

Bug #7: Legit traffic is often dropped in NAT mode after >12 hours of
        connection time (I assume the NAT tables leak).  Open connections
        are not affected, however no new connections will be created.  The
        only solution is to disconnect or reboot the router.  I believe
        this to be related to poor timing out of UDP packets such as DNS
        queries sitting stale in the NAT table.

I'm sure there are plenty of other bugs that can be found dealing with the
TCP/IP stack and NAT mode.  The current release version of firmware for
these routers is '1.50(C.00)' but I do have a beta version of the firmware
that I have not tested that is labeled '2.20 Beta 15' from August of 1999.

I see Netgear has some newer model ISDN routers available.  Is Netgear
even supporting these routers any more?

---
Mike Wade (mwade () cdc net)
Director of Systems Administration
CDC Internet, Inc.
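Door #4 in the quoted post relies on a router that installs whatever a RIPv2 response tells it, including /32 host routes whose next hop is loopback. The following is an added example, not code from either poster or from Netgear: it packs RIPv2 entries in the RFC 2453 wire format, parses them back, and audits a response for the entries a router should never learn from a neighbour (host routes, loopback next hops or destinations, out-of-range metrics). All addresses in the sample packet are constructed; nothing here is sent on the wire.

```python
"""RIPv2 (RFC 2453) response builder plus a small auditor for the kind of
advertisement described in Door #4: host routes (/32 mask) that steer one
machine's traffic to a loopback next hop.  Example code added for this
page; not from the original post or from Netgear.  All addresses are
constructed sample data."""
import ipaddress
import struct

RIP_REQUEST = 1
RIP_RESPONSE = 2
RIP_V2 = 2
AF_INET = 2               # address family of a normal route entry
AF_AUTH = 0xFFFF          # first entry may carry authentication, not a route
ENTRY_FMT = "!HH4s4s4sI"  # AFI, route tag, address, mask, next hop, metric
ENTRY_LEN = struct.calcsize(ENTRY_FMT)  # 20 bytes per entry


def build_entry(dst, mask, next_hop, metric, route_tag=0):
    """Pack one RIPv2 route entry (RFC 2453 section 4)."""
    return struct.pack(ENTRY_FMT, AF_INET, route_tag,
                       ipaddress.IPv4Address(dst).packed,
                       ipaddress.IPv4Address(mask).packed,
                       ipaddress.IPv4Address(next_hop).packed,
                       metric)


def build_response(entries):
    """RIPv2 response: 4-byte header (command, version, zero) + entries."""
    header = struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)
    return header + b"".join(build_entry(*e) for e in entries)


def parse_rip(packet):
    """Return (command, version, [entry dicts]); raise on bad framing."""
    if len(packet) < 4 or (len(packet) - 4) % ENTRY_LEN:
        raise ValueError("malformed RIP packet: %d bytes" % len(packet))
    command, version, _zero = struct.unpack("!BBH", packet[:4])
    entries = []
    for off in range(4, len(packet), ENTRY_LEN):
        afi, tag, dst, mask, nh, metric = struct.unpack(
            ENTRY_FMT, packet[off:off + ENTRY_LEN])
        entries.append({
            "afi": afi, "tag": tag,
            "dst": str(ipaddress.IPv4Address(dst)),
            "mask": str(ipaddress.IPv4Address(mask)),
            "next_hop": str(ipaddress.IPv4Address(nh)),
            "metric": metric,
        })
    return command, version, entries


def audit_response(packet):
    """Flag entries a router should never accept from a neighbour.
    Returns a list of (entry, [reasons]); empty list means nothing odd."""
    command, version, entries = parse_rip(packet)
    findings = []
    if command != RIP_RESPONSE:
        return findings            # requests carry no routes to install
    for e in entries:
        if e["afi"] == AF_AUTH:
            continue               # authentication entry, not a route
        reasons = []
        if e["mask"] == "255.255.255.255":
            reasons.append("host route (/32)")
        if ipaddress.IPv4Address(e["next_hop"]).is_loopback:
            reasons.append("next hop is loopback")
        if ipaddress.IPv4Address(e["dst"]).is_loopback:
            reasons.append("destination is loopback")
        if not 1 <= e["metric"] <= 16:   # 16 is "unreachable" in RIP
            reasons.append("metric outside 1..16")
        if reasons:
            findings.append((e, reasons))
    return findings


def sample_packet():
    """Constructed sample: one ordinary subnet route followed by a
    Door #4 style host route that sends 192.168.1.50 to 127.0.0.1.
    Next hop 0.0.0.0 means 'route via the sender', per RFC 2453."""
    return build_response([
        ("192.168.1.0", "255.255.255.0", "0.0.0.0", 1),
        ("192.168.1.50", "255.255.255.255", "127.0.0.1", 1),
    ])


if __name__ == "__main__":
    for entry, reasons in audit_response(sample_packet()):
        print(entry["dst"], entry["mask"], entry["next_hop"], reasons)
```

The auditor expects the UDP payload of a RIP packet (RIPv2 runs on UDP port 520, normally multicast to 224.0.0.9), so it can be fed from a capture taken on the LAN segment. It is a detection aid only: the operational fix for a device that does not need to learn routes is to stop it listening for RIP at all (the quoted post says the default is RIP-2B in both directions), since RIPv2 without authentication will accept these entries from any host on the segment.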
