[Dshield] Request for Information re: Linksys Router Logging and Dshield Submissions

John Holmblad jholmblad at aol.com
Thu Oct 16 16:23:18 GMT 2003


I recently made a modification to my Linksys router (BEFSX41) to 
explicitly filter (by configuring a new filter using the filters tab on 
the www browser based control console for the Linksys router) incoming 
packets targeted to UDP port 1026 on my router and coming from the 
Internet. I did this because I was noticing a lot of such "hits" 
recently in my DShield submissions. Thanks to yesterday's posting by 
John Hardin, which clarified the protocol mechanism that Microsoft OSes 
use for the Messenger Service, I now realize that these "hits" were 
probably of that kind and that these submissions may have somehow 
contributed to DShield's statistics, and, in turn, Microsoft's awareness 
that something was going on with respect to a vulnerability in the 
Messenger service.
One side effect of this new filtering rule in my router appears to be 
that my daily submissions to Dshield via the CVTWIN software no longer 
report such "hits". This diminution of Dshield submission volume was 
a surprising result to me, especially because, when I use the 
aforementioned Linksys "www browser based control console" to examine 
the log file entries, such "hits", which formerly appeared in green type 
font, are now in red, indicating that they were stopped by a filtering 
rule! Obviously, red should be of more concern than green, so why don't 
these log entries, which are now flagged in red type font, get into my 
submissions to Dshield? If I am correct, then this outcome does not 
seem to fall into the realm of "best practice" because otherwise useful 
information for Dshield is now not getting where it is supposed to go! 
The reduction in submission volume is significant (at least the part 
that I see in the email message that I get copied on, which shows about a 
10:1 reduction with, of course, total elimination of entries for 
incoming UDP packets on port 1026).

Because this router also performs NAT/PAT and because I do NOT have any 
Addr/Port to service mappings for incoming connections of any protocol 
type, the router first logs and then drops such TCP "connection 
request" or UDP "connectionless" packets. As a consequence, during the 
time period before I had the filtering rule in effect (that is, from 
when I installed the router until yesterday), I believe I was and am 
still fairly safe from attack from the Internet even without this 
filtering rule. Therefore one simple "workaround" for this anomaly 
would be to turn the filter off so that Dshield can get the additional 
"hit" volume that is now being suppressed by imposition of this 
filtering rule.

In general it would appear that the only vulnerability of a NAT/PAT 
router without any mapping of incoming connections to available 
services would be the case of "session hijacking", where an attacker, 
using a "man in the middle" attack, is able to take over an open 
"transaction query response pair", say of a UDP based service on the LAN 
that is awaiting a UDP response from the Internet side of such a 
session. Unfortunately, the Linksys documentation does not provide any 
insight as to what steps their product takes to thwart such attacks. It 
is not even clear whether or not their product is IETF RFC compliant 
with respect to NAT/PAT (e.g. UDP packet response wait timer setting), 
since their User Guide documentation does not specifically mention any 
such compliance.

I should add that I rely on the Linksys Logviewer software to "catch" 
the router log info which the Linksys router sends out via SNMP onto 
the LAN to the PC which is running Logviewer. This is Linksys freeware 
that I do not think has been updated by Linksys for quite some time. It 
is possible that the Linksys router uses a different SNMP packet type to 
send "red" log entries as opposed to "green" or "black" log entries and 
therefore the Logviewer software is not picking up such packets. Before 
I take the trouble of running an Ethereal trace on the 
Linksys<=>Logviewer packet flows, I thought I would ask any members of 
this list who are using this Linksys product if they understand what is 
going on here. Any help will be appreciated.

I would add that I have spoken to Linksys customer support and requested, 
on more than one occasion, that they provide improved documentation on 
the firewall related aspects of the BEFSX41, but so far I have not gotten 
any useful response. The only good news here is that they at least have 
people to answer the telephone when you call them, which is more than 
you can say for a lot of suppliers to the SOHO market. This lack of good 
documentation is unfortunate for Linksys because if they did a little 
more work on the firewall side (first documentation wise and then some 
product improvements) I think their product would be much more suited as 
a low end Small Office router than it is today. I have copied Linksys 
on this email as well, so if I get a response I will let you all know 
what I learn from them.

Best Regards,


John Holmblad


Televerage International


(H) 703 620 0672

(M) 703 407 2278

(F) 703 620 5388


www page: www.vtext.com/users/jholmblad

primary email address: jholmblad at aol.com

backup email address: jholmblad at verizon.net

text email address: jholmblad at vtext.com
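An added illustration of the point raised above, not code from the poster, Linksys or DShield: a converter that turns router log entries into DShield-style submission records must count dropped and filtered entries as "hits" just like allowed ones, otherwise adding a filter rule silently shrinks the submission volume. The log line layout, the DShield column layout and the user id are all constructed assumptions for this example, not the real BEFSX41 SNMP trap text or the real CVTWIN format.

```python
import re
from collections import Counter

# Constructed sample router log (the layout is an assumption, not the
# real BEFSX41 format). Same UDP/1026 probes before and after the filter:
# "allowed" is a green entry, "filtered" a red one, "dropped" a NAT drop.
SAMPLE_LOG = """\
2003-10-15 03:12:44 IN 203.0.113.7:1026 -> 198.51.100.20:1026 UDP allowed
2003-10-15 03:15:02 IN 203.0.113.9:3412 -> 198.51.100.20:135 TCP dropped
2003-10-16 03:16:10 IN 203.0.113.7:1026 -> 198.51.100.20:1026 UDP filtered
2003-10-16 03:20:31 IN 203.0.113.11:1026 -> 198.51.100.20:1026 UDP filtered
garbage line that the parser must skip
"""

LINE_RE = re.compile(
    r"(?P<date>\d{4}-\d\d-\d\d) (?P<time>\d\d:\d\d:\d\d) IN "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<proto>TCP|UDP) (?P<action>allowed|dropped|filtered)$"
)


def parse_log(text):
    """Return one dict per recognised line; unrecognised lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def to_submission(records, user_id="0", include_blocked=True):
    """Tab-separated records in an assumed DShield-like layout:
    date time tz, user id, count, src ip, src port, dst ip, dst port, proto.
    With include_blocked=False the converter behaves like the poster's
    observation: red (filtered/dropped) entries vanish from the submission."""
    rows = []
    for r in records:
        if not include_blocked and r["action"] != "allowed":
            continue
        rows.append("\t".join([f'{r["date"]} {r["time"]} +00:00', user_id, "1",
                               r["src"], r["sport"], r["dst"], r["dport"],
                               r["proto"]]))
    return rows


def hits_by_port_and_action(records):
    """Counter keyed by (dst port, action), to see what a filter rule hides."""
    return Counter((r["dport"], r["action"]) for r in records)
```

Running `to_submission(parse_log(SAMPLE_LOG), include_blocked=False)` yields one row out of four, which is the volume drop described in the message.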
