1 files changed, 156 insertions, 0 deletions
diff --git a/informationals/teso-i0023.txt b/informationals/teso-i0023.txt
new file mode 100644
index 0000000..b21eb1c
--- /dev/null
+++ b/informationals/teso-i0023.txt
@@ -0,0 +1,156 @@
+0023 2000/04/16  Information on BinTec Router DoS 
+==== TESO Informational =======================================================
+This piece of information is to be kept confidential.
+===============================================================================
+Description ..........: By filling the NAT table of a BinTec Router one can
+                        force the machine to reboot because of memory shortage
+Date .................: 2000/04/16 00:00
+Author ...............: rookie
+Publicity level ......: unknown
+Affected .............: BinTec Router (BRICK-XS1/4 tested)
+                        Firmware 4.9.3 has fixed this bug by deleting
+                        Table entries, the 'Final Release' 5.1.2 reintroduced
+                        the bug again
+Type of entity .......: 
+Type of discovery ....:
+Severity/Importance ..: low, stupid DoS, easy to use
+Found by .............: rookie
+===============================================================================
+BinTec Router will reboot automatically when memory is short, so the perfect
+DoS is to fill up the memory.
+A common setup especially for workgroup and small business Access Router to
+connect many computers over one or two ISDN lines is NAT (Network Adress
+Translation). However, NAT is also considered to be a 'security feature'
+because it acts like a stateful transparent proxy for private networks, so it
+can be found on other setups, too.
+Due to this behaviour a router doing NAT has to manage a table with the
+following information for every connection:
+internal network ip & port -> router external port -> target ip & port 
+a.)
+Example from an XS Router (Firmware 5.1.2):
+cass:system> ipNatTable
+inx IfIndex(*ro)      Protocol(*ro)     IntAddr(*ro)      IntPort(*ro)
+    ExtAddr(ro)       ExtPort(ro)       RemoteAddr(ro)    RemotePort(ro)
+    Direction(ro)     Age(ro)
+ 00 10001             tcp               192.168.0.100     1112
+    195.202.39.137    32824             212.3.152.130     50005
+    outgoing          0 00:00:02.00
+b.)
+A packet with SYN flag establishes an entry:
+raven:~# nmap -sS www.ccc.de -p 12345
+ 08 10001             tcp               192.168.0.100     63072
+    195.202.39.137    33016             195.21.255.248    12345
+    outgoing          0 00:00:02.00
+c.)
+However the table entry is deleted for that connection if a RST, FIN or
+ICMP Error is received:
+cass:ipExtIfTable> ipextifnatrmvfin
+inx NatRmvFin(rw)
+ 00 yes /* ethernet 1*/
+ 01 yes /* ethernet 2*/
+ 02 yes /* dial up line */
+d.)
+For idle connections there is a timeout of 1 hour for TCP and 30
+seconds for icmp and udp:
+cass:ipExtIfTable> ipextifnattcptimeout
+inx NatTcpTimeout(rw)
+ 00 3600
+ 01 3600
+ 02 3600
+cass:ipExtIfTable> ipextifnatothertimeout
+inx NatOtherTimeout(rw)
+ 00 30
+ 01 30
+ 02 30
+Notice: Setting down the timeout won't help much, you can force the machine
+        to reboot with nmap -sS down to about 2 seconds *with* RSTet
+        connections. With anything below 30 seconds the router will kill any
+        telnet, IRC and whatsoever idle connection.
+Conclusion: Rebooting the machine from the masqueraded network is trivial by
+            sending lots of SYN packets from different source IPs and ports to
+            an external IP that does not send RST packets back (however even
+            thenn the router memory might overflow)
+e.)
+Very often a forward rule is implemented to allow services from the outside
+through NAT. 
+The default behaviour is to reject connections from the outside:
+Apr 19 23:39:18 cass INET: NAT: refused incoming session on ifc 10001 prot 6
+195.202.39.137:113 <- 128.176.216.234:1046
+However a forward rule can be defined:
+          Service                         user defined
+          Protocol                        tcp
+          Port (-1 for any)               113
+          Destination                     192.168.0.100
+The identd request goes through:
+Apr 20 00:39:28 raven tcplogd: auth connection attempt from
+HOTSPOT2.UNI-MUENSTER.DE [128.176.216.234]
+f.)
+Entry in the NAT Table:
+cass:ipNatTable> ipNatTable
+inx IfIndex(*ro)      Protocol(*ro)     IntAddr(*ro)      IntPort(*ro)
+    ExtAddr(ro)       ExtPort(ro)       RemoteAddr(ro)    RemotePort(ro)
+    Direction(ro)     Age(ro)
+ 05 10001             tcp               192.168.0.100     113
+    195.202.39.137    113               128.176.216.234   1049
+    incoming          0 00:00:05.00
+Conclusion: Rebooting from the outside is simple if a forward rule has been
+            defined (very likely).
+===============================================================================

diff --git a/informationals/teso-i0023.txt b/informationals/teso-i0023.txt new file mode 100644 index 0000000..b21eb1c --- /dev/null +++ b/informationals/teso-i0023.txt
@@ -0,0 +1,156 @@
	1	0023 2000/04/16 Information on BinTec Router DoS
	2
	3	==== TESO Informational =======================================================
	4	This piece of information is to be kept confidential.
	5	===============================================================================
	6
	7	Description ..........: By filling the NAT table of a BinTec Router one can
	8	force the machine to reboot because of memory shortage
	9	Date .................: 2000/04/16 00:00
	10	Author ...............: rookie
	11	Publicity level ......: unknown
	12	Affected .............: BinTec Router (BRICK-XS1/4 tested)
	13	Firmware 4.9.3 has fixed this bug by deleting
	14	Table entries, the 'Final Release' 5.1.2 reintroduced
	15	the bug again
	16	Type of entity .......:
	17	Type of discovery ....:
	18	Severity/Importance ..: low, stupid DoS, easy to use
	19	Found by .............: rookie
	20
	21	===============================================================================
	22
	23	BinTec Router will reboot automatically when memory is short, so the perfect
	24	DoS is to fill up the memory.
	25
	26	A common setup especially for workgroup and small business Access Router to
	27	connect many computers over one or two ISDN lines is NAT (Network Adress
	28	Translation). However, NAT is also considered to be a 'security feature'
	29	because it acts like a stateful transparent proxy for private networks, so it
	30	can be found on other setups, too.
	31
	32	Due to this behaviour a router doing NAT has to manage a table with the
	33	following information for every connection:
	34
	35	internal network ip & port -> router external port -> target ip & port
	36
	37
	38	a.)
	39
	40	Example from an XS Router (Firmware 5.1.2):
	41
	42	cass:system> ipNatTable
	43
	44	inx IfIndex(ro) Protocol(ro) IntAddr(ro) IntPort(ro)
	45	ExtAddr(ro) ExtPort(ro) RemoteAddr(ro) RemotePort(ro)
	46	Direction(ro) Age(ro)
	47
	48	00 10001 tcp 192.168.0.100 1112
	49	195.202.39.137 32824 212.3.152.130 50005
	50	outgoing 0 00:00:02.00
	51
	52
	53	b.)
	54
	55	A packet with SYN flag establishes an entry:
	56
	57	raven:~# nmap -sS www.ccc.de -p 12345
	58
	59	08 10001 tcp 192.168.0.100 63072
	60	195.202.39.137 33016 195.21.255.248 12345
	61	outgoing 0 00:00:02.00
	62
	63
	64	c.)
	65
	66	However the table entry is deleted for that connection if a RST, FIN or
	67	ICMP Error is received:
	68
	69	cass:ipExtIfTable> ipextifnatrmvfin
	70
	71	inx NatRmvFin(rw)
	72
	73	00 yes /* ethernet 1*/
	74
	75	01 yes /* ethernet 2*/
	76
	77	02 yes /* dial up line */
	78
	79
	80	d.)
	81
	82	For idle connections there is a timeout of 1 hour for TCP and 30
	83	seconds for icmp and udp:
	84
	85	cass:ipExtIfTable> ipextifnattcptimeout
	86
	87	inx NatTcpTimeout(rw)
	88
	89	00 3600
	90
	91	01 3600
	92
	93	02 3600
	94
	95	cass:ipExtIfTable> ipextifnatothertimeout
	96
	97	inx NatOtherTimeout(rw)
	98
	99	00 30
	100
	101	01 30
	102
	103	02 30
	104
	105
	106	Notice: Setting down the timeout won't help much, you can force the machine
	107	to reboot with nmap -sS down to about 2 seconds with RSTet
	108	connections. With anything below 30 seconds the router will kill any
	109	telnet, IRC and whatsoever idle connection.
	110
	111	Conclusion: Rebooting the machine from the masqueraded network is trivial by
	112	sending lots of SYN packets from different source IPs and ports to
	113	an external IP that does not send RST packets back (however even
	114	thenn the router memory might overflow)
	115
	116	e.)
	117
	118	Very often a forward rule is implemented to allow services from the outside
	119	through NAT.
	120
	121	The default behaviour is to reject connections from the outside:
	122
	123	Apr 19 23:39:18 cass INET: NAT: refused incoming session on ifc 10001 prot 6
	124	195.202.39.137:113 <- 128.176.216.234:1046
	125
	126	However a forward rule can be defined:
	127
	128	Service user defined
	129	Protocol tcp
	130	Port (-1 for any) 113
	131	Destination 192.168.0.100
	132
	133	The identd request goes through:
	134
	135	Apr 20 00:39:28 raven tcplogd: auth connection attempt from
	136	HOTSPOT2.UNI-MUENSTER.DE [128.176.216.234]
	137
	138
	139	f.)
	140
	141	Entry in the NAT Table:
	142
	143	cass:ipNatTable> ipNatTable
	144
	145	inx IfIndex(ro) Protocol(ro) IntAddr(ro) IntPort(ro)
	146	ExtAddr(ro) ExtPort(ro) RemoteAddr(ro) RemotePort(ro)
	147	Direction(ro) Age(ro)
	148
	149	05 10001 tcp 192.168.0.100 113
	150	195.202.39.137 113 128.176.216.234 1049
	151	incoming 0 00:00:05.00
	152
	153	Conclusion: Rebooting from the outside is simple if a forward rule has been
	154	defined (very likely).
	155
	156	===============================================================================