0023 2000/04/16  Information on BinTec Router DoS 

==== TESO Informational =======================================================
This piece of information is to be kept confidential.
===============================================================================

Description ..........: By filling the NAT table of a BinTec Router one can
                        force the machine to reboot because of memory shortage
Date .................: 2000/04/16 00:00
Author ...............: rookie
Publicity level ......: unknown
Affected .............: BinTec Router (BRICK-XS1/4 tested)
                        Firmware 4.9.3 fixed this bug by deleting table
                        entries; the 'Final Release' 5.1.2 reintroduced it
Type of entity .......: 
Type of discovery ....:
Severity/Importance ..: low, stupid DoS, easy to use
Found by .............: rookie

===============================================================================

A BinTec router reboots automatically when it runs short of memory, so the
obvious DoS is to fill up that memory.

A common setup, especially for workgroup and small-business access routers
that connect many computers over one or two ISDN lines, is NAT (Network
Address Translation). NAT is also widely regarded as a 'security feature',
because it acts like a stateful transparent proxy in front of a private
network, so it is found in other setups, too.

Because of this, a router doing NAT has to keep a table with the following
information for every connection:

internal network ip & port -> router external port -> target ip & port 


a.)

Example from an XS Router (Firmware 5.1.2):

cass:system> ipNatTable

inx IfIndex(*ro)      Protocol(*ro)     IntAddr(*ro)      IntPort(*ro)
    ExtAddr(ro)       ExtPort(ro)       RemoteAddr(ro)    RemotePort(ro)
    Direction(ro)     Age(ro)

 00 10001             tcp               192.168.0.100     1112
    195.202.39.137    32824             212.3.152.130     50005
    outgoing          0 00:00:02.00


b.)

A packet with the SYN flag set creates an entry:

raven:~# nmap -sS www.ccc.de -p 12345

 08 10001             tcp               192.168.0.100     63072
    195.202.39.137    33016             195.21.255.248    12345
    outgoing          0 00:00:02.00


c.)

However, the table entry for that connection is deleted again if an RST, a
FIN or an ICMP error is received, controlled per interface by NatRmvFin:

cass:ipExtIfTable> ipextifnatrmvfin

inx NatRmvFin(rw)

 00 yes /* ethernet 1*/

 01 yes /* ethernet 2*/

 02 yes /* dial up line */


d.)

For idle connections there is a timeout of 1 hour for TCP and 30 seconds
for ICMP and UDP:

cass:ipExtIfTable> ipextifnattcptimeout

inx NatTcpTimeout(rw)

 00 3600

 01 3600

 02 3600

cass:ipExtIfTable> ipextifnatothertimeout

inx NatOtherTimeout(rw)

 00 30

 01 30

 02 30


Notice: Lowering the timeout won't help much: with nmap -sS you can still
        force the machine to reboot with the TCP timeout set as low as about
        2 seconds, even when the target answers the SYNs with RST. And with
        anything below 30 seconds the router kills every idle telnet, IRC or
        similar connection.

Conclusion: Rebooting the machine from the masqueraded network is trivial:
            send lots of SYN packets from different source IPs and ports to
            an external IP that does not send RST packets back (although
            even then the router memory may overflow).

e.)

Very often a forward rule is configured to let hosts on the outside reach a
service through NAT.

The default behaviour is to reject connections from the outside:

Apr 19 23:39:18 cass INET: NAT: refused incoming session on ifc 10001 prot 6
195.202.39.137:113 <- 128.176.216.234:1046

However a forward rule can be defined:

          Service                         user defined
          Protocol                        tcp
          Port (-1 for any)               113
          Destination                     192.168.0.100

The identd request goes through:

Apr 20 00:39:28 raven tcplogd: auth connection attempt from
HOTSPOT2.UNI-MUENSTER.DE [128.176.216.234]


f.)

Entry in the NAT Table:

cass:ipNatTable> ipNatTable

inx IfIndex(*ro)      Protocol(*ro)     IntAddr(*ro)      IntPort(*ro)
    ExtAddr(ro)       ExtPort(ro)       RemoteAddr(ro)    RemotePort(ro)
    Direction(ro)     Age(ro)

 05 10001             tcp               192.168.0.100     113
    195.202.39.137    113               128.176.216.234   1049
    incoming          0 00:00:05.00

Conclusion: Rebooting from the outside is just as simple if a forward rule
            has been defined (which is very likely).
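The following model ties together the behaviour described in d.) and f.): SYN
packets create entries, RST/FIN/ICMP errors remove them when NatRmvFin is set,
idle entries expire after NatTcpTimeout, and a forward rule lets SYNs from the
outside create entries too. It is an added example and not code from this
informational or from BinTec. The table capacity MAX_ENTRIES, the rule that a
full table counts as the reboot, the 203.0.113.0/24 outside addresses and the
0.1 s simulation step are assumptions; the timeouts, the removal on RST and the
identd forward rule follow the router settings shown above.

```python
# Model of the BinTec NAT session table and the SYN flood described above.
# Added example, not code from the TESO informational or from BinTec.
# Assumptions: MAX_ENTRIES stands in for the router's free memory, and a
# full table is treated as the reboot the page describes.

MAX_ENTRIES = 4096                    # assumed capacity, not a BinTec figure
TARGET = ("195.21.255.248", 12345)    # www.ccc.de:12345 from the nmap example


class Reboot(Exception):
    """Table full: the page says the router reboots on memory shortage."""


class NatTable:
    def __init__(self, max_entries=MAX_ENTRIES, tcp_timeout=3600,
                 other_timeout=30, rmv_fin=True, forward_rules=()):
        self.max_entries = max_entries
        self.tcp_timeout = tcp_timeout            # NatTcpTimeout
        self.other_timeout = other_timeout        # NatOtherTimeout
        self.rmv_fin = rmv_fin                    # NatRmvFin
        self.forward_rules = set(forward_rules)   # {(proto, ext_port)}
        self.entries = {}                         # session key -> last seen

    def _expire(self, now):
        """Drop idle sessions; only run when the table is short of room."""
        for key, last in list(self.entries.items()):
            limit = self.tcp_timeout if key[0] == "tcp" else self.other_timeout
            if now - last > limit:
                del self.entries[key]

    def _add(self, now, key):
        if key in self.entries:
            self.entries[key] = now               # refresh the Age column
            return key
        if len(self.entries) >= self.max_entries:
            self._expire(now)
            if len(self.entries) >= self.max_entries:
                raise Reboot("NAT table full at t=%.1fs" % now)
        self.entries[key] = now
        return key

    def outgoing(self, now, proto, int_addr, int_port, remote, rport):
        """First packet of a session from the masqueraded network."""
        return self._add(now, (proto, int_addr, int_port, remote, rport, "out"))

    def incoming(self, now, proto, remote, rport, ext_port):
        """SYN from outside: refused unless a forward rule covers ext_port."""
        if (proto, ext_port) not in self.forward_rules:
            return None           # logged as "NAT: refused incoming session"
        return self._add(now, (proto, ext_port, remote, rport, "in"))

    def teardown(self, key, reason):
        """RST, FIN or ICMP error seen for the session."""
        if self.rmv_fin and reason in ("RST", "FIN", "ICMP"):
            self.entries.pop(key, None)

    def __len__(self):
        return len(self.entries)


def syn_flood(table, rate, duration, rst_after=None, from_outside=False, dt=0.1):
    """Send `rate` SYN/s, each from a fresh (address, port) pair, to TARGET
    (or to forwarded port 113 when from_outside is set).  If rst_after is
    given, the peer answers every SYN with an RST after that many seconds.
    Returns the time at which the table overflowed, or None if it survived."""
    pending = []                              # (RST arrival time, session key)
    n, t = 0, 0.0
    while t < duration:
        while pending and pending[0][0] <= t:
            table.teardown(pending.pop(0)[1], "RST")
        for _ in range(int(rate * dt)):
            port = 1024 + n % 60000
            try:
                if from_outside:          # assumed outside source block
                    key = table.incoming(t, "tcp", "203.0.113.%d" % (n & 255), port, 113)
                else:
                    src = "192.168.%d.%d" % ((n >> 8) & 255, n & 255)
                    key = table.outgoing(t, "tcp", src, port, *TARGET)
            except Reboot:
                return t
            if key is not None and rst_after is not None:
                pending.append((t + rst_after, key))
            n += 1
        t += dt
    return None


def scenario_default(rate=50):
    """Firmware defaults, target never answers: every entry lives for 1 h."""
    return syn_flood(NatTable(), rate, duration=600)

def scenario_short_timeout(rate, tcp_timeout=2):
    """NatTcpTimeout lowered: survives only while rate * timeout < capacity."""
    return syn_flood(NatTable(tcp_timeout=tcp_timeout), rate, duration=60)

def scenario_rst(rate, rst_after=0.5):
    """Target sends RST: now rate * round-trip time must exceed capacity."""
    return syn_flood(NatTable(tcp_timeout=2), rate, duration=60, rst_after=rst_after)

def scenario_forward(rate=50):
    """identd forward rule as in e.): the same flood works from the outside."""
    return syn_flood(NatTable(forward_rules={("tcp", 113)}), rate, 600, from_outside=True)


if __name__ == "__main__":
    for name, result in [("defaults, 50 SYN/s", scenario_default()),
                         ("2 s timeout, 1000 SYN/s", scenario_short_timeout(1000)),
                         ("2 s timeout, 2500 SYN/s", scenario_short_timeout(2500)),
                         ("target RSTs, 2500 SYN/s", scenario_rst(2500)),
                         ("target RSTs, 10000 SYN/s", scenario_rst(10000)),
                         ("forward rule, from outside", scenario_forward())]:
        print("%-28s reboot at %s" % (name, result))
```

With the 1 h default even 50 SYN/s fills a 4096-entry table in under two
minutes. Cutting NatTcpTimeout to 2 s only moves the threshold to
rate * timeout, and when the target answers with RST the window shrinks to the
round-trip time, so a faster sender still overflows the table; this is the
reasoning behind the notice in d.). The forward-rule run shows that an outside
sender gets the same result through the identd rule of e.).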

===============================================================================