I'd always been under the impression that a NAT router was, almost by definition, 100% impervious to all but requested traffic... and that all ports not actively in use by me are automatically blocked. In other words, a NAT router is by default 'stealthed'.
Well... imagine my surprise on running Gibson Research's 'Shields Up' test... and finding that port 161 (SNMP) is always open on Home Hub 3.
A little searching on the web, and I see that BT's own forums are full of people asking about this. Yet I see no satisfactory response from BT... just anecdotal references that it has something to do with speeding up gaming or possibly checking the number of devices on a home LAN.
The first and most obvious question is... just how safe is it to have this port defaulted to always open? The second question is... WHY? Can BT provide a sane and sensible answer to this?
|
|
|
Not the first router to have a port open on the internet side.
http://en.wikipedia.org/wiki/Simple_Network_Manageme...
It's usually used for doing things like querying router information/stats. The question really is: while there is a socket listening, has anyone managed to connect to it and do anything?
An open port that gives nothing back is no real risk, other than advertising that you exist, which replying to a ping already does anyway.
See no way that it can be used for speeding up gaming, i.e. internet rumour machine. As for checking the number of devices connected to a LAN, that is something you could do, if it is actually hooked up to something that understands SNMP.
|
|
The author of the above post is a thinkbroadband staff member. It may not constitute an official statement on behalf of thinkbroadband.
|
|
|
|
Well... the open port completely removes the notion of running in 'stealth' mode, in which not even ping should respond.
Whether stealth mode really means anything from a security perspective is another matter. I've always just felt that little bit more secure knowing that NO ports respond to external probing.
|
|
|
|
|
A trick that may work is to port TCP 161 to an unused IP address on the LAN,
e.g. if the LAN is 192.168.1.2 to 192.168.1.253.
Then pick a high IP address, e.g. 192.168.1.252, and redirect 161 to that address. Have seen this seal off a port before, and as SNMP is not usually running on PCs, even if a machine got that IP via DHCP it would be no issue.
|
|
The author of the above post is a thinkbroadband staff member. It may not constitute an official statement on behalf of thinkbroadband.
|
|
|
|
Could you provide more details on the test? It is very hard to port scan UDP. Typically it can only work by seeing an ICMP unreachable message coming back.
However, if something between the 2 ends of the test is blocking that port, which is a really common thing in data centres, it will show as open since no ICMP unreachable message comes back.
Did you find it open by testing from the LAN side?
Were you able to confirm this with a valid SNMP client?
|
|
|
A simple telnet on the correct port will confirm a listening port; it is also a TCP port.
|
|
The author of the above post is a thinkbroadband staff member. It may not constitute an official statement on behalf of thinkbroadband.
|
|
|
My Infinity Home Hub (v2 however) gives stealthed results for all ports including 161.
|
|
|
Well... the open port completely removes the notion of running in 'stealth' mode, in which not even ping should respond.
Whether stealth mode really means anything from a security perspective is another matter. I've always just felt that little bit more secure knowing that NO ports respond to external probing.
It really doesn't. SG is a hack who knows less than nothing about security (he made his name writing disk recovery software). Ignoring the fact that Shields Up is a very rudimentary TCP SYN scanner (many scans use illegal options and flag combinations that can induce responses from "stealthed" ports anyway), the vast majority of port scans come from bot-nets that often simply pick address ranges at random to scan. Port "stealth" doesn't really have any impact on this process since they will typically only probe a few (maybe only one) ports that they are interested in (i.e. have viable attack tools for unpatched software that uses that port). So for example, not being pingable or not having a response on port 161 will have no effect on bot-nets looking for 8080 proxy relays. So stealth mode is merely security by obscurity, which doesn't work in the long term. Personally, the only thing I trust his port scanner for is checking that ports I want open actually are internet addressable.
However, if that port is open and SNMP is running on it, that IS an issue, as the router's firmware may have vulnerabilities in its SNMP service.
Edited by deleted (Wed 02-Nov-11 08:10:12)
|
|
|
A simple telnet on the correct port will confirm a listening port; it is also a TCP port.
Actually, SNMP is running on UDP normally. It also says this here:
http://en.wikipedia.org/wiki/Simple_Network_Manageme...
|
|
|
Seems it can be either, but SNMP on UDP is the better option.
Am betting GRC just saw the port on 161 and did a lookup of the common ports, rather than checking the actual response from the port.
|
|
The author of the above post is a thinkbroadband staff member. It may not constitute an official statement on behalf of thinkbroadband.
|