Home page logo

bugtraq logo Bugtraq mailing list archives

DoSing the Netgear ISDN RT34x router.
From: ssgriggs () JCIUS COM (Swift Griggs)
Date: Fri, 25 Feb 2000 12:59:34 -0700

Hash: SHA1

The Netgear ISDN RH348 and RT328, and possibly the Zyxel P128imh (same

Door #1: SYN scan the router with nmap. It'll deny all connections to port
                23 after that for about 5 minutes per packet. DoSing it in
                this way is trivial. Of course spoofed packets work just

Door #2: Telnet to it. Sit there. No one else can manage it, regardless
                of if you have authenticated or not.
Door #3: Send it tons of ICMP redirects, it'll stop routing packets at
                all during the storm (which can be fairly light) and it'll
                take about 30 seconds to recover. (try winfreeze.c)

Door #4: Send it some contrived RIP packets with host routes for your
                favorite people in the office set to loopback. The default
                is to allow RIP-2B in both directions.

Quick Fix: Use an ACL in the router to deny access to everywhere but your
management station. Turn RIP off if you can, if not then try to only
broadcast RIP, not listen. These routers don't support any other type of
distance vector protocols, and fortunately they don't do link state
protocols at all (ie.. no redistribution of bogus routes learned and
trusted by any evil haxx0r on the network). That's fine with me, I doubt
I'll be housing my ASN on an ISDN line anytime soon, but that's just me.

- --
Swift Griggs - Janitor,  Secretary,   Router dude.
Some  will  rise  by  sin and  some by virtue fall
PGP(GPG) Key ID D38E3D91  | InterNIC Handle SG1991
Key fingerprint  for  the key that  I use is here:
010C A7E3 A630 8107 E9A5  F9AD 82D6 BA10 D38E 3D91

Version: GnuPG v1.0.0 (GNU/Linux)
Comment: Using GPG 1.1


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]