Harden DD-WRT against DNS rebind attacks

Yesterday I watched the presentation by Craig Heffner at DEFCON 18, where he describes using DNS rebind attacks to gain access to routers’ configuration pages from the public Internet. It’s a pretty complicated attack that requires a rogue domain and server, and its success relies on two pretty glaring end-user mistakes:

  1. Visiting that rogue domain and server; and
  2. Leaving a weak or default username and password on the router’s admin page.

Most people savvy enough to flash their router with DD-WRT know enough to steer clear of those mistakes, but it still bothers me that DD-WRT remains technically vulnerable to this attack.

How to find out if you’re vulnerable

  1. Find your WAN IP, either by logging in to DD-WRT or visiting canyouseeme.org.
  2. Type http://<your-wan-ip> into a browser.

If you see your router’s login page, you’re technically vulnerable.

What to do about it

As stated before, exploitation of this vulnerability is pretty complicated and requires some seriously dumb mistakes on our part. But as it turns out, we can do something to be 100% sure this never affects us by creating a firewall rule within DD-WRT. The rule that Craig suggests in his presentation may not apply to DD-WRT routers, so I’ve written one that does.

  1. Log in to DD-WRT.
  2. Click Administration, then Commands.
  3. If you already have firewall rules, click Edit under Firewall.
  4. Add this to the command box:

     iptables -I INPUT -s `nvram get lan_ipaddr`/`nvram get lan_netmask` -d `nvram get wan_ipaddr` -j DROP

  5. Click Apply.

How does it work?

iptables -I INPUT

This invokes iptables, and -I inserts our rule at the beginning of the INPUT chain.

-s `nvram get lan_ipaddr`/`nvram get lan_netmask`

This matches the source to anywhere on our local subnet. This approach is particularly handy, because the nvram commands will automatically fill in whatever these values are. That means if you change your LAN subnet, you won’t have to update your firewall rule.

-d `nvram get wan_ipaddr`

This matches the destination to our WAN IP address. Again, as our WAN IP changes, so will our firewall rule.

-j DROP

This jumps to the DROP target. The DROP target figuratively “drops” the packets on the floor, with no message to the sender that the packets didn’t get through.

In sum, this firewall rule says: For any packet passing this router, coming from this local LAN and destined for this router’s WAN IP, drop it. Since the DNS rebind attack Craig described relies on internal clients being able to access their router from the WAN IP, we’ve accomplished our goal.
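
To see which packets the rule's -s and -d conditions select, here is an added example (not part of the original post) that models the match in plain shell so it can be run off the router. The addresses are constructed sample values, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: models the -s/-d match of the rule above. All addresses are
# constructed sample values; function names are hypothetical.

# Dotted-quad IPv4 -> 32-bit integer (subshell body keeps the IFS change local).
ip_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Exit 0 if a packet src($1) -> dst($2) matches
#   -s lan_ipaddr($3)/lan_netmask($4) -d wan_ipaddr($5)
rule_drops() {
    src=$(ip_to_int "$1"); dst=$(ip_to_int "$2")
    lan=$(ip_to_int "$3"); mask=$(ip_to_int "$4"); wan=$(ip_to_int "$5")
    [ $(( src & mask )) -eq $(( lan & mask )) ] && [ "$dst" -eq "$wan" ]
}

# Print the rule as the shell would expand it; fail if any value is empty,
# since an empty substitution would leave -s or -d without a usable argument.
build_rule() {
    [ -n "$1" ] && [ -n "$2" ] && [ -n "$3" ] || return 1
    echo "iptables -I INPUT -s $1/$2 -d $3 -j DROP"
}

LAN_IP=192.168.1.1; LAN_MASK=255.255.255.0; WAN_IP=203.0.113.7  # constructed

verdict() {
    if rule_drops "$1" "$2" "$LAN_IP" "$LAN_MASK" "$WAN_IP"
    then echo DROP; else echo "no match"; fi
}

build_rule "$LAN_IP" "$LAN_MASK" "$WAN_IP"
echo "LAN client -> WAN IP: $(verdict 192.168.1.50 203.0.113.7)"
echo "LAN client -> LAN IP: $(verdict 192.168.1.50 192.168.1.1)"
echo "Internet   -> WAN IP: $(verdict 198.51.100.9 203.0.113.7)"
```

Only the first case matches, so the admin page stays reachable from the LAN at the router's LAN address.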

 
