Harden DD-WRT against DNS rebind attacks

Yesterday I watched the presentation by Craig Heffner at DEFCON 18, where he describes using DNS rebind attacks to gain access to routers’ configuration pages from the public Internet. It’s a pretty complicated attack, requiring a rogue domain and server, and whose success relies on two pretty glaring end-user mistakes:

  1. Visiting that rogue domain and server; and
  2. Leaving a weak or default username and password on the router’s admin page.

Most people savvy enough to flash their router with DD-WRT know enough to steer clear of those mistakes, but it still bothers me that DD-WRT remains technically vulnerable to this attack.

Continue reading Harden DD-WRT against DNS rebind attacks