Port 473 Security Issue in WRVS4400N Firmware V2.0.0.8? Router may have been exploited last night.

not12bhere
Level 1

After replacing my last router with the WRVS4400NV2, I have been very impressed with the device.

But, after a few weeks of using it, I noticed via the IPS reports that my system was suddenly getting a lot more DOS/FLOOD attention from "foreign" IPs than I had ever seen in the past. Kind of alarmed, I checked my configuration and it was as hardened as the device will allow. So I ran GRC's Shields Up test.

Ouch.

Port 473 was 'stuck' open every time.

I am not used to seeing a non-stealthed port, but had read that earlier Linksys firmware on the V1 device had failed to stealth the port. I had QuickVPN disabled, remote management disabled and no SSL connections currently going, so I systematically shut down my network looking for the issue by eliminating my firewalls and software as the possible culprits.

Guess what is un-stealthing Port 473 in the WRVS4400N V2?

I had one disabled VPN Client created in the VPN Clients Account section. I deleted the disabled account and Port 473 went stealth on the Shields Up! test.

Apparently, if you create a VPN Client Account, even if it is disabled, it will permanently open your port 473 to the WAN. I am not an expert in networking by any means, and that may be a requirement of the QuickVPN solution, but that seems a little bit dangerous. I believe the port responding to requests from foreign IP bots is what brought the attention to my network.

Worse yet for me, a "foreign" IP attempted to exploit the open 473 port and, if IPS had been turned off (as many of us do for performance reasons), it would have succeeded! That log file made my anxiety go up a few levels for sure.

Love the device, not too thrilled with that implementation of QuickVPN port opening.

Best Regards, and thanks to any experts who chime in.

1 Reply

not12bhere
Level 1

Well,

Alright gurus, please help me feel better.

WRVS4400N Hardware/Firmware crash or attack?

Bottom line, it appears that the WLAN interface of the WRVS4400N stopped functioning last night and it somehow shut down IPS. When I woke up this morning the internet wouldn't work, and I logged in to check the logs. The logs were cleared the night before. The IPS report was completely empty (that never happens). The firewall log was likewise empty. Before you ask: remote management is disabled, the password is annoyingly difficult, and the IPS was using the latest update.

I think I may have made at least one mistake in my configuration. I used the ACL to deny any/all traffic from certain IPs that had repeatedly shown up on my IPS report for DOS/SYN etc. Does that mean that when they attempt to scan my router, instead of a stealth non-response they get an active denial?

At first I thought it was a simple hardware/software lockup, but now I am not so sure. Even though this is just a SOHO network, after the WRVS4400N failed last night, my ASA5505 in firewall transparent mode behind the WRVS4400N logged numerous packets that it dropped via ARP Inspection from my outside interface. I have a sinking feeling that my WRVS4400N was completely compromised... any similar scenarios or advice is welcome.

Not a good feeling, thanks for any help in advance.