Unexpected DNAT entry in 8800AXL R2 NAT table forwarding packets to 3rd party

Discussions for BiPAC 8800 series: 8800NL, 8800NLR2, 8800AXL, 8800AXLR2
zathred
Posts: 17
Joined: Mon May 25, 2020 10:58 am

Re: Unexpected DNAT entry in 8800AXL R2 NAT table forwarding packets to 3rd party

Post by zathred »

Thanks for the update.

To demonstrate that external DNS port 53 packets are entering the router and being forwarded to ISI I added a rule to the top of the FILTER table FORWARD chain to record these packets in the router log:

iptables -t filter -I FORWARD -p udp -d 128.9.0.107/16 --dport 53 -j LOG --log-prefix "PortForward -> "

An example log entry is shown below which shows an external IP address sending unsolicited packets to port 53 on the WAN interface of my 8800AXL R2, these packets being DNAT'ed to the ISI address and then forwarded as would be expected given the firmware iptables configuration.

May 19 09:57:51 <redacted>.home kernel: PortForward -> SPT=10802 DPT=53 LEN=36 UDP packet from [ptm0.1] 88.80.186.137:10802 to 128.9.0.107:53


I have to say that as the IPTABLES mechanism provides the stateful firewall security for the router that prevents unauthorised external access it is unsettling that the HQ engineers do not seem to understand that they have created an open port and a vector by which a DoS attack might be performed against the router. The fact that the INPUT and FORWARD chains default to ACCEPT is also bad practice as they should DROP all packets by default and subsequent rules should ALLOW only selected packets required for correct operation.

Regards
Gary
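One way to turn the output of the LOG rule above into a simple detection, as an added example that is not from the original post or from Billion's firmware: it parses router kernel log lines in the format shown in the post (the field layout is assumed from that single entry) and tallies forwarded UDP/53 packets per external source and destination, so unsolicited hits on the DNAT'ed port show up as counts rather than needing to be eyeballed.

```python
import re
from collections import Counter
from typing import Optional

# Matches the Broadcom-style kernel LOG line quoted in the post, which is not the
# stock netfilter "IN= OUT= SRC= DST=" layout. Field layout is assumed from that entry.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: "
    r"(?P<prefix>.*?) ->\s+SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+) LEN=(?P<len>\d+) "
    r"(?P<proto>\w+) packet from \[(?P<iface>[^\]]+)\] "
    r"(?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_log_line(line: str) -> Optional[dict]:
    """Return the parsed fields of one LOG line, or None if the line is not one."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("spt", "dpt", "len", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def forwarded_dns_hits(lines, wan_iface="ptm0.1", dst_port=53):
    """Count UDP packets to dst_port that arrived on the WAN interface and were forwarded.

    Keyed by (external source, forwarded-to destination) so a flood from one host is obvious.
    """
    hits = Counter()
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        if rec["proto"] == "UDP" and rec["iface"] == wan_iface and rec["dport"] == dst_port:
            hits[(rec["src"], rec["dst"])] += 1
    return hits


# Constructed sample log: the first line is the entry quoted in the post, the others are
# made up in the same format (RFC 5737 test addresses, a LAN-side br0 packet, an unrelated line).
SAMPLE_LOG = [
    "May 19 09:57:51 <redacted>.home kernel: PortForward -> SPT=10802 DPT=53 LEN=36 UDP packet from [ptm0.1] 88.80.186.137:10802 to 128.9.0.107:53",
    "May 19 09:58:02 <redacted>.home kernel: PortForward -> SPT=4410 DPT=53 LEN=40 UDP packet from [ptm0.1] 88.80.186.137:4410 to 128.9.0.107:53",
    "May 19 09:58:30 <redacted>.home kernel: PortForward -> SPT=53211 DPT=53 LEN=36 UDP packet from [ptm0.1] 203.0.113.9:53211 to 128.9.0.107:53",
    "May 19 09:59:01 <redacted>.home kernel: PortForward -> SPT=5353 DPT=53 LEN=60 UDP packet from [br0] 192.168.1.20:5353 to 128.9.0.107:53",
    "May 19 09:59:15 <redacted>.home kernel: eth0: link up",
]

if __name__ == "__main__":
    for (src, dst), n in forwarded_dns_hits(SAMPLE_LOG).most_common():
        print(f"{n:4d} forwarded UDP/53 packets  {src} -> {dst}")
```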
billion_fan
Posts: 5374
Joined: Tue Jul 19, 2011 4:30 pm

Re: Unexpected DNAT entry in 8800AXL R2 NAT table forwarding packets to 3rd party

Post by billion_fan »

zathred wrote: Wed May 19, 2021 10:34 am
Thanks for the update.

To demonstrate that external DNS port 53 packets are entering the router and being forwarded to ISI I added a rule to the top of the FILTER table FORWARD chain to record these packets in the router log:

iptables -t filter -I FORWARD -p udp -d 128.9.0.107/16 --dport 53 -j LOG --log-prefix "PortForward -> "

An example log entry is shown below which shows an external IP address sending unsolicited packets to port 53 on the WAN interface of my 8800AXL R2, these packets being DNAT'ed to the ISI address and then forwarded as would be expected given the firmware iptables configuration.

May 19 09:57:51 <redacted>.home kernel: PortForward -> SPT=10802 DPT=53 LEN=36 UDP packet from [ptm0.1] 88.80.186.137:10802 to 128.9.0.107:53


I have to say that as the IPTABLES mechanism provides the stateful firewall security for the router that prevents unauthorised external access it is unsettling that the HQ engineers do not seem to understand that they have created an open port and a vector by which a DoS attack might be performed against the router. The fact that the INPUT and FORWARD chains default to ACCEPT is also bad practice as they should DROP all packets by default and subsequent rules should ALLOW only selected packets required for correct operation.

Regards
Gary
Billion will fix the issue by removing that rule from iptables in the next Official Firmware release.
zathred
Posts: 17
Joined: Mon May 25, 2020 10:58 am

Re: Unexpected DNAT entry in 8800AXL R2 NAT table forwarding packets to 3rd party

Post by zathred »

Thank you for confirming an updated firmware will be made available to address this issue. I have just successfully updated the 8800AXL R2 to the recently released 2.52.D17 firmware and look forward to the release of the future update with the fix as discussed.
ElderScroll1985
Posts: 3
Joined: Fri Aug 27, 2021 10:24 am

Re: Unexpected DNAT entry in 8800AXL R2 NAT table forwarding packets to 3rd party

Post by ElderScroll1985 »

Hello.

Are there any updates on this? I can see that this has been posted about 3 months ago which is crazy to me that I don't see an update fixing this issue yet as it does seem like a major one. When can we have a new firmware please?
billion_fan
Posts: 5374
Joined: Tue Jul 19, 2011 4:30 pm

Re: Unexpected DNAT entry in 8800AXL R2 NAT table forwarding packets to 3rd party

Post by billion_fan »

ElderScroll1985 wrote: Fri Aug 27, 2021 10:26 am
Hello.

Are there any updates on this? I can see that this has been posted about 3 months ago which is crazy to me that I don't see an update fixing this issue yet as it does seem like a major one. When can we have a new firmware please?
Attached is a firmware that removes the DNAT rule

FW Release Note :

1. “Enhance Firewall Rule”.
2. “Change HTTP Session timeout to 10 minutes”.
3. “Fixed config error in <Configure log page> issue”.
ElderScroll1985
Posts: 3
Joined: Fri Aug 27, 2021 10:24 am

Re: Unexpected DNAT entry in 8800AXL R2 NAT table forwarding packets to 3rd party

Post by ElderScroll1985 »

Perfect, thank you!

Out of curiosity, is there a reason this firmware is not officially published on the website yet?
billion_fan
Posts: 5374
Joined: Tue Jul 19, 2011 4:30 pm

Re: Unexpected DNAT entry in 8800AXL R2 NAT table forwarding packets to 3rd party

Post by billion_fan »

ElderScroll1985 wrote: Fri Aug 27, 2021 12:29 pm
Perfect, thank you!

Out of curiosity, is there a reason this firmware is not officially published on the website yet?
Only just received it today, I normally post the firmware here first before official release on our web site
zathred
Posts: 17
Joined: Mon May 25, 2020 10:58 am

Re: Unexpected DNAT entry in 8800AXL R2 NAT table forwarding packets to 3rd party

Post by zathred »

Thanks for posting the D18 firmware on this thread.

It feels like we are beta testers at present given it's only available via this thread. I am reluctant to install it until it is formally released on the support site https://support.billion.uk.com/ as we are working from home and cannot afford to have downtime from any issues that it might create.

Do you know when it will be formally released as a public update?
billion_fan
Posts: 5374
Joined: Tue Jul 19, 2011 4:30 pm

Re: Unexpected DNAT entry in 8800AXL R2 NAT table forwarding packets to 3rd party

Post by billion_fan »

zathred wrote: Tue Sep 07, 2021 10:42 am
Thanks for posting the D18 firmware on this thread.

It feels like we are beta testers at present given it's only available via this thread. I am reluctant to install it until it is formally released on the support site https://support.billion.uk.com/ as we are working from home and cannot afford to have downtime from any issues that it might create.

Do you know when it will be formally released as a public update?
Hopefully the firmware will be released next week.

Update, firmware can be found here on our official support site

https://support.billion.uk.com/index.ph ... are-252d18
zathred
Posts: 17
Joined: Mon May 25, 2020 10:58 am

Re: Unexpected DNAT entry in 8800AXL R2 NAT table forwarding packets to 3rd party

Post by zathred »

I've installed the D18 firmware on my 8800AXL R2 and can confirm that this update has addressed the open DNS port forwarding issue. All other functions of the router appear to be functional and stable. Thank you for addressing this issue.