Unexpected DNAT entry in 8800AXL R2 NAT table forwarding packets to 3rd party

Discussions for BiPAC 8800 series: 8800NL, 8800NLR2, 8800AXL, 8800AXLR2
zathred
Posts: 17
Joined: Mon May 25, 2020 10:58 am

Unexpected DNAT entry in 8800AXL R2 NAT table forwarding packets to 3rd party

Post by zathred »

As an experienced former IT security evaluator I have been looking through the iptables configuration on my 8800AXL R2 running the 2.52.d15 firmware. I found an unexpected DNAT entry in the NAT table (iptables -t nat -L -v) which looks like this:

Chain PREROUTING (policy ACCEPT 39M packets, 17G bytes)
 pkts bytes target  prot opt in      out     source               destination
  381 23781 DNAT    udp  --  ptm0.1  any     anywhere             anywhere             udp dpt:domain to:128.9.0.107

The IP address 128.9.0.107 is registered as belonging to the Information Sciences Institute based in the USA which has links to the USA government and various defence and security agencies.

Can you please explain why your firmware includes this hard-coded reference to a 3rd party external agency that I have not been informed about as a customer and have not agreed to or authorised to have access to my internet service.

"The USC Information Sciences Institute (ISI) is a component of the University of Southern California (USC) Viterbi School of Engineering, and specializes in research and development in information processing, computing, and communications technologies. It is located in Marina del Rey, California"

https://en.wikipedia.org/wiki/Informati ... _Institute
Last edited by zathred on Tue May 18, 2021 12:30 pm, edited 2 times in total.
zathred
Posts: 17
Joined: Mon May 25, 2020 10:58 am

Re: Unexpected DNAT entry in iptables NAT table

Post by zathred »

FYI I have contacted ISI directly by email to ask if they have any information on this subject. Note that I have confirmed the 8800AXL R2 is actively routing incoming DNS (port 53) requests to the ISI-owned IP address (128.9.0.107) which I have also confirmed is an IP allocated to an active device.

Email to the Information Sciences Institute, USA on 13-May-2021:

I own a Billion 8800AXL R2 internet router and have discovered that this commercial device forwards selected internet packets via its firmware to an ISI-owned IP address as discussed in the attached link.

Can you shine any light on why ISI is covertly receiving data from my home internet router which is based in England?
Last edited by zathred on Tue May 18, 2021 12:29 pm, edited 1 time in total.
zathred
Posts: 17
Joined: Mon May 25, 2020 10:58 am

Re: Unexpected DNAT entry in iptables NAT table

Post by zathred »

I have also noticed a considerable number of port scans against my router which come from IP addresses in Arlington, Virginia in the USA, which also happens to be another location where the Information Sciences Institute is based.

You advertise your routers as being secure, which seems to be in direct conflict with passing data covertly to 3rd parties behind the scenes without user permission.

Just what is going on Billion?
billion_fan
Posts: 5374
Joined: Tue Jul 19, 2011 4:30 pm

Re: Unexpected DNAT entry in iptables NAT table

Post by billion_fan »

zathred wrote: Thu May 13, 2021 11:48 am
As a former IT security evaluator for the UK Government I have been looking through the iptables configuration on my 8800AXL R2 running the 2.52.d15 firmware. I found an unexpected DNAT entry in the NAT table (iptables -t nat -L -v) which looks like this:

Chain PREROUTING (policy ACCEPT 39M packets, 17G bytes)
 pkts bytes target  prot opt in      out     source               destination
  381 23781 DNAT    udp  --  ptm0.1  any     anywhere             anywhere             udp dpt:domain to:128.9.0.107

The IP address 128.9.0.107 is registered as belonging to the Information Sciences Institute based in the USA which has links to the USA government and various defence and security agencies.

Can you please explain why your firmware includes this hard-coded reference to a 3rd party external agency that I have not been informed about as a customer and have not agreed to or authorised to have access to my internet service.

"The USC Information Sciences Institute (ISI) is a component of the University of Southern California (USC) Viterbi School of Engineering, and specializes in research and development in information processing, computing, and communications technologies. It is located in Marina del Rey, California"

https://en.wikipedia.org/wiki/Informati ... _Institute
I'm checking with our HQ, once I get update I will let you know
zathred
Posts: 17
Joined: Mon May 25, 2020 10:58 am

Re: Unexpected DNAT entry in iptables NAT table

Post by zathred »

Thanks for looking into this.

There is also a related entry in the iptables FILTER table in the FORWARD chain which ensures that the DNAT'ed packets are actually sent out by the router to the Information Sciences Institute IP address. Note that I have added the DROP rule ahead of this to prevent these packets from being forwarded. The non-zero counter for the DROP rule shows that these packets would otherwise have been accepted for forwarding by the next (firmware) rule.

iptables -L -v -n

Chain FORWARD (policy ACCEPT 17776 packets, 1176K bytes)
 pkts bytes target  prot opt in      out     source               destination
    8   495 DROP    all  --  *       *       0.0.0.0/0            128.9.0.0/16
    0     0 ACCEPT  all  --  ptm0.1  *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT
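The pair of rules quoted in this thread (a PREROUTING DNAT on the WAN interface ptm0.1 pointing at a public address, plus a FORWARD ACCEPT for ctstate DNAT that lets the rewritten packets leave) can be found mechanically rather than by reading chains by eye. The script below is an added example, not code from the thread or from Billion's firmware. It parses an iptables-save style dump (a constructed sample that models the posted rules; the -A syntax, the `-m conntrack --ctstate DNAT` match and the second, LAN-bound virtual-server rule are assumptions) and reports DNAT rules that take WAN packets to a non-private address, whether FORWARD would pass them, and the exact `iptables -D` command that removes each one.

```python
import ipaddress
from typing import Dict, List, Sequence

# Constructed iptables-save style dump modelling the rules posted in this thread.
# The thread shows `iptables -L -v` output; the -A syntax, the `-m conntrack --ctstate DNAT`
# match and the second (harmless, LAN-bound) virtual-server rule are assumptions.
SAMPLE_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i ptm0.1 -p udp -m udp --dport 53 -j DNAT --to-destination 128.9.0.107
-A PREROUTING -i ptm0.1 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.50:80
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i ptm0.1 -m conntrack --ctstate DNAT -j ACCEPT
COMMIT
"""

# iptables option -> field name kept for each rule
_OPTS = {"-i": "iface", "-p": "proto", "--dport": "dport", "-j": "target",
         "--to-destination": "to", "--ctstate": "ctstate"}


def parse_rules(save_text: str) -> List[Dict[str, str]]:
    """Flatten iptables-save output into one dict per -A rule, tagged with its table."""
    rules, table = [], ""
    for line in save_text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            tok = line.split()
            rule = {"table": table, "chain": tok[1], "raw": line}
            for i, t in enumerate(tok[:-1]):
                if t in _OPTS:
                    rule[_OPTS[t]] = tok[i + 1]
            rules.append(rule)
    return rules


def wan_dnat_to_external(rules: List[Dict[str, str]], wan_ifaces: Sequence[str]) -> List[Dict[str, str]]:
    """DNAT rules that take packets arriving on a WAN interface and hand them to a non-private address."""
    hits = []
    for r in rules:
        if r["table"] != "nat" or r.get("target") != "DNAT" or r.get("iface") not in wan_ifaces:
            continue
        host = r.get("to", "").split(":")[0]  # IPv4 only: strip an optional :port
        if host and not ipaddress.ip_address(host).is_private:
            hits.append(r)
    return hits


def forward_passes_dnat(rules: List[Dict[str, str]], wan_ifaces: Sequence[str]) -> bool:
    """True if FORWARD accepts DNAT'ed flows from the WAN (or from any interface)."""
    return any(r["table"] == "filter" and r["chain"] == "FORWARD"
               and r.get("target") == "ACCEPT" and r.get("ctstate") == "DNAT"
               and r.get("iface") in (None, *wan_ifaces)
               for r in rules)


def delete_command(rule: Dict[str, str]) -> str:
    """The iptables invocation that removes exactly this rule (-A becomes -D)."""
    return f"iptables -t {rule['table']} " + rule["raw"].replace("-A ", "-D ", 1)


def audit(save_text: str, wan_ifaces: Sequence[str] = ("ptm0.1",)) -> Dict:
    """Summarise WAN-facing DNAT rules to external targets and whether FORWARD lets them through."""
    rules = parse_rules(save_text)
    hits = wan_dnat_to_external(rules, wan_ifaces)
    return {
        "external_dnat": [f"{r['chain']} {r['iface']} {r['proto']}/{r['dport']} -> {r['to']}" for r in hits],
        "forward_accepts_dnat": forward_passes_dnat(rules, wan_ifaces),
        "fix": [delete_command(r) for r in hits],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(audit(SAMPLE_RULES), indent=2))
```

On a real device feed the output of `iptables-save` into `audit()` instead of SAMPLE_RULES; the 192.168.1.50 virtual-server rule in the sample is deliberately not reported, since `ipaddress.is_private` separates ordinary port forwards from a DNAT that leaves the home network.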
zathred
Posts: 17
Joined: Mon May 25, 2020 10:58 am

Re: Unexpected DNAT entry in 8800AXL R2 NAT table forwarding packets to 3rd party

Post by zathred »

I have received a response from the Information Sciences Institute in the USA:

"In response to your inquiry, University of Southern California Information Sciences Institute (ISI) is responsible for operating one of the 13 root servers that serve the DNS root zone. You can see the list of root servers and their operators here, https://www.iana.org/domains/root/servers , which explains the DNS root servers. Please note the section called "Configuring the Root Servers”, which points out that the names and addresses of the root servers have to be available to any s/w that implements a DNS recursive resolver, and are frequently built directly into the software.

The IP address you’re asking about (from your link) is 128.9.0.107. It is a very old address for the B root DNS server that ISI runs. See <https://b.root-servers.org/news/2004/02 ... -ipv4.html>. It’s not unreasonable that your router has hardwired in the addresses of some root servers. Your vendor should fix this. Please note it’s innocuous, other than perhaps slowing down your router."
zathred
Posts: 17
Joined: Mon May 25, 2020 10:58 am

Re: Unexpected DNAT entry in 8800AXL R2 NAT table forwarding packets to 3rd party

Post by zathred »

I think what I am seeing may be a left-over development or testing facility which Billion has failed to remove from the production release. The iptables rules create an open port on the external firewall for receipt and forwarding of unsolicited packets, and hence the possibility of a DoS attack against the router, for example by sending bulk streams of DNS requests which then fill the limited iptables conntrack in-memory list on this low-resource device.
billion_fan
Posts: 5374
Joined: Tue Jul 19, 2011 4:30 pm

Re: Unexpected DNAT entry in 8800AXL R2 NAT table forwarding packets to 3rd party

Post by billion_fan »

Direct reply from our HQ:

1. After discussing with our engineering team, we will remove this rule from iptables in the next firmware release.

Also, this part of the iptables source code style was out of date.

Chain FORWARD (policy ACCEPT 17776 packets, 1176K bytes)
 pkts bytes target  prot opt in      out     source               destination
    8   495 DROP    all  --  *       *       0.0.0.0/0            128.9.0.0/16
    0     0 ACCEPT  all  --  ptm0.1  *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT

2. Regarding the DNAT entry in the FORWARD chain of iptables as you mentioned above, that is for NAT -> Virtual Server, DMZ, One to one NAT.

3. In general, the engineering team said that the router doesn't allow any DNS request coming from the WAN side.

"In response to your inquiry, University of Southern California Information Sciences Institute (ISI) ... Your vendor should fix this. Please note it's innocuous, other than perhaps slowing down your router."

4. Yes, we will fix it by removing that rule in iptables, and you can see that ISI also said that it is innocuous.

There is no need to worry about it.
zathred
Posts: 17
Joined: Mon May 25, 2020 10:58 am

Re: Unexpected DNAT entry in 8800AXL R2 NAT table forwarding packets to 3rd party

Post by zathred »

Thank you for providing a prompt and detailed response from your HQ on this issue. The response items (1), (2) and (4) are satisfactory but I'm going to have to disagree with response (3).

I have tested this using an external device to send DNS request packets to port 53 on my 8800AXL R2 router and I can see them flowing through the NAT and FILTER table rules, which means they are being accepted by the router rather than being dropped and are then forwarded to the ISI IP address. Note that as these connections use CONNTRACK in-memory table entries to track the stateful firewall exchange, this open port could be used to perform a denial of service attack against the device by flooding it with DNS packets in order to fill the CONNTRACK table, which would then prevent any new connections of any type from being created.

Of course removing the DNAT rule in the NAT table as proposed by HQ will close this vulnerability.

I think HQ engineering need to look again at their response to (3) as it is clearly inconsistent with the observed facts and they should be able to easily test the described functionality as I have documented in this thread.

Regards

Gary
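The test described in the post above (send DNS queries from an external host at the router's WAN port 53, then confirm they are accepted and counted against conntrack rather than dropped) can be reproduced with the script below. It is an added example, not code from the thread or from the vendor. It builds a minimal DNS query with the standard library, can send a burst of them from fresh source ports, and parses /proc/net/nf_conntrack-style lines to count the entries such traffic occupies. The conntrack lines are constructed, not captured: 203.0.113.7 stands for the probing host and 198.51.100.1 for the router's WAN address (both documentation addresses chosen here), and for a DNAT'ed flow the reply tuple's src is the translated destination, 128.9.0.107.

```python
import re
import socket
import struct
from typing import Dict, List

# Constructed /proc/net/nf_conntrack lines (not captured from a real router).
# 203.0.113.7 = external probing host, 198.51.100.1 = router WAN address (both assumed).
# For a DNAT'ed flow the reply tuple's src is the translated destination, here 128.9.0.107.
SAMPLE_CONNTRACK = """\
ipv4     2 udp      17 28 src=203.0.113.7 dst=198.51.100.1 sport=40001 dport=53 [UNREPLIED] src=128.9.0.107 dst=203.0.113.7 sport=53 dport=40001 mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=203.0.113.7 dst=198.51.100.1 sport=40002 dport=53 [UNREPLIED] src=128.9.0.107 dst=203.0.113.7 sport=53 dport=40002 mark=0 zone=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.20 dst=93.184.216.34 sport=51000 dport=443 src=93.184.216.34 dst=198.51.100.1 sport=443 dport=51000 [ASSURED] mark=0 zone=0 use=2
"""


def build_dns_query(qname: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS query (one A question, RD set) as the external test host would send it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # id, flags, qd, an, ns, ar counts
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + question + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def send_probe(router_wan_ip: str, count: int, qname: str = "example.com") -> int:
    """Send `count` queries, each from a fresh ephemeral port so each creates its own
    conntrack entry. Not exercised by the tests; run only against a device you own."""
    sent = 0
    for i in range(count):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(build_dns_query(qname, txid=i & 0xFFFF), (router_wan_ip, 53))
        sent += 1
    return sent


def parse_conntrack(text: str) -> List[Dict]:
    """Split each nf_conntrack line into protocol, original tuple and reply tuple."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proto = line.split()[2]
        orig, reply = {}, {}
        for key, val in re.findall(r"\b(src|dst|sport|dport)=(\S+)", line):
            (orig if key not in orig else reply)[key] = val  # first occurrence = original direction
        entries.append({"proto": proto, "orig": orig, "reply": reply,
                        "unreplied": "[UNREPLIED]" in line})
    return entries


def count_dnat_flows(text: str, nat_target: str, dport: int = 53) -> int:
    """Entries created by WAN packets that the PREROUTING rule redirected to nat_target."""
    return sum(1 for e in parse_conntrack(text)
               if e["proto"] == "udp"
               and e["orig"].get("dport") == str(dport)
               and e["reply"].get("src") == nat_target)


def table_fill_ratio(used: int, nf_conntrack_max: int) -> float:
    """Fraction of /proc/sys/net/netfilter/nf_conntrack_max in use; at 1.0 new flows are dropped."""
    return used / nf_conntrack_max


if __name__ == "__main__":
    # On the router: python3 this.py < /proc/net/nf_conntrack
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CONNTRACK
    used = count_dnat_flows(text, "128.9.0.107")
    print(f"DNAT'ed DNS flows to 128.9.0.107: {used}")
```

Each unanswered UDP entry lingers for the kernel's unreplied UDP timeout (nf_conntrack_udp_timeout, 30 s by default), so the number of entries a flood holds open is roughly packets per second times that timeout, capped at nf_conntrack_max; comparing `count_dnat_flows()` with `table_fill_ratio()` against the device's nf_conntrack_max shows how close the table is to refusing new connections of any kind.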
billion_fan
Posts: 5374
Joined: Tue Jul 19, 2011 4:30 pm

Re: Unexpected DNAT entry in 8800AXL R2 NAT table forwarding packets to 3rd party

Post by billion_fan »

zathred wrote: Tue May 18, 2021 6:17 pm
Thank you for providing a prompt and detailed response from your HQ on this issue. The response items (1), (2) and (4) are satisfactory but I'm going to have to disagree with response (3).

I have tested this using an external device to send DNS request packets to port 53 on my 8800AXL R2 router and I can see them flowing through the NAT and FILTER table rules, which means they are being accepted by the router rather than being dropped and are then forwarded to the ISI IP address. Note that as these connections use CONNTRACK in-memory table entries to track the stateful firewall exchange, this open port could be used to perform a denial of service attack against the device by flooding it with DNS packets in order to fill the CONNTRACK table, which would then prevent any new connections of any type from being created.

Of course removing the DNAT rule in the NAT table as proposed by HQ will close this vulnerability.

I think HQ engineering need to look again at their response to (3) as it is clearly inconsistent with the observed facts and they should be able to easily test the described functionality as I have documented in this thread.

Regards

Gary
I'll update my engineers with your response