Brady & Associates, LLC.
Firewall Reporting Tools


Linksys Router Security Alert!

Recently, it has come to the attention of the media that another type of DDOS (distributed denial of service) attack is occurring on the Internet. The new attack has been dubbed mDDOS or miniature denial of service. These attacks are small enough to get under the radar of an ISP and are aimed at individual computer users, depriving them of access to the Internet. This is of particular concern to small businesses that perform a majority of their transactions online.

The key to maximizing the likelihood that you will not become a victim of an mDDOS is to ensure your IP address is not being detected by port scanners and mDDOS scripts. While many people now run personal firewall software on their computers, such as BlackICE or ZoneAlarm, thereby isolating the ports on their computers, there is apparently another vulnerability that can kill your Internet access.

Many Internet users today have small networks in their businesses and homes which rely on the Linksys line of broadband routers and gateways, arguably the most popular brand available.

Unfortunately, the default settings for the router leave it vulnerable to an mDDOS attack because not all ports are 'stealthed', in particular port 113, the IDENT port.

This port used to be used by IRC servers to determine whether or not an actual connection is being made between your computer and the IRC server. In recent years, however, this practice has become virtually non-existent.

To keep the IP address of your Linksys router from being detected on the Internet, you need to manually 'stealth' port 113. If you go to www.grc.com and use their Shields Up! port scanning tools, you will probably find that port 113 returns a CLOSED state as opposed to a STEALTH state.
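The difference between CLOSED and STEALTH is whether a connection attempt is answered with a refusal or with nothing at all. The following is an added example, not part of the original article or of the Shields Up! tool, that classifies a TCP port in those terms; the function names are hypothetical, and the result is only meaningful when the script is run from a machine outside your network against your own router's public address.

```python
import socket
import sys


def classify(exc):
    """Map the outcome of one TCP connect attempt to a port state."""
    if exc is None:
        return "OPEN"      # handshake completed: something is listening
    if isinstance(exc, ConnectionRefusedError):
        return "CLOSED"    # a refusal (RST) came back: the address is visibly in use
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "STEALTH"   # no reply at all before the timeout
    return "UNKNOWN"       # e.g. host or network unreachable


def probe_port(host, port=113, timeout=3.0, attempts=3):
    """Classify a TCP port; report STEALTH only if every attempt is met with silence."""
    state = "UNKNOWN"
    for _ in range(attempts):
        try:
            with socket.create_connection((host, port), timeout=timeout):
                state = classify(None)
        except OSError as exc:
            state = classify(exc)
        if state != "STEALTH":
            break  # definite answer; only silence is retried, since one lost packet looks the same
    return state


if __name__ == "__main__":
    # Assumption: the argument is your own router's public (WAN) address.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(f"TCP port 113 on {target}: {probe_port(target)}")
```
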

Follow these steps to stealth port 113. (Your router configuration screens may look different. These are from a Linksys BEFW11S4 4 port switch with a wireless access point.)

Step 1: Go to http://192.168.1.1 and sign into the administration of the router. (This is the default setting for the Linksys router; if you have changed it for some reason, you will need to go to that particular IP address.) Once your sign-in is complete, the router's settings screen is displayed.

Step 2: Click on the ADVANCED tab to move to the second screen of the router settings, then click on the FORWARDING tab. This will present you with the IP forwarding settings for the router.

Step 3: Create an entry for port 113 in the forwarding table. This will route any port 113 requests to a non-existent IP address. It is best to use an address that is the last IP address supported by the router. For example, the DHCP settings for my router specify my IP address range starts at 192.168.1.100 and will accommodate 50 users. This puts my last IP address at 192.168.1.150, so that is the address I have used. As long as there is not a computer attached to the IP address, the router will send the traffic to oblivion. You can then go back to www.grc.com and re-test your router to make sure your changes have been made.

Thanks to one of the visitors to this page, a slightly better strategy would be to assign the IP address to one less than the start of your DHCP range. For example, if your DHCP range starts at 192.168.1.100, then make your port 113 traffic go to 192.168.1.99. This way, if you happen to connect the maximum number of computers (it could happen), you would not need to re-assign the last IP address. The only way a computer could collide with this address would be for you to manually assign it.

Also, do not forget to turn off remote administration and change the default password for the router if you have not done so already. It is also a very good idea to change the default SSID of the router (and your wireless computers) to an ID that cannot be easily guessed. You may have heard that it is not good to allow the router to 'broadcast' the SSID. There are actually two schools of thought on this. If you don't broadcast the SSID, then when packets come into the router they have to be verified every time. This takes time to do and can slow the performance of the router.

Those of you using a Wi-Fi enabled router should also be using the Wireless Encryption Protocol or WEP to protect access to your wireless network bandwidth. Be sure to use the 128 bit encryption mode rather than the 40 bit mode.

Yes, you may have heard WEP has been broken, but in reality, it takes someone who is VERY skilled and they have to capture hundreds of thousands of packets of your traffic in order to determine your WEP key.  Also, make sure you are not using the wireless access point in an ad-hoc mode as this leaves your network wide open to anyone. 

For additional security you can create entries in your MAC (media access control) Active Link table for each of your computers authorized to access the wireless portion of your network. You will simply enter the MAC address for each of your wireless network adapters into this table. Once activated, ONLY these devices will be allowed to access your network wirelessly.
