NAT firewall hacked?

Networking/Security Forums -> Firewalls // Intrusion Detection - External Security

Author: JoshD PostPosted: Sat Dec 04, 2010 2:40 pm    Post subject: NAT firewall hacked?
    ----
I have a small network (5 PCs, 5 IP phones, some network storage, various WiFi devices such as phones, and a Linux box running an Asterisk phone system), which all sits behind the Netgear WGR614v9 router supplied by my ISP, a fibre optic cable provider.

When I first installed the Asterisk system I was interested in remote SIP access to the Asterisk box and set the router to forward the relevant ports to it, but I never got remote access to work, and found I didn't really need it, so about a month ago I switched this port forwarding off (more precisely, I redirected the ports to a non-existent internal IP address).

For some time now the internal network has been failing, going off for a few seconds at a time, but two weeks ago matters reached a head when the internal network completely ground to a halt for an extended period. The Asterisk logs showed a massive hacker attack, using brute force to try different userid/pwd combos, all coming from a single external IP address, with 1.8mm attempts over a six-hour period.

My first thought was that the changes I'd made to port forwarding on the router somehow hadn't properly registered, so I cancelled all port forwarding, and also (as part of a re-install of the Asterisk system), I changed the internal IP address of the server.

Initially all seemed fine, but then a few days ago the network again ground to a halt, and the Asterisk logs showed a similar brute force attack, from a different external IP address. I switched the Asterisk machine off, because I couldn't see any other way to protect it. Later on I checked the router logs, and found a large number of entries, of which this is a small sample:
-----------------------------------

[LAN access from remote] from 189.36.200.50:14580 to 192.168.xxx.yyy:54852 Wednesday, Dec 01,2010 18:03:06
[LAN access from remote] from 65.8.48.199:61606 to 192.168.xxx.yyy:54852 Wednesday, Dec 01,2010 18:03:06
[LAN access from remote] from 91.187.25.245:13666 to 192.168.xxx.yyy:54852 Wednesday, Dec 01,2010 18:03:06
[LAN access from remote] from 84.248.92.129:25885 to 192.168.xxx.yyy:54852 Wednesday, Dec 01,2010 18:03:06
[LAN access from remote] from 85.141.121.136:1040 to 192.168.xxx.yyy:54852 Wednesday, Dec 01,2010 18:03:05
[LAN access from remote] from 68.232.85.196:62319 to 192.168.xxx.yyy:54852 Wednesday, Dec 01,2010 18:03:04
[LAN access from remote] from 86.126.169.223:53247 to 192.168.xxx.yyy:54852 Wednesday, Dec 01,2010 18:03:03
[LAN access from remote] from 58.83.254.46:17395 to 192.168.xxx.yyy:54852 Wednesday, Dec 01,2010 18:03:01
[LAN access from remote] from 68.96.112.150:45551 to 192.168.xxx.yyy:54852 Wednesday, Dec 01,2010 18:03:01
[LAN access from remote] from 93.91.196.132:26159 to 192.168.xxx.yyy:54852 Wednesday, Dec 01,2010 18:03:01
[LAN access from remote] from 87.93.194.233:54705 to 192.168.xxx.yyy:54852 Wednesday, Dec 01,2010 18:03:01
[LAN access from remote] from 193.151.107.29:24101 to 192.168.xxx.yyy:54852 Wednesday, Dec 01,2010 18:03:00
[LAN access from remote] from 222.71.210.50:49477 to 192.168.xxx.yyy:54852 Wednesday, Dec 01,2010 18:03:00
[LAN access from remote] from 95.129.166.223:35691 to 192.168.xxx.yyy:54852 Wednesday, Dec 01,2010 18:03:00
[LAN access from remote] from 93.65.250.97:16546 to 192.168.xxx.yyy:54852 Wednesday, Dec 01,2010 18:03:00
[LAN access from remote] from 195.150.77.247:42422 to 192.168.xxx.yyy:54852 Wednesday, Dec 01,2010 18:03:00
[LAN access from remote] from 86.174.172.168:30095 to 192.168.xxx.yyy:54852 Wednesday, Dec 01,2010 18:02:58
[LAN access from remote] from 187.16.247.229:15568 to 192.168.xxx.yyy:54852 Wednesday, Dec 01,2010 18:02:57
[LAN access from remote] from 189.36.200.50:14580 to 192.168.xxx.yyy:54852 Wednesday, Dec 01,2010 18:03:06
[LAN access from remote] from 65.8.48.199:61606 to 192.168.xxx.yyy:54852 Wednesday, Dec 01,2010 18:03:06
[LAN access from remote] from 91.187.25.245:13666 to 192.168.xxx.yyy:54852 Wednesday, Dec 01,2010 18:03:06
-----------------------

Here 192.168.xxx.yyy is an internal network address for a PC (different to the one used by the Asterisk PBX, now powered down). Neither port 54852 (used above), nor 5060 (which I believe was used to try and break into the Asterisk PBX), nor any other port, is forwarded by the router. The only port open to my knowledge is the router remote access port, which I have changed to be a non-standard port number (ie, not 80) and I have a strong password on it.

It looks like the attackers are coming from numerous external IP addresses and are somehow able to look through the router to target machines on the internal network.

On the router WAN setup, the checkbox to disable the SPI firewall is unchecked---ie, the firewall is not disabled. There is no DMZ server, response to ping is disabled, and NAT filtering is set to Secured.

For wireless access we are using WEP access with a 10 digit key. It does not appear that WEP security has been compromised as the attacks all seem to come from external IP addresses.

I have now augmented the ISP-supplied router with hardware firewall (Firebox Core x1000)---ie, the router is still in use, but the Firebox sits downstream of it, between the router and the internal network switch. Interestingly, after installing the Firebox, I saw that we had a DoS (Smurf?) attack from a single IP address on the Netgear router log; but also saw on the Firebox console that the Firebox was seeing these packets as well (and claimed to be denying them)---ie, it looks as if the Netgear router was identifying these packets as a DoS attack, but still passing them downstream, where they were picked up by the Firebox!

I've contacted my ISP for advice about this, and also posted on their forum, but have had no response.

I am not a sophisticated user, and am looking for any advice, but the specific things I am wondering about are:

1) Is the Netgear WGR614v9 supposed to protect me against these sorts of attacks? ie, I thought that this sort of router was also a firewall---is that correct?
2) Has it somehow failed or been circumvented, or is there another weakness in my system (eg, internal PC infected with virus allowing remote access from hackers? All PCs have AVG-free)?
3) Has adding the Firebox improved my security?
4) What should I be doing now? Should I involve the police?

Many thanks in advance to anyone who takes the time to try and help me.

Josh D.
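The router log excerpt above is the most useful evidence in the post: many unrelated public source addresses hitting one internal host on one high port within a few seconds. The following script is an added example (not part of the post, and not a Netgear or WatchGuard tool) that parses lines in that exact "[LAN access from remote]" format, groups them by internal destination host and port, counts distinct external sources, and flags a target when the burst crosses a threshold. The sample lines are constructed from the addresses quoted in the post, the internal host stays masked as it is there, and the threshold values (five sources within sixty seconds) are assumptions chosen for illustration rather than anything the router documents.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format of the Netgear WGR614 log excerpt quoted in the post.
# The source addresses are the ones quoted there; the internal host is masked as in the post.
# The final line is a verbatim repeat, as in the post, so the counts below separate
# raw events from distinct sources.
SAMPLE_LOG = """\
[LAN access from remote] from 189.36.200.50:14580 to 192.168.xxx.yyy:54852 Wednesday, Dec 01,2010 18:03:06
[LAN access from remote] from 65.8.48.199:61606 to 192.168.xxx.yyy:54852 Wednesday, Dec 01,2010 18:03:06
[LAN access from remote] from 85.141.121.136:1040 to 192.168.xxx.yyy:54852 Wednesday, Dec 01,2010 18:03:05
[LAN access from remote] from 68.232.85.196:62319 to 192.168.xxx.yyy:54852 Wednesday, Dec 01,2010 18:03:04
[LAN access from remote] from 58.83.254.46:17395 to 192.168.xxx.yyy:54852 Wednesday, Dec 01,2010 18:03:01
[LAN access from remote] from 193.151.107.29:24101 to 192.168.xxx.yyy:54852 Wednesday, Dec 01,2010 18:03:00
[LAN access from remote] from 86.174.172.168:30095 to 192.168.xxx.yyy:54852 Wednesday, Dec 01,2010 18:02:58
[LAN access from remote] from 187.16.247.229:15568 to 192.168.xxx.yyy:54852 Wednesday, Dec 01,2010 18:02:57
[LAN access from remote] from 189.36.200.50:14580 to 192.168.xxx.yyy:54852 Wednesday, Dec 01,2010 18:03:06
"""

LINE_RE = re.compile(
    r"^\[LAN access from remote\] from (?P<src>[^:\s]+):(?P<sport>\d+) "
    r"to (?P<dst>[^:\s]+):(?P<dport>\d+) (?P<ts>.+?)\s*$"
)
# The router writes e.g. "Wednesday, Dec 01,2010 18:03:06" (no space between the comma and the year).
TS_FORMAT = "%A, %b %d,%Y %H:%M:%S"


def parse_line(line):
    """Return a dict for one '[LAN access from remote]' entry, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    try:
        # A private (RFC 1918) source would mean the traffic never crossed the WAN side,
        # which is a different problem from the one the post describes.
        rec["external"] = not ipaddress.ip_address(rec["src"]).is_private
    except ValueError:
        rec["external"] = False
    return rec


def parse_log(text):
    """Parse every matching line, skipping unrelated router log entries."""
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def summarize(events):
    """Group events by internal (host, port) and describe the burst that hit each one."""
    by_target = defaultdict(list)
    for e in events:
        by_target[(e["dst"], e["dport"])].append(e)
    summary = {}
    for target, evs in by_target.items():
        times = sorted(e["ts"] for e in evs)
        summary[target] = {
            "events": len(evs),
            "distinct_external_sources": len({e["src"] for e in evs if e["external"]}),
            "window_seconds": (times[-1] - times[0]).total_seconds(),
            "first": times[0],
            "last": times[-1],
        }
    return summary


def flag_targets(summary, min_sources=5, max_window=60):
    """Return targets reached by at least min_sources distinct external addresses within max_window seconds.

    Many unrelated public sources converging on one internal host and port is the pattern in
    the post; for the defender it is the cue to check what that host exposes (a forwarding rule,
    a UPnP mapping, or a session the host itself opened outbound that the router is matching).
    The thresholds are assumed values, not router defaults."""
    return [t for t, s in summary.items()
            if s["distinct_external_sources"] >= min_sources
            and s["window_seconds"] <= max_window]


if __name__ == "__main__":
    summary = summarize(parse_log(SAMPLE_LOG))
    for (host, port), s in summary.items():
        print(f"{host}:{port}: {s['events']} events from "
              f"{s['distinct_external_sources']} external sources in {s['window_seconds']:.0f}s")
    print("flagged:", flag_targets(summary))
```

Run against a saved copy of the router log, the script reports each internal host and port that received traffic, how many distinct public addresses reached it and over what time span. A single internal port reached by many sources in seconds is worth correlating with what that PC was doing at the time (an open peer-to-peer or VoIP application, for instance), because a stateful NAT router will pass inbound packets that match a session the internal host initiated, and that shows up in this log exactly like forwarded traffic.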
