Howdy. LinkSys DSL 'routers' have some serious information leakage, and potention DDoS usage. The following models have been confirmed as having this problem: BEFN2PS4 (EtherFast Cable/DSL Router & Voice with 4-Port Switch) BEFSR81 (EtherFast Cable/DSL Router with 8-Port Switch) Querying these devices with the default community of 'public' causes them to set the address that queried as their snmptrap host, dumping traffic such as the following to that address: Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36, enterprises.3955.1.1.0 = "@out 192.168.1.200 ==> 24.254.60.13[110]." Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36, enterprises.3955.1.1.0 = "@out 192.168.1.200 ==> 216.120.8.23[5632]." Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36, enterprises.3955.1.1.0 = "@out 192.168.1.200 ==> 216.120.8.3[5632]." Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36, enterprises.3955.1.1.0 = "@out 192.168.1.200 ==> 216.120.8.4[5632]." Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36, enterprises.3955.1.1.0 = "@out 192.168.1.200 ==> 216.120.8.5[5632]." Enterprise Specific Trap (1) Uptime: 2 days, 6:04:38.11, enterprises.3955.1.1.0 = "-->[U]Send OP: ^ps_status_q 15049C0DFC9B03166D55EA30474D04FB 9218583272 a .." Enterprise Specific Trap (1) Uptime: 2 days, 6:04:38.11, enterprises.3955.1.1.0 = "<--[U]Recv __: ^ps_status_r.15049C0DFC9B03166D55EA30474D04FB.\"\".0.." It looks like a combination of debugging information as well as traffic logging, many customers never use the configuration page, let alone change the SNMP communities. To make the matter worse, LinkSys refuses to distribute an MIB for the device, which is not suprising considering the SNMP implementation on the device is rather broken (it goes into a continious loop). LinkSys is routing all messages regarding SNMP to /dev/null Have a nice day. Matthew S. Hallacy --
Attachment:
pgp00064.pgp
Description: PGP signature
