Topic: Router itself responding to different TCP stealth scans

Phant0m

Router itself responding to different TCP stealth scans
« on: October 17, 2011, 09:02:19 PM »

Hi,

Yesterday I decided to buy myself a DIR-615 Wireless N 300 Router; its wireless performance is thus far very stable and strong. This router's factory-loaded firmware is 5.10, HW: E3.

I never use Router features like SPI and DoS Protection, and I always use DMZ for unrestricted filtering; I use a software firewall for protection and for monitoring traversing packets.

The problem is, D-Link does limited filtering over DMZ. I’m not used to seeing this with other popular router brands, and I’m not happy with this implementation of DMZ. Now what’s worse, the Router (not the computer set on DMZ) itself is responding to different TCP stealth scans like TCP NULL, XMAS, FIN.

How can I correct this without enabling protections like SPI, so the Router won’t respond to nor drop these types of packets when a computer is set on DMZ?


Thanks in advance.

Regards,
Phant0m

FurryNutz

  • Poweruser
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: Router itself responding to different TCP stealth scans
« Reply #1 on: October 18, 2011, 07:30:12 AM »

The function of the router is to filter and use SPI for data packet inspection. If you do not need this kind of filtering then I would recommend not using a router, man. The main reason for having a router is to let the router do the filtering and FIREWALL management. This is how these routers are designed to work. When using a router, it's recommended to turn off any additional 3rd party SW firewalls as they are not needed. If you don't need these, then I would recommend connecting directly to the ISP modem.
« Last Edit: October 18, 2011, 07:35:11 AM by FurryNutz »
Cable: 1Gb/50Mb>NetGear CM1200>DIR-882>HP 24pt Gb Switch. COVR-1202/2202/3902,DIR-2660/80,3xDGL-4500s,DIR-LX1870,857,835,827,815,890L,880L,868L,836L,810L,685,657,3x655s,645,628,601,DNR-202L,DNS-345,DCS-933L,936L,960L and 8000LH.

Phant0m

Re: Router itself responding to different TCP stealth scans
« Reply #2 on: October 18, 2011, 08:50:51 AM »

No way are you paid technical support for D-Link ... what you just posted was very unprofessional.

The main function of a router is to forward data packets between computer networks, to share with other LAN or WLAN computers and give WAN access. SPI, which is supposed to be an (OPTIONAL FEATURE), is something that was introduced later on to secure LAN and now WLAN devices.

Funny, you suggesting to expose a LAN machine to the rest of the network by not using a software firewall on the computer ... at minimum the Windows built-in Firewall should be used. And I won’t even bother going over your head about the benefits of Application filtering.

Anyway, who or what reputable site recommends disabling software firewalls on the machines that are set behind a Router? And obviously you're not familiar with DMZ support, or you wouldn’t be suggesting running with no firewall anyway. I clearly stated in my previous post that I’m using DMZ for one of my computers for unrestricted traversing packets; everything remotely initiated should ‘ALL’ be forwarded to the machine set on DMZ. Seeing how SPI is still optional, meaning it can be toggled on and ‘OFF’, when ‘OFF’ it should NOT filter remotely initiated packets that should be forwarded to the machine set on DMZ. And worse, the D-Link router or any router device shouldn’t be responding to TCP stealth-scans even though the SPI feature is not used; I could understand if the computer was responding to these types of packets.

This is the first time I’ve been on the D-Link support forum, and at a quick glance, it seems you post a lot; I can’t picture you being as terrible with everyone else as you were in the post in response to mine.


Regards,
Phant0m

FurryNutz

Re: Router itself responding to different TCP stealth scans
« Reply #3 on: October 18, 2011, 09:10:03 AM »

WOOOOOOO DOWN SIR.
I didn't mean for you to take it in a bad way, man. Hold up.

Number 1, I was being professional and honest with my thoughts, man, and it was meant in no bad way to you. If my words were misunderstood, I do apologize; however, that was not my intent.

Number 2, nobody said anyone was paid for doing support on this forum. This is a free open forum maintained by DLink. We are not paid by Dlink and we come here of our own free will to help others.

Number 3, if you understood the router features more, using additional firewall SW is not needed when using a router and if the SPI firewall features are in use. Having additional SW firewalls can be redundant and cause connection issues. This is what the firewall features on the router are meant for and handle very well. I didn't say that you shouldn't use 3rd party. I recommended. I've learned in my experience that 3rd party firewalls should only be used if that's the only security in place or when a device is directly connected to the ISP Modem without being behind a router.

"SPI ("stateful packet inspection" also known as "dynamic packet filtering") helps to prevent cyberattacks by tracking more state per session. It validates that the traffic passing through that session conforms to the protocol. When the protocol is TCP, SPI checks that packet sequence numbers are within the valid range for the session, discarding those packets that do not have valid sequence numbers.

Whether SPI is enabled or not, the router always tracks TCP connection states and ensures that each TCP packet's flags are valid for the current state."

You do have to understand that some of these routers are meant for the average home user, where all they want to do is connect and get online. If you're a geek like me and others on here and like to tinker around and tweak things and such, then I would recommend a different model router, as they have more features and do more things than some.

Phant0m

Re: Router itself responding to different TCP stealth scans
« Reply #4 on: October 18, 2011, 09:29:27 AM »

I’ve read all of what you're quoting; it's available in the router ‘Support’ section, and I understand it perfectly.

I’m a computer technician, and I’ve been aiding with firewall developments since the mid-1990s. I know about stateful packet inspection (SPI) and tracking sessions, and I know about IP and non-IP protocols, TCP and the three-way handshake and different TCP states and the various invalid TCP flag combinations.

Other popular router brands don’t filter; they only forward remotely initiated packets to a machine set up on DMZ, none of this limiting crap that the D-Link Router does for DMZ. SPI is supposed to be optional; when it is disabled and DMZ is used, DMZ should be the priority. And when SPI is disabled, the Router certainly shouldn’t be responding to TCP stealth-scans.

FurryNutz

Re: Router itself responding to different TCP stealth scans
« Reply #5 on: October 18, 2011, 09:48:04 AM »

What you may be up against is what was developed for this router. If that's the case then I presume it's probably by design, and it's possible that maybe Dlink thought it would be good to still have some level of response even if the SPI has been disabled. It's hard to tell though. Again, most of these routers are kinda low end and just meant for general use. Can I ask what you are using DMZ for? What applications are you using it on? Just curious. Also, who is your ISP and what is your ISP modem?

Phant0m

Re: Router itself responding to different TCP stealth scans
« Reply #6 on: October 18, 2011, 10:33:03 AM »

The ISP modem doesn’t have router capability, and if it or the ISP end were going to filter, it would be blocking and not responding. Anyway, the previous Router properly forwarded the TCP stealth-scan packets to the machine that was set on DMZ, and left the decision to accept these types of packets or not up to the machine.

I’m convinced my D-Link router (or the factory firmware they loaded) is defective. I turned on SPI Protection and threw the test at it, and it still responded to the out-of-session TCP packets (the different TCP stealth-scans), even with DMZ disabled.

Here is the real joke: the TCP ping stealth-scan test actually gets forwarded properly to the machine when set on DMZ, and still gets forwarded even with SPI protection enabled ... despite their claim “Whether SPI is enabled or not, the router always tracks TCP connection states and ensures that each TCP packet's flags are valid for the current state.”

FurryNutz

Re: Router itself responding to different TCP stealth scans
« Reply #7 on: October 18, 2011, 10:44:34 AM »

How are you connected to the router? Wired or Wireless?
What 3rd party security SW are you using?
What router were you using before?

I hear of one back door option that seems to be not available on some Dlink routers. I think it has something to do with loopback. I'll check some resources and see what I can find on this. Not sure if this has any effect on what you're seeing.

Maybe we can get this narrowed down.

Hard Harry

  • Guest
Re: Router itself responding to different TCP stealth scans
« Reply #8 on: October 18, 2011, 11:08:10 AM »

First, I think you will find this post helpful.

http://forums.dlink.com/index.php?topic=12364.0

It's standard forum practice to search the forum before posting. Second, none of us here are Dlink employees. We are not going to pamper you, and we have no obligation to help you.

On to the point, the DIR-615 DMZ does not forward 0-1 as part of DMZ. It keeps those locked for security. It isn't a security vulnerability though; the ports just don't come up as stealth, since they're closed. If this causes you trouble, your best bet is to find another router with a firewall whose design is different, or try some 3rd party firmware.

By the way, if you're a Technician, how about a little empathy? Same team, man.

Phant0m

Re: Router itself responding to different TCP stealth scans
« Reply #9 on: October 18, 2011, 04:34:34 PM »

Hi Hard Harry,

It explains things, but doesn’t offer a solution ... as you already know, but I very much appreciate the link.

And I’m well aware of standard forum practice when seeking information and possible solutions. This support board was linked from the official D-Link support page, where I thought officials roam, and there was no solution given, only people reporting about it. I didn’t see how it could be interpreted negatively to send feedback on how strongly I feel about some by-design implementations that it seems many D-Link products share. And perhaps if I was heard, along with others who share the view, they might reconsider their current design and improve on it to include at minimum a toggle to enable and disable, and reach a wider audience. The router device I bought seems to fare well with performance and stability, and a minor addition to the firmware is all that's required.

And I’m not saying it's a shared view, but from personal experience, D-Link doesn’t make it easy or comfortable for those who are transitioning over from another brand. While I never tested every big router brand, I do know D-Link thus far is the only one I’ve experienced that restricts DMZ, and the only one to respond to different TCP stealth-scans ... or at least when port 0 or 1 is used. These responses aren’t just with the use of DMZ; they occur with DMZ turned off and even with SPI protection enabled. Also, TCP pings get forwarded properly, and they're using ports 0 and 1.

Also, I wouldn’t consider these ports “locked for security”, or it wouldn’t be responding. Having a computer or router respond to unsolicited packets is a waste of resources, especially if there was an attack designed to overwhelm your computer or router while it's processing and sending responses back; it wouldn’t take much for a script kiddie to knock your Internet out and have all current connections dropped because of this uncommon D-Link product design.

Regarding empathy, unfortunately that went out the window when reading that response, which I was hoping would be from an official, only to read a post telling me what a router is and, basically, to throw the router I just bought yesterday out the window and hook up directly. I mean, if I bought a router, it is to share files across LAN and WLAN, and to have WAN access, for two or more different computers and/or devices. And then to read him saying it's recommended to disable a software firewall and that one isn’t needed because I’m behind this D-Link router that provides some form of SPI protection, which is just one of several different types of protection that a software firewall product can offer.

I came off a little strong, FurryNutz. I do apologize for that; I could have handled it a little better. And I do see you are trying your best, and you are helping people, which I applaud you for.

To be honest, I have been reluctant for many, many years to buy a D-Link router for this reason. My very first wireless router was a D-Link one, and even then it filtered DMZ. For that reason I stayed away from D-Link routers up until yesterday; the store I was in didn’t have any left of the other guys' brand, so I thought I’d give a D-Link router a chance.

This D-Link router model I bought, as mentioned by me already and by others elsewhere on this forum, has excellent performance and seems very stable from my brief time of testing. But I’m going to take you guys' advice and return this product to the place of purchase and wait a couple of days for the next shipment of the other guys' router product. This brand is simply not for me.


Regards.

Hard Harry

  • Guest
Re: Router itself responding to different TCP stealth scans
« Reply #10 on: October 18, 2011, 10:45:19 PM »

Quote from: Phant0m
> And I’m not saying it's a shared view, but from personal experience, D-Link doesn’t make it easy or comfortable for those who are transitioning over from another brand. While I never tested every big router brand, I do know D-Link thus far is the only one I’ve experienced that restricts DMZ, and the only one to respond to different TCP stealth-scans ... or at least when port 0 or 1 is used. These responses aren’t just with the use of DMZ; they occur with DMZ turned off and even with SPI protection enabled. Also, TCP pings get forwarded properly, and they're using ports 0 and 1.
>
> Also, I wouldn’t consider these ports “locked for security”, or it wouldn’t be responding. Having a computer or router respond to unsolicited packets is a waste of resources, especially if there was an attack designed to overwhelm your computer or router while it's processing and sending responses back; it wouldn’t take much for a script kiddie to knock your Internet out and have all current connections dropped because of this uncommon D-Link product design.


From what I understand, some Dlink routers (not sure if all) have one of two port states: open or closed. A closed port will respond as closed when queried. That is the problem I think you're seeing. It's like the old joke "Knock knock, is anyone home?" "No". Maybe it has something to do with the way they implement UPnP, maybe it's their QoS? I really don't know; I just know others have expressed concern about it before. You do have a point that it's a waste of resources. So much so that I usually turn those records off in my logs to at least conserve space there. Does Dlink make the best firewall? No. Is it enough for the average home user? Yes.

As for your point about linking here from an official site, I agree. I think there should be a warning/notice saying "This forum is no longer strictly moderated, and nothing posted here reflects the support/opinion of Dlink". There are some politics involved, though, that don't let them say that.

As for all the other stuff and the apologies, don't worry about it. Sometimes you get emotional, and then we respond emotionally, and drama ensues. It's the people that continue to swear and demean us that I have issues with. I have been in your shoes more than I would care to admit. I sometimes tell my friends "If you hear me swearing, you hear me learning". LOL. I am also a little protective of my friends here, so....Talk Hard, and all that. :-)
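The open/closed behaviour discussed in this thread, as an added example that is not part of any post and is not D-Link code: it classifies NULL, FIN and XMAS segments by their TCP flag bits and returns what an RFC 793 TCP stack answers when no connection exists, which is why a port that answers with RST is reported as "closed" rather than "stealth". The sample headers, source port 40000 and all function names are constructed for illustration.

```python
import struct

# TCP flag bits (low 6 bits of the 16-bit offset/flags field)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def parse_tcp(header: bytes):
    """Return (src_port, dst_port, flags) from a raw TCP header."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", header[:14])
    return sport, dport, off_flags & 0x3F

def classify(flags: int) -> str:
    """Name a segment that matches no tracked session, by flag combination."""
    if flags & RST:
        return "RST"
    names = {0: "NULL", FIN: "FIN", FIN | PSH | URG: "XMAS", SYN: "SYN", ACK: "ACK"}
    return names.get(flags, "other")

def endpoint_reply(flags: int, listening: bool) -> str:
    """Reply of an RFC 793 stack when no connection exists for the segment."""
    if flags & RST:
        return "none"        # a RST is never answered
    if not listening:
        return "RST"         # CLOSED: every non-RST segment is reset
    if flags & ACK:
        return "RST"         # LISTEN: an unexpected ACK is reset
    if flags & SYN:
        return "SYN-ACK"     # LISTEN: normal handshake continues
    return "none"            # LISTEN: NULL/FIN/XMAS are silently dropped

def make_header(dport: int, flags: int) -> bytes:
    """Constructed sample header: seq/ack 0, data offset 5 words, window 1024."""
    return struct.pack("!HHIIHHHH", 40000, dport, 0, 0, (5 << 12) | flags, 1024, 0, 0)

def report(samples, listening=False):
    """(dst_port, probe name, expected reply) for each raw header."""
    rows = []
    for hdr in samples:
        _, dport, flags = parse_tcp(hdr)
        rows.append((dport, classify(flags), endpoint_reply(flags, listening)))
    return rows

# Constructed samples aimed at port 1, one of the two ports named in the thread.
SAMPLES = [make_header(1, f) for f in (0, FIN, FIN | PSH | URG, ACK)]

if __name__ == "__main__":
    for dport, kind, reply in report(SAMPLES):
        print(f"dst port {dport}: {kind:5} -> closed port replies {reply}")
```

A filter that silently drops these segments makes the closed and listening cases look identical from outside, which is what "stealth" refers to in the posts above.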