
Author Topic: B1 - SECURITY ISSUE - Port 0-1 shows Closed Not Stealth! TECHS THIS MUST BE FIXED  (Read 29321 times)

kmcree

  • Level 1 Member
  • *
  • Posts: 7

Rev A1 1.11NA

GRC Port Authority Report created on UTC: 2009-08-28 at 05:17:03

Results from scan of ports: 0-1055

    0 Ports Open
    0 Ports Closed
 1056 Ports Stealth
---------------------
 1056 Ports Tested

ALL PORTS tested were found to be: STEALTH.

TruStealth: PASSED - ALL tested ports were STEALTH,
                   - NO unsolicited packets were received,
                   - NO Ping reply (ICMP Echo) was received
Logged

cc999

  • Level 2 Member
  • **
  • Posts: 67

Clint go here:

https://www.grc.com/port_1.htm

Charlie
Logged

BOFslime

  • Level 1 Member
  • *
  • Posts: 15

Just a few things here...

Firstly, there is no security issue here, even if the ports aren't dropping packets (stealth) your systems aren't going to be listening on these ports and thus no security issue. Additionally, unless otherwise configured, you're going to be running NAT, and you would have to forward such port for it to even reach anywhere outside the WAN interface of the 825, and the 825 itself is not listening on these ports.

Second, "Shields Up"/GRC run by Steve Gibson is considered a laughing stock of the security community. 

Third, the DIR-825 is NOT A FIREWALL, sure it does some firewalling, inherent NAT securities, even stateful tagging as well.  All good, but it's not a dedicated security device, if you're concerned about security, get an ASA or run iptables.

For fun, I ran these 'security checks' through my dir-825 (running 1.12NA) and I can't even replicate your 'issue':

0 <nil> Stealth There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!

D-Link admins/techs/reps aren't going to comment on every over-paranoid freakout spewed onto the forums any more than your ISP cares about who's probing your WAN IP.  There are FAR too many other and REAL security issues out there to manage.
Logged

rickm1350

  • Level 2 Member
  • **
  • Posts: 81

I can't replicate the issues either, using GRC.  My 825 shows stealth on ports 0 and 1

Logged

cc999

  • Level 2 Member
  • **
  • Posts: 67

Then it must be the firmware. I have the rev B1 with 2.02NA. Does anyone with this firmware have ports 0 and 1 stealth? I believe it's a firmware issue, even more reason to get fixed immediately.

Charlie C
Logged

Kanati

  • Level 1 Member
  • *
  • Posts: 24

B1 here also, with 2.02NA.  Ports 0 and 1 not stealthed.  Looks like a non-issue on the A1 version.

Confirmed my PC listening on these ports.  This router does have a firewall, not like a huge business server with ASA, but good for a home network and has proven effective for small network security.

Logged

BOFslime

  • Level 1 Member
  • *
  • Posts: 15

B1 here also, with 2.02NA.  Ports 0 and 1 not stealthed.  Looks like a non-issue on the A1 version.

Confirmed my PC listening on these ports.  This router does have a firewall, not like a huge business server with ASA, but good for a home network and has proven effective for small network security.

How did you verify your pc was listening on these ports?  Unless you enabled them, or you have a virus, there is no way it could be.


As for B1, there is still no threat, only a cosmetic issue.

-Unless you are port forwarding, or 1to1 mapping the IP to your machine, no connections will reach your systems on these ports.
-no Microsoft OS uses these ports for anything
-tcp/udp port 0 is reserved (i.e. not used), there are some attacks involving port 0 that attempt to cause buffer overruns, or DoS.  A little googling showed a trojan pinging from port 1024 to port 0, which I assume is simply searching for copies of itself, but the port is closed and the 825 will simply drop the packet, as would your computer (unless you were already infected with such a virus and it enabled the port to listen.)
-tcp/udp port 1 is reserved for tcpmux - http://en.wikipedia.org/wiki/TCPMUX - a unix service designed to combine ports, not used very often and is considered a security risk if enabled (yeah, you have to turn it on).
-I have never nmap'd (scan) a linux box to date that listed 0, and/or 1 as anything other than closed/filtered, nobody uses this really.
-'stealth' only means a port is being listened on, but only for trusted hosts/sources (and what would look like as open for such host/source).

So in a standard config the device showing these ports as 'closed' is in fact the DIR-825 (not forwarded anywhere).  The 825 is not listening on these ports so they are indeed closed.  So, you see, there is no security threat, you cannot connect to a closed port.  Yes the 825 B1 should not return that the port is closed and instead simply drop the request, maybe D-Link will correct this cosmetic issue in the next code update, but there is no harm in letting it sit a full dev cycle as other issues are addressed.
Logged
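The closed-versus-stealth distinction discussed in the post above, seen from the probing side. This is an added example, not part of the original thread: a closed port answers a connection attempt with a TCP reset, while a stealth port answers with nothing, so the attempt times out. The names `state_from_error`, `probe` and `loopback_demo` are hypothetical, and the demo only touches sockets it creates on 127.0.0.1.

```python
import errno
import socket


def state_from_error(exc):
    """Translate the result of one TCP connect attempt into scan-report terms."""
    if exc is None:
        return "open"         # handshake completed: something is listening
    if isinstance(exc, ConnectionRefusedError):
        return "closed"       # a RST came back: host exists, nothing listens
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "stealth"      # no reply at all: the packet was silently dropped
    if isinstance(exc, OSError) and exc.errno in (errno.EHOSTUNREACH,
                                                  errno.ENETUNREACH):
        return "unreachable"  # an ICMP error came back instead of TCP
    raise exc


def probe(host, port, timeout=2.0):
    """Attempt one full TCP connection and classify what came back."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return state_from_error(None)
    except OSError as exc:
        return state_from_error(exc)


def loopback_demo():
    """Constructed sample: one listening port and one non-listening port."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))   # port 0 here means "pick a free port"
    listener.listen(1)
    bound_only = socket.socket()
    bound_only.bind(("127.0.0.1", 0))  # bound but never listen()ed: kernel resets
    try:
        return (probe("127.0.0.1", listener.getsockname()[1]),
                probe("127.0.0.1", bound_only.getsockname()[1]))
    finally:
        listener.close()
        bound_only.close()


if __name__ == "__main__":
    print(loopback_demo())
```

The "stealth" result cannot be produced on loopback without a packet filter that drops traffic, so the demo covers only the open and closed cases.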

cc999

  • Level 2 Member
  • **
  • Posts: 67

BOF,

   Why does the trick to forward that port to a fake IP address work? I used this trick
on a Buffalo router that had port 113 showing as closed. I forwarded 113 to an IP address
not in my router config and then it showed stealth. Any ideas on a workaround to show stealth?

   I now have my 825 plugged into my 655 and all ports are stealth but I really do not want this configuration.
Any help would be appreciated.

Charlie C
Logged

Gadget

  • Level 2 Member
  • **
  • Posts: 59

Gadget, you need to go back to ShieldsUp and run not just the first scan, but the second and third scans as well.

Tests:
1) File Sharing (which is what you ran)
2) Common Ports
3) All Service Ports

You will see that the DIR-825 does not stealth ports 0 and 1.  HUGE security issue that everyone should be concerned about.

CC,

I thought I'd explained.  I did run all the tests.  I posted the results of test 1 in the earlier message.  Here's the result from test 2 (common ports):


Results from scan of ports: 0, 21-23, 25, 79, 80, 110, 113,
                            119, 135, 139, 143, 389, 443, 445,
                            1002, 1024-1030, 1720, 5000

    0 Ports Open
    0 Ports Closed
   26 Ports Stealth
---------------------
   26 Ports Tested

ALL PORTS tested were found to be: STEALTH.

TruStealth: PASSED - ALL tested ports were STEALTH,
                   - NO unsolicited packets were received,
                   - NO Ping reply (ICMP Echo) was received.




and for test 3 (all service ports)

GRC Port Authority Report created on UTC: 2009-08-30 at 02:35:59

Results from scan of ports: 0-1055

    0 Ports Open
    0 Ports Closed
 1056 Ports Stealth
---------------------
 1056 Ports Tested

ALL PORTS tested were found to be: STEALTH.

This is through an 825, no special filters or other workarounds.  In the future if you post about an issue with your router, be sure you mention which model and what firmware you're running.  You had A model people jumping through (nonexistent) hoops looking for an issue that may only exist with the B model.

Cheers
« Last Edit: August 29, 2009, 07:53:21 PM by Gadget »
Logged

cc999

  • Level 2 Member
  • **
  • Posts: 67

Gadget

   Do you have hardware B1 or A?????? seems B1 has the issue...

Charlie C
Logged

Kanati

  • Level 1 Member
  • *
  • Posts: 24

Gadget has the A1 Version...read Gadget's first post.

CC, since this is your post...change the title to say "B1 Security Issue"
Logged

cc999

  • Level 2 Member
  • **
  • Posts: 67

bump
Logged

claykin

  • Level 3 Member
  • ***
  • Posts: 112

Oh, I'm quite sure Dlink knows about this by now.  The problem I have is that they choose not to engage, in a useful way, most posts to these forums.  Aside from the occasional reply from one of the moderators, Dlink is MIA and pretty much leaves it up to users to help.

I'd really like to see them improve this!
Logged

Kanati

  • Level 1 Member
  • *
  • Posts: 24

Bump, Bump
Logged

Lycan

  • Administrator
  • Level 15 Member
  • *
  • Posts: 5335

The DIR-825_A is a Ubicom product. By default Ubicom stealths ports when no traffic is being sent. The 825_b is not a Ubicom platform and does not follow their "stealth" procedure. As BOFslime points out, Shields Up is a "joke". As for the users that believe that they're not protected unless their ports return as stealthed, then the 825_b is NOT the router for you. We suggest that you purchase a true firewall and not a SOHO NAT device.

I'm locking this thread.

Please see http://forums.dlink.com/index.php?topic=8180.new#new
« Last Edit: September 21, 2009, 12:54:21 PM by Lycan »
Logged