
Author Topic: ISP NastyGram DNS Open Resolver  (Read 6367 times)


Offline Mahri7

  • Newbie
  • Posts: 2
  • Thanks: 0
  • Registered : 19/09/2014
ISP NastyGram DNS Open Resolver
« on: September 19, 2014, 01:38:45 am »
A forum search returned this thread from January, http://forum.securifi.com/index.php?topic=260.0, on the topic of the router's capability to be used as an Open DNS Resolver. I, and apparently many others according to the reviews on Amazon, have all gotten nasty grams from our ISPs to shut off domain proxy and fix the open DNS resolver issues on our routers. I have the newest released software ending in -w33. So what is the fix for this? Apparently you have quite a few upset users.

Amritendu

  • Guest
Re: ISP NastyGram DNS Open Resolver
« Reply #1 on: September 19, 2014, 09:00:25 am »
@Mahri7, we have come across this issue recently reported by some users. We have a firmware fix for this, but it is not available through the LCD/web update. Please contact us on support@securifi.com and we can help you update your Almond with this new firmware, and that should take care of this issue.

Offline Mahri7

  • Newbie
  • Posts: 2
  • Thanks: 0
  • Registered : 19/09/2014
Re: ISP NastyGram DNS Open Resolver
« Reply #2 on: September 21, 2014, 03:24:23 am »
You really need to push this as an update everyone can do from their router, not just someone coming and asking for it. Having this vulnerability on a router that is supposed to be for ease of use should be secured right out the gate. Let the techy users that want to have this option disabled do it for themselves. I sent the email so I will wait for the response before testing the router again via http://openresolverproject.org/ which I recommend every Almond user do to make sure you take care of this security vulnerability.

Amritendu

  • Guest
Re: ISP NastyGram DNS Open Resolver
« Reply #3 on: September 21, 2014, 05:35:26 am »
Point noted, and this is something which would be done very soon, possibly by next week. The whole idea of Almond was to provide a no restriction experience to all users, irrespective of basic and advanced! Hence it is a flexible enough device to allow advanced users to run an open DNS if they want to. Nevertheless, it's true that it might cause issues to the ISPs/denial of service to them.
« Last Edit: November 20, 2014, 02:48:44 pm by Amritendu »

Offline bammann

  • Newbie
  • Posts: 1
  • Thanks: 0
  • Registered : 22/10/2014
Re: ISP NastyGram DNS Open Resolver
« Reply #4 on: October 22, 2014, 11:25:11 am »
I too have received this notification.  To be honest I am fairly irritated that a patch isn't available for download - unless I missed a post elsewhere and am responding to an old thread w/out the latest info.

Amritendu

  • Guest
Re: ISP NastyGram DNS Open Resolver
« Reply #5 on: November 20, 2014, 02:46:40 pm »
Anyone having a similar issue, please download the firmware from https://drive.google.com/file/d/0B6cFyWWSXjqEUGI2SjNLeG9hZVk/view?usp=sharing and update your Almond. Following are the instructions, how to update it.

(1) Please download the firmware and save it on a laptop/computer.

(2) Connect this laptop/computer wired or wireless to Almond. Tap on "More" on the LCD screen and then tap on "Web Administer". Note down the URL and put the same on your browser to access the Web UI of the Almond. (URL/IP:10.10.10.254, Username: admin, Password: admin). Now you should be accessing the Web user interface of Almond, select "Software" on the Web UI and then upload the saved file from your computer. Please do not unplug Almond from power socket during the update process. This should resolve the issue!

(3) Once the software update is over, check the "Status" icon and see whether it is connected or not. If not connected with a green square box, tap on "Wizard" and set it up as router again.

(4) Just for your information, you can cross-check the resolution from http://www.thinkbroadband.com/tools/dnscheck.html  and it should show you, "Success! We detected your IP address as xxx.xxx.xxx.xxx and did not find an open DNS resolver running"

Offline commorancy

  • Newbie
  • Posts: 1
  • Thanks: 0
  • Registered : 29/11/2014
Re: ISP NastyGram DNS Open Resolver
« Reply #6 on: November 29, 2014, 12:56:03 am »
Anyone having a similar issue, please download the firmware from https://drive.google.com/file/d/0B6cFyWWSXjqEUGI2SjNLeG9hZVk/view?usp=sharing and update your Almond. Following are the instructions, how to update it.

(1) Please download the firmware and save it on a laptop/computer.

(2) Connect this laptop/computer wired or wireless to Almond. Tap on "More" on the LCD screen and then tap on "Web Administer". Note down the URL and put the same on your browser to access the Web UI of the Almond. (URL/IP:10.10.10.254, Username: admin, Password: admin). Now you should be accessing the Web user interface of Almond, select "Software" on the Web UI and then upload the saved file from your computer. Please do not unplug Almond from power socket during the update process. This should resolve the issue!

(3) Once the software update is over, check the "Status" icon and see whether it is connected or not. If not connected with a green square box, tap on "Wizard" and set it up as router again.

(4) Just for your information, you can cross-check the resolution from http://www.thinkbroadband.com/tools/dnscheck.html  and it should show you, "Success! We detected your IP address as xxx.xxx.xxx.xxx and did not find an open DNS resolver running"

Thank you for the fix. It seems to be working correctly after application.

However, one thing I would mention is that because the Almond and Almond+ are so easy to use and are, thus, being sold primarily by users who are not in any way technical (which is the whole premise of the interface design and the touch screen), it is, therefore, the responsibility and burden of Securifi to push mainline security fixes to the device as soon as they are detected and corrected. Should the Almond or Almond+ become vulnerable to an attack vector, your security team should be the first to determine the vulnerability of the Almond and Almond+ devices and push out a mainline firmware release as soon as possible.

Withholding a firmware release that patches a critical security flaw to 'special circumstance cases' which requires the user to go Google this patch is never a good idea. In other words, since every Almond device that does not have this patch applied is clearly vulnerable to DNS amplification attacks, this means that there are likely a fair number of these devices in service that could be used in an attack. Since the Almond device also supports updates from within the device, this is where the patch should appear. Not on this forum as a separate install procedure. Users won't know to go looking here for such a patch.

For this reason, the burden falls to Securifi to GA this patch to the general population of devices so that these devices are no longer vulnerable. If a large scale DDoS attack were launched as a result of your unpatched devices, a lot of people are going to come looking at you for answers as to why your team didn't send out this patch as GA (especially when you have a fix available as documented in this thread).

I would highly recommend that you GA this patch pronto and push it out so that device owners will see the update and eliminate this vulnerability from their device.

The issue is less about nasty grams from ISPs and more about patching critical security vulnerabilities timely and through regular channels. Every company producing devices like this needs to take security patching seriously and push patches as soon as they are aware and corrected through the normal update channels.

Thanks.

Amritendu

  • Guest
Re: ISP NastyGram DNS Open Resolver
« Reply #7 on: December 02, 2014, 12:59:31 pm »
We have implemented R200 firmware available through LCD update. You can directly do it through the LCD without having to go through the manual process.
« Last Edit: December 03, 2014, 08:30:31 am by Amritendu »
