Network : routers

The Ethernet switch combines UTP twigs into one bigger branch. All twigs share the same IP range (for example 192.168.56.xxx) and the resulting branch is part of that same range. Higher switches combine the branches into a stem, giving shape to the tree structure that we call our network.

But there are many trees out there and we want to see the branches and twigs of the other trees as well. And this is where the router comes in; the router is a box with two ports:

  1. On one side is your own 'tree' with its own branches and twigs
  2. On the other side is your ISP's tree with its branches and twigs

The router acts between IP ranges. In general the IP range on one port is different from the one on the other port. The router acts as a valve to control the stream of data: hostile data is kept out, friendly data is allowed in.

Longshine LCS-IR2114 : Overview

My SMC has been keeping out trespassers (they would not be shot, just ignored). But then I wanted to use a newer router (which I already had in my dungeon, for just in case...).

So I took the liberty to set up the Longshine LCS IR2114 for my network. Below you see the menu bar of the router, after you have logged in to it via your browser. The router itself is visible in the picture to the right. This is a very handy router. The foot in the base can be turned and has two holes to accept 2.5 mm screws. This enables a vertical mount, which is convenient for cooling purposes.

The factory default is that the IR2114 has its DHCP server running on the LAN ports. So you just connect a naked PC to either of these LAN ports and get an IP address from the router. Then you can change the IP range to your own (if required).
If you have changed the IP range and rebooted the router, you can reconnect and start a browser to set up the internals of the device. The default user name and password are both blank: just press 'Enter'.


If you are tying the router into your running LAN, make sure the 2114's DHCP server is (temporarily) shut down in order to prevent conflicts with your current DHCP server.

I have been using the IR2114 for a few days now. There were some differences from my previous one (the SMC listed below) but all of the differences were positive. This router has the firewall ALWAYS enabled. Running a router without a firewall wouldn't make sense in the first place, so the Longshine engineers decided to have it running all the time.
If you are running a web- or FTP server at home, you can go to the DoS page.

Longshine LCS-IR2114 : WAN side

To the right you see the screen which is to be used by people with a cable modem. For those ISPs that will only allow one MAC address to access the modem (and this is an upgrade), you can enter that specific MAC address in the upper row. First, of course, you need to check 'Modify'.

Then you enter the ID you got from your cable ISP. This is not always required: some cable modem ISPs do not need your cable ID to be entered here. For Ziggo users in The Netherlands: this is where you need to put your 'cp number'.

And that's about it. You could decide to run with static DNS servers but that's a bit tricky. In the past, Ziggo has changed its DNS servers several times without any notice. So it's best to request the DNS servers via DHCP each time.

The domain name is optional (if I read the manual correctly) so here I will enter 'fruttenboel', my default network name.


Longshine LCS-IR2114 : LAN side

These are the settings for your internal LAN. The upper line states the IP address of the router. Here it is still addressed as '201' but that's because I am setting up the device as a LAN peripheral. As soon as it is running as the active router, its IP address will be changed back to '99'.

The netmask speaks for itself.
The DHCP server in this example is still disabled. That's because the IR2114 is not supposed to hand out IP addresses yet; that's what the SMC is still doing. As soon as the SMC is taken out, the DHCP server is enabled again with a DHCP IP range of 100 through 199.
I don't know what a WINS server is and I don't want to know it either.


Longshine LCS-IR2114 : Sub menus

As soon as you mouse over 'Advanced setup' or 'Network status' a submenu pops up, as can be seen in the picture next to this paragraph. This is the submenu of 'Advanced setup'.


Longshine LCS-IR2114 : Management

Today (22 August 2009) the Longshine took over guarding my Internet fence. It went quite fast. Just some basic setup, a power cycle and that was it. Now it runs instead of the SMC.

Some cautious tests show that the data speed of the LAN seems a bit lower than it used to be. Especially when browsing the web it looks like speed was sacrificed. I blame it on the very safe settings I entered in the Denial of Service prevention center. Some tests will shed more light on this.
The tests were done and proved that I set up the router too seriously. For a home based router you do not need the DoS protection mechanisms. Now the speed is optimal again.

In this screen you can enter a new password.

Be very careful here!

The password length should not exceed 8 characters!

If it does, you should ONLY enter the first 8 characters when trying to log in to the router.

When logging in:

The factory default state is blank/blank (just hit Enter).

Since I am a bore for the Chinese, I disallowed router control from the WAN side. If they want to manipulate settings they should just buy one, like I did. For the rest it's all kind of standard.


Longshine LCS-IR2114 : Virtual server

Not sure what this is all about. I should really start reading the Tanenbaum book. The IP address in the listbox is from my webhost and at the time I was sending files by FTP to them.

But that's the only clue I have so far.


Longshine LCS-IR2114 : DMZ

The DMZ is the Demilitarized Zone of your router. Also known as a Data Management Zone, Demarcation Zone or Perimeter Network. DMZ sounds nice. What it does is simple: expose part of your network to the harsh environment of the internet.
The DMZ is a physical or logical subnetwork that exposes some of your external services to a larger, untrusted network, usually the Internet. The purpose of a DMZ is to add an additional layer of security to your Local Area Network (LAN); an external attacker only sees equipment in the DMZ, rather than the whole of the network.
If you plan to expose a Windows based server to the internet in your DMZ, think twice. A Linux machine will stand a chance. But still, why take the risk?

Use this option with care!


Longshine LCS-IR2114 : Packet Filter

Here you can disable the firewall function, if you use a trick:

This will rule out your firewall.

I recommend NOT to do this!

I was doing a check of the reliability of the firewall. This time at http://www.grc.com/

Oh, the results of the port scans?


Longshine LCS-IR2114 : Static route

Static route is for connecting your local network to a system with more than one router. Suppose you have a cable account and an ADSL account. Then you need


Longshine LCS-IR2114 : DynDNS

The LCS IR2114 allows you to register your IP address via the following DynDNS servers:


Longshine LCS-IR2114 : DoS attacks

This screen lets you personalize your defence against crackers. Initially I enabled all of them. And in order to stay pingable, I set the allowed amounts of pings and UDP packets to one per second. It will still prevent a DoS (Denial of Service) attack, but you or someone else will still be able to do some necessary tasks involving either of these techniques.

A few hours later, I have turned off the UDP Flood and Ping Flood options. It looked like they seriously worsened WAN side traffic speed. Especially connecting to 'new' sites got slower. But not on all computers and not for all sites. I got the impression that traffic speed went down on sites that were infected by the Google Analytics virus.

In the meantime I have disabled all options. I was running with the upper three options enabled. I could connect via FTP to my webhost, but uploading (or even changing directory) was not allowed. The router terminated the connection. So I disabled all the options and now I can FTP again.

After I disabled all radio buttons on the DoS attack page, I was uncertain if the firewall was still enabled or not. In the SMC I had to manually activate the firewall. Here, nowhere in the setup is there a checkmark for the firewall. So I went to the web and started the toughest test on http://nmap-online.com/.
When the site was done testing my IP address, it reported that all ports are filtered. I.e. there is a firewall running and it is protecting me like a German Sheepdog. And now that I think of it, these radiobuttons on this page may well be switches to disable parts of the firewall...

Today Longshine responded to my request. The firewall is always running. On this page you can activate additional security measures that only make sense when you run a webrelated service at home (webserver, FTP server, mailserver, etc). These filters can really slow down your network traffic so use them with care.
If, like me, you only use the router to keep the Chinese out (like here) you can leave all of these boxes unchecked (i.e. blank fields).


Longshine LCS-IR2114 : Status

As you can see: I'm connected. I have a new IP address (the former was in the 84.24.180 range), another subnet mask but the same DNS servers. The domain name was the same of course.

One page shows it all!

Well done Longshine!

This is one hell of a router. And for that price (€24) it's a steal!


Longshine LCS-IR2114 : Sessions list

This screen lists the computers inside your LAN that are accessing the router to reach the internet and also what site is being visited. Only the active connections are listed; there is no history. You cannot look back to see which computer connected to which remote IP yesterday or even 5 minutes ago.


Longshine LCS-IR2114 : Users list

The user list shows which PCs were connected via DHCP. Mercury and Neon are Windows based PCs and these prefer dynamic IP addresses by default. The Asus EEE-PC is connected wirelessly and also prefers to use a dynamic address.


Longshine LCS-IR2114 : Setup wizard

Use it when in doubt. It is short, concise and helpful. And it works.


SMC Barricade 7004VBR EU

This used to be my router. It was in use from 2004 until August 2009. It hasn't let me down in the sense that it let attackers through. It sometimes let me down when it got stressed too much and then gave up. Then it needed a kick in the butt by pulling the power plug for 10 seconds.

Of course I had a spare (a better one, the Longshine LCS IR2114) lying around, which has been running since the 22nd of August.


SMC 7004VBR : logon

This is a router. It is there to keep some persons out and others in. So it needs some kind of protection or safeguarding. It needs a lock on the door, to prevent a knock on the door from breaking the lock. Of course, if you have big knockers, I may make an exception for you... ;o)

Therefore routers are equipped with login screens. You need to have the user/password combination to gain access to the internals of the machine. To keep the knockers knocking at the gate. If you have big knockers... oh well, you know the drill.

If you have a new router, it comes with a default password (in most cases stamped on the bottom of the box). This gives you one-time, unsafe access. You definitely need to alter this default password immediately. If you keep the default password, anyone (who is familiar with this kind of router) can immediately gain access and take over control of the router. Such a villain will certainly change the password for you!
Don't say this is impossible in your case. If you have an access point for WLAN, it is breakable and any determined villain can thus enter your network BEHIND the router! If you don't change the default password, you're rebuilding the Maginot line and your nazi will just as well refrain from facing it and just ride around it.


SMC 7004VBR : Status screen

On the right is the most important screen of this SMC router. I haven't seen this on many others. It contains ALL you need to know NOW for a quick system checkup. One view of this screen tells me:

and more. In the following paragraphs the most interesting sections are highlighted (highlit?): Click on the picture for a full screenshot showing more details.


SMC 7004VBR : Status field

Here we see the status field. In a nutshell this is what it is all about:

The WAN side has a DHCP client that requests an IP address from my ISP. That address is listed in the second row: 84.24 is a Ziggo address for my region.
The gateway address is the gateway for my ISP's network. This is also some kind of router, connecting networks on a higher level.
I am assigned two DNS (Domain Name System) servers that translate a host name into an IP address.

The router has an IP address in my LAN. It is listed in the topmost line, together with the subnet mask I set.
The Barricade runs a DHCP server for the LAN side. This is totally separated from the DHCP client on the WAN side. The number of DHCP clients on the LAN side is listed in the very last line.
Next come the status of the firewall and UPnP. The former is important. The latter is not (I hope).


SMC 7004VBR : DHCP server status

If you click the picture you get a bigger picture with more readable characters.

This is the DHCP client log. It shows the status of the LAN side DHCP server. For each attached device it shows


SMC 7004VBR : System log

If you click the picture you get a bigger picture with more readable characters.

Any action that is targeted at the router is logged in a file. The file is shown in the network log screen. It shows (among other things)

The knockers are important. Most of them try to find small orifices in the wall so they can try to penetrate my system. And I prefer not to be penetrated from that side! Lucky for me, even this outdated SMC still keeps the lot of the knockers out of the door. And it reports knocks in this file.

One computer was not granted access to a picture because it has the word 'poker' in its name. This is so to keep out annoying ads from poker tournament sites; I block the lot of them by having the word 'poker' in the router block list. And now this harmless picture is kept out as well... Fine with me.


SMC 7004VBR : DHCP settings

Here we see the LAN IP settings and the DHCP control section. The ..99 address is the address of the router in my network. For some silly reason I could not use IP address 1 for the router/gateway so I chose this one.

The DHCP server is enabled. The lease time is 'Forever'. And the DHCP range is set to be from 100 to 199. Enough for the odd DHCP clients to get a decent address. And it leaves plenty of room for the fixed IP address computers to have an IP address assigned.
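As an added example (not code from this page or from either router's firmware), here is a Python check for the addressing plan described here and in the IR2114 LAN section: router at ..99, DHCP pool 100 through 199, fixed addresses outside the pool, and only one DHCP server on the LAN at a time. The subnet 192.168.56.0/24 and the host names are assumed sample values.

```python
import ipaddress

def check_lan_plan(subnet, router, pool, static_hosts, dhcp_servers):
    """Sanity-check a home LAN addressing plan; returns a list of problems (empty = OK).

    subnet       -- the LAN, e.g. "192.168.56.0/24"
    router       -- the router's LAN-side address (the ..99 address on this page)
    pool         -- (first, last) address the DHCP server hands out
    static_hosts -- {name: address} for machines with a fixed address
    dhcp_servers -- names of devices on this LAN that have a DHCP server enabled
    """
    net = ipaddress.ip_network(subnet)
    gw = ipaddress.ip_address(router)
    lo, hi = (ipaddress.ip_address(a) for a in pool)
    problems = []
    # Two DHCP servers on one LAN hand out conflicting leases (the SMC/IR2114 overlap).
    if len(dhcp_servers) > 1:
        problems.append("more than one DHCP server on the LAN: " + ", ".join(dhcp_servers))
    # The router needs a usable host address in the subnet, outside the pool.
    if gw not in net or gw in (net.network_address, net.broadcast_address):
        problems.append(f"router address {gw} is not a usable host address in {net}")
    if lo not in net or hi not in net or lo > hi:
        problems.append(f"DHCP pool {lo}-{hi} is not a valid range inside {net}")
    elif lo <= gw <= hi:
        problems.append(f"router address {gw} lies inside the DHCP pool")
    # Fixed addresses must stay out of the pool, or a lease may collide with them.
    seen = {}
    for name, addr in static_hosts.items():
        ip = ipaddress.ip_address(addr)
        if ip not in net:
            problems.append(f"{name} ({ip}) is outside {net}")
        elif ip == gw:
            problems.append(f"{name} ({ip}) duplicates the router address")
        elif lo <= ip <= hi:
            problems.append(f"{name} ({ip}) lies inside the DHCP pool {lo}-{hi}")
        if ip in seen:
            problems.append(f"{name} and {seen[ip]} both use {ip}")
        seen[ip] = name
    return problems

if __name__ == "__main__":
    # Constructed sample plan in the style of this page: router .99, pool 100-199.
    plan = dict(subnet="192.168.56.0/24", router="192.168.56.99",
                pool=("192.168.56.100", "192.168.56.199"),
                static_hosts={"fileserver": "192.168.56.10", "printer": "192.168.56.20"})
    print(check_lan_plan(**plan, dhcp_servers=["IR2114"]) or "plan OK")
    print(check_lan_plan(**plan, dhcp_servers=["SMC", "IR2114"]))
```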


Attacks

The router is here to keep attackers out. Still, the villains keep on assaulting my precious LAN for some uncertain reason. As if I have something important to hide. These pages are hosted by a professional webhost. At home I just have some Linux machines and a lot of imagination. I guess they just want to find out how to cripple EVERYBODY in the free world.

Anyway, I analyzed the logs of a random period of 18 hours and these were the attackers of my IP address:

The country designator was derived with the friendly help of Linux:

	$ whois 61.242.89.178 | grep country

If you still think Windows is good enough, don't try this at home. Commercial whois servers will allow you ten searches per day. Linux does it by itself and will do 10000 if you want.
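The log analysis above, done in Python as an added example (not the author's own script): count the entries per source address, pull the country code out of a whois reply the way the grep does, and tally the share per country. The log lines and whois replies are constructed samples so it runs offline; the whois_country helper, which calls the system whois client, is the only part that needs a network.

```python
import re
import subprocess
from collections import Counter

# Constructed sample in the style of a router's intrusion log (addresses and
# times are made up; 203.0.113.x, 198.51.100.x and 192.0.2.x are documentation ranges).
SAMPLE_LOG = """\
Aug 22 01:12:03 WAN intrusion detected from 203.0.113.7:44211 to port 22
Aug 22 01:12:09 WAN intrusion detected from 203.0.113.7:44212 to port 22
Aug 22 02:40:51 WAN intrusion detected from 198.51.100.23:53001 to port 445
Aug 22 03:05:17 WAN intrusion detected from 203.0.113.7:44213 to port 23
Aug 22 05:59:02 WAN intrusion detected from 192.0.2.99:61000 to port 135
"""

# Constructed stand-ins for `whois <ip>` output, so the example runs offline.
SAMPLE_WHOIS = {
    "203.0.113.7": "inetnum:  203.0.113.0 - 203.0.113.255\ncountry:  CN\nsource:   APNIC\n",
    "198.51.100.23": "NetRange: 198.51.100.0 - 198.51.100.255\nCountry: US\n",
    "192.0.2.99": "inetnum:  192.0.2.0 - 192.0.2.255\ncountry:  NL\n",
}

LOG_IP = re.compile(r"from (\d{1,3}(?:\.\d{1,3}){3}):\d+")
WHOIS_COUNTRY = re.compile(r"^country:\s*([A-Za-z]{2})", re.IGNORECASE | re.MULTILINE)

def source_counts(log_text):
    """Number of log entries per source address (the page's list, de-duplicated)."""
    return Counter(m.group(1) for m in LOG_IP.finditer(log_text))

def country_of(whois_text):
    """Pull the country code out of a whois reply, like `whois ip | grep country`."""
    m = WHOIS_COUNTRY.search(whois_text or "")
    return m.group(1).upper() if m else "??"

def whois_country(ip):
    """Live lookup with the system whois client (not used by the offline sample)."""
    out = subprocess.run(["whois", ip], capture_output=True, text=True).stdout
    return country_of(out)

def country_shares(log_text, whois_lookup, per_entry=False):
    """Percentage of attackers per country, counting unique addresses (default)
    or individual log entries. One address that hammers you repeatedly can
    dominate the per-entry figure, so compare both before drawing conclusions."""
    by_country = Counter()
    for ip, n in source_counts(log_text).items():
        by_country[country_of(whois_lookup(ip))] += n if per_entry else 1
    total = sum(by_country.values())
    return {c: round(100 * n / total) for c, n in by_country.items()}

if __name__ == "__main__":
    print(country_shares(SAMPLE_LOG, SAMPLE_WHOIS.get))                  # by address
    print(country_shares(SAMPLE_LOG, SAMPLE_WHOIS.get, per_entry=True))  # by entry
```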

Still, 75% of the attackers were Chinese. Some of my acquaintances keep on fooling themselves by talking about 'Chinese script kiddies'. I think it's a lot worse than that. The Chinese government is not particularly charmed by the internet. They also are not known for their mercy. If these attackers were script kiddies, chances are they get imprisoned real soon (and possibly shot) for state undermining activities.

I think these attacks are carefully orchestrated by Chinese government agencies. Possibly North Korean parties could also be involved, hiding behind a Chinese IP range.
The non-Chinese attacks may be caused by script kiddies (if they exist at all) since these attacks seem to be random and small scale. The Chinese probes may be more hostile than many people care to believe. Electronic warfare on another scale and level, hiding behind child's play.


Page created on 30 July 2009 and
