SMC Router Firewall Blocks Access to WAN Addresses 255, 0

My SMC2804WBRP-G Barricade g Router and another's 7404 model router both
exhibit what I believe to be unwanted behaviour when "SPI and Anti-DoS
firewall protection" is enabled in that it disallows access to Internet
addresses ending in 0 or 255, regardless of the Internet Protocol used. I
have no idea whether it is unusual for HTTP and FTP servers to be assigned
such addresses but an important one for me ends in 255 - a Yahoo Groups file
server named f4.grp.yahoofs.com. If you are a YG user, you may access this
server when you download from the Files section of a group; the files are
spread across a number of servers in the same domain with names such as f3,
f4, f5...

I have no problem accessing files on f3 and f5 servers. Pinging and TRACERT
for f3 and f5 also work fine but fail on f4. Moreover, the security log
reports multiple SMURF attacks when PING or TRACERT from my PC attempt 0 or
255 addresses on the Internet:

05/27/2004 22:18:22 **Smurf** 192.168.2.100->> 66.218.66.255, Type:8,
Code:0 (from LAN Inbound)

I read this log as saying the Firewall has detected and blocked a SMURF
attack from my PC at 192.168.2.100 against the Yahoo server. I have no idea
if a Ping or a TRACERT packet is a SMURF attack - seems unlikely so that
report may be erroneous. It would seem to me to be logical that the firewall
should block ICMP Echo Requests from the WAN but not from the LAN because
there is an option "Discard Ping to WAN" enabled. It also appears that the
firewall is simply dropping any packets in which the 4th octet of the
destination address is 255 or a 0, regardless of the protocol and whether
the destination address is LAN or WAN. It should pass those destined for the
WAN, block those for the LAN.

I have been going around in circles with SMC Tech Support. So far the only
way to allow access to the Yahoo file server is to disable the Firewall -
that seems pretty risky! And Yahoo has not volunteered to assign a different
address to its server.... Are they wrong to have used 255?

Any experts here that would support or contradict my logic?

TIA,
Tom

On Thu, 27 May 2004 22:40:33 -0400, "Tom Holden"
<(E-Mail Removed)> wrote:
>
>05/27/2004 22:18:22 **Smurf** 192.168.2.100->> 66.218.66.255, Type:8,
>Code:0 (from LAN Inbound)
>
>I have been going around in circles with SMC Tech Support. So far the only
>way to allow access to the Yahoo file server is to disable the Firewall -
>that seems pretty risky! And Yahoo has not volunteered to assign a different
>address to its server.... Are they wrong to have used 255?
>
>Any experts here that would support or contradict my logic?
>

I can ping f4.grp.yahoofs.com without problems, using my ZyWALL
firewall. It seems your firewall thinks you are trying to ping a
broadcast address (because of it ending in 255). This is obviously a
bug as the firewall doesn't know what the subnet mask Yahoo! is using
but appears to be assuming it is 255.255.255.0, for some strange
reason.

Now that's interesting - I had to disable a 7004ABR because I
couldn't access many sites; the latest theory was that one of
the upstream providers (well, fatter pipe, higher level) had
both disabled ICMP (!) and left something in place that
caused fragged packets - no ICMP, no tracert / ping, no way
to actually detect the problem.

Further, the 7004 is used on the RS232 port, as no wideband
service here yet.

SMC and the ISP and the upstream providers had no clues, and
I have no NAT or other firewall in place.... Also no PC modem
sharing....

Anyone shed light on this? Anyone know of another router with
a serial/modem port on the WAN side?
thanks / mark


shopping.nowthor.com wrote:

> On Thu, 27 May 2004 22:40:33 -0400, "Tom Holden"
> <(E-Mail Removed)> wrote:
>
>>05/27/2004 22:18:22 **Smurf** 192.168.2.100->> 66.218.66.255, Type:8,
>>Code:0 (from LAN Inbound)
>>
>>I have been going around in circles with SMC Tech Support. So far the only
>>way to allow access to the Yahoo file server is to disable the Firewall -
>>that seems pretty risky! And Yahoo has not volunteered to assign a different
>>address to its server.... Are they wrong to have used 255?
>>
>>Any experts here that would support or contradict my logic?
>>
>
>
> I can ping f4.grp.yahoofs.com without problems, using my ZyWALL
> firewall. It seems your firewall thinks you are trying to ping a
> broadcast address (because of it ending in 255). This is obviously a
> bug as the firewall doesn't know what the subnet mask Yahoo! is using
> but appears to be assuming it is 255.255.255.0, for some strange
> reason.

In alt.internet.wireless Mark <(E-Mail Removed)> wrote:

> Anyone shed light on this? Anyone know of another router with
> a serial/modem port on the WAN side?
> thanks / mark

That's a little off track from the subject line, but yes.

I had a Multitech "Proxy Server" that had a serial port on one side and a
10BaseT connection on the other side. It acted as a dhcp server and router
to a shared internet connection. The internet connection was a dialup
modem or a serialized link onto the internet via another device.

The model that I had is doscontinued, but Multitech has some similar
devices. They call them proxy servers, but that is altogether inaccurate.

SMC also has some, but I suppose they all suffer from the SPI problem.

---
Clarence A Dold - Hidden Valley (Lake County) CA USA 38.8-122.5

On Fri, 28 May 2004 04:48:30 -0700, Mark spoketh
>
>Anyone shed light on this? Anyone know of another router with
>a serial/modem port on the WAN side?
>thanks / mark
>

Symantec's Firewall/VPN appliances have a serial port that you can
connect to a modem. The same goes for the Nexland routers, as they are
essentially the same product.

Lars M. Hansen
www.hansenonline.net
Remove "bad" from my e-mail address to contact me.
"If you try to fail, and succeed, which have you done?"

On Fri, 28 May 2004 04:48:30 -0700, Mark <(E-Mail Removed)> wrote:
>
>Anyone know of another router with
>a serial/modem port on the WAN side?
>

The ZyXEL ZyWALL 2X. Has a serial port to connect a modem to. Doesn't
work well with US Robotics modems, though (for some stupid reason).
I'm selling these for $129.95 apiece at
http://shopping.nowthor.com/0760559110178.html available for immediate
delivery.

There was a thread on this NG about this very subject quite recently. The
upshot is that you're correct. This is a bug in SMC's firmware. Your
router cannot know the subnet mask of a foreign subnet, so it can't know
whether an address ending in 255 is legal or not. I'm sure SMC's intentions
were good; they were trying to make all their customers into good netizens,
but it can't be done that way. It is up to the object of the Smurf attack
(or their ISP) to detect the attack and defend against it.

What we need is a letter-writing campaign to SMC!

Ron Bandes, CCNP, CTT+, etc.

"Tom Holden" <(E-Mail Removed)> wrote in message
news:0Bxtc.35811$(E-Mail Removed) ...
> My SMC2804WBRP-G Barricade g Router and another's 7404 model router both
> exhibit what I believe to be unwanted behaviour when "SPI and Anti-DoS
> firewall protection" is enabled in that it disallows access to Internet
> addresses ending in 0 or 255, regardless of the Internet Protocol used. I
> have no idea whether it is unusual for HTTP and FTP servers to be assigned
> such addresses but an important one for me ends in 255 - a Yahoo Groups
file
> server named f4.grp.yahoofs.com. If you are a YG user, you may access this
> server when you download from the Files section of a group; the files are
> spread across a number of servers in the same domain with names such as
f3,
> f4, f5...
>
> I have no problem accessing files on f3 and f5 servers. Pinging and
TRACERT
> for f3 and f5 also work fine but fail on f4. Moreover, the security log
> reports multiple SMURF attacks when PING or TRACERT from my PC attempt 0
or
> 255 addresses on the Internet:
>
> 05/27/2004 22:18:22 **Smurf** 192.168.2.100->> 66.218.66.255, Type:8,
> Code:0 (from LAN Inbound)
>
> I read this log as saying the Firewall has detected and blocked a SMURF
> attack from my PC at 192.168.2.100 against the Yahoo server. I have no
idea
> if a Ping or a TRACERT packet is a SMURF attack - seems unlikely so that
> report may be erroneous. It would seem to me to be logical that the
firewall
> should block ICMP Echo Requests from the WAN but not from the LAN because
> there is an option "Discard Ping to WAN" enabled. It also appears that the
> firewall is simply dropping any packets in which the 4th octet of the
> destination address is 255 or a 0, regardless of the protocol and whether
> the destination address is LAN or WAN. It should pass those destined for
the
> WAN, block those for the LAN.
>
> I have been going around in circles with SMC Tech Support. So far the only
> way to allow access to the Yahoo file server is to disable the Firewall -
> that seems pretty risky! And Yahoo has not volunteered to assign a
different
> address to its server.... Are they wrong to have used 255?
>
> Any experts here that would support or contradict my logic?
>
> TIA,
> Tom
>
>

Yes, Ron. I started both threads, adding comp.security.firewalls to this one
and summarizing what came out of the earlier one so that more owners of SMC
routers with firewalls might take note. Thanks for your explanation - I
don't fully understand what the implication of the subnet mask is but
appreciate your corroboration that it is a bug. Additionally, I discovered
that, when I tried to use DMZ to drill through to the Yahoo server's IP
address, the Firewall restricts entries to between 1 and 254 so no-go again!
I guess that's more of SMC's spirit of forced good netizenship, but I'll bet
it's really just a short cut to simpler Firewall coding. Maybe that's why
they are slow to admit to a bug.

BTW, I seem to have had replies from several different people at SMC
Technical Support: Prasenjit, Kalpana, Vikraam.V, Mohana sundaram . a,
Saravanan.D, the last one almost 48 hours ago saying "I am forwarding this
to my next level engineer for further analysis and we will keep you update
as soon as possible". The lack of continuity and the chronic lack of
understanding of the problem I described has been frustrating. I wonder
whether support is in SMC's head office in California or in Cyberabad,
India.

To join the letter-writing campaign, just e-mail (E-Mail Removed) !

Tom
"Ron Bandes" <RunderscoreBandes @yah00.com> wrote in message
news:rLKtc.67217$(E-Mail Removed). net...
> There was a thread on this NG about this very subject quite recently. The
> upshot is that you're correct. This is a bug in SMC's firmware. Your
> router cannot know the subnet mask of a foreign subnet, so it can't know
> whether an address ending in 255 is legal or not. I'm sure SMC's
intentions
> were good; they were trying to make all their customers into good
netizens,
> but it can't be done that way. It is up to the object of the Smurf attack
> (or their ISP) to detect the attack and defend against it.
>
> What we need is a letter-writing campaign to SMC!
>
> Ron Bandes, CCNP, CTT+, etc.
>
> "Tom Holden" <(E-Mail Removed)> wrote in message
> news:0Bxtc.35811$(E-Mail Removed) ...
> > My SMC2804WBRP-G Barricade g Router and another's 7404 model router both
> > exhibit what I believe to be unwanted behaviour when "SPI and Anti-DoS
> > firewall protection" is enabled in that it disallows access to Internet
> > addresses ending in 0 or 255, regardless of the Internet Protocol used.
I
> > have no idea whether it is unusual for HTTP and FTP servers to be
assigned
> > such addresses but an important one for me ends in 255 - a Yahoo Groups
> file
> > server named f4.grp.yahoofs.com. If you are a YG user, you may access
this
> > server when you download from the Files section of a group; the files
are
> > spread across a number of servers in the same domain with names such as
> f3,
> > f4, f5...
> >
> > I have no problem accessing files on f3 and f5 servers. Pinging and
> TRACERT
> > for f3 and f5 also work fine but fail on f4. Moreover, the security log
> > reports multiple SMURF attacks when PING or TRACERT from my PC attempt 0
> or
> > 255 addresses on the Internet:
> >
> > 05/27/2004 22:18:22 **Smurf** 192.168.2.100->> 66.218.66.255, Type:8,
> > Code:0 (from LAN Inbound)
> >
> > I read this log as saying the Firewall has detected and blocked a SMURF
> > attack from my PC at 192.168.2.100 against the Yahoo server. I have no
> idea
> > if a Ping or a TRACERT packet is a SMURF attack - seems unlikely so that
> > report may be erroneous. It would seem to me to be logical that the
> firewall
> > should block ICMP Echo Requests from the WAN but not from the LAN
because
> > there is an option "Discard Ping to WAN" enabled. It also appears that
the
> > firewall is simply dropping any packets in which the 4th octet of the
> > destination address is 255 or a 0, regardless of the protocol and
whether
> > the destination address is LAN or WAN. It should pass those destined for
> the
> > WAN, block those for the LAN.
> >
> > I have been going around in circles with SMC Tech Support. So far the
only
> > way to allow access to the Yahoo file server is to disable the
Firewall -
> > that seems pretty risky! And Yahoo has not volunteered to assign a
> different
> > address to its server.... Are they wrong to have used 255?
> >
> > Any experts here that would support or contradict my logic?
> >
> > TIA,
> > Tom
> >
> >
>
>

ROTFL

"Tom Holden" <(E-Mail Removed)> wrote in message
news:ltStc.60467$(E-Mail Removed) ...
> I wonder
> whether support is in ... Cyberabad, India.

In alt.internet.wireless Tom Holden <(E-Mail Removed)> wrote:
> My SMC2804WBRP-G Barricade g Router and another's 7404 model router both
> exhibit what I believe to be unwanted behaviour when "SPI and Anti-DoS
> firewall protection" is enabled in that it disallows access to Internet
> addresses ending in 0 or 255, regardless of the Internet Protocol used. I

The FAQ on the SMC page defines a "smurf attack" as a denial of service
caused by a ping to a broadcast address.
http://www.smc.com/index.cfm?action=...AQ&note_id=174
The fact that they block outbound smurf is a little excessive.

I did register a complaint today, along the lines of you complaint,
including a copy of the "smurf warning" that I received via email, and
tracert that stops at the router outbound.

---
Clarence A Dold - Hidden Valley (Lake County) CA USA 38.8-122.5