Re: risks of using a router without a firewall

From: Hairy One Kenobi (abuse_at_[
Date: 09/14/05

Date: Wed, 14 Sep 2005 11:01:51 GMT

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
> From: "Doug Fox" <>
> | Dear List;
> |
> | I have installed a D-Link broadband DI-601 router for Internet access.
> |
> | I scanned the router using nmap, nessus, and superscan. They could not
> | identify any open ports. In addition, according to D-Link, all D-Link
> | routers block all incoming ports.
> |
> | In this scenario, is my network safe from DoS, DDoS, Buffer Overflow,
> | teardrop, IP spoofing, etc. attacks?
> |
> | Any comments/suggestions are appreciated.
> |
> | Thanks,
> |
> As always I suggest specifically blocking both TCP and UDP ports 135 ~ 139
> and 445 on *any* SOHO Router.
> Remember, a NAT Router is NOT a full FireWall implementation.

But it should suffice, for a lot of people. The router itself is only
susceptible to particular attacks and - generally being based on a form of
embedded UNIX - tends to be pretty good at handling this sort of thing. Worth
checking that you have the latest release level loaded, though. The last
D-Link I set up had a manual for the new firmware revision, but the old
version loaded. Useful. Not.

When it comes to DoS attacks (distributed or otherwise), you are pretty much
at the mercy of your ISP - they will have to get involved, should your local
link near saturation. They undoubtedly would anyway, as a DoS attack will
also take out other people running from the same box in the street.

In addition to Dave's suggestions, think carefully before opening up a UPnP
port. Most modern routers have the option, but it's not something to take
too lightly.

You should also test these ports specifically, as opposed to a full scan -
many routers can determine that a port scan is in progress, and will block
traffic. The results you had may (I stress "may") be misleading - although,
TBH, I doubt that they are. These things are intended to be secure.


Hairy One Kenobi

Disclaimer: the opinions expressed in this opinion do not necessarily
reflect the opinions of the highly-opinionated person expressing the opinion
in the first place. So there!
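As an added worked example (not code from the thread, and not a D-Link tool), the following Python script checks the specific ports Dave names, TCP 135-139 and 445, one at a time with a pause between probes, which is the "test these ports specifically, not a full sweep" approach Hairy One Kenobi recommends. It distinguishes a port that is "filtered" (the router drops the SYN, which is what you want to see from the WAN side) from one that is "closed" (an RST came back, so the router or a host behind it is answering) or "open". The address 192.0.2.1 in the main block is a documentation-range placeholder, not a real router; run it from outside your network against your own WAN address. It covers TCP only: UDP 137/138 give no reply whether they are blocked or not, so confirm those from the router's own rule listing. The self-test builds two loopback sockets as constructed input so the classifier can be exercised offline.

```python
import socket
import time
from typing import Dict, List

# Ports from Dave's advice in the thread: NetBIOS/MS-RPC (TCP 135-139) and SMB (TCP 445).
NETBIOS_SMB_PORTS = "135-139,445"


def parse_port_spec(spec: str) -> List[int]:
    """Expand a spec such as '135-139,445' into a sorted list of unique ports."""
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo > hi:
                lo, hi = hi, lo
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(part))
    bad = [p for p in ports if not 0 < p < 65536]
    if bad:
        raise ValueError(f"port(s) out of range: {bad}")
    return sorted(ports)


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify one TCP port as seen from this machine.

    'open'     - the handshake completed (something is answering there)
    'closed'   - an RST came back (reachable, but nothing listening)
    'filtered' - no answer before the timeout, i.e. the SYN was dropped
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except OSError:
            # Timeout, no route, or host unreachable: nothing answered.
            return "filtered"


def check_ports(host: str, spec: str = NETBIOS_SMB_PORTS,
                timeout: float = 2.0, pacing: float = 0.5) -> Dict[int, str]:
    """Probe each port in `spec` against `host`, pausing between probes.

    The pause keeps the check from looking like a port sweep, so a router with
    scan detection answers each probe on its own merits.
    """
    results: Dict[int, str] = {}
    for port in parse_port_spec(spec):
        results[port] = probe_tcp(host, port, timeout)
        if pacing:
            time.sleep(pacing)
    return results


def reachable_ports(results: Dict[int, str]) -> List[int]:
    """Ports that answered at all ('open' or 'closed'). From the WAN side every
    NetBIOS/SMB port should instead show as 'filtered'."""
    return sorted(p for p, state in results.items() if state != "filtered")


def selftest() -> Dict[str, str]:
    """Offline check of the classifier on two constructed loopback sockets:
    one listening (expect 'open') and one bound but not listening (expect 'closed')."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    bound_only = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    bound_only.bind(("127.0.0.1", 0))
    try:
        return {
            "listening": probe_tcp("127.0.0.1", listener.getsockname()[1], 1.0),
            "bound_only": probe_tcp("127.0.0.1", bound_only.getsockname()[1], 1.0),
        }
    finally:
        listener.close()
        bound_only.close()


if __name__ == "__main__":
    import sys
    # 192.0.2.1 is a TEST-NET placeholder; pass your own WAN address instead.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"
    found = check_ports(target)
    for port, state in found.items():
        print(f"tcp/{port}: {state}")
    print("answering (should be empty from the WAN side):", reachable_ports(found))
```

A result of "closed" rather than "filtered" on any of these ports is worth following up even though nothing is listening: it means the router is forwarding the probe, or answering it itself, instead of silently dropping it as Dave's rule would.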
