Using a router to block a modem

Last time I noted that, for those of us with separate routers and modems, the IP address 192.168.100.1 may provide access to the modem, through the router. In my limited testing, I found this to be true with modems from four different manufacturers.

The good news is that the modem has assorted technical information about its connection to your ISP and this information may be useful when things go wrong. The Defensive Computing thing to do is to poke around when things are working well, to get a feel for the normal state. How many upload and download channels are there? What are the normal messages in the error logs? What are the signal levels? Etc.

My testing also found that the modems worked a bit differently. Two companies (Linksys, RCA) offered all the technical information without a password. Another company, Zoom, offered some information without a password, but required a password for the full gory details. The third company, Motorola/Arris, is the reason for this blog.

Most of the Motorola SURFboard modem web pages are read-only. That is, they simply report technical information. But, one page has two clickable buttons, shown below. One button restarts the modem, the other resets it.

The problem is that there is no password protection. And, since the modem IP address is known, malicious JavaScript running inside a web page can click the buttons for you.

I became aware of the danger in a recent blog by Joe Giron, Owning Modems And Routers Silently,that describes just such a JavaScript attack. If a victim can be tricked into viewing a malicious web page, the attack can reset and/or reboot a Motorola SURFboard modem (among other targets).

The code is fairly straightforward, a sample from the blog is shown below.

var x; for(x=0;x{document.write(" width='3' height='5'>");}

Just how much of a hassle is it if the modem is reset? I don’t know, but neither do I want to find out the hard way.

Needless to say, if your modem offers password protection, changing the default password makes you safer. To keep the password always available, consider writing it down on a piece of paper, along with the IP address of the modem and taping it, face down, to the modem.

If your modem has no clickable buttons, or any other parameters that you can change, you’re done. There is no problem to solve.

But how to defend an Arris/Motorola modem?

By telling the router not to let us talk to it in the first place. That is, we need to configure the router to block WAN side access to 192.168.100.1.

This is slightly off the beaten path. Normal interactions with the firewall in a router are concerned with incoming traffic. Steve Gibsons Shields UP! service, for example, lets us verify that the firewall is blocking incoming data. But here, we need to control outgoing traffic.

BLOCKING AN IP ADDRESS

I tested four routers, and found that three of them could block access to the modem. As you would expect, the procedure and terminology was totally different in each router.

Three routers were tested by connecting them to my LAN. Each router had its own network, separate from the main LAN. That is, the main LAN is 192.168.4.x and, before connecting the routers to it, they were configured to use 192.168.55.x. To these three routers, 192.168.4.1 was their default TCP/IP gateway and 192.168.4.100 was their WAN-side IP address.

Each router had a single computer connected to it, via Ethernet.

In each case, the computer connected to the three test routers was able to access the main router web interface (192.168.4.1), the modem on 192.168.100.1 and the Internet. Again, this coming from a 192.168.55.x network.

As I mentioned last time, you might expect a router to realize that 192.168.100.1 is an internal-use-only IP address, and thus, not let requests for it leave the WAN port. But, that’s not the way they roll. Each router happily sent the request for this private IP address out its WAN port.

Using the web interface of each router (192.168.55.1) I tried to block access to my Motorola modem.

ASUS The first router I tested was an Asus RT-N56U, a dual band N router, running firmware released in January 2015.

In the Firewall section, there is a Network Services Filter tab. Here you can block a destination IP address.

Simply adding 192.168.100.1 as a “Destination IP” in the Network Services Filter Table blocked the modem. As shown above, the router can block up to 32 “network services”.

TP-LINK

Next up was a TP-LINK TL-WR841N, a single band (2.4GHz) N router running its latest firmware, released in October 2014.

There is an Access Control Section that lets you create groups of LAN side computers called Hosts, and groups of Internet computers called Targets. Hosts can be identified by either an IP address or a MAC address. Targets are defined with either an IP address or a domain name (domain name filtering only works with HTTP, not HTTPS).

You then define rules as a combination of Hosts and Targets.

I blocked the modem by creating a rule (called “blockmymodem” in the screen shot above) with a hosts group that encompassed the entire LAN (192.168.55.*) and a Target group consisting of just 192.168.100.1.

You can see a demo of the web interface for many TP-LINK routers here.

DOWNSIDE

While both the TP-LINK and Asus routers blocked access to the modem, neither produced a useful error message. In each case, HTTP access to 192.168.100.1 simply timed out. If you configure one of these routers to block your modem, then good luck in the future remembering that you did so.

The router that could not block modem access was an ancient Asus WL-520GC, a single band WiFi G router. Its last firmware release was in April 2008. The closest it came was being able to block a computer (identified by a LAN IP address only, not a MAC address) from accessing the entire Internet.

PEPWAVE

Finally, I tested the router actually in charge of my LAN, a Pepwave Surf SOHO  (Pepwave is a division of Peplink, a high end router manufacturer).

If nothing else, the Surf SOHO has the best terminology, you block the modem with an outbound firewall rule. With the latest firmware (v6.1.2 released July 2014), this is in the Advanced section, under Firewall Access Rules.

As shown above, the source protocol, IP address and port number are all set to “any”. The destination IP address is 192.168.100.1 and the rule policy is “deny” (as opposed to “allow”).

As with the Asus and TP-LINK routers, an HTTP request to 192.168.100.1 simply timed out. But, the Peplink router has another option: event logging.

With this turned on, a message is written to the event log of the router, when the outbound firewall rule has blocked something. The format of the message is far from user friendly, and it seems to be undocumented, but at least it exists.

You can see a demo of the Peplink firmware, albeit for a higher end model, here. 

BLOCK EVEN MORE?

Is blocking a single IP address sufficient? I have already seen two modems that respond on multiple IP addresses and that’s in very limited testing.

With new spy revelations all the time, there may even be a private IP address that works as a back door. What better place to hide spying hardware or software than in a modem that sits hidden and (normally) inaccessible behind the router? 

It would be safer to block any IP address that starts with 192.168.

The documentation for the Asus RT-N56U says that you can also block 192.168.*.* where the asterisks represent any valid number in an IP address. TP-LINK does not support wildcards, but does let you specify a range of IP addresses for an “Access Target”. 

This is a tricky area however, as you run the risk of this rule possibly blocking access to the router itself. Technically, outbound blocking should work the way we want it to, as the rule should only apply to the WAN port.

The website in a router sits between the LAN and the WAN. No packets need to leave the WAN port for a LAN resident device to communicate with the router. Still, given the huge number of router flaws that have become public, I would not make any assumptions on how a given router handles this.

Personally, I was hesitant to create an outbound firewall rule blocking all 192.168.x.x IP addresses on my Pepwave router. But, their tech support assured me that outbound firewall rules only apply to packets leaving the WAN port, so the rule would not block the web interface of the router itself.

Those of you familiar with IP version 4 addresses are no doubt thinking about blocking the other private IP ranges.

For the maximum safety a router can also be configured to block any IP address that starts with 10 from leaving the WAN port. And, finally, any IP address that starts with 172.16 through 172.31 should also be blocked.

I say this assuming that the router is assigned a public IP address by the ISP. If the ISP assigned a private IP address (most likely10.something) then blocking that IP range will probably knock you off the Internet. 

Also, site-to-site VPN connections have a valid reason for passing private IP addresses out the WAN port. 

Configuring a router to block access to private IP addresses may be the least important task on a security checklist, but, it should be on the list.

Update: Feb 25, 2015. DSLReports has a list of modems and their private IP addresses. Most modems in their list use 192.168.100.1 but some use 10.0.0.1, 10.1.10.1 or 192.168.0.1.