
Avoiding CSRF Attacks / Logging out of your router

TL;DR - Always log out of your router's web interface when you have finished administering it, and do not open other browser tabs or windows whilst you are logged in. Regularly check that settings such as DHCP or DNS have not been changed, and always keep your firmware up to date.

What is a CSRF Attack?

A CSRF (cross-site request forgery) attack is an attack in which a hacker takes advantage of an active administration session on a web-connected device (hardware or server) in order to control or change the settings of that device. The aim may be to steal or corrupt data (in the case of a server) or, in the case of network hardware, to change settings to redirect traffic or to put in place their own remote access methods for later use. This doesn't just apply to your own servers, but also to any web site or online service that you access.

With networking hardware (such as a router) that might mean changing passwords, enabling remote access, setting up a secret VPN host, or changing DNS server settings in order to redirect web site requests to fake (imposter) destinations.

Although there are some protections, it is very difficult for your Internet-connected device to protect completely against this type of request, because there is little way to distinguish between the legitimate parameters/changes you meant to send in the session and those which a virus/trojan is sending in a session that has been left open. Vendors continuously improve firmware/software to help protect against new methods, so that is another reason to always keep firmware up to date.

Viruses which conduct CSRF attacks are not necessarily installed by opening infected attachments - they can be run as 'drive-by downloads' from infected/compromised sites using JavaScript or other client-side code. Even though less popular or illicit sites might be more likely to lure and infect, popular legitimate sites can become infected too, either by being compromised themselves or by linking to third-party ad/content providers who have been compromised.

As the CSRF attack will typically run from your browser, it may occur on the LAN but also remotely if you are using remote admin of your device - i.e. accessing its web interface from elsewhere on the Internet. If you administer many remote routers, every one of them could be attacked. The normal advice of not enabling remote access (unless needed), using strong passwords and enabling brute force attack protection (if your device supports it) all stands for other reasons, but typically will not protect against CSRF attacks because they occur in an already authenticated session. Our general router security advice is available in our previous document here.

Web sites, web-enabled software and hardware, and browsers can protect against CSRF attacks to some extent, but not completely. By its very nature, the trojan may be indistinguishable from a human, and its access is coming from your authenticated browser on your PC.
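To make the "already authenticated session" problem concrete, here is an added example (not DrayTek code, and not a model of any particular router's firmware) of a simplified admin-interface handler for a "change DNS" request. The cookie-only version accepts any request the browser sends with the session cookie, whichever page produced it; the hardened version additionally requires a per-session anti-CSRF token that only the router's own page can supply and checks the Origin header. The request objects, session store, admin address (192.168.1.1) and the other-site origin are all constructed for the example. The walkthrough also shows why the article's main advice works: once the session is logged out, even the cookie-only handler has nothing to act on.

```python
import hmac
import secrets
from dataclasses import dataclass, field


# Constructed, simplified model of a request reaching the router's web interface.
# The cookie is attached by the browser automatically; the form fields and headers
# are whatever the submitting page chose to send.
@dataclass
class Request:
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)


# In-memory session store for the example: session id -> session record.
SESSIONS = {}

# Assumed address of the router's admin interface (constructed for the example).
ADMIN_ORIGIN = "https://192.168.1.1"


def login(username):
    """Create an authenticated session with a fresh per-session anti-CSRF token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": username, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def logout(sid):
    """What clicking the 'log out' button does: the session ceases to exist."""
    SESSIONS.pop(sid, None)


def render_dns_form(sid):
    """Simulate the form the router serves to the logged-in browser: it embeds the
    session's token. A page served from anywhere else cannot obtain this value."""
    return {"csrf_token": SESSIONS[sid]["csrf_token"]}


def change_dns_cookie_only(req, config):
    """Cookie-only check: any request carrying a live session cookie is applied.
    This is the weakness the article describes."""
    sess = SESSIONS.get(req.cookies.get("session"))
    if sess is None:
        return "rejected: not logged in"
    config["dns"] = req.form["dns"]
    return "applied"


def change_dns_hardened(req, config):
    """Cookie check plus Origin check plus synchronizer token. A request that
    originated on another site has a different Origin and cannot know the token."""
    sess = SESSIONS.get(req.cookies.get("session"))
    if sess is None:
        return "rejected: not logged in"
    origin = req.headers.get("Origin")
    if origin is not None and origin != ADMIN_ORIGIN:
        return "rejected: cross-origin request"
    submitted = req.form.get("csrf_token", "")
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(submitted, sess["csrf_token"]):
        return "rejected: missing or wrong anti-CSRF token"
    config["dns"] = req.form["dns"]
    return "applied"


def demo():
    """Walk through a legitimate change, a change the admin did not initiate while
    the session is still open, and the same unwanted change after logging out."""
    config = {"dns": ""}
    sid = login("admin")
    # Legitimate submission from the router's own page.
    legitimate = Request(cookies={"session": sid},
                         form={"dns": "8.8.8.8", **render_dns_form(sid)},
                         headers={"Origin": ADMIN_ORIGIN})
    # Constructed request produced by another open tab while the admin session is
    # still live: the browser attaches the cookie, but the page cannot supply the
    # token and its Origin differs. 198.51.100.1 is an RFC 5737 documentation address.
    unwanted = Request(cookies={"session": sid},
                       form={"dns": "198.51.100.1"},
                       headers={"Origin": "https://some-other-site.example"})
    results = {
        "cookie_only_legitimate": change_dns_cookie_only(legitimate, dict(config)),
        "cookie_only_unwanted": change_dns_cookie_only(unwanted, dict(config)),
        "hardened_legitimate": change_dns_hardened(legitimate, dict(config)),
        "hardened_unwanted": change_dns_hardened(unwanted, dict(config)),
    }
    logout(sid)
    results["cookie_only_after_logout"] = change_dns_cookie_only(unwanted, dict(config))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:28s} {outcome}")
```

The hardened handler is the kind of protection the article says vendors and web sites can add "to some extent": it stops a plain cross-site form post, but it cannot help if the client-side code runs in a page the router itself served, and it does nothing for devices whose firmware lacks it. Logging out, by contrast, works regardless of what the device implements, which is why the article puts it first.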

How to help protect against CSRF attacks

  • Before administering your router (or other web-accessible device) through your browser, close any other open tabs (or close and re-open your browser). This is especially important if you administer many routers remotely.
  • Only log into your router when you need to administer it or change settings.
  • Whilst you have an active session open in your browser, do not open any other browser tabs or windows.
  • Once you have finished administering the device, specifically log out of the router. Do not just close the browser, the active tab or the window: click the 'log out' button on whichever device you are accessing. Nearly every web-enabled device, like nearly every web site, has a logout button or link. So always log out of your bank web site, your NAS drive, your router, your printers etc.
  • On Vigor routers, the logout button is at the top of the web interface page.
  • Always keep up-to-date backups of your config, and keep the previous backups too. You could even do periodic file comparisons between them.

A DrayTek router will also end a session after a period of inactivity, but that should not be relied upon, because a CSRF attack needs only moments to act. Always log out manually, and do not disable auto-logout unless you really know what you're doing, understand the risks and will remember to log out manually. To be clear, do not rely on auto-logout - log out yourself before opening other tabs/windows.

Checking for compromises on your DrayTek router

It is very difficult to detect a CSRF attack until you are the victim of whatever plans the hacker has put in place, for example an attack on your bank account. Your first assumption would be that the bank itself has been hacked, or that someone on the inside is responsible, because you know you have not shared your login details. Remember that a CSRF attack does not need your login details, because you have already logged in for it and left an active session.

With a router, as mentioned earlier, the most common things to check for are changed remote access settings, DNS server settings, unexpected or changed VPN profiles, new admin users, and changes to WCF, but it could be any of your settings, depending on the goal of the hacker. A change to DNS settings is often used because it doesn't affect normal operations until the hacker decides to trick you with a fake web site.

As an example, your DNS settings (for all subnets if you have more than one) should be blank, set to your ISP's own DNS server addresses, or set to another DNS server that you have intentionally chosen (e.g. Google, OpenDNS etc.). Other settings to check:

  • Check that remote management hasn't been enabled if you haven't enabled it yourself.
  • Check that no extra admin users have been added or their details changed.
  • Check that VPN hasn't been enabled if it shouldn't have been.
  • Check for any unexpected or changed VPN profiles, including the VPN dial-in profiles.
  • If you use any kind of remote management tools/framework, check that your command server (TR-069/SNMP server) settings have not been altered.
  • Check that any port forwards or open ports have not been set without your knowledge (NAT Setup).

The above is not an exhaustive list. Depending on the hacker's intention - theft, damage or mischief - they may have changed any settings.
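The "periodic file comparisons" suggested in the protection advice and the checklist above can be turned into a small audit script. The following is an added example, not a DrayTek tool: it assumes the router's settings have been exported to a simple key=value text form (DrayTek's own binary backup format is not modelled, and the key names are constructed for the example, not real configuration identifiers). It diffs a known-good backup against the current export, flags changes under the headings the article lists (DNS, remote management, admin users, VPN, NAT port forwards, TR-069/SNMP, WCF), and separately checks that every DNS entry is either blank or one of the servers you chose yourself. The two sample exports are constructed and use RFC 5737 documentation addresses.

```python
from collections import namedtuple

# Setting groups the article names as the usual targets of a CSRF change on a
# router. These prefixes are constructed for this example, not DrayTek identifiers.
SENSITIVE_PREFIXES = ("dns.", "remote_mgmt.", "admin_user.", "vpn.",
                      "nat.port_forward.", "tr069.", "snmp.", "wcf.")

Change = namedtuple("Change", "key old new sensitive")


def parse_settings(text):
    """Parse 'key=value' lines into a dict; blank lines and '#' comments are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def diff_settings(baseline, current):
    """Return every added, removed or altered key, flagging the security-relevant ones.
    A key missing from one side is reported with None on that side."""
    changes = []
    for key in sorted(set(baseline) | set(current)):
        old, new = baseline.get(key), current.get(key)
        if old != new:
            changes.append(Change(key, old, new, key.startswith(SENSITIVE_PREFIXES)))
    return changes


def check_dns(current, allowed):
    """DNS entries must be blank or one of the servers you intentionally configured."""
    return [(key, value) for key, value in sorted(current.items())
            if key.startswith("dns.") and value and value not in allowed]


# Constructed sample exports: the last known-good backup, and today's state.
BASELINE = """
# known-good backup (constructed)
dns.lan1.primary=
dns.lan1.secondary=
remote_mgmt.http=disabled
remote_mgmt.access_list=192.0.2.10
admin_user.admin.enabled=yes
vpn.dialin.enabled=no
nat.port_forward.1=
tr069.acs_url=
"""

CURRENT = """
# current export (constructed): several of the article's warning signs are present
dns.lan1.primary=198.51.100.53
dns.lan1.secondary=
remote_mgmt.http=enabled
remote_mgmt.access_list=192.0.2.10
admin_user.admin.enabled=yes
admin_user.support.enabled=yes
vpn.dialin.enabled=yes
vpn.dialin.profile.1=host:203.0.113.7
nat.port_forward.1=
tr069.acs_url=
lan.hostname=office-router
"""


def audit(baseline_text=BASELINE, current_text=CURRENT,
          allowed_dns=("1.1.1.1", "8.8.8.8")):
    """Compare two exports and return the changes plus any DNS entries not on the
    allow list. allowed_dns is the list of servers you chose yourself."""
    baseline, current = parse_settings(baseline_text), parse_settings(current_text)
    return {"changes": diff_settings(baseline, current),
            "dns_problems": check_dns(current, allowed_dns)}


if __name__ == "__main__":
    report = audit()
    for c in report["changes"]:
        flag = "!! " if c.sensitive else "   "
        print(f"{flag}{c.key}: {c.old!r} -> {c.new!r}")
    for key, value in report["dns_problems"]:
        print(f"!! DNS server not on your allow list: {key}={value}")
```

Run it against each new export before and after any administration session; an unflagged change such as a hostname is worth a glance, but any line marked "!!" that you did not make yourself is the cue to follow the steps in the next section.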

If you think you have been attacked

If settings have been changed, and those settings seem nefarious or unexplained:

  • Double-check that the settings weren't authorised or carried out by a colleague.
  • Change your admin passwords.
  • Ensure that remote access is locked down (with an access list if possible).
  • Enable brute-force protection (if your device supports it).
  • Change the settings back or restore a config backup.
  • Ensure your device is running the latest software/firmware.
  • Report it to your product/device vendor (e.g. DrayTek), including the product name, the firmware in use (at the time of the attack), what was changed and any syslog data active at the time.
  • In normal usage, always follow the advice in our router security guide.