D-Link Forums
D-Link Wireless Routers for Home and Small Business => Information => Archive => Topic started by: taekwon3dan on October 06, 2010, 04:49:49 AM
-
Ran GRC port scan test and says it fails for Ports 0 and 1 (closed instead of stealth). Is this something to be concerned about?
-
Ran GRC port scan test and says it fails for Ports 0 and 1 (closed instead of stealth). Is this something to be concerned about?
I heard about a nice website recently called Google. It finds all the info you want!You should really try it out, it's amazing!
Anyway: Don't be concerned. You're not missing out on anything (except for the Google miracle)
-
Under your theory, there would be no need for this forum (for quick exchange of accurate, reliable info relating to the dir-655) since everything is searchable in Google. That flies in the face of logic and reason.
Well, there is a lot of junk info out there in Google in case you didn't notice.
In fact, I did do a Google search prior to posting and the information seemed equivocal at best. I did find another thread relating to the dir-825 with a similar issue but no one ever explained why closing (instead of stealthing) these ports was considered safe from a security standpoint, let alone the factual basis for making such an assertion.
Now, I've tested a lot of routers, and the dir-655 is the only one of those tested that failed this test. Is there a particular reason why D-link has this port closed but not stealthed, like other manufacturers?
If you have found reliable info in Google that answers these questions, please post a link to it.
-
My 655 A2 shows all as stealthed.
-
My 655 A2 shows all as stealthed.
Well, that is all the more reason why I want to know why my unit (Rev B1, 2.00NA) is not. I have reset the router numerous times with the same result.
This may or may not be a security issue, and that is what I want to find out. If it is, I would like to get this resolved. Otherwise, this is an OUTSTANDING router, in my opinion.
-
You may want to inform us of your advanced firewall setting so we have something to formulate an opinion on.
This type of test event makes some pretty exciting Router Log entries. Make sure you have your logging on and that you view it after the tests.
-
And why bother since you a. actually no known apps ever use these ports & b. you have >65000 other ports to use.
Perhaps your ISP blocks these ports...ruled that one out yet?
-
Perhaps your ISP blocks these ports...ruled that one out yet?
I guess you don't read things carefully. I have already stated that I tested other routers (wnr3500L, WRT610N, e3000, rt-n16, wzr-hp-G300nh to name a few) in the same environment and they all pass except the dir-655.
What reliable source of information can you cite that says a hacker cannot exploit these ports?
In addition, if these ports are stealthed for other d-link routers, why the difference/discrepancy for the dir-655, Rev B?
-
You may want to inform us of your advanced firewall setting so we have something to formulate an opinion on.
This type of test event makes some pretty exciting Router Log entries. Make sure you have your logging on and that you view it after the tests.
All firewall settings are at default (I did not change anything). I will turn logging on and report later.
-
All router settings at default doesn't really help because most of us have the A series and have no idea of the firmware B2.0.
Is it the same? I doubt it.
I guess you will have to be helped by someone with the new B series.
-
May say closed instead of stealth due to IPv6 which is supported in the B1.
Will have to investigate further.
-
All router settings at default doesn't really help because most of us have the A series and have no idea of the firmware B2.0.
Is it the same? I doubt it.
I guess you will have to be helped by someone with the new B series.
FIREWALL SETTINGS PAGE:
SPI Enabled
UDP ENdpoint Filtering (Address Restricted)
TCP Endpoint Filtering (Port and Address Restricted)
Enable Antispoof Checking (Unchecked)
Enable DMZ Host (unchecked)
-
May say closed instead of stealth due to IPv6 which is supported in the B1.
Will have to investigate further.
Interesting. It is at "link-local only" from drop-down menu. Other choices are Static IPv6, DHCPv6 (stateful), stateful autoconfiguration, PPPOE, IPv6 over IPv4e Tunnel, and 6 to 4.
WNR3500L with latest firmware supports IPv6 (disabled) and it passes the port tests.
Interestingly, I just received an email "response" from D-Link asking for information I had already given in my initial report.
-
I did find a post dated several years ago re the dir-825 with a similar problem and one "expert" suggested setting an unassigned ip address on dmz, but another thought that it could create undue burdens on the router. Regardless, this does not seem to be a real solution to the problem.
One idea I am thinking of is to cascade this router behind my FIOS router as a WAP. I really don;t want to do this if I don't have to, as the FIOS router is very crappy.
-
Looks like some trojans do use ports 0 and 1:
http://www.speedguide.net/port.php?port=0
http://www.speedguide.net/port.php?port=1
Sent D-link an inquiry - still no answer.
-
You do realize it is only the router responding to this not the computer.
In other words I am saying your computer is safe and if you want to test this out.
Unplug the router so your are connected straight to the modem.
Make sure your software firewall is on then run the test and you should get all stealth.
GRC is flawed as it just reports "responses" and not what the real source is.
-
taekwon3dan: Thanks for keeping us updated. Please continue to do so.
-
You do realize it is only the router responding to this not the computer. ...
I am under the impression that the router responding is the problem.
-
Looks like some trojans do use ports 0 and 1:
http://www.speedguide.net/port.php?port=0
http://www.speedguide.net/port.php?port=1
Sent D-link an inquiry - still no answer.
Trojans use all kinds op ports, 1 and 0 are no an exception to that phenomenon. The fact that a connection test reports responses on ports depends on the client behind the router. Routers do not have (and are not suppose to have) permanently closed ports, they only manage (through their firewall) the use of ports. Unless you buy a specific firewall router which is manageable.
So I really don;t see what answer D-link should provide, since you seem to inquire after a feature that is not there. IMHO, you're chasing a ghost here.
-
First of all, I don't have a modem but instead a FIOS router which, if I use as a primary router, passes the test. It is impossible to connect my computer to ethernet ONT without a router.
All the other routers I have tested (Netgear, Linksys, Buffalo, FIOS Actiontec) all pass the test as stealthed, so providing this feature is RUDIMENTARY and BASIC.
Indeed, the previous versions of DIR-655, as I understand from other posters, PASS this test, so there is no reason why REV B1 should NOT pass. D-Link can certainly get the job done if they want to....EASILY.
One of the primary reasons for using a router is as a first defense firewall device. If it cannot provide a basic feature, then I must wonder about D-Link as a reputable router manufacturer.
I have a case open with tech support. Their initial reaction has been one of DENIAL. That it SHOULD pass and I am not doing something right. They will test at their end and get back to me.
-
One of the primary reasons for using a router is as a first defense firewall device. If it cannot provide a basic feature, then I must wonder about D-Link as a reputable router manufacturer.
Wrong. The primary task is...routing. The added features (SPI, anti spoof etc) are merely very basic 'firewall' features. I think you would rather have bought a true firewall/router, because expecting firewall perfomance from these basic features in the DIR655 really is uncalled for.
-
Wrong. The primary task is...routing. The added features (SPI, anti spoof etc) are merely very basic 'firewall' features. I think you would rather have bought a true firewall/router, because expecting firewall perfomance from these basic features in the DIR655 really is uncalled for.
Again, you don't read all the words! I don't disagree with your assessment that ONE OF the primary functions/reasons of using a router is routing.
Re desiring a basic firewall feature is "uncalled for" -- Oh really?!?! How come all the other home routers on the market, including previous versions of dir-655 have this feature??
Notice this "accolade" of a feature touted in D-Link's own website!:
"To prevent possible attacks from the Internet, the DIR-655 uses dual active firewalls (SPI & NAT) to help protect your valuable data. Below is a list of DIR-655 features...
•Dual active firewall protection (SPI & NAT) helps block malicious attacks on networks from the Internet "
I find your statement baseless.
-
Those are the most basic firewall functions available, a bit how (let's say) MAC address restrictions comapre to WPA2. And even more: they have nothing to do with the issues discussed here, their function is very different from that.
-
First of all, I don't have a modem but instead a FIOS router
So you are using two routers.
Like this?: Fios router > dir 655 > device
-
So you are using two routers.
Like this?: Fios router > dir 655 > device
No, di-655 >> LAn/WLAN devices
Actiontec (FIOS) WAN connected to dir-655 LAN port (bridge for TVs)
-
Cobra,
The workaround I have in mind is to use Actiontec as a primary router (connected to ethernet FIOS ONT) and then connect the WAN port of the dir-655 to a LAN port on the Actiontec. They are on different subnets.
I am reluctant to do because the Actiontec has low-end CPU and only 100MB ports, so it is slower than dir-655.
-
Have you tried setting the 655 to bridge mode?
-
Have you tried setting the 655 to bridge mode?
Yes, that is another option.
That would subject the clients under 655 to only 1 NAT right (i.e., the NAT subject to Actiontec)? So bridge to Actiontec (LAN-LAN connection) with 655 in bridge mode and use 655 as an WAP, right?
Wouldn't I be subject to the poor WAN-LAN throughput of the Actiontec?
Thanks.
-
First of all, I don't have a modem but instead a FIOS router which, if I use as a primary router, passes the test. It is impossible to connect my computer to ethernet ONT without a router.
All the other routers I have tested (Netgear, Linksys, Buffalo, FIOS Actiontec) all pass the test as stealthed, so providing this feature is RUDIMENTARY and BASIC.
Indeed, the previous versions of DIR-655, as I understand from other posters, PASS this test, so there is no reason why REV B1 should NOT pass. D-Link can certainly get the job done if they want to....EASILY.
One of the primary reasons for using a router is as a first defense firewall device. If it cannot provide a basic feature, then I must wonder about D-Link as a reputable router manufacturer.
I have a case open with tech support. Their initial reaction has been one of DENIAL. That it SHOULD pass and I am not doing something right. They will test at their end and get back to me.
I agree completely. I just posted a similar question on this forum about why my new DIR-601 router fails a stealth test and shows ports 0 and 1 as closed instead of stealthed! Very disappointing.
-
Try to forward port 0 (zero) to a ip-number outside your ip range.
That would solve your problem
-
Actually it doesn't solve the problem. This router will not allow ports 0 or 1 to be forwarded for some reason. They still report as closed no matter what combination of settings I have tried. This is why people are so angry and disappointed with the D-Link routers--several of them, not just the DIR-601 exhibit this behavior. There is also no new firmware for the DIR-601 to correct this problem.
-
To summarize what has happened since my last post, D-Link support never got back to me.
Because it was within the return period (store), I got an RMA and returned it for full credit.
I got a different router from another manufacturer, and I am very happy with my decision. I don't think I'll ever buy a D-Link again.
-
This is the response I got back from D-Link technical support when complaining about not being able to stealth ports 0 and 1:
Steve,
I will pass your request to the PM for the product. Thank you for the feedback.
Not too encouraging considering people seem to be complaining about this issue on this and other routers for over 2 years!
I guess I'll never buy a D-Link product again either. I'm going back to Linksys/Cisco.
-
Well...
Port 0 is an invalid port and does not official exist
Port 1 is TCP Port Service Multiplexer
-
So, the put it more clearly: You are all complaining about ....nothing
Get a degree.
-
So, the put it more clearly: You are all complaining about ....nothing
Get a degree.
Actually, you are quite incorrect. Although I agree port 0 is officially not a supported port, it can be pinged as can port 1, regardless of port 1 being a multiplexer port. That means that a hacker can potentially verify you have a router at a give IP address when it gets a "Closed" status back instead of no status (stealth).
You can argue that there is nothing a hacker can do with the ports closed but I prefer to not let hackers, whom are much, much more knowledgeable and determined than I am, to not even know my router exists.
It's a simple concept. I don't understand why D-Link doesn't get it or just doesn't care.
Put another way, even if it is not a serious issue, from a pure business perspective, D-Link management are foolish to no implement this because of all the complaints over the past two years and the fact that their major competitors all implement this. What more logic do you need?
-
You can argue that there is nothing a hacker can do with the ports closed but I prefer to not let hackers, whom are much, much more knowledgeable and determined than I am, to not even know my router exists.
Everywhere you go on the web knows your router exists and knows your WAN IP address or you would not have a connection.
Hey, try testing sometime without the router just modem to PC and I bet you get stealth. Since you probably have the OS firewall on even with the router connected then maybe you will understand it is only the router responding not your computer as the computer is stealth. Your WAN IP stops at the router so it is virtually impossible to hack the computer as it has a different IP ---> LAN.
With the router on the network, open a command prompt and type ipconfig and you will see your computer has a different IP then if you go to http://whatismyip.com
-
Those all knowing hackers don't need port 0 or 1 to find you...
-
This issue comes as a total shock to me!!
I am a network engineer and got this router for home use and I am horrified to find out that 2 ports are CLOSED. Free firewalls like AVG never have such problems so for a company like D-Link, this is shameful!
I have the router for 4 days now.
Is there a new firmware in the works? A beta? Anything?
As long as a port says it exists may it be 0 or 1000 it does not matter, if a port is CLOSED or OPEN I will know it exists it's just a matter of time to hack in. The router should be "stealth" aka not respond to requests neither yes nor no. What is this some kind of backdoor compliance issue? I think I might report this to the FCC... How can this product pass the FCC???
-
Is there still no solution?
-
The ports are now closed with the latest firmware.