Router vendors, particularly in the home/SOHO market, are so bad at implementing DNS caching that they should abandon the functionality altogether, according to a study presented earlier this month at the USENIX Security Symposium.

The German cross-institution research group comprising Philipp Jeitner, Haya Shulman, Lucas Teichmann and Michael Waidner found many routers vulnerable to “injections of fake [DNS] records via misinterpretation of special characters”, and “in 15 of the 36 routers the mechanisms that are meant to prevent [DNS] cache poisoning attacks can be circumvented.”
DNS, the Domain Name System, is the lookup mechanism that tells a user’s computer that, for example, google.com can be found at the IPv6 address 2404:6800:4006:814::200e.
Routers implement DNS caching because, in the pre-broadband era, responses to DNS queries could be slow. If the record isn’t held in the cache, the router forwards the query upstream to the user’s ISP.
However, as the authors write in XDRI Attacks - and - How to Enhance Resilience of Residential Routers, errors in vendors’ DNS implementations are so common that vendors should instead ship standard, well-tested DNS software such as BIND.
Even better, don’t bother performing DNS functions in the users’ network: “Removing DNS improves the resilience of routers and client networks, without a significant loss of performance”, the study said.
“In our internet-wide study with an advertisement network, we identified and analysed 976 residential routers … out of which more than 95 percent were found vulnerable.
“Overall, vulnerable routers are prevalent and are distributed among 177 countries and 4830 networks”.
The attacks the researchers used, which give the paper its XDRI name, focused mainly on special characters in domain names that a router’s DNS forwarder misinterprets when it parses or re-encodes them, so that a record the attacker is legitimately allowed to supply for their own domain ends up cached under a name they do not control.
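To make the “misinterpretation of special characters” concrete, here is an added illustration (not code from the paper, and not any vendor’s firmware): a toy forwarder that correctly checks that a response record is in the attacker’s bailiwick on the wire, but then keys its cache on a text rendering of the name. A NUL byte is used as the special character; the zone names, the 192.0.2.66 address and the label layout are constructed for the example. The naive renderer stops at the NUL the way a C string would and caches the record under the victim’s name; the RFC 4343 renderer escapes it and the poisoning fails.

```python
# Added example: DNS name rendering as a cache-poisoning vector.
# Zone names, addresses and the injected label are constructed for this demo.

ATTACKER_ZONE = [b"attacker", b"example"]   # zone the attacker legitimately serves
ATTACKER_IP = "192.0.2.66"                  # documentation-range address, constructed
VICTIM_NAME = "www.victim.example"          # name the attacker wants to hijack


def encode_name(labels):
    """Encode raw label octet-strings into DNS wire format (RFC 1035 §3.1).
    Any octet, including NUL and '.', is legal inside a label on the wire."""
    out = b""
    for label in labels:
        if not 1 <= len(label) <= 63:
            raise ValueError("label length must be 1..63 octets")
        out += bytes([len(label)]) + label
    return out + b"\x00"


def decode_labels(wire):
    """Decode a wire-format name back into its raw labels (no compression pointers)."""
    labels, pos = [], 0
    while True:
        n = wire[pos]
        pos += 1
        if n == 0:
            return labels
        if n >= 0xC0:
            raise ValueError("compression pointers not handled in this example")
        labels.append(wire[pos:pos + n])
        pos += n


def name_to_text_naive(labels):
    """Sloppy rendering: join labels with '.', no escaping, and stop at the first
    NUL exactly as code that hands the result to C string functions would."""
    text = ".".join(label.decode("latin-1") for label in labels)
    return text.split("\x00", 1)[0]


def name_to_text_rfc4343(labels):
    """Rendering per RFC 4343 §2.1: '.' and '\\' are backslash-escaped, and any
    non-printable octet becomes \\DDD (decimal), so no octet can change the
    label structure or terminate the string."""
    parts = []
    for label in labels:
        s = ""
        for b in label:
            if b in (0x2E, 0x5C):            # '.' or '\'
                s += "\\" + chr(b)
            elif 0x21 <= b <= 0x7E:
                s += chr(b)
            else:
                s += "\\%03d" % b
        parts.append(s)
    return ".".join(parts)


def is_in_bailiwick(labels, zone):
    """Wire-level check: the owner name must end with the zone's labels."""
    tail = [l.lower() for l in labels[-len(zone):]]
    return tail == [z.lower() for z in zone]


def injected_owner_wire():
    """Owner name the attacker's nameserver puts in its response: the third label
    is the seven octets 'example' followed by a NUL. This is entirely within
    attacker.example, so the bailiwick check is satisfied."""
    return encode_name([b"www", b"victim", b"example\x00"] + ATTACKER_ZONE)


def poisoning_demo(to_text):
    """Run one response through the toy forwarder using the given renderer.
    Returns (record_accepted, cache_key_used, what_a_victim_lookup_now_returns)."""
    cache = {}
    labels = decode_labels(injected_owner_wire())
    accepted = is_in_bailiwick(labels, ATTACKER_ZONE)
    key = None
    if accepted:
        key = to_text(labels)           # the bug: cache keyed on rendered text
        cache[key] = ATTACKER_IP
    return accepted, key, cache.get(VICTIM_NAME)


if __name__ == "__main__":
    for renderer in (name_to_text_naive, name_to_text_rfc4343):
        accepted, key, hit = poisoning_demo(renderer)
        print(f"{renderer.__name__}: accepted={accepted} key={key!r} "
              f"lookup({VICTIM_NAME})={hit}")
```

The fix is not the escaping alone: a resolver that keys its cache on the raw wire-format labels (or canonical RFC 4034 form) never needs to round-trip through text, which is why the paper’s recommendation to reuse a mature resolver rather than hand-roll one matters.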
AVM, DrayTek, Tenda, Edimax, Mercusys, STRONG, CenturyLink, Actiontec, Bintec and Huawei devices were found vulnerable.
Corrected: the author misread a table in the paper, and in the original version of this story incorrectly identified products from Asus, D-Link, Linksys, Cisco, Telekom and Vodafone as vulnerable.