johncolanduoni 12 hours ago

Many IoT devices (or Windows when the LAN network location is set to “Private”) expose a wider surface area to local network addresses. Having a competent firewall on your residential router is still useful, especially for those that have no idea how to configure their endpoints securely.

Comparing a residential router to a network operator’s router is spurious: those routers don’t perform any sort of filtering for the public internet traffic flowing through them.

dracotomes 7 hours ago | parent [-]

Is there any residential router that exposes internal endpoints by default? I've yet to come across one that does not have a deny-any policy on its WAN interface and has incoming destination NATs set up.

What use is reducing the attack surface of a device which only ever initiates connections?

Edit: also there are network operators that block customer traffic on certain ports like NetBIOS, SMB or SMTP to name a few.

johncolanduoni 38 minutes ago | parent | next [-]

If your home router is compromised (which is what the parent comment was talking about, considering it mentioned CVEs) the attacker who now controls it can easily make connections to devices on your network via the router’s local address.

As for how the router that is theoretically not accepting incoming connections from the internet itself gets compromised in the first place: among other issues some routers can be RCEd by a webpage visited by someone inside the LAN[1]. That’s just one example, you can find tons of these if you search for router vulnerabilities. In practice, out-of-date routers end up in botnets frequently.

It has nothing to do with network operators blocking SMB traffic; the attacker can communicate with the router via whatever C2 mechanism they put in the malware, which probably won’t even involve opening a port on the router. The SMB or what have you to the endpoint would be entirely within the LAN.

[1]: https://www.malwarebytes.com/blog/news/2023/02/arris-vulnera...

lazide 3 hours ago | parent | prev [-]

Many happily do Network PNP, etc., which allows them to open ports on the public facing side of the router.
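One way a defender can check the point raised above, as an added example that is not part of this thread: parse the UPnP IGD `GetGenericPortMappingEntry` responses a router returns and flag any enabled mapping that exposes a LAN service such as SMB or RDP on the WAN side. The SOAP replies below are constructed samples, not captured from a real router; the parser works on real replies of the same shape.

```python
"""Audit UPnP IGD port mappings for WAN-exposed LAN services (added example)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Internal ports a LAN host should normally never be reachable on from the WAN.
SENSITIVE_PORTS = {22: "SSH", 23: "Telnet", 139: "NetBIOS", 445: "SMB", 3389: "RDP", 5900: "VNC"}

@dataclass
class PortMapping:
    external_port: int
    protocol: str
    internal_client: str
    internal_port: int
    description: str
    enabled: bool

def parse_port_mapping(soap_xml: str) -> PortMapping:
    """Extract one mapping from a GetGenericPortMappingEntry SOAP response."""
    root = ET.fromstring(soap_xml)
    # Strip namespaces so the IGD argument names can be looked up directly.
    fields = {el.tag.split("}")[-1]: (el.text or "").strip() for el in root.iter()}
    return PortMapping(
        external_port=int(fields["NewExternalPort"]),
        protocol=fields["NewProtocol"].upper(),
        internal_client=fields["NewInternalClient"],
        internal_port=int(fields["NewInternalPort"]),
        description=fields.get("NewPortMappingDescription", ""),
        enabled=fields.get("NewEnabled", "1") == "1",
    )

def audit_mappings(responses):
    """Return (mapping, reason) for every enabled mapping onto a sensitive service."""
    findings = []
    for resp in responses:
        m = parse_port_mapping(resp)
        svc = SENSITIVE_PORTS.get(m.internal_port)
        if m.enabled and svc:
            findings.append((m, f"{svc} on {m.internal_client} reachable via WAN "
                                f"port {m.external_port}/{m.protocol}"))
    return findings

def _resp(ext, proto, client, internal, desc, enabled="1"):
    """Build a constructed sample response (not from a real device)."""
    return (f'<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
            f'<s:Body><u:GetGenericPortMappingEntryResponse '
            f'xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
            f'<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>'
            f'<NewProtocol>{proto}</NewProtocol><NewInternalPort>{internal}</NewInternalPort>'
            f'<NewInternalClient>{client}</NewInternalClient><NewEnabled>{enabled}</NewEnabled>'
            f'<NewPortMappingDescription>{desc}</NewPortMappingDescription>'
            f'<NewLeaseDuration>0</NewLeaseDuration></u:GetGenericPortMappingEntryResponse>'
            f'</s:Body></s:Envelope>')

SAMPLE_RESPONSES = [  # constructed: a harmless game mapping, an exposed NAS, a disabled RDP entry
    _resp(3074, "UDP", "192.168.1.20", 3074, "Game console"),
    _resp(44500, "TCP", "192.168.1.10", 445, "NAS access"),
    _resp(3389, "TCP", "192.168.1.30", 3389, "Remote desktop", enabled="0"),
]
```

Against a live router you would iterate `NewPortMappingIndex` from 0 until the IGD returns an error and feed each reply to `audit_mappings`; any finding is a WAN hole a device on the LAN opened without the firewall's deny-any policy being involved.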