Slashdot Mirror


D-Link Routers Vulnerable To DNS Hijacking

An anonymous reader writes: At least one and likely more D-Link routers, as well as those of other manufacturers using the same firmware, are vulnerable to remote changing of DNS settings and, effectively, traffic hijacking, a Bulgarian security researcher has discovered. Todor Donev, a member of the Ethical Hacker research team, says that the vulnerability is found in the ZynOS firmware of the device, D-Link's DSL-2740R ADSL modem/wireless router. The firmware in question is implemented in much networking equipment manufactured by D-Link, TP-Link Technologies and ZTE.

64 comments

  1. Every day by Anonymous Coward · · Score: 3, Funny

    I get on my knees and give thanks to OpenWRT.

    1. Re:Every day by Anonymous Coward · · Score: 1

      If you like OpenWRT so much why don't you marry it?

    2. Re:Every day by Anonymous Coward · · Score: 1

      I don't think it's legal, yet.

    3. Re:Every day by FatdogHaiku · · Score: 5, Funny

      When a binary and an analog love each other, that's all that matters.
      How they compile in the privacy of their home is no one's business.
      And soon you may hear the pitter patter of little dependencies...

      --
      You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
    4. Re:Every day by fustakrakich · · Score: 3, Funny

      Yeah, but then the includes move in...

      --
      “He’s not deformed, he’s just drunk!”
  2. Manual config by jargonburn · · Score: 1

    I actually specify Google's public DNS server in my computer's network config. The router's DNS is only there as a backup.
    Also: Using D-Link? *tsk*

    1. Re:Manual config by wierd_w · · Score: 4, Interesting

      The hardware isn't all that bad most of the time, it's the shitty horrible firmwares they run.

      Frequently, it's an old, horribly butchered hackjob of openwrt under there these days. Something unholy running a 2.6 era kernel, and with drivers with more hacked patches attached than a 4th century beggar's clothes.

      Getting that old filth flushed out and replaced with something properly maintained is a GOOD thing. The router (hw wise) itself usually isn't all that bad.

      Netgear tends to be a bit better, but overpriced. Belkin can go die in a fire though.

    2. Re:Manual config by drinkypoo · · Score: 1

      Are any of these routers actually quality hardware? All the routers I've ever had have been crap. All versions of WRT54G overheat, for example, as do most other home routers.

      Within the next couple of hours FedEx is supposed to drop off my new home router, which is a Lenovo SFF machine with 3GB RAM and a 1.8GHz C2D. I'm popping a quad-ethernet into it. Then I'm going to heat up this RB411 I've got here and use it just for the WiFi. I've been using an RB192 and it seems to have just died on me. If the RB411 dies I guess I'll have to find a PCI-E WLAN NIC which works in Linux in Host mode. The machine supposedly had 1xPCI and 1xPCIE, and I need the PCI slot for the quad eth. But since the machine is so balls-heavy, I'm going to feel compelled to do more than just firewalling on it...

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    3. Re:Manual config by wierd_w · · Score: 2

      If you don't mind taking one apart, it is pretty easy to install the missing cooling inside a home router.

      Most have a 3v level based serial connector that can be tapped for driving a fan. Just getting some circulation in there helps immensely.

      This has more to do with the manufacturer not wanting any moving parts than it does with poor design though.

      I have a WNDR3400 that I use for various fun projects (It's running OpenWRT) that is a few years old now. I have replaced it with a more capable home router some time ago as the main workhorse. However, the logic board that drives that little silly dome light is a +5v system. I have removed the dome completely, removed the logic board with the lights on it, and used the header strip it connected to, to drive a pretty beefy fan. I can drive its little CPU at 100% nonstop and it does not get much above room temp.

      If the biggest problem you have is with cooling, stop being a wimp and just drive a fan off the serial console port connector inside. Pretty much all consumer routers have one.

    4. Re:Manual config by fuzzyfuzzyfungus · · Score: 1

      They all tend to be fairly miserable (though thermal issues are often more a product of the desire to have more space for ugly branding and fewer vents, which can be fixed with a bit of applied violence); but I do have to give the hardware credit for often being rather amazing for the price. The firmware is shit more or less across the board; but it is astounding how much actual computer they can cram into a $20 router.

    5. Re:Manual config by Anonymous Coward · · Score: 1

      I actually specify Google's public DNS server in my computer's network config.

      I'm sure Google is happy to hear that. Personally I think they know quite enough about me already, without also being aware of every single hostname my network resolves.

    6. Re:Manual config by epyT-R · · Score: 1

      You're better off with the quad ethernet card being pcie and the wlan card pci, especially if the ethernet is 1gb or more.

    7. Re:Manual config by drinkypoo · · Score: 1

      If the biggest problem you have is with cooling, stop being a wimp and just drive a fan off the serial console port connector inside. Pretty much all consumer routers have one.

      Well, the one WRT54G I added a fan to still crashed its pathetic little ass off, I never have understood why the community loved those things so well. I tried five of them before I realized that everyone is a fucking idiot, apparently. I don't like to believe that I'm smarter than the masses, both because it looks like an ego trip and because usually that sort of reasoning leads to disappointment, but now I know the WRT54G is garbage across the board. So now I don't trust anyone on this subject.

      As it turns out, a whole PC with a case and drives and everything is around fifty bucks, which is dramatically less than a decent home router any more — most of them are well over $100, and many of them over $200! This is completely batshit crazy when I can build a PC with quad-ethernet and Wireless-N for less money brand new if I compromise.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    8. Re:Manual config by wierd_w · · Score: 1

      Yeah-- I was meaning "good for the price"

      A home router is little more than a SoC these days. Does not have the robustness that an actual dedicated computer has. What it DOES have is low energy draw, small physical footprint, and "Good for the price" hardware.

      Getting some quality software in there, and a little cooling, they can work quite well even under pretty heavy loads. They just aren't data center grade.

      They ARE getting some pretty powerful SoC in them though in recent offerings. Some are up to 1.2ghz ARM platforms now. Probably a side effect of the android phone market.

      My old WNDR3400 I use for fun projects just has a 400mhz MIPS (Little endian) SoC though. Has a USB2.0 port, which makes it a fun thing to play with all the same though. (It's BARELY enough to put a compatible USBVGA dongle on, and some USB permanent storage.)

    9. Re:Manual config by drinkypoo · · Score: 1

      You're better off with the quad ethernet card being pcie and the wlan card pci, especially if the ethernet is 1gb or more.

      That's true, but the QE card came from a yard sale for five bucks, so unless it's bad I think I'm pretty well-off with that one. The machine has one GigE port onboard, and I'll feed that into a D-Link 1Gbps unmanaged switch for a storage segment just for my PC and some Pogoplugs. Everything else in the house is either wireless or 100Mbps, so it won't actually matter at all.

      I do have an atheros-chipset wlan PCI card which might do master mode, but it's only 802.11g. If it were 802.11a+n then I'd probably go looking for a PCIE QE card to go next to it.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    10. Re:Manual config by Bengie · · Score: 1

      The dual port network card in my PC router is worth more than $100. No matter how many packets I throw at my router, the interrupts per second never go above 300. Interrupt coalescing is awesome. It even coalesces across my LAN and WAN ports. It does this while keeping latency low. I get a 0.04ms ping from my PC to my router through my switch. I can't measure lower than that because of thread scheduling.

    11. Re:Manual config by wierd_w · · Score: 1

      The WRT54G was one of the first consumer routers where the maker "Fucked up", and used FOSS software without a license, and then had to release the source code.

      As a consequence, it was one of the first devices to attract major community attention, even with all its warts.

      Later versions of the device were so horribly underpowered compared to the original hardware release that they just aren't worth any effort. Compared to more recent SoC based home routers, they are garbage. (TINY system flash size, abysmally slow CPU. TINY system RAM, etc.)

      When shopping for a consumer router, I look for one that is listed in the OpenWRT support list, with the best intersection of price and hardware inside.

      Simply because it has a 50$ pricetag does not mean it is the best router. It just means that the manufacturer has set a 50$ MSRP.

      Personally, I think one of those tiny "Fitlet" miniPCs that were mentioned earlier this month would make a great home router. They have a mini PCIe slot inside them, have an actual DIMM slot, and a few other perks. Sadly, I can't seem to find a price or retailer.

    12. Re:Manual config by epyT-R · · Score: 1

      If you don't need the extra performance, then that $5 board is just fine. Even dual ethernet boards with decent chipsets are ripoffs.

    13. Re:Manual config by drinkypoo · · Score: 1

      Well, somewhere I've got a mystery Quad Tulip with genuine DEC chips, but the NIC I'm planning to use is a Phobox P430TX. It's four totally discrete Intel 21143TD chips with Level One level shifters (whatever you actually call the chips that handle the ethernet line itself) behind an intel 21152AB PCI to PCI bridge. If it doesn't pan out then I've gotta track down that tulip, which is probably deep inside a crate someplace.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    14. Re:Manual config by MikeMo · · Score: 1

      It seems most consumers will only buy whichever router is the cheapest. They have no concept of quality, performance, features, configurability, etc. when it comes to routers. So, router makers have to keep making them cheaper and cheaper or they don't sell at all. Kinda like the whole PC market, only worse. Obviously, they get to the point where they barely run, barely have any thermal headroom, have the cheapest possible components, and buggy firmware.

    15. Re:Manual config by drinkypoo · · Score: 1

      As it turns out, and as I would probably have noticed if I paid more attention to model numbers, all the intel chips on this card are DEC clones. Linux, naturally, just calls them tulips. Huzzah!

      Also as it turns out, the PCIE interface is weird. It has an almost-PCIEx1-almost-PCIEx16 video card in it which appears to just provide the DVI output for the onboard intel 960 graphics. I'm sure this is old hat to other people but I haven't messed about with an even vaguely modern corporate PC in a while, just clones and servers. Presumably I could still stick a normal X1 card in it.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    16. Re:Manual config by _merlin · · Score: 1

      AVM FritzBox is the only quality hardware I've seen in this space.

    17. Re:Manual config by fustakrakich · · Score: 1

      Just turn the wifi power down a bit, and don't bother trying to overclock it.

      --
      “He’s not deformed, he’s just drunk!”
    18. Re:Manual config by houghi · · Score: 1

      I just run my own DNS server pdnsd because it is easy to configure. That way I have access to sites that are blocked otherwise by law (Torrent sites) and I do not give Google even more information than what they already get.

      I can also easily add the domains from mvps and others to block. Bit of scripting and it is done.

      --
      Don't fight for your country, if your country does not fight for you.
    19. Re:Manual config by Anonymous Coward · · Score: 0

      WRT54G? What is this, 1995?

      Even a TL-WR740N (that you can get for $10) will run circles around it, won't overheat, will eat less than 5W and run OpenWRT perfectly.

      Your 3GB shit is absolutely overkill for a "home" router, and kind of ridiculous.

    20. Re:Manual config by Anonymous Coward · · Score: 0

      The 'level shifter' is called a PHY.

    21. Re:Manual config by Skater · · Score: 1

      My experience with the WRT54G v1.1 was ten years of trouble free use. I replaced it only because I wanted a faster network (I move large files around frequently). In fact, I still have my WRT54G, and I needed to come up with a way to get internet access for one device to multiple devices at a show we run, so I installed dd-wrt or openwrt on it and had it connecting to two wireless networks (one with net access and our private one). Even when I was running a live video stream through that connection, the WRT54G performed perfectly. I wish my newer Netgear router was as reliable as my WRT54G was; it requires a power cycle every few weeks.

    22. Re:Manual config by fuzzyfuzzyfungus · · Score: 1

      I'd be inclined to say 'amazing' for the price. I understand the use case for rPi, beaglebone black, cubieboard, etc. when you need video and actually good GPIO (even more so if you need proper PWM, i2c/SPI, etc. BBblack, especially, has some pretty powerful specialty I/O options); but routers are so aggressively priced that they are often a pretty good deal for adding network capabilities to assorted projects on the fast and cheap.

      I'm always up for other suggestions, of course; but I'm currently a big fan of the little 'travel/portable' routers that the RT5350 seems to have spawned a bunch of. Ethernet, USB, 802.11B/G/N, typically a serial port (I got lucky with the ones I purchased, the pads were even labelled and everything), and a few GPIOs, all for $15 or less. Kind of weak (usually 32MB RAM and ~400MHz MIPS core); but feel the price.

    23. Re:Manual config by Anonymous Coward · · Score: 0

      There were a number of revisions to the WRT54G hardware. Some of the later revisions sucked. I'm betting you were late to the party. Seriously, I think Linksys sold that thing for over 5 years---I know it outlived anything that released around the same time.

      The first 4-5 hardware revisions were solid, and I recommended it constantly. After seeing people with trouble, I stopped. Things went downhill shortly before the Cisco acquisition. Not sure how they've been since. I'll forgive anyone an initial design flaw, especially on new tech---but when it happens on multiple post-release revisions of successful hardware then it's clearly a case of deliberate cost-cutting and poor QA. And I seriously object to wasting my time to save them a few pennies.

  3. CPE are horrible by jaredmauch · · Score: 1

    I've been working on various aspects of the CPE equation for almost 2 years now as part of the various OpenResolverProject, OpenNTPProject, and other related aspects. Most CPE can't even do DNS correctly, let alone securely.

    Take Netgear for example, they can't even process RFC1035 4.2.2 correctly to say a client should support DNS over TCP (it's not just for zone transfers), but instead of just not responding, or sending back some error that allows the DNS client to try the next resolver it has, you get it sending REFUSED: https://www.cloudshark.org/cap...

    These devices are unmaintained outside of the few who actually upgrade them, and it's most likely still got default passwords on it causing all sorts of other possible pain and xss abuse/malware concerns. This is only going to get worse as more things have an IP address and communicate with the rest of the world.
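The DNS-over-TCP behaviour the comment above refers to can be checked with a short script. This is an added example, not part of the original comment: it frames a query with the two-byte length prefix from RFC 1035 4.2.2, reassembles replies from a TCP byte stream, and reports the RCODE (REFUSED is 5). The function names and the sample reply are constructed for illustration.

```python
import socket
import struct

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
               3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def build_query(name, qtype=1, txid=0x1234):
    """Build an unframed DNS query (RD set, one question, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def frame_tcp(message):
    """RFC 1035 4.2.2: over TCP the message is prefixed with a 2-byte length."""
    if len(message) > 0xFFFF:
        raise ValueError("DNS message too long for TCP framing")
    return struct.pack("!H", len(message)) + message


def unframe_tcp(stream):
    """Split received TCP bytes into whole DNS messages plus leftover bytes."""
    messages = []
    while len(stream) >= 2:
        (length,) = struct.unpack("!H", stream[:2])
        if len(stream) < 2 + length:
            break  # partial message, more data still to come
        messages.append(stream[2:2 + length])
        stream = stream[2 + length:]
    return messages, stream


def classify_response(query, response):
    """Summarise how a resolver answered a query that was sent over TCP."""
    if len(response) < 12:
        return {"status": "malformed"}
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if txid != struct.unpack("!H", query[:2])[0] or not flags & 0x8000:
        return {"status": "mismatch"}  # wrong transaction ID or not a response
    rcode = flags & 0x000F
    if rcode == 0:
        status = "answered"
    elif rcode == 5:
        status = "refused"
    else:
        status = "error"
    return {"status": status,
            "rcode": RCODE_NAMES.get(rcode, "RCODE%d" % rcode),
            "answers": ancount,
            "truncated": bool(flags & 0x0200)}


def probe_tcp(server, name, timeout=3.0):
    """Send one query to server:53 over TCP and classify the first reply."""
    query = build_query(name)
    try:
        with socket.create_connection((server, 53), timeout=timeout) as sock:
            sock.sendall(frame_tcp(query))
            buf = b""
            while True:
                messages, _rest = unframe_tcp(buf)
                if messages:
                    return classify_response(query, messages[0])
                chunk = sock.recv(4096)
                if not chunk:
                    return {"status": "closed"}
                buf += chunk
    except OSError as exc:  # refused connection, timeout, unreachable
        return {"status": "no_tcp_service", "error": str(exc)}


def constructed_refused(query):
    """Constructed sample reply: QR, RD, RA set, RCODE 5, question echoed."""
    return query[:2] + struct.pack("!HHHHH", 0x8185, 1, 0, 0, 0) + query[12:]


if __name__ == "__main__":
    q = build_query("example.com")
    msgs, _ = unframe_tcp(frame_tcp(constructed_refused(q)))
    print(classify_response(q, msgs[0]))
```

`probe_tcp` is meant to be pointed at the resolver address of a device you administer; the `__main__` block runs offline on the constructed reply.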

  4. Hey let's attack routers now! by Anonymous Coward · · Score: 0

    So it seems hackers have found yet another way to attack us. It's weird because I was dealing with some strange stuff on a D Link log a while back. It was like a DOS attack only it wasn't, but it was coming from one address so I simply blocked that address and stopped it. I never used to pay much attention to router logs, but I guess it's just another place to check.

    1. Re:Hey let's attack routers now! by wierd_w · · Score: 1

      Routers are an obvious choice to deploy payloads against.

      Most are running a hackfest 2.6 era kernel with not-well-vetted hackfest drivers. Most have an autoupdate feature which silently updates the firmware when you log into them from their web interfaces.

      With a combination of a DNS hijack, this autoupdater, malicious intent, and a suitable "Upgrade package"-- these routers can be zombified VERY easily.

      Once pwned like this, they become willing and capable servants in a botnet.

    2. Re:Hey let's attack routers now! by ShaunC · · Score: 1

      I'm pretty sure I recall reading that most of Lizard Squad's botnet, the one used to attack PSN and XBL, is comprised of rooted routers.

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
  5. Why leave remote administration on? by ciscoguy01 · · Score: 5, Insightful

    Why leave remote administration on?
    I would avoid opening the web UI of any home router on the WAN side.
    It's mostly unnecessary and a needless security exposure.

    --
    .
    1. Re:Why leave remote administration on? by wierd_w · · Score: 2

      Indeed, but getting the router's DNS table to point to your malicious package when it checks for "Available Updates" works even when the LAN side does the admin through the web UI.

      Leaving the WAN side open is just ASKING for trouble.

    2. Re:Why leave remote administration on? by ciscoguy01 · · Score: 2

      The funny thing is, hundreds of thousands of Cisco routers are open to the WAN with only a pw, no username at all. Somehow we get by. Heh.

      --
      .
    3. Re:Why leave remote administration on? by Anonymous Coward · · Score: 1

      From the original story, quote:

      "... even if it's only accessible from within the local area network, hackers can still use cross-site request forgery (CSRF) techniques to reach a router's interface.

      CSRF attacks hijack users' browsers to perform unauthorized actions when they visit compromised sites or click on malicious links. Rogue code loaded from a website can instruct a browser to send specially crafted HTTP requests to LAN IP addresses that are usually associated with routers.

      Large scale CSRF attacks against router owners that were designed to replace DNS servers configured on their devices with servers controlled by attackers were observed on the Internet in the past. "
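The quoted passage explains why a LAN-only admin interface is still reachable through the user's browser. As an added example (not from the article or any vendor's firmware), here is the kind of server-side check an admin interface can apply to settings changes so that such forged requests are rejected. The function names, the `csrf_token` field, the key and the addresses are hypothetical.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_origin(value):
    """Return (scheme, host, port) for an Origin/Referer value, or None."""
    try:
        parts = urlsplit(value)
        port = parts.port
    except ValueError:  # malformed host or port
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None  # covers "null" and non-http(s) schemes
    if port is None:
        port = DEFAULT_PORTS[parts.scheme]
    return (parts.scheme, parts.hostname.lower(), port)


def issue_token(session_id, key):
    """Per-session anti-CSRF token, embedded in forms served by the device."""
    return hmac.new(key, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def check_admin_request(method, headers, form, session_id, key, own_origins):
    """Decide whether a settings-changing request may proceed.

    Returns (allowed, reason). A page on another site cannot read the token
    and cannot forge the Origin header the browser attaches.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    if method.upper() != "POST":
        return (False, "settings changes must use POST")
    source = hdrs.get("origin") or hdrs.get("referer")
    if not source:
        return (False, "no Origin or Referer header")
    if parse_origin(source) not in own_origins:
        return (False, "cross-origin request")
    supplied = form.get("csrf_token", "").encode("utf-8")
    expected = issue_token(session_id, key).encode("utf-8")
    if not hmac.compare_digest(supplied, expected):
        return (False, "bad or missing CSRF token")
    return (True, "ok")


# Constructed sample values for the demonstration below.
KEY = b"constructed-demo-key"
SESSION = "sess-1"
OWN = {("http", "192.168.1.1", 80)}

if __name__ == "__main__":
    good_form = {"dns1": "192.0.2.53", "csrf_token": issue_token(SESSION, KEY)}
    cases = [
        ("POST", {"Origin": "http://192.168.1.1"}, good_form),
        ("POST", {"Origin": "http://other-site.example"}, {"dns1": "203.0.113.9"}),
        ("GET", {}, {"dns1": "203.0.113.9"}),
    ]
    for method, headers, form in cases:
        print(method, headers, check_admin_request(method, headers, form,
                                                   SESSION, KEY, OWN))
```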

    4. Re:Why leave remote administration on? by nehumanuscrede · · Score: 1

      You're braver than I am :D
      ( Assuming your Wan faces the internet )

      In a corporate environment, sure.
      In the wild ? hahahahahaha No.

      Better to be on site when doing any configuration tweaking anyway. A typo is the
      only thing standing in the way of locking yourself out of it and / or knocking it offline
      completely.

      I personally don't allow anything other than very specific hosts which are members of the
      wired Lan access to router / switch management. No remote sites, no wireless or VPN
      connections. ( Of course, talking about a home network. Corporate is different story. )

  6. dsl2741b firmware by Anonymous Coward · · Score: 0

    guys, I'm using dsl-2741b how do I discover if it uses zynos or not?
    other than that, can you recommend good dsl router? I was looking at asus...

    1. Re:dsl2741b firmware by epyT-R · · Score: 1

      old sff pc with two gigabit nics and a separate switch.. Install linux or bsd of your choice and configure, or use distros tailored to the purpose like zeroshell or m0n0wall.

    2. Re:dsl2741b firmware by ciscoguy01 · · Score: 1

      old sff pc with two gigabit nics and a separate switch.. Install linux or bsd of your choice and configure, or use distros tailored to the purpose like zeroshell or m0n0wall.

      Uh, right. Now that makes no sense at all for most people.
      Zynos is not bad, just turn off remote administration if you don't need it.
      If you *do* need remote admin, make sure to establish a good username and pw.

      --
      .
    3. Re:dsl2741b firmware by ciscoguy01 · · Score: 1

      Asus is a motherboard company.
      They just have a marketing deal to sell routers.
      That said, it's probably fine.
      But let me just say, Engenius has the features and the WIFI performance. Very strong.
      And they are indeed a networking company.

      --
      .
    4. Re:dsl2741b firmware by drinkypoo · · Score: 1

      Asus sells a lot of computer-related electronics these days, most of their hardware is of very good quality. I bought one of their earlyish USB2 DVD-burners back in the EEE701 days. It's done quite a bit of traveling, and I've still got it and it still works.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  7. dis guy by Anonymous Coward · · Score: 0

    he be ETHICALLY haxxin!!!1!

    1. Re:dis guy by jones_supa · · Score: 1

      Heh. I know, the name might sound dorky to some, but I'm actually glad that some guys named a group "Ethical Hacker research team". There's so many "security researchers" which in practice just provide direct ammunition for the black hats.

    2. Re:dis guy by jones_supa · · Score: 1

      Ah, now I hear that he actually published the vulnerability without informing the manufacturer(s) first. Thus, let me cancel that comment.

  8. Come on already by hcs_$reboot · · Score: 1

    Put OpenWrt on it and problem over.

    --
    Slashdot, fix the reply notifications... You won't get away with it...
    1. Re:Come on already by drinkypoo · · Score: 1

      Put OpenWrt on it and problem over.

      A lot of these el cheapo routers won't take an alternate firmware, they don't run Linux and they don't have sufficient hardware resources in a lot of cases, notably ram and flash. Unfortunately, a lot of these sort of devices have the same name as devices which will take Linux. When you're lucky, a revision number which can be used to determine compatibility appears on the device, but is usually not visible through the packaging.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:Come on already by Anonymous Coward · · Score: 0

      Put OpenWrt on it and problem over.

      That's your solution to everything. I'm starting to rethink our marriage.

    3. Re:Come on already by Anonymous Coward · · Score: 0

      Those vxworks based wrt54gs were great routers...the routing and firewall software beat the pants off netfilter and u32... NOT!

    4. Re:Come on already by ciscoguy01 · · Score: 1

      Put OpenWrt on it and problem over.

      OpenWrt is not without its issues.
      It's not a panacea. Unless you need a package that has been implemented on that platform.
      If you do, OpenWrt is appropriate.
      DDWrt might be slightly easier to configure, but certainly not without its own problems.
      But other platforms are better for average home users. Easier to use.
      Man, so many people get glazed looks when asked to make a change to even a simple home router. They are so simple!
      When the guy from the cable company did my install and I made the few little changes that needed to be made, his eyes opened wide that I knew how to do that!
      He seemed shocked.

      --
      .
    5. Re:Come on already by operator_error · · Score: 2

      This is what the OpenWRT Table of Hardware is for. One nice feature of the list is de-facto announced end-of-life, so you'll know when to retire your old gear. DD-WRT doesn't do this with their hardware compatibility list so you're left thinking they'll push out an update for your unit, except they don't.

      OpenWRT lists support for an interesting and cheap TP-Link router on their front page (the TP-Link TL-MR3420). What makes this 40 euro router so interesting is its support for both an ethernet WAN port, along with another GSM WAN port which affords the user internet provider redundancy. It's been on my to-do list for a while to pick one up.

      European Pre-Pay GSM can be super-affordable too. Here's an Austrian ISP that will sell you 9Gb of 4G data for 9.90 euro. In The Netherlands Bliep will sell you 3G data for .50 cents a day, and 4G data for 1 euro a day.

      Does anyone have any experience with such a router? I don't even try to discuss such configurations with the installation folks from the wired ISPs. The last guy was here simply amazed I had one with OpenWRT; and that I wasn't interested in the ISP's modem for anything except being a basic firewall and cable link to the OpenWRT unit.

    6. Re:Come on already by hcs_$reboot · · Score: 1
      --
      Slashdot, fix the reply notifications... You won't get away with it...
    7. Re:Come on already by Anonymuous+Coward · · Score: 1

      There are a lot of routers with a USB that are supported by OpenWRT, TL-MR3420 is not that interesting. I've got my TL-WDR3600 (gigabit, 2 usb ports, 5GHz support) for less than $40. Unfortunately no hardware NAT support on OpenWRT, so I'm limited to ~300Mbs on wan.

      If you have a USB-port, you can stick whatever device supported by linux in-there, not just "GSM" modems. The limitations are mostly because of the crappy stock firmware. And many recent HSPA and LTE modems are themselves linux-based routers, and appear like a CDC ethernet interface, so they just work, auto-magically.

  9. usb vga dongle ? by Anonymous Coward · · Score: 0

    What can you do with this usb vga dongle ? does openwrt have drivers ?

    1. Re:usb vga dongle ? by wierd_w · · Score: 1

      If it is supported, YES.

      There are 2 drivers that work with USB to VGA dongles. One is the SISVGA driver, the other is the DisplayLink driver.

      This provides a simple framebuffer device to the system that can drive a VGA monitor. You need to custom build your openwrt image to have it turned on though, and to enable the main system console to run on the virtual console hosted by the framebuffer device (And NOT on the physical serial port usually inside most routers.)

      Here's a blog detailing the process for getting the displaylink driver working.

      Putting a USB2 hub on the lonely USB2.0 port on the back, putting a keyboard, mouse, and USB2VGA dongle on, you can directly hack away on the router. Even without the keyboard and mouse, the framebuffer device can be used to display data about the current status of the router in real time, and other fun things.

  10. So... by Anonymous Coward · · Score: 0

    > The firmware in question is implemented in much networking equipment manufactured by D-Link, TP-Link Technologies and ZTE.

    So which models?

  11. Douche bag by Anonymous Coward · · Score: 0

    Publishing an exploit without notifying the company first == DICK move.

  12. DSL-2640 by Anonymous Coward · · Score: 0

    My mother has a stock DSL-2640 ... is it vulnerable too?

    Though leaving remote admin open in that piece of junk wouldn't ever even cross my mind! :o

  13. Donev did not report the vulnerability to D-Link by Anonymous Coward · · Score: 0

    Where are all the comments about Donev not informing D-Link before releasing exploit code?

  14. "Ethical Hacker"? by Nanoda · · Score: 1

    "The exploit was created by Todor Donev, member of a Bulgarian security research outfit called Ethical Hacker[...]"
    "Donev did not report the vulnerability to D-Link and as far as he knows it is currently a zero-day[...]"

    I don't think that word means what you think it means. :-/

  15. Avoid DNS via hosts & go faster too by Anonymous Coward · · Score: 0

    Hosts do these things for more speed, security & reliability:

    1.) Protect vs. malicious sites/servers (beyond malicious ads: See 2-10 next)
    2.) Protect vs. fastflux botnets + stop communication to C&C servers
    3.) Protect vs. dynamic dns botnets + stop communication to C&C servers
    4.) Protect vs. DGA botnets + stop communication to C&C servers
    5.) Protect vs. downed DNS (adds reliability)
    6.) Protect vs. DNS redirect poisoned dns
    7.) Protect vs. DNS amplification attacks
    8.) Protect vs. trackers
    9.) Protect vs. spam
    10.) Protect vs. phishing
    11.) Protect vs. bandwidth caps
    12.) Get you past a dnsbl
    13.) Keep you off dns request logs
    14.) Speed up websurfing by adblocks & hardcoded fav. sites
    15.) Work on ANY webbound app (think stand-alone email programs) multiplatform.
    16.) Give you easily texteditor controlled data for the above
    17.) Do all that & block ads (better than addons) more efficiently in cpu cycles + memory usage

    * Bolded items concern DNS & how hosts protect you vs them!

    APK

    P.S.=> Browser addons don't do the above for you:

    Ghostery's Advertiser owned - "A fox guards the henhouse"-> http://en.wikipedia.org/wiki/G...

    AdBlock's 4++gb & 100% CPU usage flooring inefficiency -> https://blog.mozilla.org/nneth... + ClarityRay defeats it + it 'souled-out' & is crippled by default paid off to not do its job http://techcrunch.com/2013/07/...

    BOTH do far less than hosts do & less efficiently - hosts by way of comparison, do MORE w/ less.

    Both add complexity/room for breakdown/exploit + from a slower mode of operations (usermode = more messagepassing overheads vs. hosts in kernelmode).

    Hosts start w/ the IP stack before REDUNDANT inefficient addons BEGIN to operate (as 1st resolver queried).

    For the BEST hosts file?

    APK Hosts File Engine 9.0++ SR-1 32/64-bit -> http://start64.com/index.php?o...

    The BEST antivirus (MalwareBytes) http://www.av-test.org/en/news... recommend & host it http://hosts-file.net/?s=Downl...

    ... apk

  16. Is it externally exploitable? by Anonymous Coward · · Score: 0

    I wish when people released exploits or news of exploits for home routers they would state if it is exploitable via the external port. This is all most people should care about.

    If something is only exploitable via the web interface, or via an internal interface, the issue is considerably less interesting. This information needs to be front and center for all vulnerabilities of home routers. Frankly, I don't even want to hear about a vuln that requires access to the web interface. It's uninteresting, because giving non-trusted users access to the web interface is a misconfiguration in my book.