
My traffic goes through 6 routers in sequence.

+----------+                       +----------+
|          |           192.168.3.2 |          |
| Internet |           +---------->+ Router 4 |
|          |           |           |          |
+-+--------+           |           +-+--------+
  ^                    |             ^  192.168.4.1
  |                    |             |
  v  203.0.113.74      |             v  192.168.4.2
+-+--------+           |           +-+--------+
|          |           |           |          |
| Router 1 |           |           | Router 5 |
|          |           |           |          |
+-+--------+           |           +-+--------+
  ^  192.168.1.1       |             ^  192.168.5.1
  |                    |             |
  v  192.168.1.2       |             v  192.168.5.2
+-+--------+           |           +-+--------+
|          |           |           |          |
| Router 2 |           |           | Router 6 |
|          |           |           |          |
+-+--------+           |           +-+--------+
  ^  192.168.2.1       |             ^  192.168.6.1
  |                    |             |
  v  192.168.2.2       |             v  192.168.6.2
+-+--------+           |           +-+--------+
|          |           |           |          |
| Router 3 +<----------+           | Computer |
|          | 192.168.3.1           |          |
+----------+                       +----------+

Each router is of a different make with different firmware (German, American, Chinese, Swedish, ...).

If a fault is found on a router, or a backdoor is installed, or for any reason RouterLvl1 is compromised, the attacker would have to hack all the other routers from lvl2 to lvl6 to get to my PC.

I did this because I had a lot of old unused little and cheap routers. Does it make sense? In your opinion, is the security of each router adding to the global security?

the french
    It's a lot less secure now that I know your internal IP!!! :evil laugh: – Conor Mancone Nov 27 '20 at 16:12
  • 1
    Unless you have a specific reason to use routers (to separate networks, force routes, protect LAN machines with open ports, etc.) I guess you won't gain anything. – reed Nov 27 '20 at 16:27
  • 5
    It depends what threats you are worried about. e.g. the network infrastructure does nothing to protect against many phishing attacks, and if you open up a service to the internet your multiple network hops gains you absolutely nothing. – JeffUK Nov 27 '20 at 17:23
  • 3
    @JeffUK It's also useless if you download a virus directly, which is a common way people get them. Most of the time when a router gets compromised it isn't so that an attacker can use them to take over your network (which is not as easy as it sounds these days), but rather so that they can be used as botnets, and now you have 5 more routers to become a part of a botnet! – Conor Mancone Nov 27 '20 at 17:36
  • 3
    Routers aren't security devices, you need firewalls. Some routers include rudimentary firewall capabilities, and NAT also provides a form of security. Is that what you're asking about? – Barmar Nov 28 '20 at 13:36
  • 8
    I added a nice ASCII graphic to illustrate the network better. I hope you like it. If not, revert it to how it was –  Nov 29 '20 at 15:41
  • 1
    Nice work @MechMK1! – ThoriumBR Nov 29 '20 at 21:31
  • If they were all *firewalls*, then **maybe** this would enhance security, although beyond the second or third firewall I expect there would be point of diminishing returns, if not throughput. – Todd Wilcox Nov 29 '20 at 22:27
  • Wasn't there a joke like this about antivirus software? You use an American firewall against Russian malware, a Chinese firewall against American malware, an Iranian firewall against Chinese malware, an Israeli firewall against Iranian attack and a Russian firewall against Israeli malware? – Nzall Nov 30 '20 at 14:23
  • This adds a whole lot of complexity, expense, and performance loss for *rapidly* diminishing returns. You'd be safer and cheaper off just airgapping at this point. – Shadur Nov 30 '20 at 14:55

5 Answers


It may look good on paper, but it's a terrible idea.

You assume that the only way to get into your PC is from the first hop, the router closest to you, and that to hack one device, the previous one must have been hacked too. That assumption is incorrect.

Extending your network a little further, there are several enterprise-grade routers, managed by teams of experienced system administrators, and if your assumption were correct, to hack your PC those routers would have to be hacked too, right? But we know that is not how it works.

Now, back to the real world. An attacker does not need to hack every single device between their computer and yours; one (or even none) is enough. If the attacker wants to employ a MitM attack against you, he now has 6 routers to attack and needs to succeed against only one. As they are chained, MitM on one means most traffic is under his control. SSL will protect you here, but non-SSL protocols (SMTP, IMAP, DNS, FTP) are all vulnerable.

So instead of having only one target, the attacker can have six. And you will have six times more work keeping those routers updated and secure. One 0-day in one router is less probable than one 0-day in any of six routers.

And if it seems unlikely that an attacker would target one of the internal routers in the chain, remember that the user can be led to a page making requests to internal IP subnets (10.0.0.0/8, 192.168.0.0/24, 192.168.1.0/24, and so on) while he watches cat videos. If any router responds, it can be attacked from the user's PC.

If the attacker can execute code on the user's PC, they can run traceroute to get the address of every router, and use the user's PC as a proxy to attack each one directly, from inside. NAT does not protect them at all.

We like to say that a chain is only as strong as its weakest link, and you are adding lots of unnecessary links to your chain.

ThoriumBR
  • For the firewalls of these routers, the assumption should hold though. – Bergi Nov 28 '20 at 12:28
  • The big thing I don't like about this answer is it ignores the fact that OP is probably using NAT. In order to get to router lvlN, the attacker has to find some way to poke through router lvlN-1 if router lvlN-1 is using NAT. Because of that, would this not be theoretically more secure (if paranoid, and adding latency)? – Dessa Simpson Nov 28 '20 at 19:36
  • NAT is good at hiding network interfaces and ports of the internal machine(s), and nothing more. And this is a side effect of NAT; any sane firewall should do the same. The "good" traffic still has to pass the whole chain of devices. And something "bad" can always mimic "good". – fraxinus Nov 28 '20 at 20:24
  • NAT does not change anything. If someone attacks any router of the chain and can replace DNS responses (they are clear text), the entire traffic is compromised. The attacker can change SMTP traffic, POP/IMAP traffic, can sniff FTP/Telnet credentials... And NAT does nothing to protect him. – ThoriumBR Nov 28 '20 at 22:21
  • Good answer. In other words, multiple routers increase the size of the [attack surface](https://en.wikipedia.org/wiki/Attack_surface). – John Wu Nov 29 '20 at 06:52
  • @ThoriumBR - Yes, but how can an attacker attack "any router of the chain" if the previous ones are uncompromised? There's just no way he can connect to the "router in the middle", let alone try to mount any attacks. – Vilx- Nov 29 '20 at 12:28
  • No way to connect to, say, RtLvl3? Send the user to a page with javascript that makes requests to `192.168.3.1` and RtLvl3 will respond. The attacker can attack each one directly, but the attacker would need the IP of each router. Hard, but not impossible: if the attacker can execute code on the PC, a `traceroute` will show him the IP of each one. – ThoriumBR Nov 29 '20 at 14:26
  • Agreed - if someone made a design/implementation decision error and configured all the devices (eg, allowing RDP in from the internet on 3389/tcp or ssh on 22/tcp), then more layers doesn't do anything. And if there's a user whose password is guessable (*looking at you Rob*) then no amount of layers adds anything. – Criggie Nov 29 '20 at 21:17
  • @DuncanXSimpson NAT in almost no way enhances security. It might seem to provide some security through obscurity, but history has shown time and again that obscurity is no security at all. The fact that the computer itself doesn't have a public IP is literally the smallest possible amount of network security that there is. – Todd Wilcox Nov 29 '20 at 22:29
  • You're all technically right - I should have said a firewall that is set up with a default deny inbound policy. This answer seems to only be true if each router does not block inbound packets that aren't ESTABLISHED or RELATED. – Dessa Simpson Nov 29 '20 at 22:34
  • To clarify further: At minimum it's not worse security wise because compromising router lvlN requires compromising router lvlN-1 to even get access to lvlN. – Dessa Simpson Nov 29 '20 at 22:37
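The "from inside" step the answer describes (run traceroute on the PC to learn every hop, then talk to each hop directly), as an added example that is not ThoriumBR's code: `parse_traceroute` pulls the hop addresses out of traceroute output, and `probe_tcp`/`scan_hops` attempt a TCP connection to typical router management ports on each hop. The traceroute text is constructed from the question's diagram (not real output), the port list is an assumption, and `demo_local` is an offline self-check against loopback so the block runs without the six routers.

```python
"""Added example (not ThoriumBR's code): what code running on the PC at the
end of the chain can learn.  From the PC every router's LAN-side address is
on the outbound path, so each one can be reached directly; NAT on the
intermediate hops does not get in the way, because these packets leave the
PC as ordinary outbound traffic."""
import re
import socket
from typing import Dict, List, Tuple

# Constructed from the ASCII diagram in the question, not real output: the
# PC's gateway is Router 6's LAN side, then each upstream router's LAN side.
SAMPLE_TRACEROUTE = """\
traceroute to 203.0.113.1 (203.0.113.1), 30 hops max, 60 byte packets
 1  192.168.6.1 (192.168.6.1)  0.412 ms  0.389 ms  0.371 ms
 2  192.168.5.1 (192.168.5.1)  1.102 ms  1.087 ms  1.070 ms
 3  192.168.4.1 (192.168.4.1)  1.955 ms  1.940 ms  1.923 ms
 4  192.168.3.1 (192.168.3.1)  2.810 ms  2.795 ms  2.779 ms
 5  192.168.2.1 (192.168.2.1)  3.701 ms  3.688 ms  3.671 ms
 6  192.168.1.1 (192.168.1.1)  4.590 ms  4.576 ms  4.559 ms
 7  * * *
"""

# Ports where consumer routers usually expose an admin UI or shell
# (assumption; extend as needed).
ADMIN_PORTS = (22, 23, 80, 443, 8080)

# Hop number at the start of the line, first IPv4 literal anywhere after it
# (fits both the Linux/BSD traceroute and the Windows tracert layouts).
_HOP_RE = re.compile(r"^\s*(\d+)\s+.*?(\d{1,3}(?:\.\d{1,3}){3})")


def parse_traceroute(text: str) -> List[Tuple[int, str]]:
    """(hop number, IPv4) for every hop that answered; '* * *' hops are skipped."""
    hops: List[Tuple[int, str]] = []
    for line in text.splitlines():
        m = _HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), m.group(2)))
    return hops


def probe_tcp(host: str, port: int, timeout: float = 0.5) -> bool:
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan_hops(hops: List[Tuple[int, str]],
              ports: Tuple[int, ...] = ADMIN_PORTS,
              timeout: float = 0.5) -> Dict[str, List[int]]:
    """Map each hop address to the admin ports that accepted a connection."""
    return {ip: [p for p in ports if probe_tcp(ip, p, timeout)] for _, ip in hops}


def demo_local() -> Tuple[bool, bool]:
    """Offline self-check of probe_tcp: one listening loopback port, then the
    same port after the listener is closed.  Returns (True, False)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = probe_tcp("127.0.0.1", port)
    srv.close()
    after_close = probe_tcp("127.0.0.1", port)
    return while_open, after_close


if __name__ == "__main__":
    hops = parse_traceroute(SAMPLE_TRACEROUTE)
    print("routers visible from the PC:", [ip for _, ip in hops])
    print("loopback self-check (open, closed):", demo_local())
    # On a real chain: print(scan_hops(hops)) -- every hop is a LAN-side
    # target from the PC's point of view.
```

The same reachability holds for a page in the PC's browser: a request to `http://192.168.3.1/` leaves the PC as normal outbound traffic, and Router 3 sees it arrive on its own LAN side, where Router 4's WAN address is just another LAN client.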

It depends upon security from what?

If a typical single router is compromised, then what does the compromise do?

Generally this enables it to be used as a zombie attack platform that attributes back to you and not the attacker. It allows traffic redirection. Potentially it can be used as a platform to attack inside the network, but hopefully your computers are not wide open to unsolicited access even within your network. IoT (Internet of things) is a whole other discussion.

So in your case with multiple routers (assuming they are not all WiFi enabled), the first router LVL1 is subject to exactly the same attack space and misappropriation.

So the question becomes do the subsequent routers help or hurt?

Yes they may inhibit active internal network scans but that's about it. You'll already have a severe problem with LVL1 compromised.

They will also impact effective MTU values, reducing throughput slightly.

Some realtime bidirectional audio & video applications can experience problems with multiple levels of NAT.

Some reasons why you may desire multiple routers.

Your ISP maintains unrestricted access to their provided router. You may want a second router bridged from your first router to keep them out of your network.

You may want secondary or even tertiary WiFi access points to control network access for friends and neighbors.

user10216038

If all routers are in the same subnet, you are just increasing the attack surface and decreasing your security.

If all routers use NAT to route IPv4 traffic, you are marginally increasing the security. Only marginally because attacks against routers' firmware are uncommon.

If you allow IPv6 traffic, they marginally increase the security if they act as firewall. If however they are transparent to IPv6 traffic, they are just more targets, all accessible from internet. Once attacked, such a router could be used as platform for MitM attacks.

A. Hersean
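A small model of the chain, added here as an example that belongs to none of the answers, for the six routers in the question's diagram. It separates the three questions the thread keeps mixing up: unsolicited inbound traffic (the asker's threat model, and Dessa Simpson's NAT/default-deny point under ThoriumBR's answer) has to be let through by every hop, an all-of condition; tampering with the PC's traffic (ThoriumBR's MitM point) or reaching a router from the PC (the browser/traceroute point) needs only one hop, an any-of condition; and A. Hersean's IPv6 case above is the same all-of check with the filter switched off. The attribute names, the probability helpers and the 0.1 per-router figure are this example's own assumptions.

```python
"""Added example, not from any of the answers: a toy model of the six-router
chain that separates 'unsolicited traffic reaching the PC' (every hop must
let it through) from 'traffic being tampered with' and 'routers reachable
from the PC' (any single hop is enough).  Field names are this example's
own vocabulary."""
from dataclasses import dataclass
from typing import Dict, List, Sequence


@dataclass
class Router:
    name: str
    lan_ip: str                         # address its downstream side talks to
    compromised: bool = False           # attacker controls the firmware
    filters_ipv4_inbound: bool = True   # stateful NAT / default-deny inbound
    filters_ipv6_inbound: bool = True   # False = 'transparent to IPv6'

    def lets_unsolicited_in(self, family: str) -> bool:
        """A compromised hop forwards whatever its new owner wants; an intact
        hop blocks unsolicited inbound only if it filters that family."""
        if self.compromised:
            return True
        return not (self.filters_ipv4_inbound if family == "ipv4"
                    else self.filters_ipv6_inbound)


def diagram_chain(compromised: Sequence[str] = (), **router_kwargs) -> List[Router]:
    """Router 1 (Internet side) .. Router 6 (the PC's gateway), addresses as
    in the question's diagram; keyword args apply to every router."""
    return [Router(f"Router {i}", f"192.168.{i}.1",
                   compromised=f"Router {i}" in compromised, **router_kwargs)
            for i in range(1, 7)]


def unsolicited_inbound_reaches_pc(chain: List[Router], family: str = "ipv4") -> bool:
    """All-of: a packet from the Internet must be let through by EVERY hop."""
    return all(r.lets_unsolicited_in(family) for r in chain)


def mitm_possible(chain: List[Router]) -> bool:
    """Any-of: the PC's traffic crosses every hop, so one bad hop anywhere
    on the path can read, drop or rewrite it (DNS, plain SMTP/IMAP, FTP...)."""
    return any(r.compromised for r in chain)


def reachable_from_pc(chain: List[Router]) -> List[str]:
    """Any-of again, seen from the other end: a packet the PC (or a page in
    its browser) sends to 192.168.N.1 is ordinary outbound traffic at every
    hop below N and arrives at Router N on its own LAN side, where the
    downstream router's WAN address is just another LAN client.  Inbound
    filtering never applies, so every router is reachable."""
    return [r.lan_ip for r in chain]


def p_any_of(p: float, n: int) -> float:
    """P(at least one of n independent routers has an exploitable flaw)."""
    return 1 - (1 - p) ** n


def p_all_of(p: float, n: int) -> float:
    """P(all n of them do) -- the asker's mental model."""
    return p ** n


def assess(chain: List[Router]) -> Dict[str, object]:
    """The three questions, answered for one chain."""
    return {
        "unsolicited_ipv4_reaches_pc": unsolicited_inbound_reaches_pc(chain, "ipv4"),
        "unsolicited_ipv6_reaches_pc": unsolicited_inbound_reaches_pc(chain, "ipv6"),
        "mitm_possible": mitm_possible(chain),
        "routers_reachable_from_pc": reachable_from_pc(chain),
    }


if __name__ == "__main__":
    print("intact chain:          ", assess(diagram_chain()))
    print("Router 1 compromised:  ", assess(diagram_chain(compromised=["Router 1"])))
    print("IPv6 passed unfiltered:", assess(diagram_chain(filters_ipv6_inbound=False)))
    # Per-router flaw probability 0.1 is an illustrative number, not a measurement.
    print(f"any of 6 flawed: {p_any_of(0.1, 6):.3f}   all 6 flawed: {p_all_of(0.1, 6):.1e}")
```

With Router 1 compromised and the other five filtering, the model agrees with Dessa Simpson (an unsolicited IPv4 packet still does not reach the PC) and with ThoriumBR at the same time (MitM is already possible, and every router is reachable from the PC). With every router transparent to IPv6, the all-of check passes for IPv6 regardless of the IPv4 NAT, which is Hersean's case.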

I have seen this design once in a slide, to protect from government-level backdoors, but it was meant as a joke and had only 3 layers. More generally, it would be intuitive to use both a Huawei and a Cisco router so that each protects from US and Chinese backdoors, respectively.

The problem is both with chaining (as others have shown, it makes the design worse) and with the protection that a router can provide.

I think that the main problem here is the concept of hacking your PC. The word hacking, or more correctly cracking, is so broad that it's not fully applicable here.

While the question was phrased as "getting to my PC", I interpret that the OP's question, under the scope of security, was probably about hacking into the PC.

A malicious router can, at any time, interrupt, divert or generate traffic. As others illustrated, having a daisy chain of 6 routers not only extends the attack surface (by maliciously putting one router offline, you are offline). Not only that: if one of the 6 routers' power cords fails, you are offline as well!!!

In order to hack your PC from the network, an attacker must use a vulnerability in your PC (hardware, OS or application) and exploit it from the LAN. A single NAT prevents your PC from being accessed from the outside. But if you use the routers as 6 NATs, each adding a layer of IP rewriting, you are electing the last node as the attack target. If there is a backdoor allowing an attacker to gain control and send traffic from within your LAN, that router has to be compromised. You have a 1/6 probability of picking the malicious one, depending on the order in which you chain the routers.

Also, as others have explained, traffic can be diverted (MitM) by just any of the routers. Let's use the maths of "Among us" game: if one router is the impostor and you randomly choose who will route your traffic, you have a 1/6 odds to pick the impostor. If you choose all, you will have an impostor in your network to bust.

Note that plain routers don't have ways to prevent attacks. You need an intrusion detector that can analyse traffic and detect anomalous patterns. Some corporate appliances employ this technology.

In conclusion, I think that the question is not asked correctly because you are not asking yourself correctly about the attack perimeter. But I understand this question was asked for sake of curiosity.

usr-local-ΕΨΗΕΛΩΝ

> So instead of having only one target, the attacker can have six

By "teleporting" a packet to the internal routers?

If your first "Core" Router is well secured, it should block any attack from reaching your internal routers.

  • The use case and threat scenario has already been defined as "the first router is compromised". – schroeder Nov 28 '20 at 09:26
  • The job of a router is to route packets, even those that contain (most forms of) an attack. No teleportation is needed to reach the sixth router, just ask the first one nicely (by sending an IP packet targeted to the sixth). – ManfP Nov 29 '20 at 02:45