Router Security: IP Addresses
As you would expect, every computer on a network has a unique number. And, by "computer," I mean any computing device (phones, tablets, ROKU boxes, routers, Amazon Echos etc.). The unique numbers are called IP addresses and they are written as four decimal numbers separated by periods (rather than commas). A common IP address is 192.168.1.1. Each number can, technically, range from zero to 255.
Routers differ from other computing devices in that they have (at least) two IP addresses: a public one and a private one. The public side of a router is visible on the Internet. The public side is also referred to as the WAN or Wide Area Network side of the router. The router has no control over the public IP address; it is assigned by the ISP (Comcast, Verizon, Spectrum, etc.). The public IP address is not a secret and there are many websites that display it (ipchicken.com, checkip.dyndns.com and www.ip-adress.com/what-is-my-ip-address).
In contrast, the router has total control over the private side (a.k.a. LAN or Local Area Network) IP addresses, both for itself and for all the computing devices that connect to it.
The range of allowable LAN side IP addresses is called a subnet (as in sub-network, as in only use these few numbers of all the billions of possible numbers). A very common subnet is the range of numbers that start with 192.168.1 and only vary in the fourth and last number. This is often written as 192.168.1.x where the x is a placeholder for all the possible numbers in the fourth position (0 to 255).
These are the decisions that need to be made regarding LAN side IP addresses:
Every router has default values for the three decisions above and the defaults will, of course, work. Dealing with IP addresses and subnets is optional, but recommended for a few reasons.
For one, you will be a bit safer by not using the defaults. This is because some malware targets routers by their default IP address. Also, some devices on the Local Area Network work best with a fixed, permanent IP address and the defaults for your router may not allow for any fixed IP addresses. Using a subnet that is off the beaten path can also come in handy for VPNs. If, someday in the future, you set up a site to site VPN, having each site use its own subnet is cleaner and easier. And, should you ever want or need to plug a router into another router (which I suggest when setting up a new router for the first time), it will not work well if each router uses the same subnet.
The downside to configuring IP addresses and subnets is that a mistake can totally screw things up. So, the four decisions mentioned above (and detailed below) are best done early in the game. This way, if the change screws things up, the router can be reset without losing any other configuration changes you may have made.
The first decision is the subnet, which specifies the range of allowable IP addresses on the LAN. This range also determines the maximum number of devices that can connect to the router. For most people, most of the time, a range that allows for 250 connected devices should be sufficient. Pretty much every home router uses a subnet that supports a maximum of 250 (give or take) connected devices.
A subnet that allows for 250 devices is specified with the first three of the four numbers in an IP address, with an x serving as a wildcard for the fourth. For example, 192.168.0.x, 192.168.1.x and 192.168.2.x are very popular subnets. Because they are popular, they are best avoided. Using a subnet such as 192.168.200.x makes you safer because no router uses subnet 192.168.200.x by default.
Why the devotion to subnets that start with 192.168?
Some IP addresses are not allowed on the public Internet; they are reserved for internal (LAN side) use only. That is, you can, and should, use them in your home or office. IP addresses that start with 192.168 are on this reserved list. So too are all IP addresses that start with 10. You will never find any IP address on the public Internet that starts with either a 10 or with 192.168. Meanwhile, every home in the world can use the 192.168.1.x subnet without a problem.
Whether you opt for a subnet that starts with 192.168 or one that starts with 10, it is best to avoid subnets used by other devices.
If you prefer 192.168, then avoid networks where the third number is 0, 1, 2, 3 (Amped Wireless, Huawei), 4 (Zoom), 5 (used by Hawking), 7 (Eero), 8 (used by GLi and Huawei), 9 (Gryphon), 10 (Motorola, NetComm), 11 (Buffalo), 15 (D-Link, Linksys), 16 (Linksys), 19 (Anonabox), 20 (Motorola, NetComm), 30 (Motorola), 50 (Peplink), 55 (Luma), 62 (Motorola), 72 (Asus Lyra), 85 and 86 (Google), 88 (used by MikroTik), 100 (used by assorted cable modems and Huawei), 102 (Motorola), 121 (Ubiquiti Alien router), 123 (LevelOne, Sitecom), 168 (Sonicwall), 178 (used by FRITZ!Box), 218 (Firewalla), 223 (Trendnet), and 254 (D-Link, Actiontec).
In September 2018, malware was found looking for routers on the 192.168.0.x, 192.168.1.x, 192.168.2.x, 192.168.15.x, 192.168.25.x and 192.168.100.x subnets, an extra good reason to avoid them.
If you prefer IP addresses starting with 10, then the subnets to avoid are 10.0.0.x (Netgear, Asus, Cisco, 2Wire, etc.), 10.0.1.x (Apple), 10.1.1.x (Belkin, D-Link), 10.1.10.x (SMC), 10.10.1.x (Asus), 10.10.10.x (used by HooToo in their HT-TM05 TripMate Titan Wi-Fi sharing device) and 10.90.90.x (D-Link). Some easy-to-remember networks would be 10.11.12.x and 10.20.30.x. That said, easy to remember should not be a priority; security should be. So, something that no one would guess, like 10.43.27.x, is better. If you live at 123 Main Street, then 10.123.123.x is a great choice.
If you know of other subnets used by routers, please send me an email.
Hand in hand with picking a subnet is the concept of a subnet mask. The mask is what defines your subnet to the router. The bad news is that subnet masks are bit masks and thus much more confusing than necessary for non-techies. The good news is that almost every home network uses the same subnet mask, so we can skip the details.
A subnet of 192.168.200.x means that all devices on the network will have IP addresses that start with 192.168.200. It also means that the network cannot contain more than 255 devices. The highest and lowest IP addresses often have special meanings, so I would limit this subnet to 192.168.200.1 (avoiding zero) through 192.168.200.253 (skipping 254). Thus, a max of 253 concurrent devices, which is enough for almost everyone.
The subnet mask for any network where the first three numbers are the same is 255.255.255.0. The 255 means that that part of the IP address is part of the subnet, the 0 means that it is not. So, 255.255.255.0 means that the first three numbers are being used to define the subnet. A subnet mask of 255.255.255.0 is actually 24 binary ones, followed by 8 binary zeros.
The image above shows how you define the subnet for an Asus router. The subnet mask goes hand in hand with assigning the router an IP address (our next topic below).
The image above shows how to define the subnet for a Peplink/Pepwave router. The subnet mask comes into play both when defining the IP address for the router and when defining the DHCP range (more below). Note that after the subnet mask Peplink displays a slash followed by the number 24. This is nerd talk for the 24 binary ones that are the real subnet mask. For now, ignore the middle section about VLANs.
IP addresses that start with 10 default to a different subnet scheme. Here, the subnet is defined simply by the first number. A subnet mask of 255.0.0.0 indicates this. Any IP address that starts with 10 would be valid (10.1.2.3, 10.4.5.6, 10.199.198.197, etc.). This allows for over 16 million concurrent devices, which is a bit much for a home/consumer router to deal with.
But, there is no need to use the default. Unless your network needs to accommodate more than 253 concurrent devices, you are better off using the first three numbers to indicate the subnet, even when your IP addresses start with 10. So, again, a subnet mask of 255.255.255.0 indicates that the first three numbers will all be the same on your network.
Within a given subnet, routers are usually assigned the number 1. There is no technical requirement for this, it's just a custom. Thus, on the 192.168.1.x subnet, the router will almost always be assigned 192.168.1.1. Likewise, on the 192.168.200.x subnet, the router is likely to be 192.168.200.1.
Here too, this custom makes it easier for malware to find the router, so you are a bit safer if your router is not the number 1 device.
For example, in September 2018, malware was found targeting routers on 7 different subnets, but in each case it assumed the router's IP address ended in 1.
The second most popular IP address for a router is one that ends with 254, as shown in this Dec. 2017 article: A List of Common Default Router IP Addresses. So, 254 is out too.
Zero often has a special meaning when it comes to computer networks, so it is best not to use zero either. That leaves 2 through 253.
But, Trend Micro says not to use IP addresses ending in 100 for the router. See Protecting Home Networks: Start by Securing the Router May 18, 2017.
So, what to do?
You get the most flexibility by using either a very low (2,3,4) or very high (251,252,253) number.
But, just as choosing a subnet required knowing about subnet masks, changing the router's IP address requires knowing about DHCP.
Computing devices that connect to a router get their IP address either statically or dynamically. Static means that the computing device has been pre-configured to always use one specific IP address. A router, for example, always has a static IP address. Dynamically assigned IP addresses are the norm. The problems with static IP addresses are: they take more expertise to set up, not all devices support them, and they don't travel well (an IP address that is valid on one subnet will not be valid on another subnet).
The protocol for giving out (and taking back) dynamic IP addresses is DHCP (Dynamic Host Configuration Protocol; the D is for Dynamic, the P is for Protocol). I mention it here because changing the IP address of the router impacts the available IP addresses that DHCP can hand out.
In the picture above, from the same Asus router as before, we see that DHCP will give out IP addresses from 192.168.1.2 through 192.168.1.254. Considering that the router is statically assigned to 192.168.1.1, DHCP is using every possible IP address. In theory, this router could talk to 252 concurrent devices.
The Lease Time refers to how long a computing device can use its dynamic IP address before it has to go back to the router and ask for another one. 24 hours is a common default lease time. Asus routers make you specify the time in seconds. Peplink is easier: as seen in the earlier screen shot above, you can specify the lease time in days, hours and minutes.
The point to all this is that if you change the IP address of the router, it will impact the pool of IP addresses that DHCP can use. If, for example, the Asus router in these screen shots were assigned to 192.168.1.3, and no change was made to DHCP, then it's possible that DHCP would give 192.168.1.3 to an iPhone. That would be really bad. IP addresses have to be unique on any given subnet. My experience has been that most routers were smart enough to automatically adjust the DHCP range on their own, when I modified the router IP address. Still, if you do change the router IP address, be sure to verify that the new address is not also in the range used by DHCP.
As we see in these screen shots, the Asus router defaults to assigning every possible IP address to the DHCP server to be given out (leased) to computing devices that connect to the router. This is not the best approach. Some devices work better with static IP addresses, so it is best to set aside a few IP addresses for that purpose. In the Peplink screen shot above we see that DHCP can only use 192.168.200.10 through 192.168.200.211. The remaining IP addresses can be statically/permanently assigned.
Two devices that should have a static IP address are a NAS (Network Attached Storage) and a network printer.
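The subnet mask arithmetic described earlier and the router-inside-the-DHCP-pool mistake just described can both be checked mechanically. The following is an added example, not code from this site or from any router vendor; the vendor-default subnet lists are copied from the two lists above (assumed incomplete), and the problem codes it returns are my own names.

```python
import ipaddress

# Vendor-default LAN subnets from the page's lists (assumption: not exhaustive).
DEFAULT_192_168_THIRD_OCTETS = {
    0, 1, 2, 3, 4, 5, 7, 8, 9, 10, 11, 15, 16, 19, 20, 30, 50, 55, 62, 72,
    85, 86, 88, 100, 102, 121, 123, 168, 178, 218, 223, 254,
}
DEFAULT_10_SUBNETS = {
    "10.0.0.0/24", "10.0.1.0/24", "10.1.1.0/24", "10.1.10.0/24",
    "10.10.1.0/24", "10.10.10.0/24", "10.90.90.0/24",
}


def mask_to_prefix(mask):
    """Dotted mask to CIDR prefix length: '255.255.255.0' -> 24 (Peplink's '/24')."""
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen


def check_lan_plan(router_ip, mask, dhcp_start, dhcp_end):
    """Return a list of problem codes for a proposed LAN layout (empty = fine)."""
    problems = []
    net = ipaddress.IPv4Interface(f"{router_ip}/{mask}").network
    router = ipaddress.IPv4Address(router_ip)
    first = ipaddress.IPv4Address(dhcp_start)
    last = ipaddress.IPv4Address(dhcp_end)
    octets = router.packed  # the four numbers of the router address as bytes

    if not net.is_private:
        problems.append("not-reserved-for-lan-use")
    # A mask wider than 255.255.255.0 allows far more than 253 devices.
    if net.prefixlen < 24:
        problems.append("wide-mask")
    # Vendor-default subnets are what IP-guessing malware tries first.
    if (octets[0], octets[1]) == (192, 168) and net.prefixlen == 24 \
            and octets[2] in DEFAULT_192_168_THIRD_OCTETS:
        problems.append("default-subnet")
    if str(net) in DEFAULT_10_SUBNETS:
        problems.append("default-subnet")
    # Host numbers 1 and 254 are the common router defaults; 0 and the broadcast
    # address are not valid hosts; 100 is the number Trend Micro advises against.
    if router in (net.network_address, net.broadcast_address):
        problems.append("router-not-a-host-address")
    if octets[3] in (1, 254):
        problems.append("default-router-number")
    elif octets[3] == 100:
        problems.append("router-number-100")
    # The DHCP pool must lie inside the subnet and must not include the router.
    if first not in net or last not in net or first > last:
        problems.append("dhcp-range-outside-subnet")
    elif first <= router <= last:
        problems.append("router-inside-dhcp-range")
    return problems
```

Feeding it the Asus defaults from the screen shots flags both the popular subnet and the router number 1, while the Peplink layout (192.168.200.x, DHCP .10 through .211, router outside that pool) comes back clean.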
Using a non-standard subnet and assigning the router a non-standard IP address makes your network safer, but it is not a perfect defense.
For one thing, a service called WebRTC, that runs inside a browser, can leak the internal IP address of the router. The Test your Router page has links to a number of online tester pages that report whether WebRTC is enabled in your web browser. If you don't use WebRTC, then you will be safer having it disabled in every web browser that you use. Many of the tester pages have instructions for disabling it. The uBlock Origin browser extension can disable WebRTC, but does not disable it by default.
All that said, should bad guys learn the LAN side IP address of the router, there are still many ways to keep them from interacting with the router. Not using a default password goes without saying, but assorted routers have other defenses such as limiting access to Ethernet connected devices, limiting access by IP address and more. A list of these other defenses is on the Security Checklist page in the LOCAL ADMINISTRATION section.
One example of a router attack that depended on its IP address is a bug in D-Link routers that was reported in January 2015 (DNS hijacking flaw affects D-Link DSL router, possibly other devices). Quoting:
"A vulnerability found in a DSL router model from D-Link allows remote hackers to change its DNS (Domain Name System) settings and hijack users' traffic ... Attackers don't need to have access credentials for the affected devices in order to exploit the vulnerability, but do need to be able to reach their Web-based administration interfaces ... Rogue code loaded from a website can instruct a browser to send specially crafted HTTP requests to LAN IP addresses that are usually associated with routers."
The critical point being that using the same LAN IP addresses that everyone else does, makes you more vulnerable to certain types of attacks.
The March 2017 WikiLeaks data dump, Vault 7: CIA Hacking Tools Revealed, included a page called JQJDISRUPT - WAG200G that discussed hacking a Linksys router. Of a particular attack, a CIA employee wrote: "it was determined that puppetmon.py was not going to work to get Cannoli on the Linksys target. When running puppetmon.py it eventually always returns errors. User xxx advised that it would only work if the target was in the 192.168.x.x space." The same page describes another attack that only worked if the router's IP address was 192.168.1.1.
Other attacks that need to know (or guess) the internal IP address of the router: