Router Security: IP Addresses
As you would expect, every computer on a network has a unique number. And, by "computer," I mean any computing device (phones, tablets, ROKU boxes, routers, Amazon Echos etc.). The unique numbers are called IP addresses and they are written as four decimal numbers separated by periods (rather than commas). A common IP address is 192.168.1.1. Each number can, technically, range from zero to 255.
Routers differ from other computing devices in that they have (at least) two IP addresses: a public one and a private one. The public side of a router is visible on the Internet. The public side is also referred to as the WAN or Wide Area Network side of the router. The router has no control over the public IP address; it is assigned by the ISP (Comcast, Verizon, Spectrum, etc.). The public IP address is not a secret and there are many websites that display it (ipchicken.com, checkip.dyndns.com and www.ip-adress.com/what-is-my-ip-address).
In contrast, the router has total control over the private side (a.k.a. LAN or Local Area Network) IP addresses, both for itself and for all the computing devices that connect to it.
The range of allowable LAN side IP addresses is called a subnet (as in sub-network, as in only use these few numbers of all the billions of possible numbers). A very common subnet is the range of addresses that start with 192.168.1 and vary only in the fourth and last number. This is often written as 192.168.1.x where the x is a placeholder for all the possible numbers in the fourth position (0 to 255).
These are the decisions that need to be made regarding LAN side IP addresses:
Every router has default values for all the above decisions and the defaults will, of course, work. Dealing with IP addresses and subnets is optional, but recommended for a few reasons.
For one, you will be a bit safer by not using the defaults. This is because some malware targets routers by their default IP address. Also, some devices on the Local Area Network work best with a fixed, permanent IP address and the defaults for your router may not allow for any fixed IP addresses. Using a subnet that is off the beaten path can also come in handy for VPNs. If, someday in the future, you set up a site-to-site VPN, having each site use its own subnet is cleaner and easier. And, should you ever want or need to plug a router into another router (which I suggest when setting up a new router for the first time), it will not work well if each router uses the same subnet.
The downside to configuring IP addresses and subnets is that a mistake can totally screw things up. So, the four decisions mentioned above (and detailed below) are best done early in the game. This way, if the change screws things up, the router can be reset without losing any other configuration changes you may have made.
So, using the subnet 192.168.200.x as opposed to 192.168.1.x makes you safer because no router uses subnet 192.168.200.x by default.
Many, if not most, routers use the 192.168.0.x, 192.168.1.x or 192.168.2.x subnets. Why the devotion to 192.168?
Some IP addresses are not allowed on the public Internet; they are reserved for internal use only. That is, you can, and should, use them in your home or office. IP addresses that start with 192.168 are on this reserved list. So too are all IP addresses that start with 10.
You will never find any IP address on the public Internet that starts with either a 10 or with 192.168. Meanwhile, every home in the world can use the 192.168.1.x subnet without a problem.
If you prefer 192.168, then avoid the subnets that other devices default to. That is, avoid networks where the third number is 0, 1, 2, 3, 5 (used by Hawking), 8 (used by GLi), 9 (used by Gryphon), 10, 11, 19 (used by Anonabox), 50 (used by Peplink), 55 (used by Luma), 72 (used by Asus Lyra), 85 and 86 (used by Google routers), 88 (used by MikroTik), 100 (used by assorted cable modems) and 178 (used by FRITZ!Box). If you know of others, please send me an email. In September 2018, malware was found looking for routers on the 0, 1, 2, 15, 25 and 100 subnets, a good reason to avoid them. Some good subnets would be 192.168.68.x or 192.168.77.x or 192.168.200.x.
If you prefer IP addresses starting with 10, then the subnets to avoid are 10.0.0.x (Netgear), 10.0.1.x, 10.1.1.x and 10.10.10.x (used by HooToo in their HT-TM05 TripMate Titan Wi-Fi sharing device). Some easy to remember networks would be 10.11.12.x and 10.20.30.x. That said, easy to remember should not be a priority, security should be. So, something that no one would guess, like 10.43.27.x is better. If you live at 123 Main Street, then 10.123.123.x is a great choice.
Hand in hand with picking a subnet is the concept of a subnet mask. The mask is what defines your subnet to the router.
A subnet of 192.168.200.x means that all devices on the network will have IP addresses that start with 192.168.200. In this case, the subnet mask is 255.255.255.0. The 255 means that that part of the IP address is part of the subnet, the 0 means that part is not. So, in English, 255.255.255.0 means that the first three numbers are being used to define the subnet. Not that you need to know this, but this mask is 24 binary ones, followed by 8 binary zeros.
The image above shows how you define the subnet for an Asus router. The subnet mask goes hand in hand with assigning the router an IP address (our next topic below).
IP addresses that start with 10 default to a different subnet scheme. Here, the subnet is defined simply by the first number. A subnet mask of 255.0.0.0 indicates this. That said, unless your network needs to accommodate more than 250 devices, you are probably better off using the first three numbers to indicate the subnet. So, again, a subnet mask of 255.255.255.0 indicates that the first three numbers will all be the same on your network, even though the first number is a 10. As noted above, in the list of 10.x.x.x networks to avoid, Netgear and HooToo are doing this.
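To make the role of the mask concrete, here is an added example (not from the original page) that ANDs an address with its mask to get the subnet, and checks whether two LANs overlap, which is the router-behind-router and site-to-site VPN problem mentioned earlier. The function names and sample addresses are constructed for illustration.

```python
import ipaddress


def mask_bits(mask):
    """Dotted subnet mask as a 32-character string of binary digits."""
    return format(int(ipaddress.IPv4Address(mask)), "032b")


def subnet_of(address, mask):
    """AND the address with the mask: the 1 bits pick out the subnet part."""
    bits = mask_bits(mask)
    if "01" in bits:  # a valid mask is all ones followed by all zeros
        raise ValueError(f"{mask} is not a valid subnet mask")
    network = int(ipaddress.IPv4Address(address)) & int(ipaddress.IPv4Address(mask))
    return ipaddress.IPv4Network((network, bits.count("1")))


def device_slots(network):
    """Addresses left for devices; the first and last of a subnet are reserved."""
    return network.num_addresses - 2


def lans_collide(lan_a, lan_b):
    """True when two (router address, mask) pairs describe overlapping subnets."""
    return subnet_of(*lan_a).overlaps(subnet_of(*lan_b))


if __name__ == "__main__":
    # Constructed sample values, using subnets mentioned in the text.
    for addr, mask in [("192.168.200.37", "255.255.255.0"),
                       ("10.43.27.5", "255.0.0.0"),
                       ("10.43.27.5", "255.255.255.0")]:
        net = subnet_of(addr, mask)
        print(f"{addr} mask {mask} ({mask_bits(mask)}) -> {net}, "
              f"{device_slots(net)} device addresses")
    # Two routers left on the same default subnet collide when chained or
    # joined by a site-to-site VPN; a 10.x LAN with mask 255.0.0.0 collides
    # with every other 10.x LAN.
    print(lans_collide(("192.168.1.1", "255.255.255.0"), ("192.168.1.1", "255.255.255.0")))
    print(lans_collide(("10.0.0.1", "255.0.0.0"), ("10.43.27.2", "255.255.255.0")))
    print(lans_collide(("192.168.1.1", "255.255.255.0"), ("192.168.200.2", "255.255.255.0")))
```

Note the second collision check: a 10.x network left on the 255.0.0.0 mask overlaps every 10.x subnet, which is another reason to prefer 255.255.255.0.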
Along the same line, within a given subnet, routers are usually assigned the number 1. There is no technical requirement for this, it's just a custom. Thus, on the 192.168.1.x subnet, the router will almost always be assigned 192.168.1.1. Likewise, on the 192.168.200.x subnet, the router is likely to be 192.168.200.1.
Here too, this custom makes it easier for malware to find the router, so you are a bit safer if your router is not the number 1 device.
Regardless of the subnet, everyone is in the habit of assigning their router an IP address that ends with 1. On the 192.168.1.x subnet, for example, you will, almost always, find that the router is assigned to 192.168.1.1. As noted above, this is a custom rather than a technical requirement and you will be safer by not following the crowd. For example, in September 2018, malware was found targeting routers on 7 different subnets, but in each case it assumed the router's IP address ended in 1.
The second most popular default IP addresses for routers end with 254 as shown in this Dec. 2017 article: A List of Common Default Router IP Addresses. So, 254 is out too.
Zero often has a special meaning when it comes to computer networks, so it is best not to use zero either. That leaves 2 through 253.
But, Trend Micro says not to use IP addresses ending in 100 or 254 for the router. See Protecting Home Networks: Start by Securing the Router May 18, 2017.
What, specifically, to do?
You get the most flexibility by using either a very low (2,3,4) or very high (251,252,253) number. I normally opt for low, admittedly out of habit.
But, just as choosing a subnet required knowing about subnet masks, changing the router's IP address requires knowing about DHCP.
Computing devices that connect to a router get their IP address either statically or dynamically. Static means that the computing device has been pre-configured to always use one specific IP address. A router always has a static IP address on your network. Dynamic is the norm. The problems with static are: it takes more expertise to set up, not all devices support static IP addresses and it doesn't travel well (an IP address that works with one subnet will not be valid on another subnet).
The thing (really a protocol) for giving out dynamic IP addresses is DHCP. I mention it here because changing the IP address of the router impacts the available IP addresses that DHCP can use.
In the picture below, from the same Asus router as above, we see that DHCP will give out IP addresses from 192.168.1.2 through 192.168.1.254. Considering that the router is statically assigned to 192.168.1.1, DHCP is using every possible IP address. In theory, this router could talk to 252 concurrent devices. The Lease Time refers to how long a computing device can use its dynamic IP address before it has to go back to the router and ask for another one.
The point to all this is that if you change the IP address of the router, it will impact the pool of IP addresses that DHCP can use. If, for example, the router were assigned to 192.168.1.3, and no change was made to DHCP, then it's possible that DHCP would give 192.168.1.3 to an iPhone. That would be bad. IP addresses have to be unique on any given subnet.
My experience has been that most routers were smart enough to adjust the DHCP range on their own, when I modified the router IP address. Still, if you do change the router IP address, be sure to verify that the new address is not also in the range used by DHCP.
On a related note, there are some devices that should use a static IP address. Two that come to mind are a NAS (Network Attached Storage) and a network printer. I always like to keep some IP addresses away from DHCP so they can, in the future, be statically assigned to something. To pull this all together, consider a router at 192.168.200.2 and DHCP giving out 192.168.200.10 through 192.168.200.250. This leaves a few IP addresses for static use.
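The checks described in this section can be run against a planned configuration before touching the router. The following is an added example, not from the original page: the function name and finding texts are made up for illustration, while the lists of subnets and final numbers to avoid are copied from the text above.

```python
import ipaddress

# Subnets the text says to avoid: vendor defaults plus the September 2018
# malware targets (192.168.N.x), and the listed 10.x defaults.
AVOID = [ipaddress.ip_network(f"192.168.{n}.0/24") for n in
         (0, 1, 2, 3, 5, 8, 9, 10, 11, 15, 19, 25, 50, 55, 72, 85, 86, 88, 100, 178)]
AVOID += [ipaddress.ip_network(n) for n in
          ("10.0.0.0/24", "10.0.1.0/24", "10.1.1.0/24", "10.10.10.0/24")]
RESERVED = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
RISKY_LAST = {0, 1, 100, 254}  # final numbers the text rules out for the router


def audit_lan_plan(router, mask, dhcp_first, dhcp_last):
    """Return (findings, static_free) for a planned router and DHCP setup."""
    iface = ipaddress.ip_interface(f"{router}/{mask}")
    net, rtr = iface.network, iface.ip
    first, last = ipaddress.ip_address(dhcp_first), ipaddress.ip_address(dhcp_last)
    findings = []
    if not any(rtr in r for r in RESERVED):
        findings.append(f"{rtr} is outside the reserved 10.x and 192.168.x ranges")
    if any(net.overlaps(a) for a in AVOID):
        findings.append(f"subnet {net} covers a commonly used default subnet")
    if rtr.packed[-1] in RISKY_LAST:
        findings.append(f"router address ends in {rtr.packed[-1]}")
    if rtr in (net.network_address, net.broadcast_address):
        findings.append(f"{rtr} is a reserved address of {net}, not a device address")
        return findings, None
    if first > last or first not in net or last not in net:
        findings.append("DHCP range is reversed or outside the subnet")
        return findings, None
    if first <= rtr <= last:
        findings.append(f"DHCP pool includes the router address {rtr}")
    # Device addresses left for static use: not reserved (first and last of
    # the subnet), not the router, not inside the DHCP pool.
    lo = max(int(first), int(net.network_address) + 1)
    hi = min(int(last), int(net.broadcast_address) - 1)
    router_outside_pool = 0 if first <= rtr <= last else 1
    return findings, net.num_addresses - 2 - (hi - lo + 1) - router_outside_pool


if __name__ == "__main__":
    plans = {  # constructed plans based on the addresses used in the text
        "plan from the text": ("192.168.200.2", "255.255.255.0", "192.168.200.10", "192.168.200.250"),
        "router default": ("192.168.1.1", "255.255.255.0", "192.168.1.2", "192.168.1.254"),
        "moved router, stale DHCP": ("192.168.1.3", "255.255.255.0", "192.168.1.2", "192.168.1.254"),
    }
    for name, plan in plans.items():
        print(name, audit_lan_plan(*plan))
```

An empty findings list with a non-zero count of free static addresses is the result to aim for.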
That said, there is a facility for making a dynamic IP address non-dynamic but that's not a security issue in any way.
Using a non-standard subnet and assigning the router a non-standard IP address makes your network safer, but it is not a perfect defense.
For one thing, a service called WebRTC, that runs inside a browser, can leak the internal IP address of the router. The Test your Router page has links to a number of online tester pages that report whether WebRTC is enabled in your web browser. If you don't use WebRTC, then you will be safer having it disabled in every web browser that you use. Many of the tester pages have instructions for disabling it. The uBlock Origin browser extension can disable WebRTC, but does not disable it by default.
All that said, should bad guys learn the LAN side IP address of the router, there are still many ways to keep them from interacting with the router. Not using a default password goes without saying, but assorted routers have other defenses such as limiting access to Ethernet connected devices, limiting access by IP address and more. A list of these other defenses is on the Security Checklist page in the LOCAL ADMINISTRATION section.
One example of this is a bug in D-Link routers that was reported in January 2015 (DNS hijacking flaw affects D-Link DSL router, possibly other devices). Quoting:
"A vulnerability found in a DSL router model from D-Link allows remote hackers to change its DNS (Domain Name System) settings and hijack users' traffic ... Attackers don't need to have access credentials for the affected devices in order to exploit the vulnerability, but do need to be able to reach their Web-based administration interfaces ... Rogue code loaded from a website can instruct a browser to send specially crafted HTTP requests to LAN IP addresses that are usually associated with routers."
The critical point is that using the same LAN IP addresses that everyone else does makes you more vulnerable to certain types of attacks.
The March 2017 WikiLeaks data dump, Vault 7: CIA Hacking Tools Revealed, included a page called JQJDISRUPT - WAG200G that discussed hacking a Linksys router. Of a particular attack, a CIA employee wrote: "it was determined that puppetmon.py was not going to work to get Cannoli on the Linksys target. When running puppetmon.py it eventually always returns errors. User xxx advised that it would only work if the target was in the 192.168.x.x space." The same page describes another attack that only worked if the router's IP address was 192.168.1.1.
Other attacks that need to know (or guess) the internal IP address of the router: