CERT Finds Routers Increasingly Being Cracked
alteran writes "CERT has released a paper (PDF) analyzing changes in DOS attack methods. The new twist: crackers are increasingly getting into routers rather than servers and home PCs. The volume of noise a router could generate absolutely dwarfs what a computer could do. And unlike compromised servers, compromised routers could actually screw up the infrastructure of the Internet, not just blast people with packets. Worst of all, router administrators appear to be even sloppier than their server counterparts in securing their machines."
to all our routers. Then all our routers would belong to us!
What if...
;)
Microsoft Made Routers?
"Anybody who tells me I can't use a program because it's not open source, go suck on rms. I'm not interested." (LT 2004)
Tripwire makes Tripwire for Routers - Tripwire has been in the business of ensuring integrity for your systems for some time. They even make the Open-Source version of Tripwire for Servers, Web Pages (Apache) and have a Linux-capable Tripwire Manager (management system for reports) available as well. Definitely worthy of investigation.
P.S. - I don't work for Tripwire, but I do like their products. 8-)
All Ad hominem replies happily ignored as the sender shall be deemed to lack the faculties to comprehend the equation.
Well, that's what they get for using DOS as the OS for their routers. Sheeeesh!! Some people will never learn!
Co-founder and designer at Music Nearby: http://musicnearby.com
Sorry, I've just always wanted to do that. Impulses got the better of me. Feel free to mod it down.
I could send this story to the guy who's in charge of security where I work. But he's my boss, and he already thinks I'm Mr. Knowitall...
Damn... If only he read /., what a crime...
My Karma was at 49, then they switched to words. All that work for nothing!
Imagine a Beowulf cluster of these!
Thanks in advance.
--Patrick Bateman, Esq.
We've had DOS attacks on our routers constantly for the past few months... Took the admins that long to figure out what the hell was happening to all the bandwidth.
:)
and even longer to figure out who's doing it... lame admins heh..
and I'm supposed to care about this exactly why? Jesus, get a fucking life. Go out and get drunk or smoke marijuana, or drop acid or something. Huff paint thinner if you have to - but don't just sit there at your computer all day - go catch a buzz!
Cisco requires a service contract to upgrade your IOS. People like to use this as an excuse. What a lot of people don't know is that at the bottom of most Cisco security advisories there is a telephone number for you to call if you do not have a service contract. So stop using the 'I can't afford to pay for a service contract' excuse .
from the article:
Intruders had to work hard to deploy large DDoS attack networks; much work was done to avoid detection and compromise of deployed attack networks and to provide for easier maintenance.
OK, here's the dumb question: Who is working so hard? Kids on IRC???
Companies don't hire enough smart people to admin their network. They think that the guy who knows how to install Windows would be a good candidate for admining the network.
Most companies and the people that run them don't understand what it takes to properly set up and maintain a network.
I think this will/is changing though. The company I work for now takes the network seriously after they narrowly avoided a catastrophic data loss about a month ago. Now that backup solution I was bitching that we needed, has been purchased.
LoRider
The password for all of our routers is admin.
Not really, but it is on 75% of our clients' machines.
We don't actually administer our routers. Our company has some contract through UUnet and the router is actually property of UUnet; we don't even have the password to get in and administer it. So if it's compromised, the blame should be placed on UUnet even though the traffic will look like it's coming from our company.
Things you think are in the Constitution, but are not.
Home users are increasingly switching to broadband cable/DSL over slowmo phone co. lines. And home broadband routers like Linksys' are getting increasingly inexpensive; even wireless ones are approaching commodity pricing. What will be the fallout when there's a router in every home? Router Wars 2003?
Cisco charges for IOS updates, or requires than you have a CCIE on board to get them for you, and in some cases won't give you one at all without a support contract. This is why routers go unpatched, insecure, broken, whatever.. Someone needs to bitch at Cisco.. oh wait, several people have and they didn't care.. hmm.
I also forgot that lots of midrange routers that didn't sell well are now completely unsupported, so the companies who do have them are shit-out-of-luck, no IOS upgrades for you!
Why not just remove remote access from critical routers to begin with, and just have physical access to them? Unless your router is located in some unlocked janitors closet, it should be pretty safe from hijacking if remote access is disabled. But, everyone has to be lazy and have their remote access..somethings I can see, in some situations..but this is just lame.
Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
enable
password
config t
line vty 0 1
password 7 (insert password here)
^Z
wr mem
Oh yeah, real hard. 5 lines of commands is super difficult.
A large reason for all this security carelessness is that companies will hire the least expensive person "qualified" to do a job. Those qualifications generally being a buzzword or two on a resume. They will then load that person down with 5 to 10 times more work than he is even capable of, ensuring that there is no chance that the slightest hint of security will find its way into the company. Again, the CIO will never catch any flak for this; his choices probably made the company's stock go up in the short term.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
You're the fuckwit. Taco runs this site.
Kevin the coward
I'm not usually one to defend Slashdot editors, but I think his statement is valid, though he didn't properly clarify it.
The majority of DDOS attacks to date have relied on hackers breaking into many computers beforehand; often these are home computers (PCs) running over cable or DSL lines. Compared to that type of system, a commercial router (particularly one located close to a backbone) is capable of a hell of a lot more traffic generation.
Every so often when DDOS is discussed, there is mention that "someone" is acquiring DDOS resources and then "hiding" them and/or just not using them (yet). With the recent hijackings and now Anthrax, both surprises, is a massive DDOS attack in the works?? None of the DDOS network building discussions have talked about "who". Is there reason to have big worries about the internet right now?
A router IS a computer, you fuckwit. Usually a specialized computer with embedded software allowing it to route quickly and easily. But routers are also sometimes servers or desktops; the machine I am typing this on is a router/desktop/firewall.
br.
tsk tsk. the original poster was simply using common, ordinary terms instead of the more specific terms that you apparently require. perhaps he should have stated, "the volume of noise a specialized computer [read 'router'] could generate absolutely dwarfs what a general-purpose computer [read 'computer'] could do."
theo
--
Life is short; think quickly.
Because he's rather obviously referring with "computer" to "workstations and servers". Christ. Every time someone says "computer" and means "$300-plus piece of hardware", I don't say "but my calculator is a computer" just to be annoying.
I mean, we're all impressed that you know that by golly, a router "is a computer".
So the guy wasn't thinking. It doesn't in any way inhibit us from getting information from the post, taking context into mind. No reason for you to go postal.
Well, since I certainly don't want my little home router being a bane to everyone else out there (it's a cheapo Linksys; fire-resistant gear donned!) and all I want is for it to keep slinging data around my home's abundant supply of computers and out the wall, what could someone with a simple home system do to help make sure that their system doesn't become part of routerwarz02?
foosh.
Usually a specialized computer with embedded software allowing it to route quickly and easily.
Didn't you just re-enforce the original post? Maybe the original post could have been clarified by using "personal computer" instead of just "computer," but it was still an accurate statement.
R.
So your computer + 6 NICs == 1 commercial router.
What was your point again?
subject says it all
The volume of noise a router could generate absolutely dwarfs what a computer could do.
Of course, a router is a computer.
I guess this isn't surprising, since they've been targeting DSL and cable Windows boxes as platforms from which to launch DDoS attacks; moving up to the routers is, I suppose, the next logical step.
SecurityFocus.com has an article by Kevin Poulsen which addresses the issue. He talked to Kevin Houle of CERT. Here's an excerpt:
Good mfences make good neighbors.
Is probably going to be piss poor devices for dsl/cable modem users. Cisco has had real trouble with some of their 6xx series dsl devices. Having 1 million poorly thought out (security wise) $100 devices on decent sized connections (cable/dsl) is probably just as dangerous as having 10000 poorly thought out 10k routers.
We have seen what code red and nimda did to cable modem segments. Cable is somewhat limited with a 2 megabit upstream limit per segment, so the real risk is just the segment blowing itself up, but enough devices on enough 2 megabit segments really starts to add up.
Cable companies need to realize: rushing out crappy cable boxes with insecurities (say to steal extra $$$ channels) is a threat only from smart hackers, and a potential loss of revenue (you don't know if they would buy those channels). Rushing out crappy cable/dsl modems can bring down segments, losing $40 a head across all those customers for that month (while my openbsd firewall was mildly annoyed, nimda brought down my mediaone segment for three full days+ = free month)
ostiguy
This is an awesome Linux-based router solution that I've set up for clients in the past. Just like most OSS, whenever there's a vulnerability, they fix it fast, and you don't have to pay for a CCNE.
Astaro Security Linux
Just because I AM paranoid doesn't mean they're NOT out to get me.
Aside from the problem of default and backdoor passwords, there are huge numbers of devices deployed with SNMP enabled and configured with RO/RW community strings as public/private.
Any day now some crew will start distributing 'rootkit' firmware versions of IOS with zombie functionality in the binary.
When there is a critical security hole in IOS, Cisco has been very good about releasing IOS revisions with the fix even to customers without any Cisco service contract.
I do not deploy Linux. Ever.
This article is short on details about using routers for DDOS. I heard about only one hole in IOS which gives "root" access to the router: an exploit of the embedded http server. Nobody I know runs it on their boxes. There is a risk of admins as educated as people who have IIS running and don't know it, but I hope that most of them only have one low-end router on an ISDN link. By the way, is there a way to use a router for TCP or UDP based attacks? ICMP flood with root access should be easy.
Somewhere out in the matrix.......
"Subject Z-23 has just responded."
"Excellent, start the P0rn spam now."
Service guarantees Citizenship! Questions Guarantee GITMO.... Amerika Uber Alles!
The NSA has been saying this for a while now.
CERT has been saying this for a while now
Most CCNAs know just enough to get RIP running, and security in Cisco manuals doesn't go much beyond passwords and locking your telco closet. They do publish more extensive books on the subject, for a price of course.
I'm all for this; hopefully it'll force companies to pay more for qualified network engineers. As it stands right now they're paid 35k their first year out; that's pathetic for the amount of training required to put together large secure networks.
So... how much do you think the number of attacks on routers went up because of this post on slashdot? heh. I think CERT might need to revise their numbers now.
Cheers,
-Alex
you don't have much effect over how secured a Cable/DSL router is.. i have a Netgear RT314 and the most i can do is a bit of configuration and some firmware updates..
or is this specifically about bigger routers used by companies?
Personally I don't understand why they're doing it. When you attack a server or a host you hurt the server or the host. When you go after a router you affect all the servers and hosts on the network it covers, or if the router is connected to other routers it will bring down the connection between them. Now the part I don't understand is why do this if it affects them too?
And frankly I've had enough of the normal server-attacking DoS attacks. Since any "script kiddie" with a broadband connection or a few bots at his command can stage one, they're quite common and still a menace. In fact, as I'm writing this I'm getting attacked right now.
I'm just this guy, you know?
Tripwire provides you no added security to stop people from breaking into your system. All it will do is tell you if someone has broken in. And it's useless if you install it on a system that's been live for any period of time, since you can't guarantee that it wasn't cracked in the time that it was live.
Now Tripwire is good to have on a system, but it shouldn't be the sole security policy. It's a supplement, at best. Would you feel secure with no locks on your house but with a spiffy gadget that could tell you if someone had been inside? I wouldn't...
I think this criticism is a bit harsh. Under certain circumstances the statement is necessarily true, depending on how you interpret it.
A fully compromised router should be able to at least match, and probably almost always exceed, the capacity to cause problems for any machine upstream of it compared to any computer downstream of it, since any computer downstream of a router can't generate traffic any faster than that router can.
This is true as long as you make certain assumptions about how the router works, how computationally intensive the attack is, and the geometry of the network(*).
Also, the statement "A router IS a computer, you fuckwit" is inflammatory and pedantic. For the purposes of what we are talking about, a computer is something that traffic flows to and from, and a router is something traffic flows through. Everyone knows what he means, and the distinction is conceivably instructive; according to the article more DOS attacks are coming from things that are called routers. Lumping routers in with computers may be technically correct, but is not helpful. The aim of the article is to get out the message that the things commonly called routers are causing more DOS problems than things commonly called computers.
* E.g. assuming the router can do more than just copy traffic, that the attack doesn't require a lot of CPU to generate the data for the attack, and there aren't many paths between the attacker and the attackee.
The article seems to indicate the use of factory-installed passwords as the problem. There's nothing inherently more vulnerable about routers other than the fact that the people configuring them tend to think of them as peripherals (like a printer) rather than as computers.
That said, how often are Cisco routers vulnerable to this kind of attack? I've set up plenty of Cisco routers and if I'm not using a startup config borrowed from one of my other routers, I'm using the "setup" routine that prompts me for a password. Seems like most admins worthy of the title wouldn't use "password" as a password when prompted.
Though I guess they may be referring to the zillions of low-end Ciscos carelessly dropped into client-sites -- but those are supposed to be centrally managed, right?
Are there tools to detect changes made by crackers? One of my nightmares is a rooted zombie server that looks perfectly normal to me, but had several backdoors inserted...
An integrity checker such as Tripwire is what you want, and !Squalus pointed out that there is a version of Tripwire for routers.
The idea is this: generate secure hashes of all critical files, using a secure, one-way hashing algorithm such as SHA-1 or MD5. If those files are changed, hacked, or even damaged by hardware failures, comparing the old hashes will reveal that the files have been altered.
In practice, it's a little more complicated. Many files will change, or be changed, in the normal course of operations of a system. Imagine, for example, a clueless sysadmin who ran an integrity checker against all files on a system, and then freaked out because the log files had changed. So it is necessary to have clueful admins who will be able to understand which files are critical and can distinguish between proper, permitted changes and hacker intrusions.
As I'm sure you know, such clueful sysadmins are in short supply.
Another issue in some cases, like virus detection, is that the operating system itself must be trusted while the hashing is taking place. There are stealth viruses that can intercept reads to infected files, and make them appear clean. Or at least, there were, back in the days of DOS. In theory, the same thing could be accomplished by hacking a unix kernel.
For more information on secure hash algorithms, the best reference is Applied Cryptography, 2nd ed. by Bruce Schneier. I'm sure Tripwire has plenty of info on their web site, and a search for "integrity shell" or "secure one-way hashing" would, no doubt, turn up scads of resources and references.
Good mfences make good neighbors.
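To make the integrity-checker idea above concrete, here is an added example (not code from the thread and not Tripwire's own code) of the baseline-and-compare loop: hash every file, store the digests, rescan later, and report what changed. It uses SHA-256 rather than the SHA-1/MD5 the comment names, skips files that are expected to churn (the log-file case), and builds its own throwaway directory as constructed sample input. It inherits the caveat from the same comment: it trusts the kernel's answer when it reads a file, so it cannot see through a kernel that lies about file contents, and the baseline is only worth anything if it is taken on a known-clean system and kept where an intruder cannot rewrite it.

```python
import hashlib
import tempfile
from pathlib import Path

# Files that legitimately change during normal operation (the log-file case above);
# an integrity checker must leave them out or it cries wolf on every run.
VOLATILE_SUFFIXES = (".log",)

def file_digest(path: Path) -> str:
    """SHA-256 of the file contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path) -> dict:
    """Map every non-volatile file under root (relative path) to its digest."""
    return {
        p.relative_to(root).as_posix(): file_digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.name.endswith(VOLATILE_SUFFIXES)
    }

def compare(baseline: dict, current: dict) -> dict:
    """Classify the differences between a stored baseline and a fresh scan."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }

def demo() -> dict:
    """Constructed scenario: take a baseline, then one binary is replaced, one file
    is dropped in, one is deleted, and a log grows as it normally would."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for rel, content in {
            "bin/login": b"original login binary",
            "etc/inetd.conf": b"telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd\n",
            "etc/hosts.allow": b"ALL: 10.0.0.0/255.0.0.0\n",
            "var/log/messages.log": b"boot ok\n",
        }.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(content)
        baseline = build_baseline(root)   # in practice: stored off-box or on read-only media

        (root / "bin/login").write_bytes(b"replaced login binary")    # tampered binary
        (root / "etc/unexpected.conf").write_bytes(b"new file\n")       # dropped-in file
        (root / "etc/hosts.allow").unlink()                             # deleted file
        with (root / "var/log/messages.log").open("ab") as f:
            f.write(b"login from 10.0.0.5\n")                           # normal churn, ignored

        return compare(baseline, build_baseline(root))
```

Running `demo()` reports `bin/login` as modified, `etc/unexpected.conf` as added and `etc/hosts.allow` as removed, while the log growth produces no alarm. The exclusion list is the "clueful admin" part of the job: too short and every run is noise, too long and the attacker simply hides in an excluded path.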
1: Port scan a network known to have DSL routers, ISDN routers, switches or cable modems or what have you. Your own ISP works great.
2: Take your list of open telnet ports, and corresponding IPs, and telnet into them.
3: Using the PDF files of the router docs, log in using the default passwords and wreak havoc. Remove routes, telnet into other boxes on their internal network.
It's really sad how many of these are set up and forgotten about, leaving Joe Business Owner wide open. People don't think twice about changing passwords, disabling WAN access, etc etc
Don't even get me started on HP JetDirects !
Clearly this is Microsoft's fault.
He meant Personal Computer, you fuckwit.
Allied Telsyn do for a lot of their routers.
Cisco IOS updates are easy to get. If you have a serial # on your router, you should be able to finagle yourself a CCO login from that. Either that, or find someone else who has one to use.
:)
And even if you aren't LEGALLY supposed to use the update, it's not much of a big deal really... quite a few people I know just update them, and don't care much about the actual licensing part of it. it's abstract enough that few can find out about it anyway.
I'm not advocating theft, but to say that you don't have a CCIE around is a load of BS.
I'm not going to let the lack of a support contract stop me from securing a product that I spent a bunch of money for.
besides, when you have a WAN with say, 200 2600's or so, you only need a few registered routers. just switch around between good/bad ones for support calls
EOM
Why is it that we (meaning big companies like Cisco, US government, Microsoft, etc) have so much trouble? Just look at all the messes! Sep 11, nimda, code $color_of_choice, DMCA, etc! They are almost always in the business of fixing problems after they become problems!!! ARGH!!! That is one of the most beautiful things about Free and OS Software... a lot of problems get fixed before (out of proportion just like in any estimation done by any research/analysis study) $trillions in losses occur due to some major effing catastrophe. Why?? Pre-emptive code auditing. Free/OS software is expected to have flaws and faults; that's why people are encouraged to look at and examine the code! Find, fix, enhance!
/usr/libexec/locate.updatedb
Now, the US Gov, Microsoft etc. seem to not care (they don't seem to make outward attempts anyway) if what they are doing is stupid/wrong. Let's bomb Iraq 4-5 times a month then complain Saddam is a threat to freedom and is happy about Sep. 11! Hey, let's just act like we own the place then millions of people get pissed off at us and we call THEM terrorists because our way is about freedom and you must be against freedom if you are against us!
...(Back on topic now)
When a router is hacked (especially big ones) they have the capability to use a DOS attack on a mammoth amount of people. DOS = denial of service.... not just packet flooding. Imagine if you changed the DNS information or routing information and started sending EVERYONE from the router to slashdot.org. I am sure Slashdot would drop like a rock. Plus all those people cannot view any website and no one can view Slashdot. That is a huge DOS. Why are routers easy targets? Monopoly.
I don't know any current stats, but in 1998 or 1999 something like 80% of the internet infrastructure was Cisco based. I am sure there is at least one common flaw amongst most Cisco routers. Some say it is that reason, others say it's incompetent admins. I say a little from column A, and a little from column B. Cisco needs to make IOS upgrades easier to obtain. Go buy a Cisco router off of eBay and try to upgrade the IOS. Ain't going to happen unless you are a CCIE or have a service contract with them. Of course there are illegal ways as well. The point being, you probably are screwed. And to the admins... please... read documentation and understand what you are doing and do it with prior thought before you plug in and turn on. Don't use exec password: cisco and enable password: class (It has been a while since my Cisco training... do they still use that for the lab routers?)
Excuse me while I
ZERO ZERO ONE ZERO ONE ZERO ONE ONE! Just brushing up for my next big invention: Ethernet over Voice (EoV)
True, a lot of administrators do not take the time to properly secure their routing infrastructure. The problem becomes more blurred by those who insist on web interfaces to equipment. I'd gather that most web interfaces don't provide the proper level of detail one needs to properly maintain/operate routers.
The biggest issue I have is with true OS-routers/network peripherals. The F5s, Linux routers, and others, while very functional, are multi-user operating systems. Network routers should route, not script. I think the bar will rise considerably as soon as a lot of the networking industry understands this.
Lastly, while very possible to policy route data in the compromised router, it'll take large scale ISP breakins to cause major black holes. ISPs like AT&T, C&W, and Genuity filter BGP routes from their customer's BGP sessions to prevent bogus advertisements. However, this doesn't prevent them from fat-fingering routes and black holing someone else's network. (ie. level2peer(mom&pop ISP)-to-level1peer(ie. AT&T) isn't trusted implicitly like level1peer-to-level1peer).
I would think that although major routers being hacked could stall the internet, the real threat STILL exists with computer viruses... at least the real threat economically...
:)
For one, a business can still operate if the network goes down.. that isn't THAT big an issue... ("Sorry fellows, we won't be sending you home just because our network is down"), but if the computers that are being operated/worked on could be sending out data and proprietary information... well..
Also, for home users... the kind who trust the benevolence of the economic cookie.. you know which ones: "Save my credit card information" on amazon/barnesandnoble checked, along with "Save login information in a cookie" always selected... all that has to be done is to buy up 5-6 items and send to dummy addresses (random ones) before the normal computer user REALLY cares about viruses.. which makes me ask--> why hasn't it happened before? Why hasn't a major virus (code red and nimda anyone?) made purchases after the computer has gone idle for K minutes using the cookies stored on there?
Anyways, I may be wrong..
dear rocket scientist..
Cisco Type 7 passwords are a very basic hash that anyone with some utilities off the internet can crack...
Type 5 passwords (or enable secret) are encrypted with a much higher quality hash that I believe is resilient to everything but a brute force attack.
Before trying to diminish someone to make yourself look smart, it would help if you gave advice that didn't make everyone's router crackable.
----------
ah honey, we're all resplendent - Bill Mallonee
Haven't you heard of "security through obscurity"? If you have enough of them scattered all over the place it will take a while to hit a useful one.
Instead of posting whiney uneducated comments like "It's Cisco's fault because..." maybe you should actually try and research the problem. The cost for basic Smartnet maintenance is chicken scratch for what you get (hardware replacement, software upgrades, tons of info on CCO, and the ability to call the TAC, which is worth it by itself; these guys are top notch). As always, you'll find that Cisco gives you the tools within the IOS to secure it; you just have to be an admin with half a brain.
1.) Yes, cisco routers DO have secure shell access available.
2.) Only idiots allow any computer telnet and http access to their routers. Actually only idiots have not shut down http access to their routers.
3.) Only idiots do not have ip subnet-broadcasts turned off on their routers. (Off by default nowadays)
4.) Only idiots do not have ingress/egress filtering on their routers to prevent ip spoofing.
5.) No ip source-routing, nuff said.
the list goes on and on and on. The bottom line is the damn thing is a router, it needs to be flexible so that it can be configured for the individual network. You just need someone who knows what they are doing to install, configure and administer it for you. This is where we are lacking, Cisco is not to blame.
I hate to say it, but I've been in a few routers and this report is correct, 100% correct.
How do you feel when a router for vpn.sabre.com doesn't even have a password? (yes, it's been fixed)
It's the other way around you knob.
Type 5 are weaker.
access-list 1 permit
line vty 0 4
access-class 1 in
ummm.....not too difficult, and unless the version of IOS running is vulnerable, this will restrict access to the vty lines a la tcp wrappers.
How is this a troll? He's absolutely right. It's all politics.
Even better, add an access-list to the vtys (acts the same as a hosts.allow in unix)
line vty 0 4
access-class 99 in
password 7 xxxxx
login
access-list 99 permit 1.2.3.4 0.0.0.0
(that 0.0.0.0 is a wildcard mask, not a netmask for any non-cisco types that read this).
And of course an enable secret is a useful thing.
Hell, if you want to make it even more secure and easier to change the password in bulk for multiple routers, set them up to authenticate to a RADIUS or TACACS+ server and have no local accounts configured (you can still get to it on the aux or con serial ports if the link to the auth server dies).
What's with the moderators tonight? They seem worse than usual. The above comment is a legitimate question.
Can be found on page 14:
"Time-To-Exploit Is Shrinking
Exacerbating the sophistication of attacks and the abundance and susceptibility of targets is a shrinking time-to-exploit. The window of opportunity between vulnerability discovery and widespread exploitation, when security fixes or workarounds can be applied to protect systems, is narrowing. This is, in part, due to the large existing code-base of attack tools that can be used to develop new tools as exploits are written for newly discovered vulnerabilities. Another element causing this trend is a trend toward non-disclosure within intruder communities. Rival groups will often keep new exploits and attack tools private to gain some advantage over other rival groups. Tools that are exposed to outside groups often become obsolete through competitive analysis and are quickly modified, making the lifetime of many attack tools very short. Anti-forensics techniques are now commonly employed in the design of intruder tools in an attempt to increase the lifetime of the tools by limiting the ability of others to determine the function of and defense against an attack tool. Thus, when public awareness of an exploit method or attack tool does rise, the method or tool is often already in some degree of widespread use."
In other words, the bad guys love the practice of not sharing info on vulnerabilities.
A corollary of this is that closed source code is a gift to these guys.
"You can't get something for nothing." - my grandfather, on the stock market and Reaganomics.
What you do is use Slashdot to your advantage. Instead of sending an email telling him to "go read this article", you should work it to your distinct advantage. In this case you should talk to your boss and say "You know, I was thinking that our router might not be secure. In my efforts to help the company, I have done a little research (carbon copy info from article here) and have some comments about it (carbon copy posted comments of Score:4 or higher)." It won't be long before you are getting a bigger paycheck because you are the only one coming up with all this incredible information on a daily basis. Trust me...it works.
Cave, wreck, and deep diver.
If we had an alternative to IOS, maybe OpenIOS? I use a Linux box as a router, but most people don't. Maybe if Cisco wouldn't charge you $1,000,000 for the next version of IOS just because they fsck up their own code, and expect you to pay for it?
Sangoma.com - nice T1 cards that add a DSU to your linux box so you don't need a cisco ;)
!
! Serial Config
!
interface Serial0/0
ip access-group 101 in
ip access-group 102 out
!
! Inbound list
!
no access-list 101
! Deny incoming with our netblock (a.b.c.d)
access-list 101 deny ip a.b.c.d 0.0.0.255 any
! Permit established connections (not necessary but just to be safe)
access-list 101 permit tcp any any established
! Deny incoming with 127. source address
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
! Deny incoming with reserved address
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
! Block "land" attack (source and dest same as interface port)
! Serial Interface
access-list 101 deny tcp host a.b.c.d host a.b.c.d
! Ethernet Interface
access-list 101 deny tcp host e.f.g.h host e.f.g.h
! Block all router access except from us (a.b.c.d)
access-list 101 permit tcp host a.b.c.d host e.f.g.h eq telnet
access-list 101 permit tcp host a.b.c.d host i.j.k.l eq telnet
access-list 101 deny tcp any host e.f.g.h eq telnet
access-list 101 deny tcp any host i.j.k.l eq telnet
access-list 101 permit ip any any
!
! Outbound list
!
no access-list 102
! Filter outgoing packets without our source network address (a.b.c.d)
access-list 102 permit ip a.b.c.d 0.0.0.255 any
access-list 102 deny ip any any
Try at least putting a simple config to protect access to your router. This will work for a Cisco. For more advanced options, try blocking _all_ traffic to the router instead of just telnet access. This ruleset will block access to the router, and protect the network behind the router to some extent.
-sirket
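Added example, not from sirket's post or any Cisco code: a small evaluator for IOS-style extended access lists that lets you check what a ruleset like the one above actually does to a given packet before you commit it to a router. It implements the two things that matter here and that trip people up: wildcard masks (the "0.0.0.0 is not a netmask" point made earlier in the thread, so `0.0.0.255` covers a /24 and `0.0.0.0` exactly one host) and first-match evaluation with an implicit deny at the end. The addresses are constructed stand-ins for the post's a.b.c.d / e.f.g.h / i.j.k.l placeholders, taken from documentation ranges. The demo runs the post's entries in their posted order against a reordered copy in which every anti-spoofing deny precedes `permit tcp any any established`, because in the posted order a packet from 10.0.0.0/8 with the ACK bit set matches `established` before it ever reaches the `deny ip 10.0.0.0 0.255.255.255 any` line.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins for the post's placeholders (documentation ranges, nobody's hosts):
# a.b.c.d netblock -> 203.0.113.0/24, serial e.f.g.h -> 198.51.100.1,
# ethernet i.j.k.l -> 203.0.113.1, the trusted management host -> 198.51.100.50
OUR_NET, OUR_WILD = "203.0.113.0", "0.0.0.255"
SERIAL_IF, ETHER_IF, MGMT_HOST = "198.51.100.1", "203.0.113.1", "198.51.100.50"
PORTS = {"telnet": 23, "www": 80}

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    ack: bool = False   # ACK or RST bit set: that is all 'established' looks at

@dataclass(frozen=True)
class Rule:
    action: str         # "permit" or "deny"
    proto: str          # "ip" matches every protocol
    src: str
    src_wild: str
    dst: str
    dst_wild: str
    dport: int = 0      # 0 means any destination port
    established: bool = False

def wild_match(addr: str, base: str, wild: str) -> bool:
    """Wildcard mask: 1 bits are 'don't care', so 0.0.0.0 is one host, 0.0.0.255 a /24."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wild))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def parse_rule(text: str) -> Rule:
    """Parse what follows 'access-list 101' in an extended IOS ACL entry."""
    toks = text.split()
    pos = 2
    def take_addr():
        nonlocal pos
        if toks[pos] == "any":
            pos += 1
            return "0.0.0.0", "255.255.255.255"
        if toks[pos] == "host":
            pos += 2
            return toks[pos - 1], "0.0.0.0"
        pos += 2
        return toks[pos - 2], toks[pos - 1]
    src, sw = take_addr()
    dst, dw = take_addr()
    rest = toks[pos:]
    dport = 0
    if "eq" in rest:
        port = rest[rest.index("eq") + 1]
        dport = PORTS.get(port) or int(port)
    return Rule(toks[0], toks[1].lower(), src, sw, dst, dw, dport, "established" in rest)

def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto == "ip" or rule.proto == pkt.proto)
            and wild_match(pkt.src, rule.src, rule.src_wild)
            and wild_match(pkt.dst, rule.dst, rule.dst_wild)
            and (rule.dport == 0 or rule.dport == pkt.dport)
            and (not rule.established or pkt.ack))

def evaluate(acl: list, pkt: Packet) -> str:
    """IOS semantics: first matching entry wins; no match at all is an implicit deny."""
    return next((r.action for r in acl if matches(r, pkt)), "deny")

def standard_acl_permits(entries: list, src: str) -> bool:
    """Standard ACL as used by access-class: (action, address, wildcard), source only."""
    return next((a == "permit" for a, b, w in entries if wild_match(src, b, w)), False)

OWN_NET_DENY = [f"deny ip {OUR_NET} {OUR_WILD} any"]
BOGON_DENY = [f"deny ip {n} any" for n in ("127.0.0.0 0.255.255.255", "10.0.0.0 0.255.255.255",
                                           "172.16.0.0 0.15.255.255", "192.168.0.0 0.0.255.255")]
ESTABLISHED = ["permit tcp any any established"]
MGMT_AND_REST = [f"permit tcp host {MGMT_HOST} host {SERIAL_IF} eq telnet",
                 f"permit tcp host {MGMT_HOST} host {ETHER_IF} eq telnet",
                 f"deny tcp any host {SERIAL_IF} eq telnet",
                 f"deny tcp any host {ETHER_IF} eq telnet",
                 "permit ip any any"]
# Entry order as in the post: 'established' sits before the 127/RFC1918 denies.
AS_POSTED = [parse_rule(r) for r in OWN_NET_DENY + ESTABLISHED + BOGON_DENY + MGMT_AND_REST]
# Same entries with every anti-spoofing deny ahead of 'established'.
REORDERED = [parse_rule(r) for r in OWN_NET_DENY + BOGON_DENY + ESTABLISHED + MGMT_AND_REST]

def demo() -> dict:
    """Constructed packets arriving inbound on the serial (WAN) side: (as posted, reordered)."""
    cases = {
        "rfc1918_src_with_ack": Packet("tcp", "10.1.2.3", "203.0.113.7", 25, ack=True),
        "own_net_src_with_ack": Packet("tcp", "203.0.113.9", "203.0.113.7", 25, ack=True),
        "mgmt_telnet_to_router": Packet("tcp", MGMT_HOST, SERIAL_IF, PORTS["telnet"]),
        "stranger_telnet_to_router": Packet("tcp", "198.51.100.77", ETHER_IF, PORTS["telnet"]),
        "web_to_inside_host": Packet("tcp", "198.51.100.77", "203.0.113.80", PORTS["www"]),
    }
    return {name: (evaluate(AS_POSTED, p), evaluate(REORDERED, p)) for name, p in cases.items()}
```

`demo()` gives `("permit", "deny")` for the ACK-flagged packet with a 10.x source and identical verdicts for everything else, which is the whole argument for putting the anti-spoofing denies first: the `established` keyword checks a flag the sender controls, not connection state, so it should never sit in front of lines you rely on to drop forged sources.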
first, we will assume that you have a cisco, IOS based. If you are using something else, there are other ways to secure your system. I place actual commands in "" quotes. Many of these commands are applicable for IOS based switches too.
Juniper, Unisphere, whatever, has similar precautions that you can take.
http://www.cisco.com/warp/public/707/
Common sense should apply. If you are an idiot, then there is no helping you, and please read no further. Just take your router offline so that you do not harm my network when the time comes for you...
Secure the console;
Turn HTTP servicing OFF!!!
If you use the internal web server to configure your router, you are probably not qualified to work on the thing, period. There have been a string of exploits to the http server function, and if someone gets your browser history, you are screwed. Use telnet. Same thing for any Cisco CBOS based router (DSL, cable, ISDN).
"no ip http server"
If you have a 12000 or some of the higher end routers, you can ssh to it. Lesser routers, such as anything less than a 7500, can only use telnet. This sucks, but it is what Cisco offers. (If you have a PIX firewall, ssh is available from version 5+ or something similar.) You can always use IPsec if you have the IOS for it.
Require local authentication to the console, add a 15 minute idle timeout, and other good stuff;
"line con 0"
"exec-timeout 15 0"
"logging synchronous"
"login local"
"transport input none"
Same thing for telnet sessions;
"line vty 0 4"
"exec-timeout 15 0"
"logging synchronous"
"login local"
"transport preferred none"
"transport input telnet"
Access list telnet access to special subnets! This is VERY VERY important;
Add "access-class 5 in" where you have the following access list on the router;
"access-list 5 remark VTY.ACCESS.CONTROL"
"access-list 5 remark 10.3.4.1/32"
"access-list 5 permit 10.3.4.1"
"access-list 5 remark 10.22.33.136/29"
"access-list 5 deny 10.22.33.128 0.0.0.7"
"access-list 5 permit 10.22.33.128 0.0.0.15"
Do not forget the aux port;
"line aux 0"
"login local"
"transport output none"
Authentication;
Use enable secret, NOT enable password!;
enable secret blah-blah-blah-md5-encrypted
Make at least one local user;
username bob password goldfish
Use TACACS+ if you can, and if you have multiple routers. Otherwise, just use a local login. Cisco lets you download TACACS+ if you know where to look;
http://www.cisco.com/warp/public/480/tacplus.sh
Encrypt your passwords too;
service password-encryption
Log stuff, and know when stuff happens;
Turn on logging;
"service timestamps debug datetime msec localtime show-timezone"
"service timestamps log datetime msec localtime show-timezone"
"logging buffered 32000 debugging"
Hate log messages on the console?
"no logging console"
Use "term mon" when telnetting to get live logging messages. Use "term no mon" to turn it off.
Synch to an NTP server so you know when stuff happens;
"ntp server 1.2.3.4 prefer"
Get NTP servers here;
http://www.eecis.udel.edu/~mills/ntp/servers.ht
Interfaces;
EVERY DAMN interface should have the following, unless you know better;
"no ip redirects"
"no ip directed-broadcast"
"no ip proxy-arp"
"no cdp enable"
Route RFC1918 traffic to null0. RFC1918 specifies that this traffic should not be routed. I do not know what NANOG's position on it is;
ip route 10.0.0.0 255.0.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
Turn CDP off, if you can. There is little reason to use it;
Turn it off, on ALL interfaces;
"no cdp run"
Turn it off on an individual interface;
"no cdp enable"
Damn, now wasn't that easy? No? Of course not! People who do networking get paid some serious cash, because it is serious business. Put a fool on the console and your business is going to take it in the ass! Way too many businesses let fools take care of their networking, or better yet have nobody do it at all.
I use Freesco (a free linux distro on a floppy) as my router/firewall. Anyone here ever used it, and know how crackable it is?
I have all external services off, but I'm still kinda worried as to how easy it would be for someone to mess with it and get on my internal net.
Where I work we use one-time passwords. We have special cards that you punch in a personal code and it gives you a one-time use password that expires after use or after 30 seconds. The routers authenticate using TACACS to a server that is synchronized with the cards. Makes it nearly impossible to break into them remotely.
Another thing router admins need to be aware of is the way they set up SNMP. SNMP can be used to modify just about ANY part of a router. All the attacker needs to know is the read/write string (basically a static password). And because SNMP uses UDP, it has the potential of being spoofed if access lists are used to determine which machines may send SNMP commands. The only way to guard against this is edge filters everywhere and keeping the location of the password server and SNMP allowed hosts in a secure segment/area.
They tried to do it and failed. Granted it doesn't look like they were trying to make a core router, but I'm sure they were thinking of that as the next step. www.lantimes.com/97 (excerpt) "Microsoft Corp. has released the final version of its Windows NT Server remote-access software, known in beta as Steelhead, with the intention of turning NT into an all-purpose, low-end LAN/WAN router and Internet-connectivity center for small businesses and branch offices."
"So your computer + 6 NICs == 1 commercial router."
A low-performance commercial router; most commercial routers have special hardware to speed up the packet filtering/forwarding - the software configures the hardware & lets it fly.
I have developed a tool that will check IOS configs against the NSA rule set. If you're interested in testing, drop me a note at gmj AT users dot sourceforge dot net
Also, for reference, here are three good sources of security configs for IOS:
# "NSA Router Security Configuration Guidelines", NSA, September, 2001
# http://nsa2.www.conxion.com/cisco/download.htm
#
# "Improving Security on Cisco Routers", Cisco, October 17, 2001
# http://www.cisco.com/warp/public/707/21.html
#
# "Secure IOS Template Version 2.3", Rob Thomas, October, 2001
# http://www.cymru.com/~robt/Docs/Articles/secure-ios-template.html
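A small checker in the spirit of the config-auditing tool mentioned above, covering the points from the IOS how-to earlier in the thread (http server off, enable secret, vty access-class and idle timeout, per-interface no-redirects/no-proxy-arp/no-directed-broadcast, logging, NTP, CDP, RFC1918 to Null0). This is an added example, not the SourceForge tool; the sample config is constructed.

```python
"""Check an IOS-style config for the hardening points in the posts above.
Added example (not the SourceForge checker mentioned); constructed sample
config, 203.0.113.0/24 is a documentation range."""

# Global commands that should be present (prefix match) and what a miss means.
GLOBAL_REQUIRED = [
    ("no ip http server", "HTTP server not disabled"),
    ("service password-encryption", "passwords stored in clear text"),
    ("service timestamps log", "log messages lack timestamps"),
    ("logging buffered", "no local log buffer"),
    ("ntp server", "no NTP server configured"),
    ("no cdp run", "CDP running globally"),
    ("enable secret", "no 'enable secret' (use it, not 'enable password')"),
]
# Per-interface lines the how-to wants everywhere. Caveat: newer IOS hides
# 'no ip directed-broadcast' when it is the default, so treat a miss as
# "verify on the box", not automatically as a hole.
IFACE_REQUIRED = ["no ip redirects", "no ip directed-broadcast",
                  "no ip proxy-arp", "no cdp enable"]
VTY_REQUIRED = ["exec-timeout", "login", "access-class", "transport input"]
RFC1918_NULL = ["ip route 10.0.0.0 255.0.0.0 Null0",
                "ip route 172.16.0.0 255.240.0.0 Null0",
                "ip route 192.168.0.0 255.255.0.0 Null0"]

def split_sections(config):
    """Return (global_lines, {'interface X' / 'line vty ...': [sub-lines]})."""
    global_lines, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and current is not None:
            sections[current].append(raw.strip())   # indented: part of section
            continue
        current, line = None, raw.strip()
        if line.startswith(("interface ", "line ")):
            current = line
            sections[current] = []
        else:
            global_lines.append(line)
    return global_lines, sections

def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    glob, sections = split_sections(config)
    for prefix, msg in GLOBAL_REQUIRED:
        if not any(l.startswith(prefix) for l in glob):
            findings.append(f"global: {msg}")
    if any(l.startswith("enable password") for l in glob):
        findings.append("global: 'enable password' present (reversible)")
    for route in RFC1918_NULL:
        if route not in glob:
            findings.append(f"global: missing '{route}'")
    for header, body in sections.items():
        if header.startswith("interface ") and "Loopback" not in header:
            findings += [f"{header}: missing '{w}'" for w in IFACE_REQUIRED
                         if w not in body]
        elif header.startswith("line vty"):
            findings += [f"{header}: missing '{w}'" for w in VTY_REQUIRED
                         if not any(l.startswith(w) for l in body)]
            if any(l.startswith("transport input") and "telnet" in l for l in body):
                findings.append(f"{header}: telnet allowed (clear text); "
                                "prefer ssh where the image supports it")
    return findings

# Constructed "before" config showing the problems the posts describe.
WEAK_CONFIG = """\
service timestamps log datetime msec
enable password cisco
ip http server
interface Serial0/0
 ip address 203.0.113.1 255.255.255.252
line vty 0 4
 login
 transport input telnet
"""
```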
That's why we have lawyers. UUnet would be responsible for paying the 1.7e49 dollars, once you proved this in court.
This will be treated as flamebait on /. but there are good uses for the justice system.
You cannot apply a technological solution to a sociological problem. (Edwards' Law)
If you allow telnet into the router without using an ACL to lockdown the vty access to all except trusted stations inside your network...You should be hacked and then fired.
"Science is like sex: sometimes something useful comes out, but that is not the reason we are doing it" Richard Feynman
You would be surprised how readily you can find routers (important ones!!) that use default passwords... try writing a little perl script that will traceroute to slashdot, cut up the output, and goes through a database of default passwords (this site has one), or even just cisco/cisco or enable/cisco in a telnet connection (99% of the time to port 23). I would be willing to bet that if it takes 10 hops to get there, 4 of them will use default passwords. AND THIS IS ON THE BACKBONE!!! Just imagine the number of routers sitting on the edge of a corporate network as their principal gateway that use default passwords. Scary. Very scary.
__________________________________________
Take comfort in your ignorance.
Grandmaster Plague
...in various cisco IOS releases?
...and more to the point, have people started to reverse engineer and patch the IOS so that a rooted IOS image can be uploaded on the router (and how many router admins actually force periodic saves of running IOS and cross check them against known initial MD5 fingerprints... none, I bet).
...next question: How many router/firewall admins have a network object group including all their core routing/switching infrastructure in their pretty little checkpoint network object databases?
Ok, on to the next level... how many folks have statically routed private IP address overlay for their routing infrastructure? How many folks overlay IPSec on top of that (SSH doesn't cut it any more)?
My overall impression of most network admins who are responsible for organization/ASN IP routing is that they're extremely lazy fscks who haven't the first clue about how to do security right.
...and as SANS/NSA is pointing out, this impression is correct.
This was demonstrated some months ago when I was tracing a friend of mine's network and noticed they were using a router on their dsl line.
:-)
Apparently their (SLC, Utah) dsl provider was recommending/providing the same model of Cisco router to many of their clients, because by simply pinging down a list of nearby addresses, I was able to telnet into the routers -- with no login, as the access password was by default blank.
The scary part is two-fold in this situation:
1) the user's username and password were stored in plaintext on the router and
2) by telnetting to the provider's site, you could login and see the user's account information, such as address, etc.
This _seriously_ freaked out my friend!
If liberty means anything at all, it means the right to tell people what they do not want to hear. -- George Orwell
How do I enable inbound port 80 for my crappy ToS @Home cable box?
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
fucka open up and say GOATSEEEEEEEEEEEEEEEEE.cx
I worked for a company this past summer who had DSL through ALLTEL. I don't know if ALLTEL set up the routers, but the default password to get into them was cisco. Unbelievable. I needed the information to open up ports to run a server, but anyone could turn an entire company's internet with like a handful of keystrokes.
Use commodity hardware with FreeBSD or Linux on it. Add the security utilities you want. The Linux Router Project is one possibility, and I am working on one with a little more flexibility and extensible security (yes, if you are interested, you can write me).
This sort of solution allows you to make your security solutions as extensible as you want, but then you do have to support it yourself, unless you can find a vendor...
LedgerSMB: Open source Accounting/ERP
There are a lot of resources available on security... everyone knows that security begins with a decent policy. When it comes to securing Cisco routers the following links may be useful:
From Cisco:
http://www.cisco.com/warp/public/707/21.html
From the NSA:
http://nsa2.www.conxion.com/cisco/index.html
It's not a solution, but it's a start
-- Kevin
Blah blah Cisco, blah blah blah Cisco. Blah Cisco! Blah blah!
:)
Blah, blah Cisco!
Blah blah blah blah monopoly on routers blah blah Cisco!
Cisco, blah blah.
Cisco switches can use ssh as of CatOS 6.1 (look for images with k9 in the name). 12.x IOS also offers ssh and kerberized telnet. Also notice that Cisco is only sshv1 capable. This is pretty much standard throughout all vendors (Foundry, Juniper, Cisco and I believe Nortel/Alteon).
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s/120s5/sshv1.htm
Quoted from Cisco on the sshv1 vs sshv2: "Primarily, Cisco wishes to keep its engineering talent working on core features within devices rather than developing and maintaining other features that provide infrastructure security through encryption." On sshv1 vulnerability as demonstrated by Dug Song and response from Richard Silverman:
http://www.groar.org/pres/MonkeyInTheMiddle/MonkeyInTheMiddle-en.html#toc2
http://sysadmin.oreilly.com/news/silverman_1200.html
Hope that helps...
http://packetstormsecurity.org/cisco/ciscos.c that might be part of the problem
I think core to this particular issue is mindset. System Admins have been, for years, told to upgrade--stay current with security patches for your particular operating system.
Router/Switch maintenance is different. How many Cisco users out there are familiar with the "fix on fail" SOP? I've found many a tier-1 support staffer reluctant to let you run off patching things that may not need it.
Routers/Switches are very commonly more important (read: requires less downtime) than any single machine on a network. In an environment like Exodus, Level 3, GlobalCenter, ..., downtime on a core switch is serious business. If it's working, there's a definite desire to not break it.
I identify with this mind set (and if you don't you're probably not a very good admin---running apt-get update/apt-get upgrade every day on a production system is a BAD, no...REALLY BAD idea.) However, let me say clearly, that this is obviously a wrong way to think about things.
How do you tell what ROM/BIOSs to flash? What patches to install? You have to do your research. If you blindly install a new super duper patch, and it breaks NFS on your server, you probably should've read the ChangeLog or Release Notes--it probably mentioned that something changed, or there's a dependency--or worse yet, that there are configurations with which the patch is incompatible. It happens.
There's no easy way, other than to understand what you're doing. Read the docs. You have to be willing to dedicate the time to make sure you're doing the right thing, and your bases are covered.
If you don't--you deserve what you get. If you don't learn from the experience, that'll probably include being fired.
Not preaching here...just passing along uncomfortable experiences.
"Yeah, um...hi. Cisco support? I just installed this patch, and..." Ugh.
The volume of noise a router could generate absolutely dwarfs what a computer could do.
"alteran" is a bit misleading. The paper doesn't actually say this. What it does say is that router based DoS attacks are an extreme concern because intruders can change that router's configuration and also launch attacks on the routing protocol for the Internet.
Aside from the obvious (like shutting down ports, changing the routing, etc) which has the effect of potentially generating lots of traffic, how exactly does one *generate* alteran's high "volume of noise"?
Even on a Cisco router, as root, sending out pings could cause some headaches but many other computers (or routers) tend to treat ICMP as low priority.
And unless you are able to run a program *on* the router (unlikely, unless it is DOS or *BSD based), how do you generate this "amazing" amount of traffic?
...try to play up Cisco as some leader in security.
You make it sound like Cisco just woke up one day and said "hey, I bet it wouldn't be too hard to add ssh support, and think of all the good it would do." If only.
There have historically been few vendors who were less open to adding security features or fixing security mis-features than Cisco when presented with a rational explanation of the issues. Cisco has only been eclipsed by Microsoft in their general disregard for security. IMHO.
Thanks for taking the time to provide this level of detail. Moderators: consider modding up the parent.
I would say that this kind of advice would be (even) more useful if it could distinguish between protection against internal threats (e.g. aux port -- I can't think of any non-physical level threat there) versus legitimate external vulnerabilities (e.g. telnet access) and stupidity vulnerabilities (e.g. using default passwords or ip redirects). Or to put it another way: it might be more readable as a block-commented script, explaining why you do what you do, rather than this narrative of advice with quoted commands.
But basically, the take-away for novice admins is: know what the f@#$ you're doing, and, if you don't, please get some help. Much of this is not rocket science (speaking of which, check out this); decent security just takes a little spade work.
-- We all have enough strength to endure the misfortunes of other people. La Rochefoucauld
Why do I never have moderator points when I can be helpful? sigh.
also, note that this isn't a bad read either: Secure IOS Template
Actually, no. Most of the big backbone routers today do most of the work with special-purpose hardware devices, hardwired to do basic packet forwarding functions. Most packets never reach a general-purpose CPU going through a big router. There are general-purpose CPUs in there, but they're for control and exception handling. Without such hardware support, gigabit networking wouldn't be feasible.
Troll? How can the parent be modded "troll"?
------------------
You may like my a cappella music
10Gb/s is something which even the 12xxx series can't handle properly.
;)
I've seen a *controlled* *test* setup where around 3.5Gb/s was inserted into a 12000, then was routed over DWDM-fiber (tested up to 90Gb/s by the supplier) and went through 4 12000's in total (infrastructure guaranteed at 80 Gb/s) and it came out at a mere 2.6Gb/s. The loss occurred at *every* 12000 series router. And that network is supposed to be at 80Gb/s backbone capacity in roughly two years.
If those Ciscos lose that much traffic at *sub*-10Gb/s speeds, I don't even want to know what happens at 80Gb/s.
Overall, I think the big difference between Cisco and for example Foundry is that Cisco is betting on the *software*, whereas Foundry is doing all their stuff in specially designed ASICs... But then again, our BigIron 8000 won't be capable of routing IPv6 at wirespeed, because we'd need a new backplane. Ciscos: just upgrade the IOS; but in the end a Cisco is just a very powerful computer, with some help from ASICs, but it all boils down to their CPU and bus-structure and interface-cards...
In the 12000 series a slot can hold 1 (one!) 10Gb/s card or a card with 3 (three) 1Gb/s interfaces... Anyone doing the math?
Ahem... Now to do something productive
--
Ehm... I'm not very creative
would be particularly easy.
router>enable
router#conf t
router(config)#int tunnel 0
router(conf-if)#tunnel source
router(conf-if)#tunnel destination
router(conf-if)#^Z
router#conf t
router#ip route 0.0.0.0 0.0.0.0 tunnel0
Or thereabouts... This creates half of a tunnel to a peer, which would normally be a router configured to tunnel back... but in this case we just configure the router to send all its traffic to the victim...
When my company had our leased line installed we had a Lucent Router installed (forget which model, not the current router we have) and believe it or not, we couldn't alter the default admin password until we had upgraded the firmware 4 times! Who is going to bother doing this if they have 5 or 6 routers they are deploying? It's bad. Very bad.
l33t scr1p7 k1dd135 have known this for ages. These are the kind of people with absolutely no technical background.
ALL these idiots can do is log in, enable superuser mode, and ping. I would be surprised if they can do much else.
Personally, my network has been DoSed by routers quite a few times. Every time it was by a script kiddie, trying to prove a point, no matter how wrong they were.
Back when this first happened, I emailed every netblock owner. In a year, I've got about 5 replies "thanking" me for alerting them to these problems. It is rare I send any emails regarding this. There is no point.
Quite often, the router is owned by a customer of a large ISP, with the external interface being in the domain of their ISP.
Sending emails to the ISP doesn't work, cos they either don't care, or are too dumb to forward the message.
The majority of these devices are Ciscos, with the DEFAULT password of "cisco" still in place. I know people who have had access to routers on OC3 (155mbit ATM) and everything smaller. Some people have claimed to have access to routers on 2.5gigabit backbone networks!
It's scary. There sure are some LAME ass admins in the world, and not just Microsoft and Linux camps!
You are so wrong with the above statement. Provided you have an encryption Feature Set (IPSEC 3DES or IPSEC 56) you can ssh to your router. No matter if it's a 801, a 12416 or anything else in between.
Read more about requirements + configuration of ssh on IOS routers here and for further ssh-related reading on Cisco platforms, go here.
Is it the kids on IRC? No, Some Adults.
Expanding a vast wasteland since 1996.
Guys, routers can be secured about as well as any other type of device attached to a network. Understand that by router here I mean a specialized box designed to route packets on multiple ports. Like a Cisco router or a Nortel router. Since these two companies have the largest share of the business router market you will probably run across one of their devices. Here is a quick run down on some steps to take to secure said router.
-Read the network/router security best practices papers and do what they tell you to do. There is a reason they wrote those things.
-Use some sort of login authentication system such as a token system. If you have to use fixed passwords then make them complex, randomly generated.
-Set the vty transport to ssh only and to accept ssh only from your admin machines (Create a vty ACL).
-Setup a syslog machine to collect your syslog info. Most importantly REVIEW YOUR LOGS!!!!!
-Setup some sort of monitoring system. OpenView, MRTG, NetSaint and the like. Again, review the results of these monitoring systems. If your router's CPU usage has jumped from an average 20% usage to 70% SOMETHING MIGHT BE GOING ON!!!!
-Setup Intrusion Detection Systems, they will warn against and block many common attacks, including DOS type attacks.
This is nothing more than applying standard system admin concepts to routers. Ain't too hard. Any device left unsecured is ripe for being messed with. If you secure it, it becomes vastly more difficult.
What do you consider to be the best OS in the world?
I guess the correct question would include: and for what application?
--Demonspawn
'Nuff said.
If that happened, it would be incredibly obvious to anyone who checked that the traffic did not originate on your network but rather came directly from the router. This is because there are 2 pertinent interfaces involved on the router in question:
1) Your company's interface going in
2) UUnet's interface going out.
When an attack originates on your network the #1 interface will have large amounts of incoming traffic (from you) and the #2 interface will have large amounts of outbound traffic (going to the target). OTH, when the attack originates directly from the router, your interface will have mostly normal traffic but the outbound interface (#2) will have a relatively large increase in traffic.
Of course, I can't speak for everyone at UUNet, but even tier 1 tech support should be able to quickly recognize the difference.
---Dave
Does the router version of Tripwire do anything more than log changes (and alert thereof) to the router's config?
Doesn't look so from the website, which says to me that Tripwire for routers is not the same level of security tool that Tripwire for servers is.
Use GNU Zebra
Very cool! I was not aware of this.
Hey, it is a forum. You learn stuff from other people.
What I don't understand is why, when people buy these Linksys 'routers', they think they have an actual ROUTER. 99% of these Linksys owners just use it as a gateway. Not a router. How many home users need a router?? You only have one connection to your ISP. Once the packet reaches your ISP, you have no control over where it goes. I guess just having control over that first hop is enough to warrant buying a true router?