CERT Finds Routers Increasingly Being Cracked
alteran writes "CERT has released a paper (PDF) analyzing changes in DoS attack methods. The new twist-- crackers are increasingly getting into routers rather than servers and home PCs. The volume of noise a router could generate absolutely dwarfs what a computer could do. And unlike compromised servers, compromised routers could actually screw up the infrastructure of the Internet, not just blast people with packets. Worst of all, router administrators appear to be even sloppier than their server counterparts in securing their machines."
from the article:
Intruders had to work hard to deploy large DDoS attack networks; much work was done to avoid detection and compromise of deployed attack networks and to provide for easier maintenance.
OK, here's the dumb question: Who is working so hard? Kids on IRC???
The password for all of our routers is admin.
Not really, but it is on 75% of our client's machines.
We don't actually administer our routers. Our company has some contract through UUnet, and the router is actually property of UUnet; we don't even have the password to get in and administer it. So if it's compromised, the blame should be placed on UUnet even though the traffic will look like it's coming from our company.
Things you think are in the Constitution, but are not.
Home users are increasingly switching to broadband cable/DSL over slowmo phone co. lines. And home broadband routers like Linksys' are getting increasingly inexpensive; even wireless ones are approaching commodity pricing. What will be the fallout when there's a router in every home? Router Wars 2003?
Personally I don't understand why they're doing it. When you attack a server or a host you hurt the server or the host. When you go after a router you affect all the servers and hosts on the network it covers, or if the router is connected to other routers it will bring down the connection between them. Now the part I don't understand is why do this if it affects them too?
And frankly I've had enough of the normal server-attacking DoS attacks. Since any "script kiddie" with a broadband connection or a few bots at his command can stage one, they're quite common and still a menace. In fact as I'm writing I'm getting attacked right now.
I'm just this guy, you know?
I would think that although major routers being hacked could stall the internet, the real threat STILL exists with computer viruses... at least the real threat economically...
:)
For one, a business can still operate if the network goes down.. that isn't THAT big an issue... ("Sorry fellows, we won't be sending you home just b/c our network is down"), but if the computers that are being operated/worked on could be sending out data and proprietary information... well..
Also, for home users... the kind who trust the benevolence of the economic cookie.. you know which ones: "Save my credit card information" on amazon/barnesandnobles checked, along with "Save login information in a cookie" always selected... all that has to be done is to buy up 5-6 items and send them to dummy addresses (random ones) before the normal computer user REALLY cares about viruses.. which makes me ask--> why hasn't it happened before? Why hasn't a major virus (Code Red and Nimda anyone?) made purchases after the computer has gone idle for K minutes using the cookies stored on there?
Anyways, I may be wrong..
This was demonstrated some months ago when I was tracing a friend's network and noticed they were using a router on their DSL line.
:-)
Apparently their (SLC, Utah) DSL provider was recommending/providing the same model of Cisco router to many of their clients, because by simply pinging down a list of nearby addresses, I was able to telnet into the routers -- with no login, as the access password was blank by default.
The scary part is two-fold in this situation:
1) the user's username and password were stored in plaintext on the router and
2) by telnetting to the provider's site, you could login and see the user's account information, such as address, etc.
This _seriously_ freaked out my friend!
If liberty means anything at all, it means the right to tell people what they do not want to hear. -- George Orwell
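The two posts above (the "password is admin on 75% of our clients' machines" one and the provider-supplied Cisco with a blank telnet password) describe the same failure: a management interface reachable from the Internet with default or no credentials, and a config that stores what credentials it has in the clear. The fragment below is an added example, not anything from the original posts or from any provider's recommended config; it shows an assumed reconstruction of the weak vty setup beside a hardened IOS equivalent. The hostname, domain, usernames, passwords and the 192.0.2.0/24 management subnet are all assumptions.

```cisco
! --- Weak (assumed reconstruction of what the poster found) ---
! Telnet is accepted on the vty lines and "no login" means no
! password is ever asked for.  Anyone who can reach TCP/23 is in.
line vty 0 4
 no login
 transport input telnet
!
! --- Hardened equivalent for the same box ---
hostname edge-rtr                       ! assumed name
ip domain-name example.net              ! assumed; required before RSA keygen
!
! 'secret' stores a one-way hash.  Do not rely on 'password' plus
! service password-encryption: type-7 strings are trivially reversible.
enable secret MyS3cret!Enable
username ops secret Ops-S3cret!Login    ! local admin account (assumed)
!
! Run once from privileged EXEC, not from config mode:
!   crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Only the management subnet (assumed) may reach the vty lines;
! everything else is dropped and logged.
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 deny   any log
!
line vty 0 4
 login local
 transport input ssh
 access-class 10 in
 exec-timeout 10 0
!
line con 0
 login local
 exec-timeout 10 0
!
! Unneeded services that also expose the box.
no ip http server
no service finger
no cdp run
```

Two caveats a practitioner would check. First, `show running-config | include password` should come back empty for the login accounts after this; if the image is old enough that `username ... secret` is unavailable, a plain `password` line under `line vty` plus the `access-class` is the minimum, not an optional extra. Second, `secret` only protects the router's own logins: ISP credentials such as a `ppp pap sent-username ... password` line are stored with at most type-7 obfuscation, which is exactly the plaintext exposure the poster describes, so restricting who can read the config (the ACL and SSH above) is the control that actually matters for those.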
I think core to this particular issue is mindset. System Admins have been, for years, told to upgrade--stay current with security patches for your particular operating system.
Router/Switch maintenance is different. How many Cisco users out there are familiar with the "fix on fail" SOP? I've found many a tier-1 support staffer reluctant to let you run off patching things that may not need it.
Routers/Switches are very commonly more important (read: requires less downtime) than any single machine on a network. In an environment like Exodus, Level 3, GlobalCenter, ..., downtime on a core switch is serious business. If it's working, there's a definite desire to not break it.
I identify with this mind set (and if you don't you're probably not a very good admin---running apt-get update/apt-get upgrade every day on a production system is a BAD, no...REALLY BAD idea.) However, let me say clearly, that this is obviously a wrong way to think about things.
How do you tell what ROMs/BIOSes to flash? What patches to install? You have to do your research. If you blindly install a new super duper patch, and it breaks NFS on your server, you probably should've read the ChangeLog or Release Notes--it probably mentioned that something changed, or there's a dependency--or worse yet, that there are configurations with which the patch is incompatible. It happens.
There's no easy way other than to understand what you're doing. Read the docs. You have to be willing to dedicate the time to make sure you're doing the right thing, and your bases are covered.
If you don't--you deserve what you get. If you don't learn from the experience, that'll probably include being fired.
Not preaching here...just passing along uncomfortable experiences.
"Yeah, um...hi. Cisco support? I just installed this patch, and..." Ugh.
10Gb/s is something which even the 12xxx series can't handle properly.
;)
I've seen a *controlled* *test* setup where around 3.5Gb/s was inserted into a 12000, then was routed over DWDM fiber (tested up to 90Gb/s by the supplier) and went through 4 12000's in total (infrastructure guaranteed at 80 Gb/s) and it came out at a mere 2.6Gb/s. The loss occurred at *every* 12000 series router. And that network is supposed to be at 80Gb/s backbone capacity in roughly two years.
If those Ciscos lose that much traffic at *sub*-10Gb/s speeds, I don't even want to know what happens at 80Gb/s.
Overall, I think the big difference between Cisco and for example Foundry is that Cisco is betting on the *software*, whereas Foundry is doing all their stuff in specially designed ASICs... But then again, our BigIron 8000 won't be capable of routing IPv6 at wirespeed, because we'd need a new backplane. Ciscos: just upgrade the IOS; but in the end a Cisco is just a very powerful computer, with some help from ASICs, but it all boils down to their CPU and bus structure and interface cards...
In the 12000 series a slot can hold 1 (one!) 10Gb/s card or a card with 3 (three) 1Gb/s interfaces... Anyone doing the math?
Ahem... Now to do something productive
--
Ehm... I'm not very creative