CERT Finds Routers Increasingly Being Cracked

alteran writes "CERT has released a paper (PDF) analyzing changes in DOS attack methods. The new twist-- crackers are increasing getting into routers rather then servers and home PCs. The volume of noise a router could generate absolutely dwarfs what a computer could do. And unlike compromised servers, compromised routers could actually screw up the infrastructure of the Internet, not just blast people with packets. Worst of all, router administators appear to be even sloppier than their server counterparts in securing their machines."

Like one of those hypothetical Marvel comics..

[EraseEraseMe]

What if...

Microsoft Made Routers? ;)

Re:Like one of those hypothetical Marvel comics..

[!ramirez]

Uh. Right.

And I quote:

Equipped with Stateful Packet Inspection to prevent Denial of Service (DoS) attacks, and Network Address Translation (NAT) to maintain network security against hackers

Any manufacturer that considers NAT 'network security against hackers' is delusional. That's just how it is. Far too many companies nowadays are selling eth2eth NAT boxes and calling them firewalls.

Re:Like one of those hypothetical Marvel comics..

[grue23]

Read your /. manifesto. You aren't allowed to like anything that is:

* Packaged slickly
* Designed for ease of use by non-geeks

Re:Like one of those hypothetical Marvel comics..

[jonnythan]

How is NAT *not* a security solution for a home user not running a server?

-J

Re:Like one of those hypothetical Marvel comics..

[segfaultdot]

What would you recommend, perhaps a Linux box as a router/firewall? I'm serious... if our router here at work isn't going to suffice as a firewall, it's up to me to replace it with something better. I'm not very well versed in networking as such, there's no real network administrator here, just me. :/

We have a couple other people in our IT department, but i'm the most well versed in networking, which is perhaps a sad statement. ;P

Re:Like one of those hypothetical Marvel comics..

[segfaultdot]

Lol. Yeah, i hear you... but there's a big difference between home and work. At home, i have time to learn how to use the best. At work, it has to be up and running yesterday, and my boss isn't about to pay me to sit there and read the networking HOWTO trying to get a Linux box up and running as a router. Nothing against Linux... i use it 99.9% of the time at home and i have an older box set aside for tinkering and learning at work. But i'm not ready to use Linux in critical applications such as a router, yet. (I said I'm not ready... Linux is. :)

Re:Like one of those hypothetical Marvel comics..

[iseletsk]

Where did you saw a router that was easy to use?

Routers can be secured...

[!Squalus]

Tripwire makes Tripwire for Routers - Tripwire has been in the business of ensuring integrity for your systems for some time. Thet even make the Open-Source version of Tripwire for Servers, Web Pages (Apache) and have a Linux-capable Tripwire Manager (management system for reports) available as well. Definitely worthy of investigation.

P.S. - I don't work for Tripwire, but I do like their products. 8-)

Re:Routers can be secured...

[afay]

Yeah, I thought their product was cool too... until I downloaded the free client and had to enter a bunch of personal details. That's not so bad I do it all the time to get trial software. However, the next day I get a call from a sales rep. at Tripwire. I listen to the shit he was spewing and politely told him I wasn't interested in deploying it at our company. Over the next two weeks, I get 4 more calls from various reps. from Tripwire. I also started getting junk mail at my work account which was brand new the day I downloaded Tripwire. I won't do business with a company that has a field day with your personal data.

Re:Routers can be secured...

[Florifundator]

Cmon, its YOUR fault if you offer real data for a free lunch, resp. e-contact e-shops that require real data for contact or do that from a personal e-mail address.
<BLOCKQUOTE>Who will buy WinXP tomorrow?</BLOCKQUOTE>

DOS

[moonboy]

Well, that's what they get for using DOS as the OS for their routers. Sheeeesh!! Some people will never learn!

Re:DOS

[Spazntwich]

I'm curious, do they actually use DOS for many routers' OS?

You'd think they'd use some highly specialized (i.e. fast/efficient) OS for it.

Re:DOS

[moonboy]

Does no one have a sense of humor?

You people kill me!!

Oh well, I've got Karma to burn!!! Moderate on!!
Wooo-hooo!!!

Re:DOS

[redcliffe]

I did a CCNA course, and IIRC they said that Cisco IOS is a highly optimised multitasking operating system built from the ground up for the routers. Maybe the original poster was confused between IOS and DOS.

Re:DOS

[e7]

Yup. It only takes one moderator who actually believes that Cisco is running embedded MS-DOS on their routers ...

Re:DOS

[silicon_synapse]

CERT has released a paper (PDF) analyzing changes in DOS attack methods.

Or maybe he was commenting on the widespread habit of confusing DOS (Disk Operating System) with DoS (Denial of Service). It really bugs ME too.

Re:DOS

[moonboy]

True dat!

Re:DOS

[moonboy]

Actually, that's what I was making fun of in my original post. The submitters mistake referring to DoS (Denial of Service) attacks as opposed to DOS (Disk Operating System). This was not meant to take another jab at Microsoft.

It's kind of funnier actually that I have to explain my comment, but I realize that not everyone who visits /. knows the difference and that's why I'm posting again to clear the air.

Re:DOS

[e7]

It really bugs ME too.

Are you referring to Windows ME? ... oh I suppose I'll get in trouble for saying that now ...

Re:DOS

[luke1911]

You obviously have no idea what your talking about. The Cisco IOS is the second best OS in the world. Just because you dont know how to secure a router doesnt mean that it cant be done. Michael L. Lucas CCSI CCNP

Re:DOS

[saridder]

Plain old DOS dosen't even know what TCP/IP is, never mind routing, or any other protocol. Unless you created specialized drivers, protocol stacks, routing protocols, etc on the router, DOS wouldn't be a good choice.

Re:DOS

[kaimiike1970]

It really bugs ME too.

And by saying 'ME' you mean Windows Millenium?

What to do

[Publicus]

I could send this story to the guy who's in charge of security where I work. But he's my boss, and he already thinks I'm Mr. Knowitall...

Damn... If only he read /., what a crime...

Happened alot at my local university

[josquint]

In the past few months we've had DOS attacks to our routers constantly for the past few months... Took the admins that long to figure out what the hell was happening to all the bandwidth.

and even longer to figure out who's doing it... lame admins heh.. :)

cisco updates

[Akatosh]

Cisco requires a service contract to upgrade your IOS. People like to use this as an excuse. What a lot of people don't know is that at the bottom of most Cisco security advisories there is a telephone number for you to call if you do not have a service contract. So stop using the 'I can't afford to pay for a service contract' excuse .

Re:cisco updates

[!ramirez]

You don't need a service contract, you just need to have your router registered with them, and have a Cisco Connection Login. I've got a CCO login tied to a 1604, and I've downloaded/torn apart the code for a 12000GXR. No restrictions, they just don't want everyone on the damned planet with access to their firmware.

Re:cisco updates

[gmack]

I have never run into that.. I just go to the "download firmware" page and download.

It's really not that hard and there are well documented instructions on how to do so.

If course if you wanted Cisco to do the work for you I could see the need for a service contract...

Re:cisco updates

[aka-ed]

1. Cisco does not charge for firmware updates.

2. Programming mistakes are not the only, or even the primary, reason for firmware updates. Mostly, it's new features

3. For someone who gripes about programming mistakes, you type quite carelessly.

who are these people

[oni]

from the article:
Intruders had to work hard to deploy large DDoS attacks networks; much
work was done to avoid detection and compromise of deployed attack
networks and to provide for easier maintenance.

OK, here's the dumb question: Who is working so hard? Kids on IRC???

Re:who are these people

[TheQuantumShift]

No, it's the losers who grew up on IRC.

It boils down to this

[LoRider]

Companies don't hire enough smart people to admin their network. They think that the guy who knows how install Windows would be a good candidate for admining the network.

Most companies and people that run them don't understand what it takes to properly setup and maintain a network.

I think this will/is changing though. The company I work for now takes the network seriously after they narrowly avoided a catastrophic data loss about a month ago. Now that backup solution I was bitching that we needed, has been purchased.

Re:It boils down to this

[JWhitlock]

Companies don't hire enough smart people to admin their network. They think that the guy who knows how install Windows would be a good candidate for admining the network.

Most companies and people that run them don't understand what it takes to properly setup and maintain a network.

OK, I'll assume you're the smart guy. Where do you find this basic info? It seems too concrete and vendor specific for a CS class. Having spent a summer interning with MIS students, all I can figure is they learn a little programming and a lot of beer drinking.

I have my own Linux router (not LRP, just a 586 with Debian and IP-Chains), and I've had a hell of a time finding any decent information. The HOW-TOs are useful, but always seem to have holes, or say "this section to be added later" for the things I actually need. There is no online documentation, and Google searches always find something close, but not what I'm looking for.

This isn't something I do for work, so I have no "mentor" to ask questions of. We're a small company, and our admin knows a bit more than I do. I'm having trouble finding a book (I have O'Reilly's Bulding Internet Firewalls on order). I've found no repository of sample IPCHAINS scripts, or even an "official" way to add them to a Debian system.

How do you go from clueless to "smart"? Why is it, when it comes to security, the Slashdot advice is always "Get a person with a clue as security admin" and never "Here's a clue, here's where to get a clue"?

Re:It boils down to this

[The+Narfstyler]

The problem is also that the staff doesn't notice that their network is not being run like it should. They only notice if it goes down, but if nobody messes with it, it won't go down. And therefore the incompetent network admin just keeps on doing his job.

Password

[crumbz]

The password for all of our routers is admin.
Not really, but it is on 75% of our client's machines.

Re:Password

[jeffy124]

i think that's the actual problem - leaving in the default password. Routers should require a new password when the admin performs intial setup. Or, different routers should have different default passwords at time of manufacture. But I think the former is more practical and feasible, as the latter may require printing the passwd on a piece of paper, which can lend itself to error.

Re:Password

[eudas]

my personal favourite is 'qpwoeiruty'.

eudas

Re:Password

[knick]

At least for Cisco routers, there isn't a 'default' password.

No telnet password is set by default, and the router will not let people telnet in till a password is set. Dumb passwords are becuase of dumb admins. (You have no idea how many routers I've seen using san-fran for enable...)

--knick

Re:Password

[Glytch]

Could be worse. There was no admin password on my old junior high school's Novell 3 network.

Didn't matter much anyway. That old server was little more than a glorified hub for the grand total of 18 386's we had sharing a 14.4 modem.

Re:Password

[jeffy124]

ok, i didnt know that. I'm used to LinkSys routers that use an http interface, which all come with a default of 'admin' or 'administrator' (cant remember which)

Re:Password

[darkonc]

...as the latter may require printing the passwd on a piece of paper, which can lend itself to error.

The boot time password could be put on a sticker and pasted to the machine -- it could even go next to the serial number.

Multiple random passwords would also serve as an incentive for admins to set the passwords to something more to their liking (but hopefully not weak).

Re:Password

[Shadowlion]

I'll have to add that to my dictionary file. ;)

Re:Password

[akula1]

I was working (security) for my former high school two years ago and their passwords for a
Cisco Router
7 or 8 Bay switches
Intel print server
a bunch of HP Jet Direct cards

... and best of all the AS/400 that kept payroll/confedential student records all had defualt passwords.

I told them this was a bad idea, then I demonstrated what a bad idea it was by printing some pr0n out on my bosses printer. The same day I also admin'd into the AS/400 and brought up his payroll info. (I was young and stupid)

The net result two years later:
They took the defualt login off the AS/400. Everything else is still wide open.

Some people just shouldnt be allowed to run networks.

Re:Password

[ncc74656]

i think that's the actual problem - leaving in the default password.

...or, even better, no password at all. The Cayman DSL router at work had no password. You would think our service provider would've locked it up, but they didn't. It even bitches at you when you bring up its (web-based) configuration page if it has no password, but they must not have caught the clue. Oh well...at least with no password, I was able to kill NAT (don't need it to do that since there's another machine behind it running Coyote Linux that serves that purpose).

Things could get interesting if they try to get into the router now, of course...:-)

Re:Password

[Zocalo]

The boot time password could be put on a sticker and pasted to the machine -- it could even go next to the serial number.

If you are going down that route, it might as well be the serial number. My laptop and desktop both can display their serial numbers in their BIOSes, so why not a router? It's an ugly enough number to make people change it who need remote access and also a secure default for people who only need console access, providing that the router is physically secure, which is probably overlooked more often that the password. You'd be surprised how many people leave routers in data centers with their console ports accessible, and you just know some won't have password protected console ports...

On the otherhand, I'd prefer the approach of no default password set at all, but you can't access the router until a password is set.

Re:Password

[budgenator]

Just tell them "Shit, wonder who hacked the router, No wonder the pipe was so slow. We want a partial refund for lost bandwith..."

Re:Password

[hrieke]

Admin.
Which is why I will never own their wireless router. Too easy to hack into.
But on the plus side, the amount of things that you can do with these routers is rather limited, and I'd be more worried about some company's routers being cracked than some home user's.

Re:Password

[ncc74656]

Just tell them "Shit, wonder who hacked the router, No wonder the pipe was so slow. We want a partial refund for lost bandwith..."

As often as the damn service goes down, we probably should get a break on our rates. (Word to the wise: if your ILEC is Sprint, don't buy DSL service. They have yet to figure out how to keep a DSLAM running.)

Re:Password

[Stephen+Samuel]

I agree that no default password is best (this is, apparently, what Cisco does).
Serial number as password seems rather problematic, since the serial number can often be guessed. It is still better than the same password for all boxes. At the very least, it would slow down remote script kiddies attacking random boxes.

What if we don't own the routers?

[Mr.+Sketch]

We don't actually administer our routers? Our company has some contract through UUnet and the router is actually property of UUnet we don't even have the password to get in and administer it. So if it's comprimised, the blame should be placed on UUnet even though the traffic will look like it's coming from our company.

Re:What if we don't own the routers?

[phossie]

try "admin" (see above post )

;-)

Re:What if we don't own the routers?

[gavinmead]

We had the same experience with a router from PSINet (obviously a while ago).

Our solution was to go get a copy of the Cisco PalmCrack utility and get the en password for the router. Then we took care of our own security concerns.

PSINet never patched the IOS or took any active steps to ensure security. Perhaps UUNet is more responsible.

Re:What if we don't own the routers?

[gooberguy]

That is the same thing that is going on at my school. We have Bay Networks routers, which always have an account called User with admin privliges. I logged in, typed "disable ip route" and laughed heartiliy until I realized that I had just taken down the entire school's internet access. I had no ./ for 3 days!

D/\ Gooberguy

Re:What if we don't own the routers?

[Blrfl]

Mr. Sketch writes:

We don't actually administer our routers? Our company has some contract through UUnet and the router is actually property of UUnet we don't even have the password to get in and administer it.

Number one rule of good security: If you have no control over it, assume it's potentially hostile. Number two rule of good security: If you have control over it, assume it's potentially hostile. In short, add one of your own routers directly behind it.

So if it's comprimised, the blame should be placed on UUnet even though the traffic will look like it's coming from our company.

Well, then, tell them to put it on one of their own IP blocks.

Besides, everybody at UUNET knows that because of budget WorldCom's budget cuts, the password on all routers has been changed to "Il0v3Bern1E." Saves money on all of those pesky, expensive databases. :-)

Re:What if we don't own the routers?

[saridder]

Not that putting a router behind a UUNet administered one isn't a good idea, but if someone manages to get into the UUNet one, you will still be down if that's what they want.

Re:What if we don't own the routers?

[sulli]

Correct! If your router is 0wned by UUNet, then 0wned by a badguy, then UUNet 0wns the responsibility to fix it!

Home broadband = major problem?

[Durindana]

Home users are increasingly switching to broadband cable/DSL over slowmo phone co. lines. And home broadband routers like Linksys' are getting increasingly inexpensive; even wireless ones are approaching commodity pricing. What will be the fallout when there's a router in every home? Router Wars 2003?

Re:Home broadband = major problem?

[andykuan]

The linksys routers can not be configured from outside the local network so the factory-installed-password-attack doesn't work. Plus NAT routers inherently shield the systems on the "inside" which will, overall, decrease the number of compromised systems on the net. I think the use of broadband routers should actually help matters in the short run.

Re:Home broadband = major problem?

[yesthatguy]

I don't know that having the broadband routers will actually help, per se. I suppose that it may be less crackable than an open computer, but it's really out of the scope of this particular type of attack. There's not much to gain from screwing up routing to/from one user/IP address, which is for the most part all you could do by getting into a broadband router. The targets are more high profile, high load routers like those that carry the load for large bandwidth providers, and people with large chunks of IP space.

Re:Home broadband = major problem?

[Noxxus]

The linksys routers can not be configured from outside the local network

Actually, they can be remotely admin'd via http, though this feature is not enabled by default.

Re:Home broadband = major problem?

[andykuan]

Right. I should've been clearer about that.

One would assume that if a user is capable enough to change that setting, they'd be sensible enough to change their password to something other than "admin."

Re:Home broadband = major problem?

[einhverfr]

Linksys seems somewhat secure, though I never trust them.... Of course, I am Paranoid when it comes to network security, but the best of us are ;)

Cable modems are real problems, though but I would think that, given their architecture, they would be better used by botnets (zombie IRC clents) than by router attacks in terms of ease of attack.

Speaking of "botnets," anyone else amused at the resemblence to the name .NET?

Re:Home broadband = major problem?

[linuxbert]

home DSL Routers are wonderfull (i have one, I know) but usually act more like gateways then their big brothers from cisco.

cisco kit is usually attached big band bandwith pipes, and also has more features then a linksys.

cisco stuff can send out bad rips like you wouldnt belive, while a linksys can do rip, its usually not used in a home setting.. in fact @home filters that port to subscribers

basicly there not capable of the same level of dammage, and not much of a threat..

Re:Home broadband = major problem?

[Wansu]

and unless I leave all the settings in their default mode, (which is idiotic)

Out of curiosity, which of the default settings do you change on your Linksys router?

Routing Nightmare

[Renraku]

Why not just remove remote access from critical routers to begin with, and just have physical access to them? Unless your router is located in some unlocked janitors closet, it should be pretty safe from hijacking if remote access is disabled. But, everyone has to be lazy and have their remote access..somethings I can see, in some situations..but this is just lame.

Re:Routing Nightmare

[Soko]

My group is has ultimate responsibility for our company's Canada wide WAN based on Cisco equipment. We need to be able to see what the hell is going on when Joe Backhoe digs up the fiberlink in DucksAss Manitoba and knocks out Calgary, Edmonton, Vancouver and Victoria. We need remote access to verify that the telco is indeed down. Since we are also responsible for this WAN, we require the ability to completely control the routers at all times. Without a remote login, we would spend an awful lot on plane tickets. As well, we sometimes need to be able to get to our core routers while we're on the road. That's why remote login exists on this type of equipment - so we can do our job no matter where we are. It's only convenient in very few circumstatnces.

Dial in only to a modem connected to the aux port, you say? That's just another telnet when it comes down to it - you use the same user/password combo across an untrusted network. Call-back from the router? Again, limits us to one or 2 spots - unworkable.

BTW, it's not only rsh, telnet or even ssh that can be a problem - IIRC, there was a Cisco exploit based on SNMP. Something about the RW community string set to public? Like CodeRed, traceable to less than knowlegeable admins, but another backdoor none the less. If any device is connected to an untrusted network at all, it is susceptible to attack - period.

We're contemplating RADIUS or other authentication for the router and switch gear, but that introduces other risks and complications ($). Physical access only would be more secure to be sure, but real world demands kinda toss it out the ethernet port. Sorry.

Soko

Re:Routing Nightmare

[knick]

You've obviously never administred routers.

- 2 routers that connect are rearly in the same room. Having to be physically at each one is rarely easy.

- Most of the routers I support aren't in the same building I'm in, let alone city or state (some are in different countries). I really don't feell like doing that much traveling.

--knick

Re:Routing Nightmare

[Mr+Slushy]

everyone running a cisco router should do this.

Restrict access to the cisco vty to a list of known hosts. You can use ssh to get from anywhere to one of the permitted hosts, from there you can telnet to the router. If you have the rackspace available, drop an old 486 running *bsd/linux physically right next to each of your routers.

Add an acl to restrict access to the virtual terminals as follows:


access-list 2 remark vty access list
access-list 2 permit 192.168.0.0 0.0.0.255
access-list 2 permit 192.168.200.0 0.0.0.255
....etc....
access-list 2 deny any

line vty 0 4
access-class 2 in



As with any cisco ACL, be careful that you dont "cut off the branch you are sitting on". If you dont understand what the above ACL does, try it out on a test router before you install it on a router 5 timezones away.

Re:Routing Nightmare

[Soko]

Thanks - ACLs are always good. Already done on all our gear.

However, if the IOS has a security flaw, or the password is weak, well, you know the rest.

Soko

Re:Routing Nightmare

[GC]

That's pretty open... you'd normally limit vty access to perhaps a single host on a network and you may want to apply anti-spoofing access lists to your interfaces.

Another tool to use is a TACACS+ server. Cisco produce both a Commercial Cisco server ($$$) and an open source TACACS+ server called tac_plus.

tac_plus allows you to implement AAA (Accounting, Authorisation & Authentication). Which basicly means this:

* Central User Access Authentication for all your Routers, Firewalls & Switches.
* Authorisation for each individual command entered (on a per user, per host basis)
* Accounting (read logging) of all configuration changes on networking equipment.

Tac_plus is open source and compiles on nearly all platforms. More information can be obtained here: at Cisco.com

router security

[grue23]

Without reading the article, I'll just say that after spending a while doing network design/admin work, I have often noticed that routers and switches tended to have far less security than servers. Here's three big reasons:

• As far as I am aware there are no vendors that offer an ssh-like encrypted login for network equipment.
• Many vendors have backdoor methods of accessing their equipment that can be learned if one is beligerent about pushing a mission critical. tech support call to a high tier. These are sometimes needed to get special diagnostic or debug information. I know one major ATM switch vendor in particular that has a high TCP port login on the management ethernet interface that has a vendor specific user/password that is used not only for diagnostics but also for modifying system parameters.
• It has been my experience that many network admins simply leave the default user/password on their network gear, or use the same password for every piece of equipment.

Re:router security

[GPB]

As far as I am aware there are no vendors that offer an ssh-like encrypted login for network equipment.

Cisco, Juniper, and Foundry all offer ssh access. Albeit Cisco's implementation of sshd seriously sucks, but it still works (kinda).

Those are just three examples. I'm sure other vendors offer ssh/ssl access as well. Now if people choose to not use ssh in favor of telnet, that's another story....

-B

Re:router security

[rcw-home]

As far as I am aware there are no vendors that offer an ssh-like encrypted login for network equipment.

You're not very aware. Cisco Foundry Juniper [fill in the blank here]

Re:router security

[brettbender]

Expand your awareness... A router running Cisco IOS v12+ includes SSH support, as do PIX firewalls and Catalyst 6000 switches. I routinely use Expect and SSH to automate (securely!) maintenance tasks (e.g. ACL updates on the PIX) on my company's infrastructure equipment.

And if the piece of equipment doesn't have SSH support, or if you want to take your admin traffic entirely out of band, how about connecting an old PC to the serial console line? Run an sshd on the PC, and bang -- secure access.

Re:router security

[Polo]

Extreme Networks supports ssh2 on all their switches.

(disclaimer: I work for them)

Re:router security

[kernkopje]

And to complete the list of vendors that deliver network hardware with SSH support: Riverstone OS (ROS) also supports a fine sshd implementation...

Re:router security

[jo2y]

I've recently found that cisco has ssh support in IOS. It doesn't support 3des unless you pay extra, so ssh will complain about using an insecure des to connect.

Re:router security

[RollingThunder]

For Cisco, at least, that's an awfully limited supported list.

7200, 7500, 12000. Yay. What about the 3662 I used to admin? :/

Best I was able to decide on was having it only accept connections from the internal LAN, having a switch between it and the management box, and SSHing into the management box.

Re:router security

[mosch]

Perhaps you've never heard of this little company called Cisco, who is a minor player in the network equipment field. I have a huge quantity of routers and switches which all are accessible via *gasp* ssh.

As far as backdoors go, this little company called Cisco also requires physical access to the hardware to reset forgotten passwords and such, because they didn't build in backdoors for such purposes.

You should check them out. They're not too well known yet, but they will be after they IPO. Check out www.cisco.com for more information!

Re:router security

[mrdogi]

As far as I am aware there are no vendors that offer an ssh-like encrypted login for network equipment.

Actually, Cisco's higher end equipment does allow ssh-encrypted logins. I know for a fact that the 6509 line allows this, as I use it almost daily. You may have to pay for the upgrade, but it IS possible

Re:router security

[rcw-home]

What about the 3662 I used to admin?

Perhaps that documentation is out of date. Support is a lot more pervasive than that now.

Cisco claims to have added support for ssh for the 3600's as of IOS 12.1.

Re:router security

[fwc]

The official supported platform list is actually the 1700, 2600, 3600, 7200, 7500, 12000 and ubr920 series routers. Although I wouldn't be surprised if it actually works on any Cisco router...

The real limitation is that you must have an IPSec capable image on your router. Not usually a big deal.

Re:router security

[SiliconSamurai]

SSH is supported on all routers capable of running the IP Plus IPSEC feature set. The IPSEC feature set is required simply because SSH requires crypto support.

Of course no one seems to have mentioned the fact that you can use access lists and other forms of security to limit telnet/ssh access to your devices. Not to mention the fact that if you are telnetting to a rotuer you are generally doing it over your network... which allows you means to control access and prevent password sniffing.

-- Kevin

-- Kevin

Re:router security

[stripes]

As far as I am aware there are no vendors that offer an ssh-like encrypted login for network equipment.

As others have already said Cisco (some products), Juniper (all), and others. However it was not always this way. Cisco was utterly uninterested in ssh or krb telnet for most of the '90s (I worked for UUNET during most of that time, we did get to request features...). The first router (as far as I know) that did it was Ascend's GFR, and mostly just because it ran a Unix (BSD/OS?) on one board to do the control functions. Juniper was next (similar reason, FreeBSD on the control board). To this day I'm not sure if Cisco added it because people asked, or because people said "They already have it -- we'll buy one of those if you don't give it to us"...

Re:router security

[Tet]

As far as I am aware there are no vendors that offer an ssh-like encrypted login for network equipment.

Cisco do. But given that we were quoted £12000 per router to add ssh support, we decided to stick with telnet, and roll over to Linux routers as time and circumstances permit (there are still some areas where Cisco kit wins out, but not as many as there used to be)

Re:router security

[hiimlars]

Actually, Juniper has supported SSH since at least release 4.2 (currently at 5.5) and Cisco has provided SSH since IOS version 12.0.5.S.

Re:router security

[Cato]

Cisco have offered SecurID hardware token support (actually by supporting TACACS+ and RADIUS, which support SecurID) for a long time, but not everyone uses it, particularly in service providers. Cisco, Juniper and Riverstone all support SSH (Cisco supports it only in some IOS versions).

Like Telnet and most HTTP, SNMPv1 and v2 have passwords (community strings) in the clear, but that's why most people don't allow read/write functions from SNMP, only read-only. SNMPv3 fixes this, but it's still not that widely used.

Backdoors are (IMO) less frequent in routers, since most of these are out on the Internet, where any such backdoors would inevitably be discovered quite rapidly. I've seen vendors claim that they have no such backdoors, which tends to support this. ATM switches may be another matter since telcos often manage them via an out-of-band network, which probvides some security by disabling management from other network links.

Anyone who leaves the passwords set to defaults deserves what they get, but it's true to say that quite a lot of networks don't change the passwords frequently (if at all). Those that use TACACS+ or RADIUS authentication servers are in much better shape, since they can change passwords from a single point, and particularly if they use SecurID, which prevents a re-usable password from being used. The best solution is to use SSH, with the caveat that this has been known to have its own security holes - so you must be prepared to update your router OS images quickly if necessary.

Multiple layers of defence are a good idea - e.g. choose strong passwords, proper password encryption, and enable SSH, and then put on ACLs so that SSH is only permitted from a limited set of addresses.

Re:router security

[Arjuna01]

I don't understand how Cisco will not let you upgrade to the newest IOS (12.X) and upgrade the hardware. We've got some bugs that affect our 3640 routers every once in a blue moon, but its devastating when it happens. So we called Cisco, and they said this specific 12.X version will fix that and other problems, but your going to need more memory (~64MB). We bought memory from a third party vendor that was on Cisco's approved vendor list, turns out it was the same Samsung memory in it from the factory. So $300 for 3rd party memory vs. $3000 from Cisco (with discount). However, just about two weeks ago we received word from Cisco that the approved vendors list for memory had been scrapped. You must now buy all memory from Cisco...ugh! So we won't be upgrading anytime soon.

I am just curious why Cisco has subjected you to this treatment. Perhaps I am naive, but I certainly don't want this situation to arise at my Cisco shop. Please, enlighten me!

Re:router security

[saridder]

That's what happens once you get a huge market share. Try trading in some equipment nowadays.

Re:Cisco IOS

[!ramirez]

enable
password
config t
line vty 0 1
password 7 (insert password here}
^Z
wr mem


Oh yeah, real hard. 5 lines of commands is super difficult.

Quality of Company Hires

[Greyfox]

A large reason for all this security carelessness is that companies will hire the least expensive person "qualified" to do a job. Those qualifications generally being a buzzword or two on a resume. They will then load that person down with 5 to 10 times more work than he is even capable of, insuring that there is no chance that the slightest hint of security will find its way into the company. Again, the CIO will never catch any flack for this; his choices probably made the company's stock go up in the short term.

Re:Posts from idiots..

[geomcbay]

I'm not usually one to defend Slashdot editors, but I think his statement is valid, though he didn't properly clarify it.

The majority of DDOS attacks to date have relied of hackers breaking into many computers beforehand, often these are home computers (PCs) running over cable or DSL lines. Compared to that type of a system, a commercial router (particularly one located close to a backbone) is capable of a hell of a lot more traffic generation.

Who is building these DDOS networks?

[nelsonen]

Every so often when DDOS is discussed, there is mention that "someone" is acquiring DDOS resources and then "hiding" them and/or just not using them (yet). With the recent hijackings and now Anthrax, both surprises, is a massive DDOS attack in the works?? None of the DDOS network building discussions have talked about "who". Is there reason to have big worries about the internet right now?

Re:Who is building these DDOS networks?

[budgenator]

No Real Info but my hunch is yes. If I was in charge of NSA/CIA/DoD you'd be able to bet your bottom dollar that I'd have a whole shit pile of zombies in 'puters all around the world, just sleeping like moles in the KGB waiting for the day when a "response in kind" was called for. And with what has been shown by the s'kiddies, it wouldn't be hard to do.

Remember back to Desert Storm, DoD planted a virus in some Iraqi printers. I don't think the USG forgot that one, and that's just what we know about. How hard would it be, especialy if SSSCA is passed to plant a back-door in everything conntected to the net?

Also I think the other guys are doing the same, and the worst is yet to come.If your a NSA agent and you guys aren't already doing this, get a clue and start As far as using my computer "I'd rather be pissed off than pissed on" at least you retain "plausable denialability" using mine. I can't even imagine how many vulnerable machines are in Asia because you don't want to go to Microsoft to get patches when you're running a bootleg copy of Windows.

I'd guess that someone in USG,Unites States Government, is realy pissed that so much DDoS's are going on, they're more interested in collecting information than blocking it right know. Haven't you found some spooky stuff in your server logs? I know the Islamic terrorist hate the internet, as well as TV and radio, it lets people see/hear other view points. Other view points are dangerous to them, errodes their brain-washing. An effective DDoS attack would serve them just find, and if they destroy Microsoft along the way some much the better in their point of veiw.

Of course maybe I'm just paranoid, but being parnoid doesn't mean that everyone isn't out to get you.

Re:Posts from idiots..

[Theolojin]

A router IS a computer, you fuckwit. Usually a specialized computer with embedded software allowing it route quickly and easily. But routers are also sometimes servers or desktops; the machine I am typing this on is a router/desktop/firewall.
br.
tsk tsk. the original poster was simply using common, ordinary terms instead of the more specific terms that you apparently require. perhaps he should have stated, "the volume of noise a specialized computer [read 'router'] could generate absolutely dwarfs what a general-purpose computer [read 'computer'] could do."

theo
--
Life is short; think quickly.

So what should the home user do?

[UberNex]

Well since I certanly don't want my little home router being a bane to everyone else out there (it's a cheapo linksys; fire-resistant gear dawned!) and all I want is it to keep slinging data around my home's abundant supply of computers and out the wall, what could someone with a simple home system do to help make usre that their system doesn't become part of routerwarz02.

foosh.

Re:Posts from idiots..

[sr105]

Usually a specialized computer with embedded software allowing it route quickly and easily.

Didn't you just re-enforce the original post? Maybe the original post could have been clarified by using "personal computer" instead of just "computer," but it was still an accurate statement.

R.

Re:Posts from idiots..

[VRisaMetaphor]

So your computer + 6 NICs == 1 commercial router.

What was your point again?

Article on SecurityFocus

[Dr.+A.+van+Code]

The volume of noise a router could generate absolutely dwarfs what a computer could do.

Of course, a router is a computer.

I guess this isn't surprising, since they've been targetting DSL and cable Windows boxes as platforms from which to launch DDoS attacks -- moving up to the routers is, I suppose, the next logical step.

SecurityFocus.com has an article by Kevin Poulsen which addresses the issue. He talked to Kevin Houle of CERT. Here's an excerpt:

"What we see are routers with default and weak passwords being targeted," Houle said. After cracking a router, attackers can use it to launch straightforward denial of service attacks against an Internet site. Because routers can generate enough traffic to impede an end host, while standing up well to a similar counterattack, it's become a valued platform for cyber vandals engaged in online skirmishes in the mostly-juvenile computer underground.

"If I'm an intruder and I want to be well protected against people DoSing me, a router is somewhat better than an end host," said Houle.

A bigger threat

[ostiguy]

Is probably going to be piss poor devices for dsl/cable modem users. Cisco has had real trouble with some of their 6xx series dsl devices. Having 1 million poorly thought out (security wise) $100 devices on decent sized connections (cable/dsl) is probably just as dangerous as having 10000 poorly thought out 10k routers.

We have seen what code red and nimda did to cable modem segments. Cable is somewhat limited with a 2 megabit upstream limit per segment, so the real risk is just the segment blowing itself up, but enough devices on enough 2 megabit segments really starts to add up.

Cable companies need to realize: rushing out crappy cable boxes with insecurities (say to steal extra $$$ channels) is a threat only from smart hackers, and a potential loss of revenue (you don't know if they would buy those channels). Rushing out crappy cable/dsl modems can bring down segments, losing $40 a head across all those customers for that month (while my openbsd firewall was mildly annoyed, nimda brought down my mediaone segment for three full days+ = free month)

ostiguy
ostiguy

Re:A bigger threat

[tdye]

Slightly offtopic, but:

AFAIK, Time Warner doesn't give you a refund or a free month, no matter how often or how long you're without cable service. SWBell home DSL has no service level agreement, and DSL can be shut down for unspecified reasons for significant lengths of time with no recourse to the user. I routinely recommend that businesses avoid basic DSL for that exact reason: you can lose tons of productivity and you still have to pay for the crappy service.

In fact, several years ago the utility company dug through the T-1 line servicing Hoover's, Inc. in Austin, TX, and they had to threaten SWBell with legal action to get the 2 days of downtime taken from their bill.

Either Mediaone is very friendly, or you turned in a command performance on the phone with them. Either way, congrats!

Good router solutions

[justletmeinnow]

This is an awesome linux-based router solution that I've setup for clients in the past. Just like most OSS, whenever there's a vulnerability, they fix it fast, and you don't have to pay for a CCNE.

Astaro Security Linux

Cisco router security could be a lot worse.

[Nonesuch]

In my experience, Cisco is "the" router vendor in most large shops. Cisco does take an interest in security, and has primitive support for SSH on a number of their network product platforms.

Aside from the problem of default and backdoor passwords, there are huge numbers of devices deployed with SNMP enabled and configured with RO/RW community strings as public/private.

Any day now some crew will start distributing 'rootkit' firmware versions of IOS with zombie functionality in the binary.

When there is a critical security hole in IOS, Cisco has been very good about releasing IOS revisions with the fix even to customers without any Cisco service contract.

Re:Cisco router security could be a lot worse.

[SiliconSamurai]

Security is in this context is more due to the administrator than the hardware... which is true in most cases.

Cisco does not ship with SNMP enabled.

-- Kevin

Re:Cisco's a good reason why..

[windex]

Patched version, not new version. Old versions contain old bugs. They only release 'patch' versions when an old bug is discovered.

Need more facts!

[genka]

This article is short on details about using routers for DDOS. I heard about only one hole in IOS which gives "root" access to the router- an exploit of the embedded http server. Nobody I know runs it on their boxes. There is a risk of admins as educated as people who have IIS running and don't know it, but I hope that most of them only have one low-end router on ISDN link. By the way, is there a way to use router for TCP or UDP based attacks? ICMP flood with root access should be easy.

Re:Need more facts!

[thrillbert]

You don't need to have a hole in a router for it to be taken over. 90% (guestimate) of the routers of the world do ZERO logging. Which means that an attacker could sit there for hours on end doing a brute force password attack and no one would ever know.

Out of the last 6 companies where I have worked at in the past few years, 2 of them logged connects/logins/attempts. And I know of countless more that have no idea how to enable logging, nor what a syslog is.

So it's not necessary to have a hole in order to get enabled on a router, it just takes patience and a good brute force cracker with telnet capabilities.

Re:Need more facts!

[genka]

Yes, I agree. But we are back to the obvious now. Anybody who gives telnet access to the world and doesn't care about strong passwords and logging is asking for trouble. There is a ay to prevent it: require a license to operate a router! Just like you must have a license to operate a car, because you might kill other people, with cracked core router intruder may kill half of the Internet.

Re:FBI conTROLLed fake slashdot...

[isotope23]

Somwhere out in the matrix.......

"Subject Z-23 has just repsonded."
"Excellent, start the P0rn spam now."

The NSA and CERT agree -

[jgaynor]

The NSA has been saying this for a while now.

CERT has been saying this for a while now

Most CCNA's know just enough to get RIP running - and security in cisco manuals doesnt go much beyond passwords and locking your telco closet. They do publish more extensive book son the subject - for a price of course.

Im all for this - hopefully itll force companies to pay more for qualified network engineers. As it stands right now theyre paid 35k their first year out - thats pathetic for the amount of training required to put together large secure networks.

Slashdot effect on routers...

[diverman]

So... how much do you think the number of attacks on routers went up because of this post on slashdot? heh. I think CERT might need to revise their numbers now.

Cheers,
-Alex

what about cable/dsl "routers"

[Kewjoe]

you don't have much effect over how secured a Cable/DSL router is.. i have a Netgear RT314 and the most i can do is a bit of configuration and some firmware updates..

or is this spefically bigger routers used by companies?

Re:what about cable/dsl "routers"

[Lemmy+Caution]

It depends on the ISP. The ISP for our home DSL connection works with us pretty well - we have root access to the router, have agreed on the root password with them (sometimes having them do config is handy when we don't have the time), but we had the option of actually locking them out, at the risk of being on our own should we not update a route or something in time; I've set up a TFTP server to store configs, firmware images etc. But we're paying for the small-business account, too, so YMMV.

Our ISP is Megapath, by the way.

We don't need this

[reconbot]

Personally I don't understand why they're doing it. When you attack a server or a host you hurt the server or the host. When you go after a router you effect all the servers and host on the network it covers, or if the router is connected to other routers it will bring down the connection between them. Now the part I don't understand if why do this if it effects them too?

And frankly I've had enough of the normal server attacking DoS attacks. Since any "script kiddie" with a broadband connection or a few bots at his command can stage they're quite common and still a menace. In fact as I'm writing I'm getting attacked right now.

Re:We don't need this

[darkonc]

Now the part I don't understand is why do this if it effects them too?

Given that it's just as easy for me to crack my ISPs router as it is to crack a router in (say) Hoboken, I might as well crack the Hoboken one (presuming that I was up to such things).

Some script kiddies might be stupid enough to break the router that gets them onto the internet -- to that I can only say, "karma blowback".

The last point is that people who actually take the time and think about those kinds of issues aren't generally the kind of people who'll do things like this.

don't forget...

tripwire provides you no added security to stop people from breaking into your system. All it will do is tell you if someone has broken in. And its useless if you install it on a system thats been live for any period of time, since you can't guaruntee that it wasn't cracked in the time that it was live.

Now tripwire is good to have on a system, but it shouldn't be the sole security policy. Its a supplement, at best. Would you feel secure with no locks on your house but with a spiffy gadget that could tell you if someone had been inside? I wouldn't...

Re:don't forget...

[KingBozo]

Pain in the arse moderators. This should be modded, that is exactly what tripwire does, there is no protection or cleaning of the system it just tells you something has changed, and what that was.

Re:Posts from idiots..

[bperkins]

I think this critisism is a bit harsh. Under certain circumstances the statement is necessarily true, depending on how you interpret it.

A fully compromised router should be able to at least match, and probably almost always exceed the capacity to cause problems for any machine upstream of it than any computer downstream of it, since any computer downstream of a router can't generate traffic any faster than that router can
This is true as long you make certain assumptions about how the router works, how computationally intensive the attack is, and the geometry of the network(*).

Also, the statement: "A router IS a computer, you fuckwit," is inflamatory and pedantic. For the purposes of what we are talking about a computer is something that traffic flows to and from, and a router is something traffic flows through. Everyone knows what he means, and the distinction is conceivably instructive; according to the article more DOS attacks are coming from things that are called routers. Lumping routers in with computers may be technically correct, but is not helpful. The aim of the article is to get out the message that the things commonly called routers are causing more DOS problems than things commonly called computers.

* E.g. assuming the router can do more than just copy traffic, that the attack doesn't require a lot CPU to generate the data for the attack, and there aren't many paths from the attacker and the attackee.

it's the password not the router

[andykuan]

The article seems to indicate the use of factory-installed passwords as the problem. There's nothing inherently more vulnerable about routers other than the fact that the people configuring them tend to think of them as peripherals (like a printer) rather than as computers.

That said, how often are Cisco routers vulnerable to this kind of attack? I've set up plenty of Cisco routers and if I'm not using a startup config borrowed from one of my other routers, I'm using the "setup" routine that prompts me for a password. Seems like most admins worthy of the title wouldn't use "password" as a password when prompted.

Though I guess they may be referring to the zillions of low-end Ciscos carelessly dropped into client-sites -- but those are supposed to be centrally managed, right?

Re:it's the password not the router

[ruebarb]

well...there's enable secret SECRET, PASSWORD, CISCO -

those are the three I've seen the most.

Re:How do I tell if my machine is cracked?

[Dr.+A.+van+Code]

Are there tools to detect changes made by crackers? One of my nightmares is a rooted zombie server that looks perfectly normal to me, but had several backdoors inserted...

An integrity checker such as Tripwire is what you want, and !Squalus pointed out that there is a version of Tripwire for routers.

The idea is this: generate secure hashes of all critical files, using a secure, one-way hashing algorithm such as SHA-1 or MD5. If those files are changed, hacked, or even damaged by hardware failures, comparing the old hashes will reveal that the files have been altered.

In practice, it's a little more complicated. Many files will change, or be changed, in the normal course of operations of a system. Imagine, for example, a clueless sysadmin who ran an integrity checker against all files on a system, and then freaked out because the log files had changed. So it is necessary to have clueful admins who will be able to understand which files are critical and can distinguish between proper, permitted changes and hacker intrusions.

As I'm sure you know, such clueful sysadmins are in short supply.

Another issue in some cases, like virus detection, is that the operating system itself must be trusted while the hashing is taking place. There are stealth viruses that can intercept reads to infected files, and make them appear clean. Or at least, there were, back in the days of DOS. In theory, the same thing could be accomplished by hacking a unix kernel.

For more information on secure hash algorithms, the best reference is Applied Cryptography, 2nd ed. by Bruce Schneier. I'm sure Tripwire has plenty of info on their web site, and a search for "integrity shell" or "secure one-way hashing" would, no doubt, turn up scads of resources and references.

HOWTO crack routers - Funny+Serious

[robvasquez]

1: Port scan a known network to have DSL routers, ISDN routers, switches or cable modems or what have you. Your own ISP works great.

2: Take your list of open telnet ports, and corresponding IP's, and telnet into them.

3: Using the PDF files of the router docs, log in using the default passwords and wreak havoc. Remove routes, telnet into other boxes on their internal network.

It's really sad how many of these are setup and forgot about, leaving Joe Business Owner wide open. People don't think twice about changing passwords, disabling WAN access, etc etc

Don't even get me started on HP JetDirects !

Re:HOWTO crack routers - Funny+Serious

[sulli]

So what's your IP?

Seriously, JetDirect lets you set up filters to limit printing to specific IPs/subnets. Which I did with mine.

Re:The Feds should have a back door...

Back door...Hoover would have liked that.

Re:Cisco's a good reason why..

[DeathBunny]

Untrue. You don't need a CCIE, just a CCO (Cisco Connection Online) login to cisco's web site. Buy a support contract for 1 of your routers and you can download any damned IOS you want!

ssh access to router

[Empty+Sands]

Allied Telsyn do for a lot of their routers.

whatever.

[No-op]

Cisco IOS updates easy to get. if you have a serial # on your router, you should be able to finagle yourself a CCO login from that. either that or find someone else who has one to use.

And even if you aren't LEGALLY supposed to use the update, it's not much of a big deal really... quite a few people I know just update them, and don't care much about the actual licensing part of it. it's abstract enough that few can find out about it anyway.

I'm not advocating theft, but to say that you don't have a CCIE around is a load of BS.

I'm not going to let the lack of a support contract stop me from securing a product that I spent a bunch of money for.

besides, when you have a WAN with say, 200 2600's or so, you only need a few registered routers. just switch around between good/bad ones for support calls :)

Routers, Microsoft, USA

[RazzleDazzle]

Why is it that we (meaning big companies like Cisco, US government, Microsoft, etc) have so much trouble? Just look at all the messes! Sep 11, nimda, code $color_of_choice, DMCA, etc! They are almost always in the business of fixing problems after they become problems!!! ARGH!!! That is one of the most beautiful things about Free and OS Software... a lot of problems get fixed before (out of proportion just like in any estimation done by any research/analysis study) $trillions in losses occur due to some major effing catastophe. Why?? pre-emptive code auditing. Free/OS software is expected to have flaws and faults that's why people are encouraged to look and examine the code! Find, fix, enhance!

Now, the US Gov, Microsoft etc. seem to not care (they don't seem to make outward attempts anyway) if what they are doing is stupid/wrong. Let's bomb Iraq 4-5 times a month then complain Saddam is a threat to freedom and is happy about Sep. 11! Hey, let's just act like we own the place then millions of people get pissed off at us and we call THEM terrorists because our way is about freedom and you must be against freedom if you are against us!

...(Back on topic now)
When a router is hacked (especially big ones) they have the capability to use a DOS attack on a mammoth amount of people. DOS = denial of service.... not just packet flooding. Imagine if you changed the DNS information or routing information and starting sending EVERYONE from the router to slashdot.org. I am sure Slashdot would drop like a rock. Plus all those people can not view any website and no one can view slashdot. That is a huge DOS. Why are routers easy targets? Monopoly.

I don't know any current stats but like in 1998 or 1999 something like 80% of the internet infrastructure was Cisco based. I am sure there are at least one common flaw amongst most Cisco routers. Some say it is that reason, others say it's incompetent admins. I say a little from column A, and a little from column B. Cisco needs to make IOS upgrades easier to obtain. Go buy a Cisco router off of ebay and try to upgrade the IOS. Aint going to happen unless you are a CCIE or have a service contract with them. Of course there are illegal ways as well. The point being, you probably are screwed. And to the admins... please... read documentation and understand what you are doing and do it with prior thought before you plug in and turn on. Don't use exec password:cisco and enable password:class (It has been a while since my Cisco training... do they still use that for the lab routers?)

Excuse me while I /usr/libexec/locate.updatedb

Slightly OT but...

[Lostman]

I would think that although major routers being hacked could stall the internet, the real threat STILL exists with computer viruses... at least the real threat economically...

For one, a business can still operate if the network goes down.. that isnt THAT big an issue... ("Sorry fellows, we wont be sending you home just b/c are network is down"), but if the computers that are being operated/worked on could be sending out data and proprietary information... well.. :)

Also, for home users... the kind who trust the benevolence of the economic cookie.. you know which ones: "Save my credit card information" on amazon/barnesandnobles checked, along with "Save login information in a cookie" always selected... all that has to be done is to buy up 5-6 items and send to dummy addresses (random ones) before the normal computer user REALLY cares about viruses.. which makes me ask--> why hasnt it happened before? Why hasnt a major virus (code red and nimda anyone?) made purchases after the computer has gone idle for K minutes using the cookies stored on there?

Anyways, I may be wrong..

You're the reason routers get broken into

[ruebarb]

dear rocket scientist..

Cisco Type 7 passwords are a very basic hash that anyone with some utilities off the internet can crack...

Type 5 passwords (or enable secret) - are encrypted with a much higher quality hash that I believe is resilant to everything but a brute force attack.

Before trying to diminish someone to make yourself look smart, it would help if you gave advice that didn't make everyone's router crackable.

Re:You're the reason routers get broken into

[Baz+Quux]

Doesn't one have to already be enabled to see the encrypted passwords in a running config, though?

Re:You're the reason routers get broken into

[Dom2]

I'm not sure which number it is (5 or 7), but the enable secret passwords are encrypted using the FreeBSD password algorithm, which is to say, MD5. It was implemented by Poul Henning-Kamp ( http://people.freebsd.org/~phk/ , look at the "beerware" bit). The algorithm is a lot stronger than the the old DES based unix scheme. And a lot harder to brute force.

-Dom

Re:You're the reason routers get broken into

[hiimlars]

If the configs are stored on a centralized ftp/tftp server (common practice for large networks) that has been (just imagine) comprimised, then no, you don't need to be enabled on a router to get the password.

This is why the passwords are stored encrypted anyway, though why Cisco keeps the type 7 as the default I have absolutely no idea.

ACL's on vty lines

[-audiowhore-]

access-list 1 permit
line vty 0 4
access-class 1 in

ummm.....not too dificult and unless the version of IOS running is vulnerable, this will restrict access to the vty lines ala tcp wrappers.

Re:ACL's on vty lines

[-audiowhore-]

whoa dropped some of the syntax :)

access-list 1 permit (management

Re:ACL's on vty lines

[Cato]

99% of Cisco routers don't support read/write SNMP, so this is not as big a hole as you suggest - you can't just upload a new config typically. Of course, admins should change the SNMP passwords, and set ACLs on SNMP so that only a few hosts can do SNMP queries in any case, and ideally use SNMPv3 authentication/encryption.

Moderators?

[silicon_synapse]

How is this a troll? He's absolutely right. It's all politics.

Re:Cisco IOS

Even better, add an access-list to the vtys (acts the same as a hosts.allow in unix)

line vty 0 4
access-class 99 in
password 7 xxxxx
login

access-list 99 permit 1.2.3.4 0.0.0.0

(that 0.0.0.0 is a wildcard mask, not a netmask for any non-cisco types that read this).

And of course an enable secret is a useful thing.

Hell if you want to make it even more secure and easier to change the password in bulk for multiple routers, set then up to authenticate to a radius or tacacs+ server and have no local accounts configured (you can still get to it on the aux or com serial ports if the link to the auth server dies).

Moderators!?

[silicon_synapse]

What's with the moderators tonight? They seem worse than usual. The above comment is a legitimate question.

Re:Moderators!?

[NightRain]

lol. Man, whoever mod'ed this up should of saved their little moderator point and modded up the post he was talking about. I mean really, if you agree with his point, how about fixing the problem :)

A shot at MS' keep-it-quiet strategy

[re-geeked]

Can be found on page 14:

"Time-To-Exploit Is Shrinking

Exacerbating the sophistication of attacks and the abundance and susceptibility of targets is a shrinking time-to-exploit. The window of opportunity between vulnerability discovery and widespread exploitation, when security fixes or workarounds can be applied to protect systems, is narrowing. This is, in part, due to the large existing code-base of attack tools than can be used to develop new tools as exploits are written for newly discovered vulnerabilities. Another element causing this trend is a trend toward non-disclosure within intruder communities. Rival groups will often keep new exploits and attack tools private to gain some advantage over other rival groups. Tools that are exposed to outside groups often become obsolete through competitive analysis and are quickly modified, making the lifetime of many attack tools very short. Anti-forensics techniques are now commonly employed in the design of intruder tools in an attempt to increase the lifetime of the tools by limiting the ability of others to determine the function of and defense against an attack tool. Thus, when public awareness of an exploit method or attack tool does rise, the method or tool is often already in some degree of widespread use."

In other words, the bad guys love the practice of not sharing info on vulnerabilities.

A corollary of this is that closed source code is a gift to these guys.

Re:A shot at MS' keep-it-quiet strategy

[Phork]

CLosed source is not necesarily a gift, sometimes there are more people auditing closed source code than open source code. It is not often a full code audit is done on a large open source project, it is a time consuming proccess(just ask the openBSD folks). And sometimes, the only people who do the auditing, are hte people who wont share the problems.

no, no, you have it all wrong

[DiveX]

What you do is use slashdot to your advantage. Instead of sending an email tell him to "go read this article" you should work it to you distinct advantage. In this case you should talk to your boss and say "You know, I was thinking that our router might not be secure. In my efforts to help the company, I have done a little research (carbon copy info from article here) and have some comments about it (carbon copy posted comments of Score:4 or higher). It won't be long before you are giving a bigger paycheck because you are the only one coming up with all this incredible information on a daily basis. Trust me...it works.

This is why my system is my router

[Jason+Straight]

Sangoma.com - nice T1 cards that add a DSU to your linux box so you don't need a cisco ;)

Simple starting config

[sirket]

!
! Serial Config
!
interface Serial0/0
ip access 101 in
ip access 102 out

!
! Inbound list
!
no access 101
! Deny incoming with our netblock (a.b.c.d)
access 101 deny ip a.b.c.d 0.0.0.255 any
! Permit established connections (not necessary but just to be safe)
access 101 permit tcp any any established
! Deny incoming with 127. source address
access 101 deny ip 127.0.0.0 0.255.255.255 any
! Deny incoming with reserved address
access 101 deny ip 10.0.0.0 0.255.255.255 any
access 101 deny ip 172.16.0.0 0.15.255.255 any
access 101 deny ip 192.168.0.0 0.0.255.255 any
! Block "land" attack (source and dest same as interface port)
! Serial Interface
access 101 deny tcp host a.b.c.d host a.b.c.d
! Ethernet Interface
access 101 deny tcp host e.f.g.h host e.f.g.h
! Block all router access except from us (a.b.c.d)
access 101 permit TCP host a.b.c.d host e.f.g.h eq telnet
access 101 permit TCP host a.b.c.d host i.j.k.l eq telnet
access 101 deny TCP any host e.f.g.h eq telnet
access 101 deny TCP any host i.j.k.l eq telnet
access 101 permit ip any any
!
! Outbound list
!
no access 102
! filter outgoing packets without our source network address (a.b.c.d)
access 102 permit ip a.b.c.d 0.0.0.255 any
access 102 deny ip any any

Try at least putting a simple config to protect access to your router. This will work for a Cisco. For more advanced options, try blocking _all_ traffic to the router instead of just telnet access. This ruleset will block access to the router, and protect the network behind the router to some extent.

-sirket

Re:Simple starting config

[sirket]

When blocking access to the router, make sure that you block access to all of the interfaces (e.f.g.h _AND_ i.j.k.l) i.e. all serial and ethernet interfaces.

-sirket

How to secure your cisco router

[lanner]

first, we will assume that you have a cisco, IOS based. If you are using something else, there are other ways to secure your system. I place actual commands in "" quotes. Many of these commands are applicable for IOS based switches too.

Juniper, Unisphere, whatever, has similar precautions that you can take.

http://www.cisco.com/warp/public/707/

Common sense should apply. If you are an idiot, then there is no helping you, and please read no further. Just take your router offline so that you do not harm my network when the time comes for you...

Secure the console;

Turn HTTP servicing OFF!!!

If you use the internal web server to configure your router, you are probably not qualified to work on the thing period. There have been a string of exploits to the http server function, and if someone get's your browser history, you are screwed. Use telnet. Same thing for any cisco CBOS based router (DSL, cable, ISDN).

"no ip http server"

If you have a 12000 or some of the higher end routers, you can ssh to it. Lesser routers, such as anything less than a 7500 can only use telnet. This sucks, but it is what cisco offers. (if you have a PIX firewall, ssh is available from version 5+ or something similar). You can always use IPsec if you have the IOS for it.

Require local authentication to the console, add a 15 minute idle timeout, and other good stuff;

"line con 0"
"exec-timeout 15 0"
"logging synchronous"
"login local"
"transport input none"

Same thing for telnet sessions;

"line vty 0 4"
"exec-timeout 15 0"
"logging synchronous"
"login local"
"transport preferred none"
"transport input telnet"

Access list telnet access to special subnets! This is VERY VERY important;

Add "access-class 5 in" where you have the following access list on the router;

"access-list 5 remark VTY.ACCESS.CONTROL"
"access-list 5 remark 10.3.4.1/32"
"access-list 5 permit 10.3.4.1"
"access-list 5 remark 10.22.33.136/29"
"access-list 5 deny 10.22.33.128 0.0.0.7"
"access-list 5 permit 10.22.33.128 0.0.0.15"

Do not forget the aux port;

"line aux 0"
"login local"
"transport output none"

Authentication;

Use enable secret, NOT enable password!;

enable secret blah-blah-blah-md5-encrypted

Make at least one local user;

username bob password goldfish

Use TACACS+ if you can, and if you have multiple routers. Otherwise, just use a local login. Cisco lets you download TACACS+ if you know where to look;

http://www.cisco.com/warp/public/480/tacplus.sht ml

Encrypt your passwords too;

service password-encryption

Log stuff, and know when stuff happens;

Turn on logging;

"service timestamps debug datetime msec localtime show-timezone"
"service timestamps log datetime msec localtime show-timezone"
"logging buffered 32000 debugging"

Hate log messages on the console?

"no logging console"

Use "term mon" when telnetting to get live logging messages. Use "term no mon" to turn it off.

Synch to an NTP server so you know when stuff happens;

"ntp server 1.2.3.4 prefer"

Get NTP servers here;

http://www.eecis.udel.edu/~mills/ntp/servers.htm

Interfaces;

EVERY DAMN interface should have the following, unless you know better;

"no ip redirects"
"no ip directed-broadcast"
"no ip proxy-arp"
"no cdp enable"

Route RFC1918 traffic to null0. RFC1918 specifies that this traffic should not be routed. I do not know what NANOG's position on it is;

ip route 10.0.0.0 255.0.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0

Turn CDP off, if you can. There is little reason to use it;

Turn it off, on ALL interfaces;

"no cdp run"

Turn it off on an individual interface;

"no cdp enable"

Damn, now wasn't that easy? No? Of course not! People who do networking get paid some serious cash, because it is serious business. Put a fool on the console and your business is going to take it in the ass! Way too many businesses let fools take care of their networking, or better yet have nobody do it at all.

Re:How to secure your cisco router

[lanner]

The "access-class" command goes under the "line vty 0 4" subsection.

"term mon" and "term no mon" are enable command line options, not configuration command options.

I missed a lot of quotes in various places. Oh well.

Re:How to secure your cisco router

[Zocalo]

One other thing:

Do NOT leave router configs lying around, especially not Cisco ones as the passwords are as they are so trivially encrypted it's untrue. The following from l0pht should illustrate:

#!/usr/local/bin/perl

@constant = split //, " tfd;kfoA,.iyewrkldJKD";
$length = 22;
$i = 0;
$passwd = $ARGV[0];
$zlength = length($passwd);
$plength = length($passwd) / 2;

while ($i < $zlength)
{
$temp = substr ($passwd, $i, 2);
push (@new, $temp);
$i = $i + 2;
}

$start = $new[0];
$count = 1;

print "\nThe decrypted password -> ";

while ( $count < $plength)
{
print $constant[$start] ^ pack(c, hex($new[$count]));
$start++;
$count++;
if ( $start == $length )
{
$start = 0;
}
}
print "\n\n";

Re:How to secure your cisco router

[bfree]

Can anyone else say DMCA violation! Now if the above is not Free Speech I do not know what is! I can see at a glance (because I understand the language) that the password is stored in the file incredibly trivially (i.e. it is not encrypted, it is simply obfuscated to avoid the password being recognisable at a passing glance). It seems in fact to be deliberatly easy to decrypt just so that people can recover passwords from it in their heads (if they know ascii tables). This is an informative critique of the cisco system and an appropraite part of a discussion on their administration. Now if Cisco threaten action under the DMCA would this be a perfect test case for what we really want to protect, or would the potential cracking link mean we would all rather the Felten case or .....
I am not an American btw and my interest is in seeing this law quashed. I'm with AC that we should do all in our power to protect ourselves from it at the expense of the US until the cost (what else would the US administration understand other than money) is so great they repeal the law. I hope the original poster is not American or planing on going there before the law is quashed cause if he is we all know what could happen!

What about Freesco?

[Beowulf_Boy]

I use Freesco (a free linux distro on a floppy) as my router/firewall. Anyone here ever used it, and know how crackable it is?
I have all external services off, but I'm still kinda worried as to how easy it would be for someone to mess with it and get on my internal net.

One-time passwords

[cvanhorn]

Where I work we use one-time passwords. We have special cards that you punch in a personal code and it gives you a one-time use password that expires after use or after 30 seconds. The routers authenticate using TACACS to a server that is synchronized with the cards. Makes it nearly impossible to break into them remotely.

Another thing router admins need to be aware of is the way they set up SNMP. SNMP can be used to modify just about ANY part of a router. All the attacked needs to know is the read/write string (basically a static passsword). And because SNMP uses UDP, it has the potential of being spoofed if access lists are used to determine which machines may send SNMP commands. The only way to guard against this is edged filters everywhere and keeping the location of the password server and SNMP allowed hosts in a secure segment/area.

IOS rules;config checking tool

[eludom]

I have developed a tool that will check IOS
configs against the NSA rule set. If you're
interested in testing, drop me a note at

gmj AT users dot sourceforge dot net

Also, for reference, here are three good sources
of security configs for IOS:

# "NSA Router Security Configuration Guidelins", NSA, September, 2001
# http://nsa2.www.conxion.com/cisco/download.htm
#
# "Improving Security on Cisco Routers", Cisco, October 17, 2001
# http://www.cisco.com/warp/public/707/21.html
#
# "Secure IOS Template Version 2.3", Rob Thomas, October, 2001
# http://www.cymru.com/~robt/Docs/Articles/secure-io s-template.html

Well, in that case...

[devphil]

So if it's comprimised, the blame should be placed on UUnet even though the traffic will look like it's coming from our company.

That's why we have lawyers. UUnet would be responsible for paying the 1.7e49 dollars, once you proved this in court.

This will be treated as flamebait on /. but there are good uses for the justice system.

ACLS DUH?

[slappy_guru]

If you allow telnet into the router without using an ACL to lockdown the vty access to all except trusted stations inside your network...You should be hacked and then fired.

You'd be suprised...

[gmplague]

You would be suprised how readily you can find routers (important ones!!) that use default passwords... try writing a little perl script that will traceroute to slashdot, cut up the output, and goes through a database of default passwords (this site has one), or even just cisco/cisco or enable/cisco in a telnet connection (99% of the time to port 23). I would be willing to bet that if it takes 10 hops to get there, 4 of them will use default passwords. AND THIS IS ON THE BACKBONE!!! Just imagine the number of routers sitting on the edge of a corporate network as their principle gateway that use default passwords. Scary. Very scary.

(some) cisco routers have insecure default

[TufelKinder]

This was demonstrated some months ago when I was tracing a friend of mine's network and noticed they were using a router on their dsl line.

Apparently their (SLC, Utah) dsl provider was recommending/providing the same model of Cisco router to many of their clients, because by simply pinging down a list of nearby addresses, I was able to telnet into the routers -- with no login, as the access password was by default blank.

The scary part is two-fold in this situation:
1) the user's username and password were stored in plaintext on the router and
2) by telnetting to the provider's site, you could login and see the user's account information, such as address, etc.

This _seriously_ freaked out my friend! :-)

research question

[Erris]

How do I enable inbound port 80 for my crappy ToS @Home cable box?

bad passwords on cisco routers

[idg101]

I worked for a company this past summer who had DSL through ALLTEL. I dont konw if ALLTEL set up the routers, but the default password to get into them was cisco. Unbelievable. I needed the information to open up ports to run a server, but anyone could turn an entire companys internet with like a handful of keystrokes.

One solution and tradeoff

[einhverfr]

Use comodity hardware with FreeBSD or Linux on it. Add the security utilities you want. The Linux Router Project is one possibility, and I am working on one with a little more flexibility and extensible security (yes, if you are interested, you can write me).

This sort of solution allows you to make your security solutions as extensible as you want, but then you do have to support it yourself, unless you can find a vendor...

Re:One solution and tradeoff

[PurpleFloyd]

This sort of thing is really not applicable here. Why?

Commodity hardware is designed from the ground up to be a general-purpose machine: it can word process, serve files, or act as a router. This kind of hardware really shines in the home/small biz market -- it's CHEAP! Still, that lack of focus means something else: lack of speed. Someone using a Cisco 12000-series router (takes up an entire friggin' rack, weighs ~175 lbs IIRC) simply couldn't use a 486 running *nix. The big-iron routers are built from the ground level (hardware design) up to do only one thing: route packets. Put a PC with a heavy-traffic gigabit fiber LAN backbone link on one end and an OC-3 on the other, watch it burst into flames. A big-iron router could handle that without breaking a sweat. The router OSes, too, are built to handle high-speed links and nothing else. When you need to handle 10Gb/sec across a 'net backbone, a *nix box just won't cut it.

Securing Cisco Routers

[SiliconSamurai]

There are alot of resources available on security... everyone knows that security begins with a decent policy. When it comes to securing Cisco routers the following links may be useful:

From Cisco:
http://www.cisco.com/warp/public/707/21.html

From the NSA:
http://nsa2.www.conxion.com/cisco/index.html

Its not a solution, but its a start

-- Kevin

Some more info on the issue...

[quan2m]

Cisco switches can use ssh as of CatOS 6.1(look for images with k9 in the name). 12.x IOS also offers ssh and kerberized telnet. Also notice that Cisco is only sshv1 capable. This is pretty much standard throughout all vendors.(Foundry,Juniper,Cisco and I believe Nortel/Alteon)
http://www.cisco.com/univercd/cc/td/doc/product/so ftware/ios120/120newft/120limit/120s/120s5/sshv1.h tm
Quoted from Cisco on the sshv1 vs sshv2: "Primarily, Cisco wishes to keep its engineering talent working on core features within devices rather than developing and maintaining other features that provide infrastructure security through encryption." On sshv1 vulnerability as demonstrated by Dug Song and response from Richard Silverman. http://www.groar.org/pres/MonkeyInTheMiddle/Monkey InTheMiddle-en.html#toc2 http://sysadmin.oreilly.com/news/silverman_1200.ht ml
Hope that helps...

The Router/Switch Mindset Problem

[buffy]

I think core to this particular issue is mindset. System Admins have been, for years, told to upgrade--stay current with security patches for your particular operating system.

Router/Switch maintenence is different. How many Cisco users out there a familiar with the "fix on fail" SOP. I've found many a tier-1 support staffer reluctant to let you run off patching things that may not need it.

Routers/Switches are very commonly more important (read: requires less downtime) than any single machine on a network. In an environment like Exodus, Level 3, GlobalCenter, ..., downtime on a core switch is serious business. If it's working, there's a definite desire to not break it.

I identify with this mind set (and if you don't you're probably not a very good admin---running apt-get update/apt-get upgrade every day on a production system is a BAD, no...REALLY BAD idea.) However, let me say clearly, that this is obviously a wrong way to think about things.

How do you tell what ROM/BIOSs to flash? What patches to install? You have to do your research. If you blindly install a new super duper patch, and it breaks NFS on your server, you probably should've read the ChangeLog or Release Notes--it probably mentioned that something changed, or theres a dependancy--or worse yet, that there are configurations with which the patch is incompatible. It happens.

There's no easy way, than to understand what you're doing. Read the docs. You have to be willing to dedicate the time to make sure you're doing the right thing, and your bases are covered.

If you don't--you deserve what you get. If you don't learn from the experience, that'll probably include being fired.

Not preaching here...just passing along uncomfortable experiences.

"Yeah, um...hi. Cisco support? I just installed this patch, and..." Ugh.

Thanks for the suggestions

[Spinality]

Thanks for taking the time to provide this level of detail. Moderators: consider modding up the parent.

I would say that this kind of advice would be (even) more useful if it could distinguish between protection against internal threats (e.g. aux port -- I can't think of any non-physical level threat there) versus legitimate external vulnerabilities (e.g. telnet access) and stupidity vulnerabilities (e.g. using default passwords or ip redirects). Or to put it another way: it might be more readable as a block-commented script, explaining why you do what you do, rather than this narrative of advice with quoted commands.

But basically, the take-away for novice admins is: know what the f@#$ you're doing, and, if you don't, please get some help. Much of this is not rocket science (speaking of which, check out this); decent security just takes a little spade work.

Re:Posts from idiots..

[Animats]

"A router IS a computer, you fuckwit,"

Actually, no. Most of the big backbone routers today do most of the work with special-purpose hardware devices, hardwired to do basic packet forwarding functions. Most packets never reach a general-purpose CPU going through a big router. There are general-purpose CPUs in there, but they're for control and exception handling. Without such hardware support, gigabit networking wouldn't be feasible.

Re:How do I tell if my machine is cracked?

[Hanno]

Troll? How can the parent be modded "troll"?

10Gb/s ? [was: Re:One solution and tradeoff]

[defender]

10Gb/s is something which even the 12xxx series can't handle properly.
I've seen a *controlled* *test* setup where around 3.5Gb/s was inserted into a 12000, then was router over DWDM-fiber (tested upto 90Gb/s by the supplier) and went through 4 12000's in total (infrastructure guaranteed at 80 Gb/s) and it came out at a mere 2.6Gb/s. The loss occurred at *every* 12000 series router. And that network is supposed to be at 80Gb/s backbone capacity in roughly two years.

If those Cisco's loose that much traffic at *sub*-10Gb/s speeds, I don't even want to know what happens at 80Gb/s.

Overall, I think the big difference between Cisco and for example Foundry is that Cisco is betting on the *software*, where as Foundry is doing all their stuff in specially designed ASIC's... But then again, our BigIron 8000 won't be capable of routing IPv6 at wirespeed, because we'd need a new backplane. Cisco's: just upgrade the IOS; but in the end a Cisco is just a very powerfull computer, with some help from ASIC's, but it all boils down to their CPU and bus-structure and interface-cards...

In the 12000 series a slot can hold 1 (one!) 10Gb/s card or a card with 3 (three) 1Gb/s interfaces... Anyone doning the math ?

Ahem... Now to do something productive ;)

Configuring a Cisco router to Dos a Website...

[GC]

would be particularly easy.

router>enable
router#conf t
router(config)#int tunnel 0
router(conf-if)#tunnel source
router(conf-if)#tunnel destination
router(conf-if)#^Z
router#conf t
router#ip route 0.0.0.0 0.0.0.0 tunnel0

Or thereabouts... This creates half of a tunnel to a peer, which would normally be a router configured to tunnel back... but in this case we just configure the router to send all it's traffic to the victim...

Re:Configuring a Cisco router to Dos a Website...

[Orion2]

Hmmm - usually you can't route traffic into an interface that's not "up/up", since a route does not appear in the routing table for a "down" interface, right? And without a partner to accept the tunnel, the interface tunnel0 shouldn't come up.

Or am I missing something?

Lucent Routers

[Richard_at_work]

When my company had our leased line installed we had a Lucent Router installed (forget which model, not the current router we have) and beleive it or not, we couldnt alter the default admin password untill we had upgraded the firmware 4 times! Who is going to bother doing this if they have 5 or 6 routers they are deploying! its bad. very bad.

ssh is available on ALL IOS w/ encryption feature

[forged]

If you have a 12000 or some of the higher end routers, you can ssh to it. Lesser routers, such as anything less than a 7500 can only use telnet. This sucks, but it is what cisco offers.

You are so wrong with the above statement. Provided you have an encryption Feature Set (IPSEC 3DES or IPSEC 56) you can ssh to your router. No matter if it's a 801, a 12416 or anything else in between.

Read more about requirements + configuration of ssh on IOS routers here and for further ssh-related reading on Cisco platforms, go here.

Re:Cicso blah blah!

[Arjuna01]

What do you use then? How does one stay compatible with the rest of the world if they don't use Cisco who IMHO seems to pioneer the standards for routing/switching.

The company I work for now made bad decisions by buying overpriced 10mbit/half duplex Synoptics equipment back in the day. Synoptics was sold to Bay Networks, Bay Networks was sold to Nortel. However, the problem was when they sold to Bay Networks they all but scrapped any parts or support we could get. We had to beg for Y2K upgrades. At least with Cisco we know what we are getting excellent support even for EOL devices, and if needed we can always buy spare parts of eBay.

It's not the kids on IRC

[MadAhab]

Is it the kids on IRC? No, Some Adults.

Curious

[Demonspawn]

What do you consider to be the best OS in the world?

I guess the correct question would include: and for what application?

--Demonspawn

Re:How do I tell if my machine is cracked?

[hiimlars]

Does the router version of Tripwire do anything more than log changes (and alert thereof) to the router's config?

Doesn't look so from the website, which says to me that Tripwire for routers is not the same level of security tool that Tripwire for servers is.

Get GNU Zebra

[surflorida]

Use GNU Zebra

Re:ssh is available on ALL IOS w/ encryption featu

[lanner]

Very cool! I was not aware of this.

Hey, it is forum. You learn stuff from other people.

Linksys Router???

[-NK-VoiD]

What I don't understand is why, when people buy these Linksys 'routers', they think they have an actual ROUTER. 99% of these linksys owners just use it as a gateway. Not a router. How many home users need a router?? You only have one connection to your ISP. Once the packet reaches your ISP, you have no control over where it goes. I guess just having control over that first hop is enought to warrant buying a true router?