Slashdot Mirror
CERT Finds Routers Increasingly Being Cracked
alteran writes "CERT has released a paper (PDF) analyzing changes in DOS attack methods. The new twist-- crackers are increasing getting into routers rather then servers and home PCs. The volume of noise a router could generate absolutely dwarfs what a computer could do. And unlike compromised servers, compromised routers could actually screw up the infrastructure of the Internet, not just blast people with packets. Worst of all, router administators appear to be even sloppier than their server counterparts in securing their machines."
Tripwire makes Tripwire for Routers - Tripwire has been in the business of ensuring integrity for your systems for some time. Thet even make the Open-Source version of Tripwire for Servers, Web Pages (Apache) and have a Linux-capable Tripwire Manager (management system for reports) available as well. Definitely worthy of investigation.
P.S. - I don't work for Tripwire, but I do like their products. 8-)
All Ad hominem replies happily ignored as the sender shall be deemed to lack the faculties to comprehend the equation.
Well, that's what they get for using DOS as the OS for their routers. Sheeeesh!! Some people will never learn!
Co-founder and designer at Music Nearby: http://musicnearby.com
from the article:
Intruders had to work hard to deploy large DDoS attacks networks; much
work was done to avoid detection and compromise of deployed attack
networks and to provide for easier maintenance.
OK, here's the dumb question: Who is working so hard? Kids on IRC???
Companies don't hire enough smart people to admin their network. They think that the guy who knows how install Windows would be a good candidate for admining the network.
Most companies and people that run them don't understand what it takes to properly setup and maintain a network.
I think this will/is changing though. The company I work for now takes the network seriously after they narrowly avoided a catastrophic data loss about a month ago. Now that backup solution I was bitching that we needed, has been purchased.
LoRider
The password for all of our routers is admin.
Not really, but it is on 75% of our client's machines.
You don't need a service contract, you just need to have your router registered with them, and have a Cisco Connection Login. I've got a CCO login tied to a 1604, and I've downloaded/torn apart the code for a 12000GXR. No restrictions, they just don't want everyone on the damned planet with access to their firmware.
We don't actually administer our routers? Our company has some contract through UUnet and the router is actually property of UUnet we don't even have the password to get in and administer it. So if it's comprimised, the blame should be placed on UUnet even though the traffic will look like it's coming from our company.
Things you think are in the Constitution, but are not.
enable
password
config t
line vty 0 1
password 7 (insert password here}
^Z
wr mem
Oh yeah, real hard. 5 lines of commands is super difficult.
A large reason for all this security carelessness is that companies will hire the least expensive person "qualified" to do a job. Those qualifications generally being a buzzword or two on a resume. They will then load that person down with 5 to 10 times more work than he is even capable of, insuring that there is no chance that the slightest hint of security will find its way into the company. Again, the CIO will never catch any flack for this; his choices probably made the company's stock go up in the short term.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
I'm not usually one to defend Slashdot editors, but I think his statement is valid, though he didn't properly clarify it.
The majority of DDOS attacks to date have relied of hackers breaking into many computers beforehand, often these are home computers (PCs) running over cable or DSL lines. Compared to that type of a system, a commercial router (particularly one located close to a backbone) is capable of a hell of a lot more traffic generation.
A router IS a computer, you fuckwit. Usually a specialized computer with embedded software allowing it route quickly and easily. But routers are also sometimes servers or desktops; the machine I am typing this on is a router/desktop/firewall.
br.
tsk tsk. the original poster was simply using common, ordinary terms instead of the more specific terms that you apparently require. perhaps he should have stated, "the volume of noise a specialized computer [read 'router'] could generate absolutely dwarfs what a general-purpose computer [read 'computer'] could do."
theo
--
Life is short; think quickly.
Life is short; think quickly.
Read your /. manifesto. You aren't allowed to like anything that is:
* Packaged slickly
* Designed for ease of use by non-geeks
The volume of noise a router could generate absolutely dwarfs what a computer could do.
Of course, a router is a computer.
I guess this isn't surprising, since they've been targetting DSL and cable Windows boxes as platforms from which to launch DDoS attacks -- moving up to the routers is, I suppose, the next logical step.
SecurityFocus.com has an article by Kevin Poulsen which addresses the issue. He talked to Kevin Houle of CERT. Here's an excerpt:
Good mfences make good neighbors.
Is probably going to be piss poor devices for dsl/cable modem users. Cisco has had real trouble with some of their 6xx series dsl devices. Having 1 million poorly thought out (security wise) $100 devices on decent sized connections (cable/dsl) is probably just as dangerous as having 10000 poorly thought out 10k routers.
We have seen what code red and nimda did to cable modem segments. Cable is somewhat limited with a 2 megabit upstream limit per segment, so the real risk is just the segment blowing itself up, but enough devices on enough 2 megabit segments really starts to add up.
Cable companies need to realize: rushing out crappy cable boxes with insecurities (say to steal extra $$$ channels) is a threat only from smart hackers, and a potential loss of revenue (you don't know if they would buy those channels). Rushing out crappy cable/dsl modems can bring down segments, losing $40 a head across all those customers for that month (while my openbsd firewall was mildly annoyed, nimda brought down my mediaone segment for three full days+ = free month)
ostiguy
ostiguy
Aside from the problem of default and backdoor passwords, there are huge numbers of devices deployed with SNMP enabled and configured with RO/RW community strings as public/private.
Any day now some crew will start distributing 'rootkit' firmware versions of IOS with zombie functionality in the binary.
When there is a critical security hole in IOS, Cisco has been very good about releasing IOS revisions with the fix even to customers without any Cisco service contract.
I do not deploy Linux. Ever.
How is NAT *not* a security solution for a home user not running a server?
-J
The NSA has been saying this for a while now.
CERT has been saying this for a while now
Most CCNA's know just enough to get RIP running - and security in cisco manuals doesnt go much beyond passwords and locking your telco closet. They do publish more extensive book son the subject - for a price of course.
Im all for this - hopefully itll force companies to pay more for qualified network engineers. As it stands right now theyre paid 35k their first year out - thats pathetic for the amount of training required to put together large secure networks.
So... how much do you think the number of attacks on routers went up because of this post on slashdot? heh. I think CERT might need to revise their numbers now.
Cheers,
-Alex
Lol. Yeah, i hear you... but there's a big difference between home and work. At home, i have time to learn how to use the best. At work, it has to be up and running yesterday, and my boss isn't about to pay me to sit there and read the networking HOWTO trying to get a Linux box up and running as a router. Nothing against Linux... i use it 99.9% of the time at home and i have an older box set aside for tinkering and learning at work. But i'm not ready to use Linux in critical applications such as a router, yet. (I said I'm not ready... Linux is. :)
You don't need to have a hole in a router for it to be taken over. 90% (guestimate) of the routers of the world do ZERO logging. Which means that an attacker could sit there for hours on end doing a brute force password attack and no one would ever know.
Out of the last 6 companies where I have worked at in the past few years, 2 of them logged connects/logins/attempts. And I know of countless more that have no idea how to enable logging, nor what a syslog is.
So it's not necessary to have a hole in order to get enabled on a router, it just takes patience and a good brute force cracker with telnet capabilities.
Personally I don't understand why they're doing it. When you attack a server or a host you hurt the server or the host. When you go after a router you effect all the servers and host on the network it covers, or if the router is connected to other routers it will bring down the connection between them. Now the part I don't understand if why do this if it effects them too?
And frankly I've had enough of the normal server attacking DoS attacks. Since any "script kiddie" with a broadband connection or a few bots at his command can stage they're quite common and still a menace. In fact as I'm writing I'm getting attacked right now.
I'm just this guy, you know?
I think this critisism is a bit harsh. Under certain circumstances the statement is necessarily true, depending on how you interpret it.
A fully compromised router should be able to at least match, and probably almost always exceed the capacity to cause problems for any machine upstream of it than any computer downstream of it, since any computer downstream of a router can't generate traffic any faster than that router can
This is true as long you make certain assumptions about how the router works, how computationally intensive the attack is, and the geometry of the network(*).
Also, the statement: "A router IS a computer, you fuckwit," is inflamatory and pedantic. For the purposes of what we are talking about a computer is something that traffic flows to and from, and a router is something traffic flows through. Everyone knows what he means, and the distinction is conceivably instructive; according to the article more DOS attacks are coming from things that are called routers. Lumping routers in with computers may be technically correct, but is not helpful. The aim of the article is to get out the message that the things commonly called routers are causing more DOS problems than things commonly called computers.
* E.g. assuming the router can do more than just copy traffic, that the attack doesn't require a lot CPU to generate the data for the attack, and there aren't many paths from the attacker and the attackee.
The article seems to indicate the use of factory-installed passwords as the problem. There's nothing inherently more vulnerable about routers other than the fact that the people configuring them tend to think of them as peripherals (like a printer) rather than as computers.
That said, how often are Cisco routers vulnerable to this kind of attack? I've set up plenty of Cisco routers and if I'm not using a startup config borrowed from one of my other routers, I'm using the "setup" routine that prompts me for a password. Seems like most admins worthy of the title wouldn't use "password" as a password when prompted.
Though I guess they may be referring to the zillions of low-end Ciscos carelessly dropped into client-sites -- but those are supposed to be centrally managed, right?
Are there tools to detect changes made by crackers? One of my nightmares is a rooted zombie server that looks perfectly normal to me, but had several backdoors inserted...
An integrity checker such as Tripwire is what you want, and !Squalus pointed out that there is a version of Tripwire for routers.
The idea is this: generate secure hashes of all critical files, using a secure, one-way hashing algorithm such as SHA-1 or MD5. If those files are changed, hacked, or even damaged by hardware failures, comparing the old hashes will reveal that the files have been altered.
In practice, it's a little more complicated. Many files will change, or be changed, in the normal course of operations of a system. Imagine, for example, a clueless sysadmin who ran an integrity checker against all files on a system, and then freaked out because the log files had changed. So it is necessary to have clueful admins who will be able to understand which files are critical and can distinguish between proper, permitted changes and hacker intrusions.
As I'm sure you know, such clueful sysadmins are in short supply.
Another issue in some cases, like virus detection, is that the operating system itself must be trusted while the hashing is taking place. There are stealth viruses that can intercept reads to infected files, and make them appear clean. Or at least, there were, back in the days of DOS. In theory, the same thing could be accomplished by hacking a unix kernel.
For more information on secure hash algorithms, the best reference is Applied Cryptography, 2nd ed. by Bruce Schneier. I'm sure Tripwire has plenty of info on their web site, and a search for "integrity shell" or "secure one-way hashing" would, no doubt, turn up scads of resources and references.
Good mfences make good neighbors.
1: Port scan a known network to have DSL routers, ISDN routers, switches or cable modems or what have you. Your own ISP works great.
2: Take your list of open telnet ports, and corresponding IP's, and telnet into them.
3: Using the PDF files of the router docs, log in using the default passwords and wreak havoc. Remove routes, telnet into other boxes on their internal network.
It's really sad how many of these are setup and forgot about, leaving Joe Business Owner wide open. People don't think twice about changing passwords, disabling WAN access, etc etc
Don't even get me started on HP JetDirects !
My group is has ultimate responsibility for our company's Canada wide WAN based on Cisco equipment. We need to be able to see what the hell is going on when Joe Backhoe digs up the fiberlink in DucksAss Manitoba and knocks out Calgary, Edmonton, Vancouver and Victoria. We need remote access to verify that the telco is indeed down. Since we are also responsible for this WAN, we require the ability to completely control the routers at all times. Without a remote login, we would spend an awful lot on plane tickets. As well, we sometimes need to be able to get to our core routers while we're on the road. That's why remote login exists on this type of equipment - so we can do our job no matter where we are. It's only convenient in very few circumstatnces.
Dial in only to a modem connected to the aux port, you say? That's just another telnet when it comes down to it - you use the same user/password combo across an untrusted network. Call-back from the router? Again, limits us to one or 2 spots - unworkable.
BTW, it's not only rsh, telnet or even ssh that can be a problem - IIRC, there was a Cisco exploit based on SNMP. Something about the RW community string set to public? Like CodeRed, traceable to less than knowlegeable admins, but another backdoor none the less. If any device is connected to an untrusted network at all, it is susceptible to attack - period.
We're contemplating RADIUS or other authentication for the router and switch gear, but that introduces other risks and complications ($). Physical access only would be more secure to be sure, but real world demands kinda toss it out the ethernet port. Sorry.
Soko
"Depression is merely anger without enthusiasm." - Anonymous
Untrue. You don't need a CCIE, just a CCO (Cisco Connection Online) login to cisco's web site. Buy a support contract for 1 of your routers and you can download any damned IOS you want!
Cisco IOS updates easy to get. if you have a serial # on your router, you should be able to finagle yourself a CCO login from that. either that or find someone else who has one to use.
:)
And even if you aren't LEGALLY supposed to use the update, it's not much of a big deal really... quite a few people I know just update them, and don't care much about the actual licensing part of it. it's abstract enough that few can find out about it anyway.
I'm not advocating theft, but to say that you don't have a CCIE around is a load of BS.
I'm not going to let the lack of a support contract stop me from securing a product that I spent a bunch of money for.
besides, when you have a WAN with say, 200 2600's or so, you only need a few registered routers. just switch around between good/bad ones for support calls
EOM
Why is it that we (meaning big companies like Cisco, US government, Microsoft, etc) have so much trouble? Just look at all the messes! Sep 11, nimda, code $color_of_choice, DMCA, etc! They are almost always in the business of fixing problems after they become problems!!! ARGH!!! That is one of the most beautiful things about Free and OS Software... a lot of problems get fixed before (out of proportion just like in any estimation done by any research/analysis study) $trillions in losses occur due to some major effing catastophe. Why?? pre-emptive code auditing. Free/OS software is expected to have flaws and faults that's why people are encouraged to look and examine the code! Find, fix, enhance!
/usr/libexec/locate.updatedb
Now, the US Gov, Microsoft etc. seem to not care (they don't seem to make outward attempts anyway) if what they are doing is stupid/wrong. Let's bomb Iraq 4-5 times a month then complain Saddam is a threat to freedom and is happy about Sep. 11! Hey, let's just act like we own the place then millions of people get pissed off at us and we call THEM terrorists because our way is about freedom and you must be against freedom if you are against us!
...(Back on topic now)
When a router is hacked (especially big ones) they have the capability to use a DOS attack on a mammoth amount of people. DOS = denial of service.... not just packet flooding. Imagine if you changed the DNS information or routing information and starting sending EVERYONE from the router to slashdot.org. I am sure Slashdot would drop like a rock. Plus all those people can not view any website and no one can view slashdot. That is a huge DOS. Why are routers easy targets? Monopoly.
I don't know any current stats but like in 1998 or 1999 something like 80% of the internet infrastructure was Cisco based. I am sure there are at least one common flaw amongst most Cisco routers. Some say it is that reason, others say it's incompetent admins. I say a little from column A, and a little from column B. Cisco needs to make IOS upgrades easier to obtain. Go buy a Cisco router off of ebay and try to upgrade the IOS. Aint going to happen unless you are a CCIE or have a service contract with them. Of course there are illegal ways as well. The point being, you probably are screwed. And to the admins... please... read documentation and understand what you are doing and do it with prior thought before you plug in and turn on. Don't use exec password:cisco and enable password:class (It has been a while since my Cisco training... do they still use that for the lab routers?)
Excuse me while I
ZERO ZERO ONE ZERO ONE ZERO ONE ONE! Just brushing up for my next big invention: Ethernet over Voice (EoV)
I would think that although major routers being hacked could stall the internet, the real threat STILL exists with computer viruses... at least the real threat economically...
:)
For one, a business can still operate if the network goes down.. that isnt THAT big an issue... ("Sorry fellows, we wont be sending you home just b/c are network is down"), but if the computers that are being operated/worked on could be sending out data and proprietary information... well..
Also, for home users... the kind who trust the benevolence of the economic cookie.. you know which ones: "Save my credit card information" on amazon/barnesandnobles checked, along with "Save login information in a cookie" always selected... all that has to be done is to buy up 5-6 items and send to dummy addresses (random ones) before the normal computer user REALLY cares about viruses.. which makes me ask--> why hasnt it happened before? Why hasnt a major virus (code red and nimda anyone?) made purchases after the computer has gone idle for K minutes using the cookies stored on there?
Anyways, I may be wrong..
dear rocket scientist..
Cisco Type 7 passwords are a very basic hash that anyone with some utilities off the internet can crack...
Type 5 passwords (or enable secret) - are encrypted with a much higher quality hash that I believe is resilant to everything but a brute force attack.
Before trying to diminish someone to make yourself look smart, it would help if you gave advice that didn't make everyone's router crackable.
----------
ah honey, we're all resplendent - Bill Mallonee
Our ISP is Megapath, by the way.
access-list 1 permit
line vty 0 4
access-class 1 in
ummm.....not too dificult and unless the version of IOS running is vulnerable, this will restrict access to the vty lines ala tcp wrappers.
everyone running a cisco router should do this.
Restrict access to the cisco vty to a list of known hosts. You can use ssh to get from anywhere to one of the permitted hosts, from there you can telnet to the router. If you have the rackspace available, drop an old 486 running *bsd/linux physically right next to each of your routers.
Add an acl to restrict access to the virtual terminals as follows:
access-list 2 remark vty access list
access-list 2 permit 192.168.0.0 0.0.0.255
access-list 2 permit 192.168.200.0 0.0.0.255
....etc....
access-list 2 deny any
line vty 0 4
access-class 2 in
As with any cisco ACL, be careful that you dont "cut off the branch you are sitting on". If you dont understand what the above ACL does, try it out on a test router before you install it on a router 5 timezones away.
S.E.S.S.D.E.N.E.E.NW from west end of hall of mists
How is this a troll? He's absolutely right. It's all politics.
What's with the moderators tonight? They seem worse than usual. The above comment is a legitimate question.
Can be found on page 14:
"Time-To-Exploit Is Shrinking
Exacerbating the sophistication of attacks and the abundance and susceptibility of targets is a shrinking time-to-exploit. The window of opportunity between vulnerability discovery and widespread exploitation, when security fixes or workarounds can be applied to protect systems, is narrowing. This is, in part, due to the large existing code-base of attack tools than can be used to develop new tools as exploits are written for newly discovered vulnerabilities. Another element causing this trend is a trend toward non-disclosure within intruder communities. Rival groups will often keep new exploits and attack tools private to gain some advantage over other rival groups. Tools that are exposed to outside groups often become obsolete through competitive analysis and are quickly modified, making the lifetime of many attack tools very short. Anti-forensics techniques are now commonly employed in the design of intruder tools in an attempt to increase the lifetime of the tools by limiting the ability of others to determine the function of and defense against an attack tool. Thus, when public awareness of an exploit method or attack tool does rise, the method or tool is often already in some degree of widespread use."
In other words, the bad guys love the practice of not sharing info on vulnerabilities.
A corollary of this is that closed source code is a gift to these guys.
"You can't get something for nothing." - my grandfather, on the stock market and Reaganomics.
first, we will assume that you have a cisco, IOS based. If you are using something else, there are other ways to secure your system. I place actual commands in "" quotes. Many of these commands are applicable for IOS based switches too.
t ml
m
Juniper, Unisphere, whatever, has similar precautions that you can take.
http://www.cisco.com/warp/public/707/
Common sense should apply. If you are an idiot, then there is no helping you, and please read no further. Just take your router offline so that you do not harm my network when the time comes for you...
Secure the console;
Turn HTTP servicing OFF!!!
If you use the internal web server to configure your router, you are probably not qualified to work on the thing period. There have been a string of exploits to the http server function, and if someone get's your browser history, you are screwed. Use telnet. Same thing for any cisco CBOS based router (DSL, cable, ISDN).
"no ip http server"
If you have a 12000 or some of the higher end routers, you can ssh to it. Lesser routers, such as anything less than a 7500 can only use telnet. This sucks, but it is what cisco offers. (if you have a PIX firewall, ssh is available from version 5+ or something similar). You can always use IPsec if you have the IOS for it.
Require local authentication to the console, add a 15 minute idle timeout, and other good stuff;
"line con 0"
"exec-timeout 15 0"
"logging synchronous"
"login local"
"transport input none"
Same thing for telnet sessions;
"line vty 0 4"
"exec-timeout 15 0"
"logging synchronous"
"login local"
"transport preferred none"
"transport input telnet"
Access list telnet access to special subnets! This is VERY VERY important;
Add "access-class 5 in" where you have the following access list on the router;
"access-list 5 remark VTY.ACCESS.CONTROL"
"access-list 5 remark 10.3.4.1/32"
"access-list 5 permit 10.3.4.1"
"access-list 5 remark 10.22.33.136/29"
"access-list 5 deny 10.22.33.128 0.0.0.7"
"access-list 5 permit 10.22.33.128 0.0.0.15"
Do not forget the aux port;
"line aux 0"
"login local"
"transport output none"
Authentication;
Use enable secret, NOT enable password!;
enable secret blah-blah-blah-md5-encrypted
Make at least one local user;
username bob password goldfish
Use TACACS+ if you can, and if you have multiple routers. Otherwise, just use a local login. Cisco lets you download TACACS+ if you know where to look;
http://www.cisco.com/warp/public/480/tacplus.sh
Encrypt your passwords too;
service password-encryption
Log stuff, and know when stuff happens;
Turn on logging;
"service timestamps debug datetime msec localtime show-timezone"
"service timestamps log datetime msec localtime show-timezone"
"logging buffered 32000 debugging"
Hate log messages on the console?
"no logging console"
Use "term mon" when telnetting to get live logging messages. Use "term no mon" to turn it off.
Synch to an NTP server so you know when stuff happens;
"ntp server 1.2.3.4 prefer"
Get NTP servers here;
http://www.eecis.udel.edu/~mills/ntp/servers.ht
Interfaces;
EVERY DAMN interface should have the following, unless you know better;
"no ip redirects"
"no ip directed-broadcast"
"no ip proxy-arp"
"no cdp enable"
Route RFC1918 traffic to null0. RFC1918 specifies that this traffic should not be routed. I do not know what NANOG's position on it is;
ip route 10.0.0.0 255.0.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
Turn CDP off, if you can. There is little reason to use it;
Turn it off, on ALL interfaces;
"no cdp run"
Turn it off on an individual interface;
"no cdp enable"
Damn, now wasn't that easy? No? Of course not! People who do networking get paid some serious cash, because it is serious business. Put a fool on the console and your business is going to take it in the ass! Way too many businesses let fools take care of their networking, or better yet have nobody do it at all.
Where I work we use one-time passwords. We have special cards that you punch in a personal code and it gives you a one-time use password that expires after use or after 30 seconds. The routers authenticate using TACACS to a server that is synchronized with the cards. Makes it nearly impossible to break into them remotely.
Another thing router admins need to be aware of is the way they set up SNMP. SNMP can be used to modify just about ANY part of a router. All the attacked needs to know is the read/write string (basically a static passsword). And because SNMP uses UDP, it has the potential of being spoofed if access lists are used to determine which machines may send SNMP commands. The only way to guard against this is edged filters everywhere and keeping the location of the password server and SNMP allowed hosts in a secure segment/area.
Thanks - ACLs are always good. Already done on all our gear.
However, if the IOS has a security flaw, or the password is weak, well, you know the rest.
Soko
"Depression is merely anger without enthusiasm." - Anonymous
I have developed a tool that will check IOS
o s-template.html
configs against the NSA rule set. If you're
interested in testing, drop me a note at
gmj AT users dot sourceforge dot net
Also, for reference, here are three good sources
of security configs for IOS:
# "NSA Router Security Configuration Guidelins", NSA, September, 2001
# http://nsa2.www.conxion.com/cisco/download.htm
#
# "Improving Security on Cisco Routers", Cisco, October 17, 2001
# http://www.cisco.com/warp/public/707/21.html
#
# "Secure IOS Template Version 2.3", Rob Thomas, October, 2001
# http://www.cymru.com/~robt/Docs/Articles/secure-i
That's why we have lawyers. UUnet would be responsible for paying the 1.7e49 dollars, once you proved this in court.
This will be treated as flamebait on /. but there are good uses for the justice system.
You cannot apply a technological solution to a sociological problem. (Edwards' Law)
The linksys routers can not be configured from outside the local network
Actually, they can be remotely admin'd via http, though this feature is not enabled by default.
You would be suprised how readily you can find routers (important ones!!) that use default passwords... try writing a little perl script that will traceroute to slashdot, cut up the output, and goes through a database of default passwords (this site has one), or even just cisco/cisco or enable/cisco in a telnet connection (99% of the time to port 23). I would be willing to bet that if it takes 10 hops to get there, 4 of them will use default passwords. AND THIS IS ON THE BACKBONE!!! Just imagine the number of routers sitting on the edge of a corporate network as their principle gateway that use default passwords. Scary. Very scary.
__________________________________________
Take comfort in your ignorance.
Grandmaster Plague
This was demonstrated some months ago when I was tracing a friend of mine's network and noticed they were using a router on their dsl line.
:-)
Apparently their (SLC, Utah) dsl provider was recommending/providing the same model of Cisco router to many of their clients, because by simply pinging down a list of nearby addresses, I was able to telnet into the routers -- with no login, as the access password was by default blank.
The scary part is two-fold in this situation:
1) the user's username and password were stored in plaintext on the router and
2) by telnetting to the provider's site, you could login and see the user's account information, such as address, etc.
This _seriously_ freaked out my friend!
If liberty means anything at all, it means the right to tell people what they do not want to hear. -- George Orwell
Linksys seems somewhat secure, though I never trust them.... Of course, I am Paranoid when it comes to network security, but the best of us are ;)
.NET?
Cable modems are real problems, though but I would think that, given their architecture, they would be better used by botnets (zombie IRC clents) than by router attacks in terms of ease of attack.
Speaking of "botnets," anyone else amused at the resemblence to the name
LedgerSMB: Open source Accounting/ERP
Use comodity hardware with FreeBSD or Linux on it. Add the security utilities you want. The Linux Router Project is one possibility, and I am working on one with a little more flexibility and extensible security (yes, if you are interested, you can write me).
This sort of solution allows you to make your security solutions as extensible as you want, but then you do have to support it yourself, unless you can find a vendor...
LedgerSMB: Open source Accounting/ERP
There are alot of resources available on security... everyone knows that security begins with a decent policy. When it comes to securing Cisco routers the following links may be useful:
From Cisco:
http://www.cisco.com/warp/public/707/21.html
From the NSA:
http://nsa2.www.conxion.com/cisco/index.html
Its not a solution, but its a start
-- Kevin
I think core to this particular issue is mindset. System Admins have been, for years, told to upgrade--stay current with security patches for your particular operating system.
..., downtime on a core switch is serious business. If it's working, there's a definite desire to not break it.
Router/Switch maintenence is different. How many Cisco users out there a familiar with the "fix on fail" SOP. I've found many a tier-1 support staffer reluctant to let you run off patching things that may not need it.
Routers/Switches are very commonly more important (read: requires less downtime) than any single machine on a network. In an environment like Exodus, Level 3, GlobalCenter,
I identify with this mind set (and if you don't you're probably not a very good admin---running apt-get update/apt-get upgrade every day on a production system is a BAD, no...REALLY BAD idea.) However, let me say clearly, that this is obviously a wrong way to think about things.
How do you tell what ROM/BIOSs to flash? What patches to install? You have to do your research. If you blindly install a new super duper patch, and it breaks NFS on your server, you probably should've read the ChangeLog or Release Notes--it probably mentioned that something changed, or theres a dependancy--or worse yet, that there are configurations with which the patch is incompatible. It happens.
There's no easy way, than to understand what you're doing. Read the docs. You have to be willing to dedicate the time to make sure you're doing the right thing, and your bases are covered.
If you don't--you deserve what you get. If you don't learn from the experience, that'll probably include being fired.
Not preaching here...just passing along uncomfortable experiences.
"Yeah, um...hi. Cisco support? I just installed this patch, and..." Ugh.
Actually, no. Most of the big backbone routers today do most of the work with special-purpose hardware devices, hardwired to do basic packet forwarding functions. Most packets never reach a general-purpose CPU going through a big router. There are general-purpose CPUs in there, but they're for control and exception handling. Without such hardware support, gigabit networking wouldn't be feasible.
10Gb/s is something which even the 12xxx series can't handle properly.
;)
I've seen a *controlled* *test* setup where around 3.5Gb/s was inserted into a 12000, then was router over DWDM-fiber (tested upto 90Gb/s by the supplier) and went through 4 12000's in total (infrastructure guaranteed at 80 Gb/s) and it came out at a mere 2.6Gb/s. The loss occurred at *every* 12000 series router. And that network is supposed to be at 80Gb/s backbone capacity in roughly two years.
If those Cisco's loose that much traffic at *sub*-10Gb/s speeds, I don't even want to know what happens at 80Gb/s.
Overall, I think the big difference between Cisco and for example Foundry is that Cisco is betting on the *software*, where as Foundry is doing all their stuff in specially designed ASIC's... But then again, our BigIron 8000 won't be capable of routing IPv6 at wirespeed, because we'd need a new backplane. Cisco's: just upgrade the IOS; but in the end a Cisco is just a very powerfull computer, with some help from ASIC's, but it all boils down to their CPU and bus-structure and interface-cards...
In the 12000 series a slot can hold 1 (one!) 10Gb/s card or a card with 3 (three) 1Gb/s interfaces... Anyone doning the math ?
Ahem... Now to do something productive
--
Ehm... I'm not very creative
would be particularly easy.
router>enable
router#conf t
router(config)#int tunnel 0
router(conf-if)#tunnel source
router(conf-if)#tunnel destination
router(conf-if)#^Z
router#conf t
router#ip route 0.0.0.0 0.0.0.0 tunnel0
Or thereabouts... This creates half of a tunnel to a peer, which would normally be a router configured to tunnel back... but in this case we just configure the router to send all it's traffic to the victim...
That's pretty open... you'd normally limit vty access to perhaps a single host on a network and you may want to apply anti-spoofing access lists to your interfaces.
Another tool to use is a TACACS+ server. Cisco produce both a Commercial Cisco server ($$$) and an open source TACACS+ server called tac_plus.
tac_plus allows you to implement AAA (Accounting, Authorisation & Authentication). Which basicly means this:
* Central User Access Authentication for all your Routers, Firewalls & Switches.
* Authorisation for each individual command entered (on a per user, per host basis)
* Accounting (read logging) of all configuration changes on networking equipment.
Tac_plus is open source and compiles on nearly all platforms. More information can be obtained here: at Cisco.com
You are so wrong with the above statement. Provided you have an encryption Feature Set (IPSEC 3DES or IPSEC 56) you can ssh to your router. No matter if it's a 801, a 12416 or anything else in between.
Read more about requirements + configuration of ssh on IOS routers here and for further ssh-related reading on Cisco platforms, go here.
No Real Info but my hunch is yes. If I was in charge of NSA/CIA/DoD you'd be able to bet your bottom dollar that I'd have a whole shit pile of zombies in 'puters all around the world, just sleeping like moles in the KGB waiting for the day when a "response in kind" was called for. And with what has been shown by the s'kiddies, it wouldn't be hard to do.
Remember back to Desert Storm, DoD planted a virus in some Iraqi printers. I don't think the USG forgot that one, and that's just what we know about. How hard would it be, especialy if SSSCA is passed to plant a back-door in everything conntected to the net?
Also I think the other guys are doing the same, and the worst is yet to come.If your a NSA agent and you guys aren't already doing this, get a clue and start As far as using my computer "I'd rather be pissed off than pissed on" at least you retain "plausable denialability" using mine. I can't even imagine how many vulnerable machines are in Asia because you don't want to go to Microsoft to get patches when you're running a bootleg copy of Windows.
I'd guess that someone in USG,Unites States Government, is realy pissed that so much DDoS's are going on, they're more interested in collecting information than blocking it right know. Haven't you found some spooky stuff in your server logs? I know the Islamic terrorist hate the internet, as well as TV and radio, it lets people see/hear other view points. Other view points are dangerous to them, errodes their brain-washing. An effective DDoS attack would serve them just find, and if they destroy Microsoft along the way some much the better in their point of veiw.
Of course maybe I'm just paranoid, but being parnoid doesn't mean that everyone isn't out to get you.
Apocalypse Cancelled, Sorry, No Ticket Refunds
Is it the kids on IRC? No, Some Adults.
Expanding a vast wasteland since 1996.
and unless I leave all the settings in their default mode, (which is idiotic)
Out of curiosity, which of the default settings do you change on your Linksys router?
Wansu, th' chinese sailor