CERT Finds Routers Increasingly Being Cracked

alteran writes "CERT has released a paper (PDF) analyzing changes in DOS attack methods. The new twist-- crackers are increasing getting into routers rather then servers and home PCs. The volume of noise a router could generate absolutely dwarfs what a computer could do. And unlike compromised servers, compromised routers could actually screw up the infrastructure of the Internet, not just blast people with packets. Worst of all, router administators appear to be even sloppier than their server counterparts in securing their machines."

Routers can be secured...

[!Squalus]

Tripwire makes Tripwire for Routers - Tripwire has been in the business of ensuring integrity for your systems for some time. Thet even make the Open-Source version of Tripwire for Servers, Web Pages (Apache) and have a Linux-capable Tripwire Manager (management system for reports) available as well. Definitely worthy of investigation.

P.S. - I don't work for Tripwire, but I do like their products. 8-)

who are these people

[oni]

from the article:
Intruders had to work hard to deploy large DDoS attacks networks; much
work was done to avoid detection and compromise of deployed attack
networks and to provide for easier maintenance.

OK, here's the dumb question: Who is working so hard? Kids on IRC???

It boils down to this

[LoRider]

Companies don't hire enough smart people to admin their network. They think that the guy who knows how install Windows would be a good candidate for admining the network.

Most companies and people that run them don't understand what it takes to properly setup and maintain a network.

I think this will/is changing though. The company I work for now takes the network seriously after they narrowly avoided a catastrophic data loss about a month ago. Now that backup solution I was bitching that we needed, has been purchased.

What if we don't own the routers?

[Mr.+Sketch]

We don't actually administer our routers? Our company has some contract through UUnet and the router is actually property of UUnet we don't even have the password to get in and administer it. So if it's comprimised, the blame should be placed on UUnet even though the traffic will look like it's coming from our company.

router security

[grue23]

Without reading the article, I'll just say that after spending a while doing network design/admin work, I have often noticed that routers and switches tended to have far less security than servers. Here's three big reasons:

• As far as I am aware there are no vendors that offer an ssh-like encrypted login for network equipment.
• Many vendors have backdoor methods of accessing their equipment that can be learned if one is beligerent about pushing a mission critical. tech support call to a high tier. These are sometimes needed to get special diagnostic or debug information. I know one major ATM switch vendor in particular that has a high TCP port login on the management ethernet interface that has a vendor specific user/password that is used not only for diagnostics but also for modifying system parameters.
• It has been my experience that many network admins simply leave the default user/password on their network gear, or use the same password for every piece of equipment.

Re:router security

[mosch]

Perhaps you've never heard of this little company called Cisco, who is a minor player in the network equipment field. I have a huge quantity of routers and switches which all are accessible via *gasp* ssh.

As far as backdoors go, this little company called Cisco also requires physical access to the hardware to reset forgotten passwords and such, because they didn't build in backdoors for such purposes.

You should check them out. They're not too well known yet, but they will be after they IPO. Check out www.cisco.com for more information!

Quality of Company Hires

[Greyfox]

A large reason for all this security carelessness is that companies will hire the least expensive person "qualified" to do a job. Those qualifications generally being a buzzword or two on a resume. They will then load that person down with 5 to 10 times more work than he is even capable of, insuring that there is no chance that the slightest hint of security will find its way into the company. Again, the CIO will never catch any flack for this; his choices probably made the company's stock go up in the short term.

Re:Like one of those hypothetical Marvel comics..

[grue23]

Read your /. manifesto. You aren't allowed to like anything that is:

* Packaged slickly
* Designed for ease of use by non-geeks

Article on SecurityFocus

[Dr.+A.+van+Code]

The volume of noise a router could generate absolutely dwarfs what a computer could do.

Of course, a router is a computer.

I guess this isn't surprising, since they've been targetting DSL and cable Windows boxes as platforms from which to launch DDoS attacks -- moving up to the routers is, I suppose, the next logical step.

SecurityFocus.com has an article by Kevin Poulsen which addresses the issue. He talked to Kevin Houle of CERT. Here's an excerpt:

"What we see are routers with default and weak passwords being targeted," Houle said. After cracking a router, attackers can use it to launch straightforward denial of service attacks against an Internet site. Because routers can generate enough traffic to impede an end host, while standing up well to a similar counterattack, it's become a valued platform for cyber vandals engaged in online skirmishes in the mostly-juvenile computer underground.

"If I'm an intruder and I want to be well protected against people DoSing me, a router is somewhat better than an end host," said Houle.

A bigger threat

[ostiguy]

Is probably going to be piss poor devices for dsl/cable modem users. Cisco has had real trouble with some of their 6xx series dsl devices. Having 1 million poorly thought out (security wise) $100 devices on decent sized connections (cable/dsl) is probably just as dangerous as having 10000 poorly thought out 10k routers.

We have seen what code red and nimda did to cable modem segments. Cable is somewhat limited with a 2 megabit upstream limit per segment, so the real risk is just the segment blowing itself up, but enough devices on enough 2 megabit segments really starts to add up.

Cable companies need to realize: rushing out crappy cable boxes with insecurities (say to steal extra $$$ channels) is a threat only from smart hackers, and a potential loss of revenue (you don't know if they would buy those channels). Rushing out crappy cable/dsl modems can bring down segments, losing $40 a head across all those customers for that month (while my openbsd firewall was mildly annoyed, nimda brought down my mediaone segment for three full days+ = free month)

ostiguy
ostiguy

The NSA and CERT agree -

[jgaynor]

The NSA has been saying this for a while now.

CERT has been saying this for a while now

Most CCNA's know just enough to get RIP running - and security in cisco manuals doesnt go much beyond passwords and locking your telco closet. They do publish more extensive book son the subject - for a price of course.

Im all for this - hopefully itll force companies to pay more for qualified network engineers. As it stands right now theyre paid 35k their first year out - thats pathetic for the amount of training required to put together large secure networks.

How to secure your cisco router

[lanner]

first, we will assume that you have a cisco, IOS based. If you are using something else, there are other ways to secure your system. I place actual commands in "" quotes. Many of these commands are applicable for IOS based switches too.

Juniper, Unisphere, whatever, has similar precautions that you can take.

http://www.cisco.com/warp/public/707/

Common sense should apply. If you are an idiot, then there is no helping you, and please read no further. Just take your router offline so that you do not harm my network when the time comes for you...

Secure the console;

Turn HTTP servicing OFF!!!

If you use the internal web server to configure your router, you are probably not qualified to work on the thing period. There have been a string of exploits to the http server function, and if someone get's your browser history, you are screwed. Use telnet. Same thing for any cisco CBOS based router (DSL, cable, ISDN).

"no ip http server"

If you have a 12000 or some of the higher end routers, you can ssh to it. Lesser routers, such as anything less than a 7500 can only use telnet. This sucks, but it is what cisco offers. (if you have a PIX firewall, ssh is available from version 5+ or something similar). You can always use IPsec if you have the IOS for it.

Require local authentication to the console, add a 15 minute idle timeout, and other good stuff;

"line con 0"
"exec-timeout 15 0"
"logging synchronous"
"login local"
"transport input none"

Same thing for telnet sessions;

"line vty 0 4"
"exec-timeout 15 0"
"logging synchronous"
"login local"
"transport preferred none"
"transport input telnet"

Access list telnet access to special subnets! This is VERY VERY important;

Add "access-class 5 in" where you have the following access list on the router;

"access-list 5 remark VTY.ACCESS.CONTROL"
"access-list 5 remark 10.3.4.1/32"
"access-list 5 permit 10.3.4.1"
"access-list 5 remark 10.22.33.136/29"
"access-list 5 deny 10.22.33.128 0.0.0.7"
"access-list 5 permit 10.22.33.128 0.0.0.15"

Do not forget the aux port;

"line aux 0"
"login local"
"transport output none"

Authentication;

Use enable secret, NOT enable password!;

enable secret blah-blah-blah-md5-encrypted

Make at least one local user;

username bob password goldfish

Use TACACS+ if you can, and if you have multiple routers. Otherwise, just use a local login. Cisco lets you download TACACS+ if you know where to look;

http://www.cisco.com/warp/public/480/tacplus.sht ml

Encrypt your passwords too;

service password-encryption

Log stuff, and know when stuff happens;

Turn on logging;

"service timestamps debug datetime msec localtime show-timezone"
"service timestamps log datetime msec localtime show-timezone"
"logging buffered 32000 debugging"

Hate log messages on the console?

"no logging console"

Use "term mon" when telnetting to get live logging messages. Use "term no mon" to turn it off.

Synch to an NTP server so you know when stuff happens;

"ntp server 1.2.3.4 prefer"

Get NTP servers here;

http://www.eecis.udel.edu/~mills/ntp/servers.htm

Interfaces;

EVERY DAMN interface should have the following, unless you know better;

"no ip redirects"
"no ip directed-broadcast"
"no ip proxy-arp"
"no cdp enable"

Route RFC1918 traffic to null0. RFC1918 specifies that this traffic should not be routed. I do not know what NANOG's position on it is;

ip route 10.0.0.0 255.0.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0

Turn CDP off, if you can. There is little reason to use it;

Turn it off, on ALL interfaces;

"no cdp run"

Turn it off on an individual interface;

"no cdp enable"

Damn, now wasn't that easy? No? Of course not! People who do networking get paid some serious cash, because it is serious business. Put a fool on the console and your business is going to take it in the ass! Way too many businesses let fools take care of their networking, or better yet have nobody do it at all.