nanog mailing list archives
Is my router owned? How would I know?
From: Rob Thomas <robt () cymru com>
Date: Thu, 12 Jan 2006 12:19:26 -0600 (CST)
Hi, NANOGers. You all know how I love a good segue... ;)

How can you tell if your router has been owned? In general the configuration will be modified. This is why we advocate using rancid (or something akin to it) as both a configuration backup tool AND an early warning tool.

If you have a router running BGP, it also pays to peer with it externally. You can use a private ASN and rackspace with a buddy. You can use this peering to detect announcements you don't expect or necessarily condone.

How else can you tell? Here are some tips:

If there is a new user account, or if the enable and access passwords have changed, look out! The miscreants love to scan and find routers with "cisco" as the access and enable passwords. They know that other miscreants are doing the same thing. In fact this is even more widespread thanks to a module found in rBot and rxBot. Yes, even bots are scanning for routers now.

If there are new or changed ACLs, look out! The miscreants love to use routers as IRC bounces. To avoid detection by IRC server proxy monitors, the miscreants will block access to the router (generally all access, sometimes just TCP 23) from those proxy monitors using ACLs.

If there are new or changed SNMP RW community strings, look out! One of the tricks they employ is to leave an SNMP RW community backdoor. Is this to avoid the actions of us good folk? No, it's usually employed in the case where a compromised router is stolen from one miscreant by another.

If the banner has changed, look out! As with the ACLs, this is a method by which the miscreants attempt to fool any proxy monitors. The most common banner we see identifies the router as a FreeBSD box.

If tunnels suddenly appear on the router, look out! Chaining together lots of routers is also common now. This provides obfuscation and sometimes encryption.

Most of the changes are based on templates. Consider this bundled clue, where the prowess of the template user isn't at all a factor.

Use the flows. :)

Thanks,
Rob.
--
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);
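The early-warning check Rob describes (diffing successive configuration backups and watching for new accounts, changed enable passwords, new ACLs, SNMP RW communities, banner changes and new tunnels), as an added example that is not part of the original post and not rancid's own code: a small Python script that compares two IOS-style config snapshots and reports which of those warning signs changed. Both configs, the hostnames, hashes and addresses are constructed sample data, and the regular expressions are assumptions about IOS syntax that cover only the indicators listed above; rancid itself just mails you the raw diff.

```python
"""Flag the warning signs listed above in the diff of two IOS-style configs.
Added example, not code from the original post or from rancid. The snapshots
are constructed sample data; the regexes are assumptions about IOS syntax."""
import re
from collections import defaultdict

# (indicator name, pattern tried against one logical config line). First
# match wins, so the narrower "enable ..." pattern precedes the bare
# "password" pattern used on vty/console lines.
INDICATORS = [
    ("user account",     re.compile(r"^username\s+\S+")),
    ("enable password",  re.compile(r"^enable\s+(secret|password)\b")),
    ("line password",    re.compile(r"^\s*password\s+")),
    ("access-list",      re.compile(r"^(ip\s+)?access-list\s+\S+")),
    ("access-class",     re.compile(r"^\s*access-class\s+\S+")),
    ("snmp community",   re.compile(r"^snmp-server\s+community\s+\S+", re.I)),
    ("banner",           re.compile(r"^banner\s+(motd|login|exec|incoming)\b")),
    ("tunnel interface", re.compile(r"^interface\s+Tunnel\d+", re.I)),
]
# Banner opener: "banner motd ^C" (delimiter may be "^C" or a single char).
BANNER_RX = re.compile(r"^banner\s+(motd|login|exec|incoming)\s+(\^?\S)")
SNMP_RW_RX = re.compile(r"^snmp-server\s+community\s+\S+\s+RW\b", re.I)


def classify(line):
    """Indicator name for a logical config line, or None if it is not one."""
    for name, rx in INDICATORS:
        if rx.search(line):
            return name
    return None


def logical_lines(text):
    """Drop blanks and '!' separators; fold a multi-line banner (opener up to
    the closing delimiter) into one string so a changed banner text shows up
    as a single changed line rather than as unclassified body lines."""
    lines, out, i = text.splitlines(), [], 0
    while i < len(lines):
        line = lines[i].rstrip()
        i += 1
        if not line or line.strip() == "!":
            continue
        m = BANNER_RX.match(line)
        if m and m.group(2) not in line[m.end():]:   # delimiter not closed yet
            block = [line]
            while i < len(lines):
                body = lines[i].rstrip()
                i += 1
                block.append(body)
                if body.endswith(m.group(2)):
                    break
            line = "\n".join(block)
        out.append(line)
    return out


def diff_configs(old_text, new_text):
    """Map indicator -> {"added": [...], "removed": [...]} for logical lines
    present in only one snapshot that match a warning-sign pattern."""
    old, new = logical_lines(old_text), logical_lines(new_text)
    old_set, new_set = set(old), set(new)
    findings = defaultdict(lambda: {"added": [], "removed": []})
    for line in new:
        kind = classify(line)
        if kind and line not in old_set:
            findings[kind]["added"].append(line)
    for line in old:
        kind = classify(line)
        if kind and line not in new_set:
            findings[kind]["removed"].append(line)
    return dict(findings)


def rw_communities_added(findings):
    """New SNMP RW strings: the backdoor case called out in the post."""
    return [l for l in findings.get("snmp community", {}).get("added", [])
            if SNMP_RW_RX.match(l)]


# Constructed snapshots (no real router); hashes and addresses are placeholders.
OLD_CONFIG = """\
username admin secret 5 $1$aaaa$OLDADMINHASH
enable secret 5 $1$bbbb$OLDENABLEHASH
!
snmp-server community n3tm0n RO
!
banner motd ^C
Authorised access only.
^C
!
line vty 0 4
 password 7 0822455D0A16
 transport input ssh
"""
NEW_CONFIG = """\
username admin secret 5 $1$aaaa$OLDADMINHASH
username sys secret 5 $1$cccc$NEWUSERHASH
enable secret 5 $1$dddd$NEWENABLEHASH
!
interface Tunnel0
 tunnel source 192.0.2.1
 tunnel destination 198.51.100.9
!
access-list 99 deny   203.0.113.7
access-list 99 permit any
!
snmp-server community n3tm0n RO
snmp-server community b4ckd00r RW
!
banner motd ^C
FreeBSD/i386 (edge1) (ttyp0)
^C
!
line vty 0 4
 access-class 99 in
 password 7 0822455D0A16
 transport input ssh
"""

if __name__ == "__main__":
    found = diff_configs(OLD_CONFIG, NEW_CONFIG)
    for kind, change in found.items():
        for line in change["removed"]:
            print(f"[{kind}] - {line!r}")
        for line in change["added"]:
            print(f"[{kind}] + {line!r}")
    for line in rw_communities_added(found):
        print(f"!! new SNMP RW community: {line}")
```

Run against the two constructed snapshots it reports every indicator from the post (a new username, a changed enable secret, a new ACL plus the access-class that applies it to the vty lines, a new RW community, a banner rewritten to look like FreeBSD, and a new Tunnel interface) while staying silent on the unchanged vty password. It only inspects the lines that were saved to the config, so it complements, rather than replaces, the external BGP peer and the flow data Rob also recommends.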