Forgot your password?
typodupeerror
Security

CERT Finds Routers Increasingly Being Cracked 294

Posted by CmdrTaco
from the look-at-the-fancy-new-security-icon dept.
alteran writes "CERT has released a paper (PDF) analyzing changes in DOS attack methods. The new twist-- crackers are increasing getting into routers rather then servers and home PCs. The volume of noise a router could generate absolutely dwarfs what a computer could do. And unlike compromised servers, compromised routers could actually screw up the infrastructure of the Internet, not just blast people with packets. Worst of all, router administators appear to be even sloppier than their server counterparts in securing their machines."
This discussion has been archived. No new comments can be posted.

CERT Finds Routers Increasingly Being Cracked

Comments Filter:
  • What if...

    Microsoft Made Routers? ;)
  • by !Squalus (258239) on Tuesday October 23, 2001 @06:52PM (#2469246) Homepage

    Tripwire makes Tripwire for Routers - Tripwire [tripwire.com] has been in the business of ensuring integrity for your systems for some time. Thet even make the Open-Source version of Tripwire for Servers, Web Pages (Apache) and have a Linux-capable Tripwire Manager (management system for reports) available as well. Definitely worthy of investigation.


    P.S. - I don't work for Tripwire, but I do like their products. 8-)

  • DOS (Score:2, Funny)

    by moonboy (2512)


    Well, that's what they get for using DOS as the OS for their routers. Sheeeesh!! Some people will never learn!

    • I'm curious, do they actually use DOS for many routers' OS?

      You'd think they'd use some highly specialized (i.e. fast/efficient) OS for it.
    • by moonboy (2512)


      Does no one have a sense of humor?

      You people kill me!!

      Oh well, I've got Karma to burn!!! Moderate on!!
      Wooo-hooo!!!

  • I could send this story to the guy who's in charge of security where I work. But he's my boss, and he already thinks I'm Mr. Knowitall...

    Damn... If only he read /., what a crime...

  • In the past few months we've had DOS attacks to our routers constantly for the past few months... Took the admins that long to figure out what the hell was happening to all the bandwidth.

    and even longer to figure out who's doing it... lame admins heh.. :)

  • Cisco requires a service contract to upgrade your IOS. People like to use this as an excuse. What a lot of people don't know is that at the bottom of most Cisco security advisories there is a telephone number for you to call if you do not have a service contract. So stop using the 'I can't afford to pay for a service contract' excuse .
    • Re:cisco updates (Score:3, Informative)

      by !ramirez (106823)
      You don't need a service contract, you just need to have your router registered with them, and have a Cisco Connection Login. I've got a CCO login tied to a 1604, and I've downloaded/torn apart the code for a 12000GXR. No restrictions, they just don't want everyone on the damned planet with access to their firmware.
  • who are these people (Score:4, Interesting)

    by oni (41625) on Tuesday October 23, 2001 @07:00PM (#2469283) Homepage
    from the article:
    Intruders had to work hard to deploy large DDoS attacks networks; much
    work was done
    to avoid detection and compromise of deployed attack
    networks and to provide for easier maintenance.


    OK, here's the dumb question: Who is working so hard? Kids on IRC???
  • by LoRider (16327) on Tuesday October 23, 2001 @07:01PM (#2469286) Homepage Journal
    Companies don't hire enough smart people to admin their network. They think that the guy who knows how install Windows would be a good candidate for admining the network.

    Most companies and people that run them don't understand what it takes to properly setup and maintain a network.

    I think this will/is changing though. The company I work for now takes the network seriously after they narrowly avoided a catastrophic data loss about a month ago. Now that backup solution I was bitching that we needed, has been purchased.

    • Moderators? (Score:2, Insightful)

      How is this a troll? He's absolutely right. It's all politics.
    • Companies don't hire enough smart people to admin their network. They think that the guy who knows how install Windows would be a good candidate for admining the network.

      Most companies and people that run them don't understand what it takes to properly setup and maintain a network.

      OK, I'll assume you're the smart guy. Where do you find this basic info? It seems too concrete and vendor specific for a CS class. Having spent a summer interning with MIS students, all I can figure is they learn a little programming and a lot of beer drinking.

      I have my own Linux router (not LRP, just a 586 with Debian and IP-Chains), and I've had a hell of a time finding any decent information. The HOW-TOs are useful, but always seem to have holes, or say "this section to be added later" for the things I actually need. There is no online documentation, and Google searches always find something close, but not what I'm looking for.

      This isn't something I do for work, so I have no "mentor" to ask questions of. We're a small company, and our admin knows a bit more than I do. I'm having trouble finding a book (I have O'Reilly's Bulding Internet Firewalls on order). I've found no repository of sample IPCHAINS scripts, or even an "official" way to add them to a Debian system.

      How do you go from clueless to "smart"? Why is it, when it comes to security, the Slashdot advice is always "Get a person with a clue as security admin" and never "Here's a clue, here's where to get a clue"?

  • Password (Score:2, Interesting)

    by crumbz (41803)
    The password for all of our routers is admin.
    Not really, but it is on 75% of our client's machines.
  • by Mr. Sketch (111112) <mister@sketch.gmail@com> on Tuesday October 23, 2001 @07:02PM (#2469295)
    We don't actually administer our routers? Our company has some contract through UUnet and the router is actually property of UUnet we don't even have the password to get in and administer it. So if it's comprimised, the blame should be placed on UUnet even though the traffic will look like it's coming from our company.
    • So if it's comprimised, the blame should be placed on UUnet even though the traffic will look like it's coming from our company.

      That's why we have lawyers. UUnet would be responsible for paying the 1.7e49 dollars, once you proved this in court.

      This will be treated as flamebait on /. but there are good uses for the justice system.

    • Correct! If your router is 0wned by UUNet, then 0wned by a badguy, then UUNet 0wns the responsibility to fix it!

  • Home users are increasingly switching to broadband cable/DSL over slowmo phone co. lines. And home broadband routers like Linksys' are getting increasingly inexpensive; even wireless ones are approaching commodity pricing. What will be the fallout when there's a router in every home? Router Wars 2003?
    • Moderators!? (Score:2, Insightful)

      What's with the moderators tonight? They seem worse than usual. The above comment is a legitimate question.
    • Linksys seems somewhat secure, though I never trust them.... Of course, I am Paranoid when it comes to network security, but the best of us are ;)

      Cable modems are real problems, though but I would think that, given their architecture, they would be better used by botnets (zombie IRC clents) than by router attacks in terms of ease of attack.

      Speaking of "botnets," anyone else amused at the resemblence to the name .NET?
  • Why not just remove remote access from critical routers to begin with, and just have physical access to them? Unless your router is located in some unlocked janitors closet, it should be pretty safe from hijacking if remote access is disabled. But, everyone has to be lazy and have their remote access..somethings I can see, in some situations..but this is just lame.
    • My group is has ultimate responsibility for our company's Canada wide WAN based on Cisco equipment. We need to be able to see what the hell is going on when Joe Backhoe digs up the fiberlink in DucksAss Manitoba and knocks out Calgary, Edmonton, Vancouver and Victoria. We need remote access to verify that the telco is indeed down. Since we are also responsible for this WAN, we require the ability to completely control the routers at all times. Without a remote login, we would spend an awful lot on plane tickets. As well, we sometimes need to be able to get to our core routers while we're on the road. That's why remote login exists on this type of equipment - so we can do our job no matter where we are. It's only convenient in very few circumstatnces.

      Dial in only to a modem connected to the aux port, you say? That's just another telnet when it comes down to it - you use the same user/password combo across an untrusted network. Call-back from the router? Again, limits us to one or 2 spots - unworkable.

      BTW, it's not only rsh, telnet or even ssh that can be a problem - IIRC, there was a Cisco exploit based on SNMP. Something about the RW community string set to public? Like CodeRed, traceable to less than knowlegeable admins, but another backdoor none the less. If any device is connected to an untrusted network at all, it is susceptible to attack - period.

      We're contemplating RADIUS or other authentication for the router and switch gear, but that introduces other risks and complications ($). Physical access only would be more secure to be sure, but real world demands kinda toss it out the ethernet port. Sorry.

      Soko
      • Re:Routing Nightmare (Score:3, Informative)

        by Mr Slushy (220285)
        everyone running a cisco router should do this.

        Restrict access to the cisco vty to a list of known hosts. You can use ssh to get from anywhere to one of the permitted hosts, from there you can telnet to the router. If you have the rackspace available, drop an old 486 running *bsd/linux physically right next to each of your routers.

        Add an acl to restrict access to the virtual terminals as follows:


        access-list 2 remark vty access list
        access-list 2 permit 192.168.0.0 0.0.0.255
        access-list 2 permit 192.168.200.0 0.0.0.255
        ....etc....
        access-list 2 deny any

        line vty 0 4
        access-class 2 in



        As with any cisco ACL, be careful that you dont "cut off the branch you are sitting on". If you dont understand what the above ACL does, try it out on a test router before you install it on a router 5 timezones away.

        • Thanks - ACLs are always good. Already done on all our gear.

          However, if the IOS has a security flaw, or the password is weak, well, you know the rest.

          Soko
        • That's pretty open... you'd normally limit vty access to perhaps a single host on a network and you may want to apply anti-spoofing access lists to your interfaces.

          Another tool to use is a TACACS+ server. Cisco produce both a Commercial Cisco server ($$$) and an open source TACACS+ server called tac_plus.

          tac_plus allows you to implement AAA (Accounting, Authorisation & Authentication). Which basicly means this:

          * Central User Access Authentication for all your Routers, Firewalls & Switches.
          * Authorisation for each individual command entered (on a per user, per host basis)
          * Accounting (read logging) of all configuration changes on networking equipment.

          Tac_plus is open source and compiles on nearly all platforms. More information can be obtained here: at Cisco.com [cisco.com]
  • router security (Score:4, Informative)

    by grue23 (158136) on Tuesday October 23, 2001 @07:07PM (#2469327)
    Without reading the article, I'll just say that after spending a while doing network design/admin work, I have often noticed that routers and switches tended to have far less security than servers. Here's three big reasons:
    • As far as I am aware there are no vendors that offer an ssh-like encrypted login for network equipment.
    • Many vendors have backdoor methods of accessing their equipment that can be learned if one is beligerent about pushing a mission critical. tech support call to a high tier. These are sometimes needed to get special diagnostic or debug information. I know one major ATM switch vendor in particular that has a high TCP port login on the management ethernet interface that has a vendor specific user/password that is used not only for diagnostics but also for modifying system parameters.
    • It has been my experience that many network admins simply leave the default user/password on their network gear, or use the same password for every piece of equipment.
    • In my experience, Cisco is "the" router vendor in most large shops. Cisco does take an interest in security, and has primitive support for SSH on a number of their network product platforms.

      Aside from the problem of default and backdoor passwords, there are huge numbers of devices deployed with SNMP enabled and configured with RO/RW community strings as public/private.

      Any day now some crew will start distributing 'rootkit' firmware versions of IOS with zombie functionality in the binary.

      When there is a critical security hole in IOS, Cisco has been very good about releasing IOS revisions with the fix even to customers without any Cisco service contract.

    • As far as I am aware there are no vendors that offer an ssh-like encrypted login for network equipment.

      Cisco, Juniper, and Foundry all offer ssh access. Albeit Cisco's implementation of sshd seriously sucks, but it still works (kinda).

      Those are just three examples. I'm sure other vendors offer ssh/ssl access as well. Now if people choose to not use ssh in favor of telnet, that's another story....

      -B
    • As far as I am aware there are no vendors that offer an ssh-like encrypted login for network equipment.

      You're not very aware. Cisco [cisco.com] Foundry [foundrynet.com] Juniper [juniper.net] [fill in the blank here]

      • For Cisco, at least, that's an awfully limited supported list.

        7200, 7500, 12000. Yay. What about the 3662 I used to admin? :/

        Best I was able to decide on was having it only accept connections from the internal LAN, having a switch between it and the management box, and SSHing into the management box.
        • What about the 3662 I used to admin?

          Perhaps that documentation is out of date. Support is a lot more pervasive than that now.

          Cisco claims to have added support for ssh for the 3600's as of IOS 12.1 [cisco.com].

        • The official supported platform list is actually the 1700, 2600, 3600, 7200, 7500, 12000 and ubr920 series routers. Although I wouldn't be surprised if it actually works on any Cisco router...


          The real limitation is that you must have an IPSec capable image on your router. Not usually a big deal.

    • Extreme Networks supports ssh2 on all their switches.

      (disclaimer: I work for them)

    • by mosch (204) on Tuesday October 23, 2001 @08:55PM (#2469803) Homepage
      Perhaps you've never heard of this little company called Cisco, who is a minor player in the network equipment field. I have a huge quantity of routers and switches which all are accessible via *gasp* ssh.

      As far as backdoors go, this little company called Cisco also requires physical access to the hardware to reset forgotten passwords and such, because they didn't build in backdoors for such purposes.

      You should check them out. They're not too well known yet, but they will be after they IPO. Check out www.cisco.com for more information!

    • Use comodity hardware with FreeBSD or Linux on it. Add the security utilities you want. The Linux Router Project is one possibility, and I am working on one with a little more flexibility and extensible security (yes, if you are interested, you can write me).

      This sort of solution allows you to make your security solutions as extensible as you want, but then you do have to support it yourself, unless you can find a vendor...
    • As far as I am aware there are no vendors that offer an ssh-like encrypted login for network equipment.

      As others have already said Cisco (some products), Juniper (all), and others. However it was not always this way. Cisco was utterly uninterested in ssh or krb telnet for most of the '90s (I worked for UUNET during most of that time, we did get to request features...). The first router (as far as I know) that did it was Ascend's GFR, and mostly just because it ran a Unix (BSD/OS?) on one board to do the control functions. Juniper was next (similar reason, FreeBSD on the control board). To this day I'm not sure if Cisco added it because people asked, or because people said "They already have it -- we'll buy one of those if you don't give it to us"...

    • As far as I am aware there are no vendors that offer an ssh-like encrypted login for network equipment.


      Cisco do. But given that we were quoted £12000 per router to add ssh support, we decided to stick with telnet, and roll over to Linux routers as time and circumstances permit (there are still some areas where Cisco kit wins out, but not as many as there used to be)

    • Cisco have offered SecurID hardware token support (actually by supporting TACACS+ and RADIUS, which support SecurID) for a long time, but not everyone uses it, particularly in service providers. Cisco, Juniper and Riverstone all support SSH (Cisco supports it only in some IOS versions).

      Like Telnet and most HTTP, SNMPv1 and v2 have passwords (community strings) in the clear, but that's why most people don't allow read/write functions from SNMP, only read-only. SNMPv3 fixes this, but it's still not that widely used.

      Backdoors are (IMO) less frequent in routers, since most of these are out on the Internet, where any such backdoors would inevitably be discovered quite rapidly. I've seen vendors claim that they have no such backdoors, which tends to support this. ATM switches may be another matter since telcos often manage them via an out-of-band network, which probvides some security by disabling management from other network links.

      Anyone who leaves the passwords set to defaults deserves what they get, but it's true to say that quite a lot of networks don't change the passwords frequently (if at all). Those that use TACACS+ or RADIUS authentication servers are in much better shape, since they can change passwords from a single point, and particularly if they use SecurID, which prevents a re-usable password from being used. The best solution is to use SSH, with the caveat that this has been known to have its own security holes - so you must be prepared to update your router OS images quickly if necessary.

      Multiple layers of defence are a good idea - e.g. choose strong passwords, proper password encryption, and enable SSH, and then put on ACLs so that SSH is only permitted from a limited set of addresses.
  • by Greyfox (87712) on Tuesday October 23, 2001 @07:09PM (#2469335) Homepage Journal
    A large reason for all this security carelessness is that companies will hire the least expensive person "qualified" to do a job. Those qualifications generally being a buzzword or two on a resume. They will then load that person down with 5 to 10 times more work than he is even capable of, insuring that there is no chance that the slightest hint of security will find its way into the company. Again, the CIO will never catch any flack for this; his choices probably made the company's stock go up in the short term.
  • Every so often when DDOS is discussed, there is mention that "someone" is acquiring DDOS resources and then "hiding" them and/or just not using them (yet). With the recent hijackings and now Anthrax, both surprises, is a massive DDOS attack in the works?? None of the DDOS network building discussions have talked about "who". Is there reason to have big worries about the internet right now?
    • No Real Info but my hunch is yes. If I was in charge of NSA/CIA/DoD you'd be able to bet your bottom dollar that I'd have a whole shit pile of zombies in 'puters all around the world, just sleeping like moles in the KGB waiting for the day when a "response in kind" was called for. And with what has been shown by the s'kiddies, it wouldn't be hard to do.

      Remember back to Desert Storm, DoD planted a virus in some Iraqi printers. I don't think the USG forgot that one, and that's just what we know about. How hard would it be, especialy if SSSCA is passed to plant a back-door in everything conntected to the net?

      Also I think the other guys are doing the same, and the worst is yet to come.If your a NSA agent and you guys aren't already doing this, get a clue and start As far as using my computer "I'd rather be pissed off than pissed on" at least you retain "plausable denialability" using mine. I can't even imagine how many vulnerable machines are in Asia because you don't want to go to Microsoft to get patches when you're running a bootleg copy of Windows.

      I'd guess that someone in USG,Unites States Government, is realy pissed that so much DDoS's are going on, they're more interested in collecting information than blocking it right know. Haven't you found some spooky stuff in your server logs? I know the Islamic terrorist hate the internet, as well as TV and radio, it lets people see/hear other view points. Other view points are dangerous to them, errodes their brain-washing. An effective DDoS attack would serve them just find, and if they destroy Microsoft along the way some much the better in their point of veiw.

      Of course maybe I'm just paranoid, but being parnoid doesn't mean that everyone isn't out to get you.
  • Well since I certanly don't want my little home router being a bane to everyone else out there (it's a cheapo linksys; fire-resistant gear dawned!) and all I want is it to keep slinging data around my home's abundant supply of computers and out the wall, what could someone with a simple home system do to help make usre that their system doesn't become part of routerwarz02.

    foosh.
  • by Dr. A. van Code (143149) <d_r_conrad@@@yahoo...com> on Tuesday October 23, 2001 @07:19PM (#2469387) Homepage

    The volume of noise a router could generate absolutely dwarfs what a computer could do.

    Of course, a router is a computer.

    I guess this isn't surprising, since they've been targetting DSL and cable Windows boxes as platforms from which to launch DDoS attacks -- moving up to the routers is, I suppose, the next logical step.

    SecurityFocus.com [securityfocus.com] has an article [securityfocus.com] by Kevin Poulsen which addresses the issue. He talked to Kevin Houle of CERT. Here's an excerpt:

    "What we see are routers with default and weak passwords being targeted," Houle said. After cracking a router, attackers can use it to launch straightforward denial of service attacks against an Internet site. Because routers can generate enough traffic to impede an end host, while standing up well to a similar counterattack, it's become a valued platform for cyber vandals engaged in online skirmishes in the mostly-juvenile computer underground.

    "If I'm an intruder and I want to be well protected against people DoSing me, a router is somewhat better than an end host," said Houle.

  • A bigger threat (Score:5, Insightful)

    by ostiguy (63618) on Tuesday October 23, 2001 @07:19PM (#2469388)
    Is probably going to be piss poor devices for dsl/cable modem users. Cisco has had real trouble with some of their 6xx series dsl devices. Having 1 million poorly thought out (security wise) $100 devices on decent sized connections (cable/dsl) is probably just as dangerous as having 10000 poorly thought out 10k routers.

    We have seen what code red and nimda did to cable modem segments. Cable is somewhat limited with a 2 megabit upstream limit per segment, so the real risk is just the segment blowing itself up, but enough devices on enough 2 megabit segments really starts to add up.

    Cable companies need to realize: rushing out crappy cable boxes with insecurities (say to steal extra $$$ channels) is a threat only from smart hackers, and a potential loss of revenue (you don't know if they would buy those channels). Rushing out crappy cable/dsl modems can bring down segments, losing $40 a head across all those customers for that month (while my openbsd firewall was mildly annoyed, nimda brought down my mediaone segment for three full days+ = free month)

    ostiguy
    ostiguy
    • Slightly offtopic, but:

      AFAIK, Time Warner doesn't give you a refund or a free month, no matter how often or how long you're without cable service. SWBell home DSL has no service level agreement, and DSL can be shut down for unspecified reasons for significant lengths of time with no recourse to the user. I routinely recommend that businesses avoid basic DSL for that exact reason: you can lose tons of productivity and you still have to pay for the crappy service.

      In fact, several years ago the utility company dug through the T-1 line servicing Hoover's, Inc. in Austin, TX, and they had to threaten SWBell with legal action to get the 2 days of downtime taken from their bill.

      Either Mediaone is very friendly, or you turned in a command performance on the phone with them. Either way, congrats!
  • This is an awesome linux-based router solution that I've setup for clients in the past. Just like most OSS, whenever there's a vulnerability, they fix it fast, and you don't have to pay for a CCNE.

    Astaro Security Linux [astaro.com]

  • This article is short on details about using routers for DDOS. I heard about only one hole in IOS which gives "root" access to the router- an exploit of the embedded http server. Nobody I know runs it on their boxes. There is a risk of admins as educated as people who have IIS running and don't know it, but I hope that most of them only have one low-end router on ISDN link. By the way, is there a way to use router for TCP or UDP based attacks? ICMP flood with root access should be easy.
    • Re:Need more facts! (Score:3, Informative)

      by thrillbert (146343)
      You don't need to have a hole in a router for it to be taken over. 90% (guestimate) of the routers of the world do ZERO logging. Which means that an attacker could sit there for hours on end doing a brute force password attack and no one would ever know.

      Out of the last 6 companies where I have worked at in the past few years, 2 of them logged connects/logins/attempts. And I know of countless more that have no idea how to enable logging, nor what a syslog is.

      So it's not necessary to have a hole in order to get enabled on a router, it just takes patience and a good brute force cracker with telnet capabilities.
  • by jgaynor (205453) <jon@gayn o r . org> on Tuesday October 23, 2001 @07:30PM (#2469439) Homepage
    The NSA has been saying this for a while now. [conxion.com]

    CERT has been saying this for a while now [sans.org]

    Most CCNA's know just enough to get RIP running - and security in cisco manuals doesnt go much beyond passwords and locking your telco closet. They do publish more extensive book son the subject - for a price of course.

    Im all for this - hopefully itll force companies to pay more for qualified network engineers. As it stands right now theyre paid 35k their first year out - thats pathetic for the amount of training required to put together large secure networks.
  • by diverman (55324) on Tuesday October 23, 2001 @07:33PM (#2469455)
    So... how much do you think the number of attacks on routers went up because of this post on slashdot? heh. I think CERT might need to revise their numbers now.

    Cheers,
    -Alex
  • We don't need this (Score:2, Interesting)

    by reconbot (456259)
    Personally I don't understand why they're doing it. When you attack a server or a host you hurt the server or the host. When you go after a router you effect all the servers and host on the network it covers, or if the router is connected to other routers it will bring down the connection between them. Now the part I don't understand if why do this if it effects them too?

    And frankly I've had enough of the normal server attacking DoS attacks. Since any "script kiddie" with a broadband connection or a few bots at his command can stage they're quite common and still a menace. In fact as I'm writing I'm getting attacked right now.
    • Now the part I don't understand is why do this if it effects them too?

      Given that it's just as easy for me to crack my ISPs router as it is to crack a router in (say) Hoboken, I might as well crack the Hoboken one (presuming that I was up to such things).

      Some script kiddies might be stupid enough to break the router that gets them onto the internet -- to that I can only say, "karma blowback".

      The last point is that people who actually take the time and think about those kinds of issues aren't generally the kind of people who'll do things like this.

  • by andykuan (522434) on Tuesday October 23, 2001 @07:40PM (#2469484) Homepage
    The article seems to indicate the use of factory-installed passwords as the problem. There's nothing inherently more vulnerable about routers other than the fact that the people configuring them tend to think of them as peripherals (like a printer) rather than as computers.

    That said, how often are Cisco routers vulnerable to this kind of attack? I've set up plenty of Cisco routers and if I'm not using a startup config borrowed from one of my other routers, I'm using the "setup" routine that prompts me for a password. Seems like most admins worthy of the title wouldn't use "password" as a password when prompted.

    Though I guess they may be referring to the zillions of low-end Ciscos carelessly dropped into client-sites -- but those are supposed to be centrally managed, right?
  • 1: Port scan a known network to have DSL routers, ISDN routers, switches or cable modems or what have you. Your own ISP works great.

    2: Take your list of open telnet ports, and corresponding IP's, and telnet into them.

    3: Using the PDF files of the router docs, log in using the default passwords and wreak havoc. Remove routes, telnet into other boxes on their internal network.

    It's really sad how many of these are setup and forgot about, leaving Joe Business Owner wide open. People don't think twice about changing passwords, disabling WAN access, etc etc

    Don't even get me started on HP JetDirects !
  • Why is it that we (meaning big companies like Cisco, US government, Microsoft, etc) have so much trouble? Just look at all the messes! Sep 11, nimda, code $color_of_choice, DMCA, etc! They are almost always in the business of fixing problems after they become problems!!! ARGH!!! That is one of the most beautiful things about Free and OS Software... a lot of problems get fixed before (out of proportion just like in any estimation done by any research/analysis study) $trillions in losses occur due to some major effing catastophe. Why?? pre-emptive code auditing. Free/OS software is expected to have flaws and faults that's why people are encouraged to look and examine the code! Find, fix, enhance!

    Now, the US Gov, Microsoft etc. seem to not care (they don't seem to make outward attempts anyway) if what they are doing is stupid/wrong. Let's bomb Iraq 4-5 times a month then complain Saddam is a threat to freedom and is happy about Sep. 11! Hey, let's just act like we own the place then millions of people get pissed off at us and we call THEM terrorists because our way is about freedom and you must be against freedom if you are against us!

    ...(Back on topic now)
    When a router is hacked (especially big ones) they have the capability to use a DOS attack on a mammoth amount of people. DOS = denial of service.... not just packet flooding. Imagine if you changed the DNS information or routing information and starting sending EVERYONE from the router to slashdot.org. I am sure Slashdot would drop like a rock. Plus all those people can not view any website and no one can view slashdot. That is a huge DOS. Why are routers easy targets? Monopoly.

    I don't know any current stats but like in 1998 or 1999 something like 80% of the internet infrastructure was Cisco based. I am sure there are at least one common flaw amongst most Cisco routers. Some say it is that reason, others say it's incompetent admins. I say a little from column A, and a little from column B. Cisco needs to make IOS upgrades easier to obtain. Go buy a Cisco router off of ebay and try to upgrade the IOS. Aint going to happen unless you are a CCIE or have a service contract with them. Of course there are illegal ways as well. The point being, you probably are screwed. And to the admins... please... read documentation and understand what you are doing and do it with prior thought before you plug in and turn on. Don't use exec password:cisco and enable password:class (It has been a while since my Cisco training... do they still use that for the lab routers?)

    Excuse me while I /usr/libexec/locate.updatedb
  • Slightly OT but... (Score:3, Interesting)

    by Lostman (172654) on Tuesday October 23, 2001 @08:02PM (#2469578)
    I would think that although major routers being hacked could stall the internet, the real threat STILL exists with computer viruses... at least the real threat economically...

    For one, a business can still operate if the network goes down.. that isnt THAT big an issue... ("Sorry fellows, we wont be sending you home just b/c are network is down"), but if the computers that are being operated/worked on could be sending out data and proprietary information... well.. :)

    Also, for home users... the kind who trust the benevolence of the economic cookie.. you know which ones: "Save my credit card information" on amazon/barnesandnobles checked, along with "Save login information in a cookie" always selected... all that has to be done is to buy up 5-6 items and send to dummy addresses (random ones) before the normal computer user REALLY cares about viruses.. which makes me ask--> why hasnt it happened before? Why hasnt a major virus (code red and nimda anyone?) made purchases after the computer has gone idle for K minutes using the cookies stored on there?

    Anyways, I may be wrong..
  • ACL's on vty lines (Score:2, Informative)

    by -audiowhore- (153163)
    access-list 1 permit
    line vty 0 4
    access-class 1 in

    ummm.....not too dificult and unless the version of IOS running is vulnerable, this will restrict access to the vty lines ala tcp wrappers.

  • Can be found on page 14:

    "Time-To-Exploit Is Shrinking

    Exacerbating the sophistication of attacks and the abundance and susceptibility of targets is a shrinking time-to-exploit. The window of opportunity between vulnerability discovery and widespread exploitation, when security fixes or workarounds can be applied to protect systems, is narrowing. This is, in part, due to the large existing code-base of attack tools than can be used to develop new tools as exploits are written for newly discovered vulnerabilities. Another element causing this trend is a trend toward non-disclosure within intruder communities. Rival groups will often keep new exploits and attack tools private to gain some advantage over other rival groups. Tools that are exposed to outside groups often become obsolete through competitive analysis and are quickly modified, making the lifetime of many attack tools very short. Anti-forensics techniques are now commonly employed in the design of intruder tools in an attempt to increase the lifetime of the tools by limiting the ability of others to determine the function of and defense against an attack tool. Thus, when public awareness of an exploit method or attack tool does rise, the method or tool is often already in some degree of widespread use."

    In other words, the bad guys love the practice of not sharing info on vulnerabilities.

    A corollary of this is that closed source code is a gift to these guys.

  • by lanner (107308) on Tuesday October 23, 2001 @08:46PM (#2469779)
    first, we will assume that you have a cisco, IOS based. If you are using something else, there are other ways to secure your system. I place actual commands in "" quotes. Many of these commands are applicable for IOS based switches too.

    Juniper, Unisphere, whatever, has similar precautions that you can take.

    http://www.cisco.com/warp/public/707/

    Common sense should apply. If you are an idiot, then there is no helping you, and please read no further. Just take your router offline so that you do not harm my network when the time comes for you...

    Secure the console;

    Turn HTTP servicing OFF!!!

    If you use the internal web server to configure your router, you are probably not qualified to work on the thing period. There have been a string of exploits to the http server function, and if someone get's your browser history, you are screwed. Use telnet. Same thing for any cisco CBOS based router (DSL, cable, ISDN).

    "no ip http server"

    If you have a 12000 or some of the higher end routers, you can ssh to it. Lesser routers, such as anything less than a 7500 can only use telnet. This sucks, but it is what cisco offers. (if you have a PIX firewall, ssh is available from version 5+ or something similar). You can always use IPsec if you have the IOS for it.

    Require local authentication to the console, add a 15 minute idle timeout, and other good stuff;

    "line con 0"
    "exec-timeout 15 0"
    "logging synchronous"
    "login local"
    "transport input none"

    Same thing for telnet sessions;

    "line vty 0 4"
    "exec-timeout 15 0"
    "logging synchronous"
    "login local"
    "transport preferred none"
    "transport input telnet"

    Access list telnet access to special subnets! This is VERY VERY important;

    Add "access-class 5 in" where you have the following access list on the router;

    "access-list 5 remark VTY.ACCESS.CONTROL"
    "access-list 5 remark 10.3.4.1/32"
    "access-list 5 permit 10.3.4.1"
    "access-list 5 remark 10.22.33.136/29"
    "access-list 5 deny 10.22.33.128 0.0.0.7"
    "access-list 5 permit 10.22.33.128 0.0.0.15"

    Do not forget the aux port;

    "line aux 0"
    "login local"
    "transport output none"

    Authentication;

    Use enable secret, NOT enable password!;

    enable secret blah-blah-blah-md5-encrypted

    Make at least one local user;

    username bob password goldfish

    Use TACACS+ if you can, and if you have multiple routers. Otherwise, just use a local login. Cisco lets you download TACACS+ if you know where to look;

    http://www.cisco.com/warp/public/480/tacplus.sht ml

    Encrypt your passwords too;

    service password-encryption

    Log stuff, and know when stuff happens;

    Turn on logging;

    "service timestamps debug datetime msec localtime show-timezone"
    "service timestamps log datetime msec localtime show-timezone"
    "logging buffered 32000 debugging"

    Hate log messages on the console?

    "no logging console"

    Use "term mon" when telnetting to get live logging messages. Use "term no mon" to turn it off.

    Synch to an NTP server so you know when stuff happens;

    "ntp server 1.2.3.4 prefer"

    Get NTP servers here;

    http://www.eecis.udel.edu/~mills/ntp/servers.htm

    Interfaces;

    EVERY DAMN interface should have the following, unless you know better;

    "no ip redirects"
    "no ip directed-broadcast"
    "no ip proxy-arp"
    "no cdp enable"

    Route RFC1918 traffic to null0. RFC1918 specifies that this traffic should not be routed. I do not know what NANOG's position on it is;

    ip route 10.0.0.0 255.0.0.0 Null0
    ip route 172.16.0.0 255.240.0.0 Null0
    ip route 192.168.0.0 255.255.0.0 Null0

    Turn CDP off, if you can. There is little reason to use it;

    Turn it off, on ALL interfaces;

    "no cdp run"

    Turn it off on an individual interface;

    "no cdp enable"

    Damn, now wasn't that easy? No? Of course not! People who do networking get paid some serious cash, because it is serious business. Put a fool on the console and your business is going to take it in the ass! Way too many businesses let fools take care of their networking, or better yet have nobody do it at all.

    • If you have a 12000 or some of the higher end routers, you can ssh to it. Lesser routers, such as anything less than a 7500 can only use telnet. This sucks, but it is what cisco offers.

      You are so wrong with the above statement. Provided you have an encryption Feature Set (IPSEC 3DES or IPSEC 56) you can ssh to your router. No matter if it's a 801, a 12416 or anything else in between.

      Read more about requirements + configuration of ssh on IOS routers here [cisco.com] and for further ssh-related reading on Cisco platforms, go here [cisco.com].

  • One-time passwords (Score:2, Informative)

    by cvanhorn (220298)

    Where I work we use one-time passwords. We have special cards that you punch in a personal code and it gives you a one-time use password that expires after use or after 30 seconds. The routers authenticate using TACACS to a server that is synchronized with the cards. Makes it nearly impossible to break into them remotely.


    Another thing router admins need to be aware of is the way they set up SNMP. SNMP can be used to modify just about ANY part of a router. All the attacked needs to know is the read/write string (basically a static passsword). And because SNMP uses UDP, it has the potential of being spoofed if access lists are used to determine which machines may send SNMP commands. The only way to guard against this is edged filters everywhere and keeping the location of the password server and SNMP allowed hosts in a secure segment/area.
  • I have developed a tool that will check IOS
    configs against the NSA rule set. If you're
    interested in testing, drop me a note at

    gmj AT users dot sourceforge dot net

    Also, for reference, here are three good sources
    of security configs for IOS:

    # "NSA Router Security Configuration Guidelins", NSA, September, 2001
    # http://nsa2.www.conxion.com/cisco/download.htm
    #
    # "Improving Security on Cisco Routers", Cisco, October 17, 2001
    # http://www.cisco.com/warp/public/707/21.html
    #
    # "Secure IOS Template Version 2.3", Rob Thomas, October, 2001
    # http://www.cymru.com/~robt/Docs/Articles/secure-io s-template.html

  • You'd be suprised... (Score:2, Informative)

    by gmplague (412185)
    You would be suprised how readily you can find routers (important ones!!) that use default passwords... try writing a little perl script that will traceroute to slashdot, cut up the output, and goes through a database of default passwords (this site has one [securityparadigm.com]), or even just cisco/cisco or enable/cisco in a telnet connection (99% of the time to port 23). I would be willing to bet that if it takes 10 hops to get there, 4 of them will use default passwords. AND THIS IS ON THE BACKBONE!!! Just imagine the number of routers sitting on the edge of a corporate network as their principle gateway that use default passwords. Scary. Very scary.

  • This was demonstrated some months ago when I was tracing a friend of mine's network and noticed they were using a router on their dsl line.

    Apparently their (SLC, Utah) dsl provider was recommending/providing the same model of Cisco router to many of their clients, because by simply pinging down a list of nearby addresses, I was able to telnet into the routers -- with no login, as the access password was by default blank.

    The scary part is two-fold in this situation:
    1) the user's username and password were stored in plaintext on the router and
    2) by telnetting to the provider's site, you could login and see the user's account information, such as address, etc.

    This _seriously_ freaked out my friend! :-)
  • There are alot of resources available on security... everyone knows that security begins with a decent policy. When it comes to securing Cisco routers the following links may be useful:

    From Cisco:
    http://www.cisco.com/warp/public/707/21.html

    From the NSA:
    http://nsa2.www.conxion.com/cisco/index.html

    Its not a solution, but its a start

    -- Kevin
  • I think core to this particular issue is mindset. System Admins have been, for years, told to upgrade--stay current with security patches for your particular operating system.

    Router/Switch maintenence is different. How many Cisco users out there a familiar with the "fix on fail" SOP. I've found many a tier-1 support staffer reluctant to let you run off patching things that may not need it.

    Routers/Switches are very commonly more important (read: requires less downtime) than any single machine on a network. In an environment like Exodus, Level 3, GlobalCenter, ..., downtime on a core switch is serious business. If it's working, there's a definite desire to not break it.

    I identify with this mind set (and if you don't you're probably not a very good admin---running apt-get update/apt-get upgrade every day on a production system is a BAD, no...REALLY BAD idea.) However, let me say clearly, that this is obviously a wrong way to think about things.

    How do you tell what ROM/BIOSs to flash? What patches to install? You have to do your research. If you blindly install a new super duper patch, and it breaks NFS on your server, you probably should've read the ChangeLog or Release Notes--it probably mentioned that something changed, or theres a dependancy--or worse yet, that there are configurations with which the patch is incompatible. It happens.

    There's no easy way, than to understand what you're doing. Read the docs. You have to be willing to dedicate the time to make sure you're doing the right thing, and your bases are covered.

    If you don't--you deserve what you get. If you don't learn from the experience, that'll probably include being fired.

    Not preaching here...just passing along uncomfortable experiences.

    "Yeah, um...hi. Cisco support? I just installed this patch, and..." Ugh.

  • would be particularly easy.

    router>enable
    router#conf t
    router(config)#int tunnel 0
    router(conf-if)#tunnel source
    router(conf-if)#tunnel destination
    router(conf-if)#^Z
    router#conf t
    router#ip route 0.0.0.0 0.0.0.0 tunnel0

    Or thereabouts... This creates half of a tunnel to a peer, which would normally be a router configured to tunnel back... but in this case we just configure the router to send all it's traffic to the victim...

Genius is ten percent inspiration and fifty percent capital gains.

Working...