Security

CERT Finds Routers Increasingly Being Cracked 294

alteran writes "CERT has released a paper (PDF) analyzing changes in DOS attack methods. The new twist-- crackers are increasingly getting into routers rather than servers and home PCs. The volume of noise a router could generate absolutely dwarfs what a computer could do. And unlike compromised servers, compromised routers could actually screw up the infrastructure of the Internet, not just blast people with packets. Worst of all, router administrators appear to be even sloppier than their server counterparts in securing their machines."
  • by !Squalus ( 258239 ) on Tuesday October 23, 2001 @06:52PM (#2469246) Homepage

    Tripwire makes Tripwire for Routers - Tripwire [tripwire.com] has been in the business of ensuring integrity for your systems for some time. They even make the Open-Source version of Tripwire for Servers, Web Pages (Apache) and have a Linux-capable Tripwire Manager (management system for reports) available as well. Definitely worthy of investigation.


    P.S. - I don't work for Tripwire, but I do like their products. 8-)

  • by LoRider ( 16327 ) on Tuesday October 23, 2001 @07:01PM (#2469286) Homepage Journal
    Companies don't hire enough smart people to admin their network. They think that the guy who knows how to install Windows would be a good candidate for admining the network.

    Most companies and people that run them don't understand what it takes to properly setup and maintain a network.

    I think this will/is changing though. The company I work for now takes the network seriously after they narrowly avoided a catastrophic data loss about a month ago. Now that backup solution I was bitching that we needed, has been purchased.

  • Re:cisco updates (Score:3, Informative)

    by !ramirez ( 106823 ) on Tuesday October 23, 2001 @07:01PM (#2469293)
    You don't need a service contract, you just need to have your router registered with them, and have a Cisco Connection Login. I've got a CCO login tied to a 1604, and I've downloaded/torn apart the code for a 12000GXR. No restrictions, they just don't want everyone on the damned planet with access to their firmware.
  • router security (Score:4, Informative)

    by grue23 ( 158136 ) on Tuesday October 23, 2001 @07:07PM (#2469327)
    Without reading the article, I'll just say that after spending a while doing network design/admin work, I have often noticed that routers and switches tended to have far less security than servers. Here are three big reasons:
    • As far as I am aware there are no vendors that offer an ssh-like encrypted login for network equipment.
    • Many vendors have backdoor methods of accessing their equipment that can be learned if one is belligerent about pushing a mission-critical tech support call to a high tier. These are sometimes needed to get special diagnostic or debug information. I know one major ATM switch vendor in particular that has a high TCP port login on the management ethernet interface that has a vendor specific user/password that is used not only for diagnostics but also for modifying system parameters.
    • It has been my experience that many network admins simply leave the default user/password on their network gear, or use the same password for every piece of equipment.
  • Re:Cisco IOS (Score:3, Informative)

    by !ramirez ( 106823 ) on Tuesday October 23, 2001 @07:08PM (#2469330)
    enable
    password
    config t
    line vty 0 1
    password 7 (insert password here)
    ^Z
    wr mem


    Oh yeah, real hard. 5 lines of commands is super difficult.
  • by Greyfox ( 87712 ) on Tuesday October 23, 2001 @07:09PM (#2469335) Homepage Journal
    A large reason for all this security carelessness is that companies will hire the least expensive person "qualified" to do a job. Those qualifications generally being a buzzword or two on a resume. They will then load that person down with 5 to 10 times more work than he is even capable of, ensuring that there is no chance that the slightest hint of security will find its way into the company. Again, the CIO will never catch any flak for this; his choices probably made the company's stock go up in the short term.
  • by Theolojin ( 102108 ) on Tuesday October 23, 2001 @07:13PM (#2469355) Homepage
    A router IS a computer, you fuckwit. Usually a specialized computer with embedded software allowing it to route quickly and easily. But routers are also sometimes servers or desktops; the machine I am typing this on is a router/desktop/firewall.
    tsk tsk. the original poster was simply using common, ordinary terms instead of the more specific terms that you apparently require. perhaps he should have stated, "the volume of noise a specialized computer [read 'router'] could generate absolutely dwarfs what a general-purpose computer [read 'computer'] could do."

    theo
    --
    Life is short; think quickly.
  • by Dr. A. van Code ( 143149 ) <d_r_conrad@@@yahoo...com> on Tuesday October 23, 2001 @07:19PM (#2469387) Homepage

    The volume of noise a router could generate absolutely dwarfs what a computer could do.

    Of course, a router is a computer.

    I guess this isn't surprising, since they've been targeting DSL and cable Windows boxes as platforms from which to launch DDoS attacks -- moving up to the routers is, I suppose, the next logical step.

    SecurityFocus.com [securityfocus.com] has an article [securityfocus.com] by Kevin Poulsen which addresses the issue. He talked to Kevin Houle of CERT. Here's an excerpt:

    "What we see are routers with default and weak passwords being targeted," Houle said. After cracking a router, attackers can use it to launch straightforward denial of service attacks against an Internet site. Because routers can generate enough traffic to impede an end host, while standing up well to a similar counterattack, it's become a valued platform for cyber vandals engaged in online skirmishes in the mostly-juvenile computer underground.

    "If I'm an intruder and I want to be well protected against people DoSing me, a router is somewhat better than an end host," said Houle.

  • by Nonesuch ( 90847 ) on Tuesday October 23, 2001 @07:21PM (#2469397) Homepage Journal
    In my experience, Cisco is "the" router vendor in most large shops. Cisco does take an interest in security, and has primitive support for SSH on a number of their network product platforms.

    Aside from the problem of default and backdoor passwords, there are huge numbers of devices deployed with SNMP enabled and configured with RO/RW community strings as public/private.

    Any day now some crew will start distributing 'rootkit' firmware versions of IOS with zombie functionality in the binary.

    When there is a critical security hole in IOS, Cisco has been very good about releasing IOS revisions with the fix even to customers without any Cisco service contract.

  • by jgaynor ( 205453 ) <jon@@@gaynor...org> on Tuesday October 23, 2001 @07:30PM (#2469439) Homepage
    The NSA has been saying this for a while now. [conxion.com]

    CERT has been saying this for a while now [sans.org]

    Most CCNA's know just enough to get RIP running - and security in cisco manuals doesn't go much beyond passwords and locking your telco closet. They do publish more extensive books on the subject - for a price of course.

    I'm all for this - hopefully it'll force companies to pay more for qualified network engineers. As it stands right now they're paid 35k their first year out - that's pathetic for the amount of training required to put together large secure networks.
  • Re:Need more facts! (Score:3, Informative)

    by thrillbert ( 146343 ) on Tuesday October 23, 2001 @07:37PM (#2469470) Homepage
    You don't need to have a hole in a router for it to be taken over. 90% (guestimate) of the routers of the world do ZERO logging. Which means that an attacker could sit there for hours on end doing a brute force password attack and no one would ever know.

    Out of the last 6 companies where I have worked in the past few years, 2 of them logged connects/logins/attempts. And I know of countless more that have no idea how to enable logging, nor what a syslog is.

    So it's not necessary to have a hole in order to get enabled on a router, it just takes patience and a good brute force cracker with telnet capabilities.
  • by robvasquez ( 411139 ) on Tuesday October 23, 2001 @07:42PM (#2469496)
    1: Port scan a known network to have DSL routers, ISDN routers, switches or cable modems or what have you. Your own ISP works great.

    2: Take your list of open telnet ports, and corresponding IP's, and telnet into them.

    3: Using the PDF files of the router docs, log in using the default passwords and wreak havoc. Remove routes, telnet into other boxes on their internal network.

    It's really sad how many of these are set up and forgotten about, leaving Joe Business Owner wide open. People don't think twice about changing passwords, disabling WAN access, etc etc

    Don't even get me started on HP JetDirects !
  • ACL's on vty lines (Score:2, Informative)

    by -audiowhore- ( 153163 ) on Tuesday October 23, 2001 @08:14PM (#2469643)
    access-list 1 permit
    line vty 0 4
    access-class 1 in

    ummm.....not too difficult and unless the version of IOS running is vulnerable, this will restrict access to the vty lines à la tcp wrappers.

  • Re:Routing Nightmare (Score:3, Informative)

    by Mr Slushy ( 220285 ) on Tuesday October 23, 2001 @08:16PM (#2469654)
    everyone running a cisco router should do this.

    Restrict access to the cisco vty to a list of known hosts. You can use ssh to get from anywhere to one of the permitted hosts, from there you can telnet to the router. If you have the rackspace available, drop an old 486 running *bsd/linux physically right next to each of your routers.

    Add an acl to restrict access to the virtual terminals as follows:


    access-list 2 remark vty access list
    access-list 2 permit 192.168.0.0 0.0.0.255
    access-list 2 permit 192.168.200.0 0.0.0.255
    ....etc....
    access-list 2 deny any

    line vty 0 4
    access-class 2 in



    As with any cisco ACL, be careful that you don't "cut off the branch you are sitting on". If you don't understand what the above ACL does, try it out on a test router before you install it on a router 5 timezones away.

  • Re:Cisco IOS (Score:1, Informative)

    by Anonymous Coward on Tuesday October 23, 2001 @08:26PM (#2469698)
    Even better, add an access-list to the vtys (acts the same as a hosts.allow in unix)

    line vty 0 4
    access-class 99 in
    password 7 xxxxx
    login

    access-list 99 permit 1.2.3.4 0.0.0.0

    (that 0.0.0.0 is a wildcard mask, not a netmask for any non-cisco types that read this).

    And of course an enable secret is a useful thing.

    Hell if you want to make it even more secure and easier to change the password in bulk for multiple routers, set them up to authenticate to a radius or tacacs+ server and have no local accounts configured (you can still get to it on the aux or com serial ports if the link to the auth server dies).

  • by lanner ( 107308 ) on Tuesday October 23, 2001 @08:46PM (#2469779)
    first, we will assume that you have a cisco, IOS based. If you are using something else, there are other ways to secure your system. I place actual commands in "" quotes. Many of these commands are applicable for IOS based switches too.

    Juniper, Unisphere, whatever, has similar precautions that you can take.

    http://www.cisco.com/warp/public/707/

    Common sense should apply. If you are an idiot, then there is no helping you, and please read no further. Just take your router offline so that you do not harm my network when the time comes for you...

    Secure the console;

    Turn HTTP servicing OFF!!!

    If you use the internal web server to configure your router, you are probably not qualified to work on the thing period. There have been a string of exploits to the http server function, and if someone gets your browser history, you are screwed. Use telnet. Same thing for any cisco CBOS based router (DSL, cable, ISDN).

    "no ip http server"

    If you have a 12000 or some of the higher end routers, you can ssh to it. Lesser routers, such as anything less than a 7500 can only use telnet. This sucks, but it is what cisco offers. (if you have a PIX firewall, ssh is available from version 5+ or something similar). You can always use IPsec if you have the IOS for it.

    Require local authentication to the console, add a 15 minute idle timeout, and other good stuff;

    "line con 0"
    "exec-timeout 15 0"
    "logging synchronous"
    "login local"
    "transport input none"

    Same thing for telnet sessions;

    "line vty 0 4"
    "exec-timeout 15 0"
    "logging synchronous"
    "login local"
    "transport preferred none"
    "transport input telnet"

    Access list telnet access to special subnets! This is VERY VERY important;

    Add "access-class 5 in" where you have the following access list on the router;

    "access-list 5 remark VTY.ACCESS.CONTROL"
    "access-list 5 remark 10.3.4.1/32"
    "access-list 5 permit 10.3.4.1"
    "access-list 5 remark 10.22.33.136/29"
    "access-list 5 deny 10.22.33.128 0.0.0.7"
    "access-list 5 permit 10.22.33.128 0.0.0.15"

    Do not forget the aux port;

    "line aux 0"
    "login local"
    "transport output none"

    Authentication;

    Use enable secret, NOT enable password!;

    enable secret blah-blah-blah-md5-encrypted

    Make at least one local user;

    username bob password goldfish

    Use TACACS+ if you can, and if you have multiple routers. Otherwise, just use a local login. Cisco lets you download TACACS+ if you know where to look;

    http://www.cisco.com/warp/public/480/tacplus.shtml

    Encrypt your passwords too;

    service password-encryption

    Log stuff, and know when stuff happens;

    Turn on logging;

    "service timestamps debug datetime msec localtime show-timezone"
    "service timestamps log datetime msec localtime show-timezone"
    "logging buffered 32000 debugging"

    Hate log messages on the console?

    "no logging console"

    Use "term mon" when telnetting to get live logging messages. Use "term no mon" to turn it off.

    Synch to an NTP server so you know when stuff happens;

    "ntp server 1.2.3.4 prefer"

    Get NTP servers here;

    http://www.eecis.udel.edu/~mills/ntp/servers.htm

    Interfaces;

    EVERY DAMN interface should have the following, unless you know better;

    "no ip redirects"
    "no ip directed-broadcast"
    "no ip proxy-arp"
    "no cdp enable"

    Route RFC1918 traffic to null0. RFC1918 specifies that this traffic should not be routed. I do not know what NANOG's position on it is;

    ip route 10.0.0.0 255.0.0.0 Null0
    ip route 172.16.0.0 255.240.0.0 Null0
    ip route 192.168.0.0 255.255.0.0 Null0

    Turn CDP off, if you can. There is little reason to use it;

    Turn it off, on ALL interfaces;

    "no cdp run"

    Turn it off on an individual interface;

    "no cdp enable"

    Damn, now wasn't that easy? No? Of course not! People who do networking get paid some serious cash, because it is serious business. Put a fool on the console and your business is going to take it in the ass! Way too many businesses let fools take care of their networking, or better yet have nobody do it at all.

  • One-time passwords (Score:2, Informative)

    by cvanhorn ( 220298 ) on Tuesday October 23, 2001 @08:48PM (#2469786) Homepage

    Where I work we use one-time passwords. We have special cards that you punch in a personal code and it gives you a one-time use password that expires after use or after 30 seconds. The routers authenticate using TACACS to a server that is synchronized with the cards. Makes it nearly impossible to break into them remotely.


    Another thing router admins need to be aware of is the way they set up SNMP. SNMP can be used to modify just about ANY part of a router. All the attacker needs to know is the read/write string (basically a static password). And because SNMP uses UDP, it has the potential of being spoofed if access lists are used to determine which machines may send SNMP commands. The only way to guard against this is edge filters everywhere and keeping the location of the password server and SNMP allowed hosts in a secure segment/area.
  • by eludom ( 83727 ) on Tuesday October 23, 2001 @09:01PM (#2469827) Homepage
    I have developed a tool that will check IOS configs against the NSA rule set. If you're interested in testing, drop me a note at

    gmj AT users dot sourceforge dot net

    Also, for reference, here are three good sources of security configs for IOS:

    # "NSA Router Security Configuration Guidelines", NSA, September, 2001
    # http://nsa2.www.conxion.com/cisco/download.htm
    #
    # "Improving Security on Cisco Routers", Cisco, October 17, 2001
    # http://www.cisco.com/warp/public/707/21.html
    #
    # "Secure IOS Template Version 2.3", Rob Thomas, October, 2001
    # http://www.cymru.com/~robt/Docs/Articles/secure-ios-template.html

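As an added example (not code from this thread, not eludom's tool and not Cisco's), here is a small Python checker in the spirit of the one eludom describes: it audits a saved IOS-style config for the items lanner lists further up (enable secret instead of enable password, HTTP server off, access-class and exec-timeout on the vty lines, local login, buffered logging, NTP, RFC1918 null routes, the per-interface "no ip" settings, CDP off) and also flags the default SNMP community strings that Nonesuch and cvanhorn warn about. The two sample configs, the check identifiers and the placeholder secret hash are constructed for this example. The checks are purely textual: a hardening line that a given IOS release leaves implicit in `show running-config` is reported as missing, which is the conservative reading of "every damn interface should have the following".

```python
import re

# Constructed sample (hypothetical): a router "set up and forgotten about".
WEAK_CONFIG = """\
enable password cisco
snmp-server community private RW
ip http server
interface FastEthernet0/0
line vty 0 4
 password 7 094F471A1A0A
 login
"""

# Constructed sample: the same router after the steps above ($1$... is a placeholder hash).
HARDENED_CONFIG = """\
service password-encryption
enable secret 5 $1$placeholder$hash
no ip http server
no cdp run
logging buffered 32000 debugging
ntp server 192.0.2.123 prefer
ip route 10.0.0.0 255.0.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
access-list 5 permit 10.3.4.1
interface FastEthernet0/0
 no ip redirects
 no ip directed-broadcast
 no ip proxy-arp
line vty 0 4
 exec-timeout 15 0
 access-class 5 in
 login local
"""

# Global commands required verbatim, commands required by prefix, and per-interface lines.
REQUIRED_EXACT = (
    ("http-server", "no ip http server"),
    ("password-encryption", "service password-encryption"),
    ("cdp", "no cdp run"),
    ("rfc1918-null", "ip route 10.0.0.0 255.0.0.0 Null0"),
    ("rfc1918-null", "ip route 172.16.0.0 255.240.0.0 Null0"),
    ("rfc1918-null", "ip route 192.168.0.0 255.255.0.0 Null0"),
)
REQUIRED_PREFIX = (("enable-secret", "enable secret"), ("logging", "logging buffered"), ("ntp", "ntp server"))
INTERFACE_HARDENING = ("no ip redirects", "no ip directed-broadcast", "no ip proxy-arp")


def parse(text):
    """Split an IOS-style config into global commands and indented stanzas;
    stanzas maps 'line vty 0 4' / 'interface X' headers to their child commands."""
    cmds, stanzas, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank line or comment
        if raw[0] in " \t" and current is not None:
            stanzas[current].append(raw.strip())  # indented: belongs to the open stanza
        elif raw.startswith(("interface ", "line ")):
            current = raw.strip()
            stanzas.setdefault(current, [])
        else:
            current = None
            cmds.append(raw.strip())
    return cmds, stanzas


def audit(text):
    """Return (check_id, message) findings; an empty list means clean. Checks are
    textual: each hardening line must appear explicitly, whatever IOS defaults to."""
    cmds, stanzas = parse(text)
    present, findings = set(cmds), []
    for check_id, cmd in REQUIRED_EXACT:
        if cmd not in present:
            findings.append((check_id, f"missing '{cmd}'"))
    for check_id, prefix in REQUIRED_PREFIX:
        if not any(c.startswith(prefix) for c in cmds):
            findings.append((check_id, f"no '{prefix} ...' configured"))
    if any(c.startswith("enable password") for c in cmds):
        findings.append(("enable-password", "'enable password' in use; use 'enable secret'"))
    for c in cmds:  # default SNMP community strings are as bad as default passwords
        m = re.match(r"snmp-server community (\S+) (RO|RW)", c)
        if m and m.group(1).lower() in ("public", "private"):
            findings.append(("snmp-default", f"default SNMP {m.group(2)} community '{m.group(1)}'"))
    for header, body in stanzas.items():
        if header.startswith("line vty"):
            if not any(b.startswith("access-class ") and b.endswith(" in") for b in body):
                findings.append(("vty-acl", f"{header}: no inbound access-class"))
            if not any(b.startswith("exec-timeout") for b in body):
                findings.append(("vty-timeout", f"{header}: no exec-timeout"))
            if "login local" not in body and not any(b.startswith("login authentication") for b in body):
                findings.append(("vty-login", f"{header}: not using 'login local' or AAA"))
        elif header.startswith("interface ") and "shutdown" not in body:
            for want in INTERFACE_HARDENING:
                if want not in body:
                    findings.append(("interface", f"{header}: missing '{want}'"))
    return findings


if __name__ == "__main__":
    for check_id, msg in audit(WEAK_CONFIG):
        print(f"[{check_id}] {msg}")
```

Run against the weak sample it lists 17 findings (the three missing null routes and the three missing interface lines count separately); against the hardened sample it returns an empty list. Feeding it a real `show running-config` capture is a matter of reading the file into `audit()`; a shut-down interface is skipped, and a vty stanza using AAA (`login authentication`) is accepted in place of `login local`.
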
  • You'd be surprised... (Score:2, Informative)

    by gmplague ( 412185 ) on Tuesday October 23, 2001 @09:23PM (#2469904) Homepage
    You would be surprised how readily you can find routers (important ones!!) that use default passwords... try writing a little perl script that will traceroute to slashdot, cut up the output, and goes through a database of default passwords (this site has one [securityparadigm.com]), or even just cisco/cisco or enable/cisco in a telnet connection (99% of the time to port 23). I would be willing to bet that if it takes 10 hops to get there, 4 of them will use default passwords. AND THIS IS ON THE BACKBONE!!! Just imagine the number of routers sitting on the edge of a corporate network as their principal gateway that use default passwords. Scary. Very scary.

  • by SiliconSamurai ( 412408 ) on Tuesday October 23, 2001 @10:15PM (#2470098) Homepage
    There are a lot of resources available on security... everyone knows that security begins with a decent policy. When it comes to securing Cisco routers the following links may be useful:

    From Cisco:
    http://www.cisco.com/warp/public/707/21.html

    From the NSA:
    http://nsa2.www.conxion.com/cisco/index.html

    It's not a solution, but it's a start

    -- Kevin
