Security

CERT Finds Routers Increasingly Being Cracked

alteran writes "CERT has released a paper (PDF) analyzing changes in DOS attack methods. The new twist: crackers are increasingly getting into routers rather than servers and home PCs. The volume of noise a router could generate absolutely dwarfs what a computer could do. And unlike compromised servers, compromised routers could actually screw up the infrastructure of the Internet, not just blast people with packets. Worst of all, router administrators appear to be even sloppier than their server counterparts in securing their machines."
  • A bigger threat (Score:5, Insightful)

    by ostiguy ( 63618 ) on Tuesday October 23, 2001 @07:19PM (#2469388)
    Is probably going to be piss poor devices for dsl/cable modem users. Cisco has had real trouble with some of their 6xx series dsl devices. Having 1 million poorly thought out (security-wise) $100 devices on decent sized connections (cable/dsl) is probably just as dangerous as having 10000 poorly thought out 10k routers.

    We have seen what code red and nimda did to cable modem segments. Cable is somewhat limited with a 2 megabit upstream limit per segment, so the real risk is just the segment blowing itself up, but enough devices on enough 2 megabit segments really starts to add up.

    Cable companies need to realize: rushing out crappy cable boxes with insecurities (say to steal extra $$$ channels) is a threat only from smart hackers, and a potential loss of revenue (you don't know if they would buy those channels). Rushing out crappy cable/dsl modems can bring down segments, losing $40 a head across all those customers for that month (while my openbsd firewall was mildly annoyed, nimda brought down my mediaone segment for three full days+ = free month)

    ostiguy
  • don't forget... (Score:1, Insightful)

    by Anonymous Coward on Tuesday October 23, 2001 @07:38PM (#2469474)

    tripwire provides you no added security to stop people from breaking into your system. All it will do is tell you if someone has broken in. And it's useless if you install it on a system that's been live for any period of time, since you can't guarantee that it wasn't cracked in the time that it was live.

    Now tripwire is good to have on a system, but it shouldn't be the sole security policy. It's a supplement, at best. Would you feel secure with no locks on your house but with a spiffy gadget that could tell you if someone had been inside? I wouldn't...

  • by andykuan ( 522434 ) on Tuesday October 23, 2001 @07:40PM (#2469484) Homepage
    The article seems to indicate the use of factory-installed passwords as the problem. There's nothing inherently more vulnerable about routers other than the fact that the people configuring them tend to think of them as peripherals (like a printer) rather than as computers.

    That said, how often are Cisco routers vulnerable to this kind of attack? I've set up plenty of Cisco routers and if I'm not using a startup config borrowed from one of my other routers, I'm using the "setup" routine that prompts me for a password. Seems like most admins worthy of the title wouldn't use "password" as a password when prompted.

    Though I guess they may be referring to the zillions of low-end Ciscos carelessly dropped into client-sites -- but those are supposed to be centrally managed, right?
  • Are there tools to detect changes made by crackers? One of my nightmares is a rooted zombie server that looks perfectly normal to me, but had several backdoors inserted...

    An integrity checker such as Tripwire [tripwire.com] is what you want, and !Squalus pointed out that there is a version of Tripwire for routers.

    The idea is this: generate secure hashes of all critical files, using a secure, one-way hashing algorithm such as SHA-1 or MD5. If those files are changed, hacked, or even damaged by hardware failures, comparing against the old hashes will reveal that the files have been altered.

    In practice, it's a little more complicated. Many files will change, or be changed, in the normal course of operations of a system. Imagine, for example, a clueless sysadmin who ran an integrity checker against all files on a system, and then freaked out because the log files had changed. So it is necessary to have clueful admins who will be able to understand which files are critical and can distinguish between proper, permitted changes and hacker intrusions.

    As I'm sure you know, such clueful sysadmins are in short supply.

    Another issue in some cases, like virus detection, is that the operating system itself must be trusted while the hashing is taking place. There are stealth viruses that can intercept reads to infected files, and make them appear clean. Or at least, there were, back in the days of DOS. In theory, the same thing could be accomplished by hacking a unix kernel.

    For more information on secure hash algorithms, the best reference is Applied Cryptography, 2nd ed. by Bruce Schneier. I'm sure Tripwire has plenty of info on their web site, and a search for "integrity shell" or "secure one-way hashing" would, no doubt, turn up scads of resources and references.
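    The comment above describes the Tripwire approach in prose; the following is an added example of the same idea, written for this page and not taken from Tripwire, the poster, or any other project. It assumes SHA-256 rather than the MD5/SHA-1 the comment mentions, an admin-maintained "volatile" list of paths that are allowed to change (the log-file problem the comment raises), and an HMAC over the stored baseline with a key that in practice is kept offline so a cracker who has rooted the box cannot simply rewrite the baseline to match his backdoored binaries. The sample filesystem and the intrusion it simulates are constructed for the demo.

```python
"""Tripwire-style file integrity checker (added example, not Tripwire's code)."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

HASH_ALG = "sha256"  # assumption: modern hash instead of the 2001-era MD5/SHA-1


def hash_file(path: Path) -> str:
    """Stream the file through the hash so large binaries are not read into memory."""
    h = hashlib.new(HASH_ALG)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def is_volatile(rel: str, volatile: tuple) -> bool:
    """True for paths the admin has decided legitimately change (e.g. log files)."""
    return any(rel == v or rel.startswith(v + "/") for v in volatile)


def build_baseline(root: Path, volatile: tuple = ("var/log",)) -> dict:
    """Map relative path -> digest for every regular file outside the volatile set."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if not is_volatile(rel, volatile):
            baseline[rel] = hash_file(p)
    return baseline


def seal_baseline(baseline: dict, key: bytes) -> bytes:
    """Serialise the baseline and append an HMAC tag; the key is assumed to be
    stored off the box, otherwise an intruder can regenerate the baseline."""
    body = json.dumps(baseline, sort_keys=True).encode()
    tag = hmac.new(key, body, HASH_ALG).hexdigest()
    return body + b"\n" + tag.encode()


def open_baseline(blob: bytes, key: bytes) -> dict:
    """Verify the HMAC before trusting any hash in the baseline."""
    body, tag = blob.rsplit(b"\n", 1)
    expected = hmac.new(key, body, HASH_ALG).hexdigest()
    if not hmac.compare_digest(expected, tag.decode()):
        raise ValueError("baseline file has been tampered with")
    return json.loads(body)


def compare(root: Path, baseline: dict, volatile: tuple = ("var/log",)) -> dict:
    """Report modified, missing and newly added files, ignoring volatile paths."""
    current = build_baseline(root, volatile)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo() -> dict:
    """Constructed scenario: baseline a fake filesystem, then simulate a cracker
    replacing bin/login and dropping a backdoor while the log file keeps growing."""
    key = b"constructed-demo-key-keep-this-offline"  # constructed for the demo
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in {
            "bin/login": b"#!/bin/sh\necho real login\n",
            "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
            "var/log/messages": b"Oct 23 19:19:00 host sshd: started\n",
        }.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)

        sealed = seal_baseline(build_baseline(root), key)  # taken on a clean system

        # Later: the intrusion, plus the normal log churn that must NOT alarm.
        (root / "bin/login").write_bytes(b"#!/bin/sh\n[ \"$1\" = magic ] && exec /bin/sh\n")
        (root / "usr").mkdir()
        (root / "usr/backdoor").write_bytes(b"bind shell placeholder")
        with (root / "var/log/messages").open("ab") as f:
            f.write(b"Oct 24 07:44:00 host sshd: accepted\n")

        return compare(root, open_baseline(sealed, key))
```

    Running `demo()` reports `bin/login` as modified and `usr/backdoor` as added, and says nothing about the log file. The comment's other caveat still applies: the checker runs on the kernel it is checking, so a kernel-level rootkit that lies about file contents defeats it; the usual answer is to hash from a known-good boot medium.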

  • by RazzleDazzle ( 442937 ) on Tuesday October 23, 2001 @08:02PM (#2469575) Journal
    Why is it that we (meaning big companies like Cisco, US government, Microsoft, etc) have so much trouble? Just look at all the messes! Sep 11, nimda, code $color_of_choice, DMCA, etc! They are almost always in the business of fixing problems after they become problems!!! ARGH!!! That is one of the most beautiful things about Free and OS Software... a lot of problems get fixed before (out of proportion just like in any estimation done by any research/analysis study) $trillions in losses occur due to some major effing catastrophe. Why?? pre-emptive code auditing. Free/OS software is expected to have flaws and faults that's why people are encouraged to look and examine the code! Find, fix, enhance!

    Now, the US Gov, Microsoft etc. seem to not care (they don't seem to make outward attempts anyway) if what they are doing is stupid/wrong. Let's bomb Iraq 4-5 times a month then complain Saddam is a threat to freedom and is happy about Sep. 11! Hey, let's just act like we own the place then millions of people get pissed off at us and we call THEM terrorists because our way is about freedom and you must be against freedom if you are against us!

    ...(Back on topic now)
    When a router is hacked (especially big ones) they have the capability to use a DOS attack on a mammoth amount of people. DOS = denial of service.... not just packet flooding. Imagine if you changed the DNS information or routing information and started sending EVERYONE from the router to slashdot.org. I am sure Slashdot would drop like a rock. Plus all those people can not view any website and no one can view slashdot. That is a huge DOS. Why are routers easy targets? Monopoly.

    I don't know any current stats but like in 1998 or 1999 something like 80% of the internet infrastructure was Cisco based. I am sure there is at least one common flaw amongst most Cisco routers. Some say it is that reason, others say it's incompetent admins. I say a little from column A, and a little from column B. Cisco needs to make IOS upgrades easier to obtain. Go buy a Cisco router off of ebay and try to upgrade the IOS. Ain't going to happen unless you are a CCIE or have a service contract with them. Of course there are illegal ways as well. The point being, you probably are screwed. And to the admins... please... read documentation and understand what you are doing and do it with prior thought before you plug in and turn on. Don't use exec password:cisco and enable password:class (It has been a while since my Cisco training... do they still use that for the lab routers?)

    Excuse me while I /usr/libexec/locate.updatedb
  • Moderators? (Score:2, Insightful)

    by silicon_synapse ( 145470 ) on Tuesday October 23, 2001 @08:23PM (#2469686)
    How is this a troll? He's absolutely right. It's all politics.
  • Moderators!? (Score:2, Insightful)

    by silicon_synapse ( 145470 ) on Tuesday October 23, 2001 @08:29PM (#2469709)
    What's with the moderators tonight? They seem worse than usual. The above comment is a legitimate question.
  • by forged ( 206127 ) on Wednesday October 24, 2001 @07:44AM (#2471361) Homepage Journal
    If you have a 12000 or some of the higher end routers, you can ssh to it. Lesser routers, such as anything less than a 7500 can only use telnet. This sucks, but it is what cisco offers.

    You are so wrong with the above statement. Provided you have an encryption Feature Set (IPSEC 3DES or IPSEC 56) you can ssh to your router. No matter if it's an 801, a 12416 or anything else in between.

    Read more about requirements + configuration of ssh on IOS routers here [cisco.com] and for further ssh-related reading on Cisco platforms, go here [cisco.com].
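    Both RazzleDazzle's point about the "cisco"/"class" lab defaults and forged's point about SSH come down to a few lines of router configuration. The fragment below is an added example written for this page, not taken from either poster or from Cisco's documentation. It assumes an IOS image with a crypto feature set (as forged says is required), a management subnet of 192.0.2.0/24 (a documentation prefix chosen for the example), and a release recent enough to accept `ip ssh version 2`; on the 2001-era images the thread discusses only SSH v1 was available, and the key size shown is likewise a modern assumption. Commands are entered from `configure terminal`; the secrets are placeholders to be replaced with long random values.

```text
! Added example: harden management access on an IOS router.
! Assumes a crypto feature set and a 192.0.2.0/24 management network.
hostname edge-rtr
ip domain-name example.net
! SSH needs an RSA keypair; the modulus size is an assumption for modern images.
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
! Hashed "enable secret" instead of the reversible "enable password",
! and a local account so the VTYs do not share one line password.
enable secret <long-random-secret>
username netops privilege 15 secret <long-random-secret>
service password-encryption
! Only SSH on the VTYs, and only from the management subnet.
access-list 10 permit 192.0.2.0 0.0.0.255
line vty 0 4
 transport input ssh
 access-class 10 in
 login local
 exec-timeout 10 0
! What this replaces (the lab-style defaults the thread warns against):
!   enable password class
!   line vty 0 4
!    password cisco
!    login
!    transport input telnet
```

    After applying it, confirm with `show ip ssh` that the server is enabled and with `show running-config | include password|secret` that no type 0 (cleartext) password remains; a router that still answers on TCP 23 from outside the management subnet has not been fixed.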
