mailing list archives
Is my router owned? How would I know?
From: Rob Thomas <robt () cymru com>
Date: Thu, 12 Jan 2006 12:19:26 -0600 (CST)
You all know how I love a good segue... ;)
How can you tell if your router has been owned? In general the
configuration will be modified. This is why we advocate using rancid
(or something akin to it) as both a configuration backup tool AND an
early warning tool. If you have a router running BGP, it also pays
to peer with it externally. You can use a private ASN and rackspace
with a buddy. You can use this peering to detect announcements you
don't expect or necessarily condone.
How else can you tell? Here are some tips:
If there is a new user account, or if the enable and access passwords
have changed, look out! The miscreants love to scan and find routers
with "cisco" as the access and enable passwords. They know that
other miscreants are doing the same thing. In fact this is even more
widespread thanks to a module found in rBot and rxBot. Yes, even
bots are scanning for routers now.
If there are new or changed ACLs, look out! The miscreants love to
use routers as IRC bounces. To avoid detection by IRC server proxy
monitors, the miscreants will block access to the router (generally
all access, sometimes just TCP 23) from those proxy monitors using
If there are new or changed SNMP RW community strings, look out!
One of the tricks they employ is to leave a SNMP RW community
backdoor. Is this to avoid the actions of we good folk? No, it's
usually employed in the case where a compromised router is stolen
from one miscreant by another.
If the banner has changed, look out! As with the ACLs, this is a
method by which the miscreants attempt to fool any proxy monitors.
The most common banner we see identifies the router as a FreeBSD
If tunnels suddenly appear on the router, look out! Chaining
together lots of routers is also common now. This provides
obfuscation and sometimes encryption.
Most of the changes are based on templates. Consider this bundled
clue, where the prowess of the template user isn't at all a factor.
Use the flows. :)
ASSERT(coffee != empty);