Home page logo

nanog logo nanog mailing list archives

RE: Is my router owned? How would I know?
From: "Barry Greene (bgreene)" <bgreene () cisco com>
Date: Thu, 12 Jan 2006 11:21:06 -0800

Here are some other new things (Cisco IOS specific):

Login Security Enhancements. The Cisco IOS Login Enhancements feature
allows users to better secure their Cisco IOS devices when creating a
virtual connection, such as Telnet, secure shell (SSH), or HTTP. Thus,
users can help slow down dictionary attacks and help protect their
router from a possible denial-of-service (DoS) attack.


Configuration Change Notification and Logging. Releases of Cisco IOS
software prior to 12.3(4)T/12.2(25)S lack the ability to track the
origin of changes to the running configuration. The only way to
determine if a Cisco IOS software configuration has been changed is to
pull the running and startup configurations offline and do a
line-by-line comparison. This comparison will identify all the changes
that have occurred between the two configurations, but it will not
specify the sequence in which the changes occurred or the person
responsible for the changes.

The Configuration Change Notification and Logging (Configuration
Logging) feature allows the tracking of configuration changes entered on
a per-session and per-user basis by implementing a configuration log.
The configuration log will track each configuration command that is
applied, who applied the command, the parser return code for that
command, and the time that the command was applied. This feature also
adds a notification mechanism that sends asynchronous notifications to
registered applications whenever the configuration log changes. 


And then there is 'security passwords min-length'. If you set this to 6
more more, it would knock out 'cisco' as a possible password on the

-----Original Message-----
From: owner-nanog () merit edu [mailto:owner-nanog () merit edu] On 
Behalf Of Rob Thomas
Sent: Thursday, January 12, 2006 10:19 AM
Subject: Is my router owned? How would I know?

Hi, NANOGers.

You all know how I love a good segue...  ;)

How can you tell if your router has been owned?  In general 
the configuration will be modified.  This is why we advocate 
using rancid (or something akin to it) as both a 
configuration backup tool AND an early warning tool.  If you 
have a router running BGP, it also pays to peer with it 
externally.  You can use a private ASN and rackspace with a 
buddy.  You can use this peering to detect announcements you 
don't expect or necessarily condone.

How else can you tell?  Here are some tips:

If there is a new user account, or if the enable and access 
passwords have changed, look out!  The miscreants love to 
scan and find routers with "cisco" as the access and enable 
passwords.  They know that other miscreants are doing the 
same thing.  In fact this is even more widespread thanks to a 
module found in rBot and rxBot.  Yes, even bots are scanning 
for routers now.

If there are new or changed ACLs, look out!  The miscreants 
love to use routers as IRC bounces.  To avoid detection by 
IRC server proxy monitors, the miscreants will block access 
to the router (generally all access, sometimes just TCP 23) 
from those proxy monitors using ACLs.

If there are new or changed SNMP RW community strings, look out!
One of the tricks they employ is to leave a SNMP RW community 
backdoor.  Is this to avoid the actions of we good folk?  No, 
it's usually employed in the case where a compromised router 
is stolen from one miscreant by another.

If the banner has changed, look out!  As with the ACLs, this 
is a method by which the miscreants attempt to fool any proxy 
The most common banner we see identifies the router as a FreeBSD box.

If tunnels suddenly appear on the router, look out!  Chaining 
together lots of routers is also common now.  This provides 
obfuscation and sometimes encryption.

Most of the changes are based on templates.  Consider this 
bundled clue, where the prowess of the template user isn't at 
all a factor.

Use the flows.  :)

Rob Thomas
Team Cymru
ASSERT(coffee != empty);

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]