North American Network Operators Group
Re: Is my router owned? How would I know?
I use CCR (Cisco Configuration Repository, part of snmpstat project) and have change reports daily, + have syslog reports hourly. The same (osiris) with hosts, btw.

----- Original Message -----
From: "Rob Thomas" <[email protected]>
To: "NANOG" <[email protected]>
Sent: Thursday, January 12, 2006 10:19 AM
Subject: Is my router owned? How would I know?

>
> Hi, NANOGers.
>
> You all know how I love a good segue... ;)
>
> How can you tell if your router has been owned? In general the
> configuration will be modified. This is why we advocate using rancid
> (or something akin to it) as both a configuration backup tool AND an
> early warning tool. If you have a router running BGP, it also pays
> to peer with it externally. You can use a private ASN and rackspace
> with a buddy. You can use this peering to detect announcements you
> don't expect or necessarily condone.
>
> How else can you tell? Here are some tips:
>
> If there is a new user account, or if the enable and access passwords
> have changed, look out! The miscreants love to scan and find routers
> with "cisco" as the access and enable passwords. They know that
> other miscreants are doing the same thing. In fact this is even more
> widespread thanks to a module found in rBot and rxBot. Yes, even
> bots are scanning for routers now.
>
> If there are new or changed ACLs, look out! The miscreants love to
> use routers as IRC bounces. To avoid detection by IRC server proxy
> monitors, the miscreants will block access to the router (generally
> all access, sometimes just TCP 23) from those proxy monitors using
> ACLs.
>
> If there are new or changed SNMP RW community strings, look out!
> One of the tricks they employ is to leave a SNMP RW community
> backdoor. Is this to avoid the actions of we good folk? No, it's
> usually employed in the case where a compromised router is stolen
> from one miscreant by another.
>
> If the banner has changed, look out! As with the ACLs, this is a
> method by which the miscreants attempt to fool any proxy monitors.
> The most common banner we see identifies the router as a FreeBSD
> box.
>
> If tunnels suddenly appear on the router, look out! Chaining
> together lots of routers is also common now. This provides
> obfuscation and sometimes encryption.
>
> Most of the changes are based on templates. Consider this bundled
> clue, where the prowess of the template user isn't at all a factor.
>
> Use the flows. :)
>
> Thanks,
> Rob.
> --
> Rob Thomas
> Team Cymru
> http://www.cymru.com/
> ASSERT(coffee != empty);
>
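As an added example (not part of this thread, and not code from rancid or CCR), here is a small Python checker that diffs two saved IOS configs the way a rancid change report would and groups the changed lines under the indicators Rob lists: new user accounts, enable/password changes, ACLs, SNMP RW communities, banners and tunnels. The two configs, the hashes and the community string in them are constructed for the demonstration; the regexes are a starting point, not a complete catalogue of IOS syntax.

```python
import difflib
import re

# Indicators from the post above: each maps to a regex over Cisco IOS config lines.
INDICATORS = {
    "user_account": re.compile(r"^username\s"),
    "password": re.compile(r"^(enable (secret|password)|\s+password)\b"),
    "acl": re.compile(r"^(access-list|ip access-list|\s+access-class)\b"),
    "snmp_rw": re.compile(r"^snmp-server community \S+ RW\b", re.I),
    "banner": re.compile(r"^banner\s"),
    "tunnel": re.compile(r"^(interface Tunnel|\s+tunnel (source|destination|mode))"),
}

def config_lines(cfg):
    """Keep indentation (sub-commands matter); drop blank lines and '!' separators."""
    return [l.rstrip() for l in cfg.splitlines() if l.strip() and l.strip() != "!"]

def flag_config_changes(old_cfg, new_cfg):
    """Return {category: [(sign, line), ...]} for added ('+') / removed ('-') lines that hit an indicator."""
    diff = difflib.unified_diff(config_lines(old_cfg), config_lines(new_cfg), n=0, lineterm="")
    hits = {}
    for d in diff:
        if d.startswith(("---", "+++", "@@")):
            continue  # unified-diff headers, not config
        sign, line = d[0], d[1:]
        for name, pat in INDICATORS.items():
            if pat.search(line):
                hits.setdefault(name, []).append((sign, line))
    return hits

# Constructed sample: yesterday's backup versus today's pull from the same router.
OLD_CFG = """!
enable secret 5 $1$constructed$oldhash
!
snmp-server community monitor RO 10
banner motd ^C Authorized access only ^C
line vty 0 4
 access-class 10 in
"""
NEW_CFG = """!
enable secret 5 $1$constructed$newhash
username cisco privilege 15 password 0 cisco
interface Tunnel0
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.7
snmp-server community monitor RO 10
snmp-server community c0nstructed RW
banner motd ^C FreeBSD/i386 (edge1) (ttyp0) ^C
line vty 0 4
 access-class 99 in
"""
```

Running flag_config_changes(OLD_CFG, NEW_CFG) reports every one of Rob's six indicators for this pair; an unchanged config against itself returns an empty dict, which is the quiet case a daily report should normally show.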