[NANOG] IOS rootkits
Joel Jaeggli
joelja at bogus.com
Mon May 19 00:54:27 UTC 2008
Gadi Evron wrote:
> On Sun, 18 May 2008, Joel Jaeggli wrote:
>> Dragos Ruiu wrote:
>>
>>> First of all about prevention, I'm not at all sure about this being
>>> covered by existing router security planning / BCP.
>>> I don't believe most operators reflash their routers periodically, nor
>>> check existing images (particularly because the tools for this
>>> integrity verification don't even exist). If I'm wrong about this I
>>> would love to be corrected with pointers to the tools.
>>
>> I have 6 years' worth of rancid logs for every time the reported number
>> of blocks in use on my flash changes; I imagine others do as well.
>> That's hardly the silver bullet, however.
>>
>> We, as I imagine others do, expended a fair amount of cycles monitoring
>> who it is that our routers are talking to and protecting the integrity
>> of the communications channels that they use (bgp, ospf, ssh, tftp etc.).
>> If a router has a tcp connection to someplace it shouldn't, we'll
>> probably know about it. If it's announcing a prefix it shouldn't be,
>> we'll probably know about it. Those are the easy ones, though.
>
> I am very happy to hear you do these... very useful and will catch quite
> a bit.
>
>> There are some things one might consider adding in terms of auditing:
>> comparing the running image more closely to the one in flash, for
>> example; a periodic checksum of the on-flash image, after downloading to
>> another host, would be another. I'm not sure that I'd trust the latter,
>> given that the rooted box can, I suppose, hand you an unmodified version
>> of the subverted image.
>
> The result from your check can easily be modified, first thing I would
> have changed is the checker.
That is a normal thing to do with rootkits (return bogus results), which
is part of the reason I suggested the method I did. Short of pulling
the flash you're not going to get a fully unbiased view of what's on
it; thusly the audit process has some limitations.
A TCPA style boot process would be a better approach. It's certainly not
a quick fix, since it in general can't be retrofitted to existing products.
> Say you did this from a USB stick -- I'd just
> hide the rootkit in memory.
>
>> In the end if you subvert a router, presumably you're doing it for a
>> purpose and given what the device does, that purpose is probably
>> detectable in a well instrumented network.
>
> Subversion may not be the goal. A router is perfect for faking outgoing
> traffic. This traffic can contain stolen sniffed or relayed data.
If my device is now taking marching orders from a third party then by
definition it is subverted, regardless of agency or activity.
sub verte - turn from under
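The two audit steps Joel describes above, watching the collector's flash listing for changes in the space in use and hashing an image pulled off the box on a separate host, as an added example that is not part of this thread and not rancid's own code. The `show flash` text is constructed sample output in a simplified listing format, not a verbatim copy of any IOS release, and the file names and the `.loader` entry are invented for the sample.

```python
"""Flash-drift detection over rancid-style 'show flash' snapshots.

Added example, not from the NANOG thread. It implements the two checks the
message describes: (1) alert when the amount of flash in use, or the set of
files on it, changes between collector runs and (2) hash an image copied off
the router onto a trusted host and compare it with a known-good digest.
All device output is constructed sample text in a simplified listing format.
"""
import hashlib
import re
from dataclasses import dataclass, field

# Constructed baseline snapshot, as a collector such as rancid would store it.
BASELINE = """\
-#- --length-- -----date/time------ path
1     15234568 Jan 12 2008 10:00:00 c2800-ipbase-mz.EXAMPLE.bin
2         1862 Jan 12 2008 10:05:12 startup-config

48332800 bytes available (15236430 bytes used)
"""

# Constructed later snapshot: the image grew and an unexpected file appeared.
CURRENT = """\
-#- --length-- -----date/time------ path
1     15240712 Jan 12 2008 10:00:00 c2800-ipbase-mz.EXAMPLE.bin
2         1862 Jan 12 2008 10:05:12 startup-config
3        40960 May 17 2008 03:14:07 .loader

48285696 bytes available (15283534 bytes used)
"""

# index, length, "Mon DD YYYY HH:MM:SS", path
FILE_RE = re.compile(r"^\s*\d+\s+(\d+)\s+\w{3}\s+\d+\s+\d{4}\s+[\d:]+\s+(\S+)\s*$")
USED_RE = re.compile(r"\((\d+) bytes used\)")


@dataclass
class FlashSnapshot:
    files: dict = field(default_factory=dict)  # path -> length in bytes
    bytes_used: int = 0


def parse_show_flash(text):
    """Parse one listing into per-file sizes plus the reported bytes in use."""
    snap = FlashSnapshot()
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if m:
            snap.files[m.group(2)] = int(m.group(1))
            continue
        m = USED_RE.search(line)
        if m:
            snap.bytes_used = int(m.group(1))
    return snap


def diff_snapshots(baseline, current):
    """Return human-readable findings; an empty list means no drift."""
    findings = []
    if current.bytes_used != baseline.bytes_used:
        findings.append(f"bytes used changed: {baseline.bytes_used} -> {current.bytes_used}")
    for path in sorted(set(current.files) - set(baseline.files)):
        findings.append(f"new file: {path} ({current.files[path]} bytes)")
    for path in sorted(set(baseline.files) - set(current.files)):
        findings.append(f"file removed: {path}")
    for path in sorted(set(baseline.files) & set(current.files)):
        if baseline.files[path] != current.files[path]:
            findings.append(f"size changed: {path} {baseline.files[path]} -> {current.files[path]}")
    return findings


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_pulled_image(image_bytes, expected_sha256):
    """Compare an image copied to a trusted host against a known-good digest.

    The hash is computed here, not on the router, so a checker on the box
    cannot forge the result. As the thread notes, the box can still serve a
    clean copy while running something else, so this is a limited check.
    """
    return sha256_hex(image_bytes) == expected_sha256


if __name__ == "__main__":
    for finding in diff_snapshots(parse_show_flash(BASELINE), parse_show_flash(CURRENT)):
        print("ALERT:", finding)
```

Run against the two constructed snapshots, the diff reports the change in bytes used, the new `.loader` entry and the changed image size; wiring this into the collector's post-run hook is the part left to the reader's environment.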