[NANOG] IOS rootkits

Joel Jaeggli joelja at bogus.com
Sun May 18 19:54:27 CDT 2008


Gadi Evron wrote:
> On Sun, 18 May 2008, Joel Jaeggli wrote:
>> Dragos Ruiu wrote:
>>
>>> First of all about prevention, I'm not at all sure about this being
>>> covered by existing router security planning / BCP.
>>> I don't believe most operators reflash their routers periodically, nor
>>> check existing images (particularly because the tools for this
>>> integrity verification don't even exist). If I'm wrong about this I
>>> would love to be corrected with pointers to the tools.
>>
>> I have 6 years worth of rancid logs for every time the reported number
>> of blocks in use on my flash changes, I imagine others do as well.
>> That's hardly the silver bullet however.
>>
>> We as I imagine others do expended a fair amount of cycles monitoring
>> who it is that our routers are talking to and protecting the integrity
>> of the communications channels that they use (bgp, ospf, ssh, tftp etc),
>> If a router has a tcp connection to someplace it shouldn't we'll
>> probably know about it. If it's announcing a prefix it shouldn't be,
>> we'll probably know about it, those are the easy ones though.
> 
> I am very happy to hear you do these... very useful and will catch quite 
> a bit.
> 
>> There are some things one might consider adding in terms of auditing,
>> comparing the running image more closely to the one in flash for
>> example, peroidic checksum of the on onflash image, after downloading to
>> another host would be another. I'm not sure that I'd trust the later
>> given the rooted box can I suppose hand you an unmodified version of the
>> subverted image.
> 
> The result from your check can easily be modified, first thing I would 
> have changed is the checker.

That is a normal thing to do with rootkits (return bogus results). Which 
is part of the reason I suggested that method I did. Short of pulling 
the flash you're not going to get a fully unbiased view of what's it on 
it thusly the audit process has some limitations.

A TCPA style boot process would be a better approach. It's certainly not 
a quick fix since it in general can't be retrofited to existing products.

> Say you did this from a usb stick--I'd just 
> hide the rootkit in memory.
> 
>> In the end if you subvert a router, presumably you're doing it for a
>> purpose and given what the device does, that purpose is probably
>> detectable in a well instrumented network.
> 
> Subversion may not be the goal. A router is perfect for faking outgoing 
> traffic. This traffic can contain stolen sniffed or relayed  data.

If my device is now taking marching orders from a third party then by 
definition it is subverted, regardless of agency or activity.

sub verte - turn from under





More information about the NANOG mailing list