Synful Knock questions...
Roland Dobbins
rdobbins at arbor.net
Wed Sep 16 14:45:12 UTC 2015
On 16 Sep 2015, at 21:00, Michael Douglas wrote:
> It's unlikely the routers that got exploited were the initial entry
> point of the attack.
I understand all that, thanks.
> At this point when they start messing around with routers, you're
> going to
> see activity coming from the intended internal management range using
> legit
> credentials.
It would still be quite difficult, and readily detected if accomplished,
had BCPs such as AAA, per-command auth, per-command logging, and
monitoring of same been implemented. Plus, iACLs would prevent C&C
comms, and monitoring of all traffic to/from router interfaces would
potentially pick that up, as well.
-----------------------------------
Roland Dobbins <rdobbins at arbor.net>
More information about the NANOG
mailing list