Synful Knock questions...

Roland Dobbins rdobbins at arbor.net
Wed Sep 16 14:45:12 UTC 2015


On 16 Sep 2015, at 21:00, Michael Douglas wrote:

> It's unlikely the routers that got exploited were the initial entry 
> point of the attack.

I understand all that, thanks.

> At this point when they start messing around with routers, you're 
> going to
> see activity coming from the intended internal management range using 
> legit
> credentials.

It would still be quite difficult, and readily detected if accomplished, 
had BCPs such as AAA, per-command auth, per-command logging, and 
monitoring of same been implemented.  Plus, iACLs would prevent C&C 
comms, and monitoring of all traffic to/from router interfaces would 
potentially pick that up, as well.

-----------------------------------
Roland Dobbins <rdobbins at arbor.net>



More information about the NANOG mailing list