router worms and International Infrastructure [was: Re: IOS exploit]

Gadi Evron ge at linuxbox.org
Mon Sep 19 16:43:48 UTC 2005


Michael.Dillon at btradianz.com wrote:
> Reading through the original Russian posting here
> http://www.securitylab.ru/news/240415.php&direction=re&template=General&cp1=
> It seems that someone has built an IOS worm that
> follows an EIGRP vector from router to router.

A while back I emailed the following text to a closed mailing list. I 
figure now that quite a few cats are out of the bag it is time to get 
more public attention to these issues, as the Bad Guys will very soon 
start doing just that.

Ciscogate by itself ALONE, and now even just a story about worms for 
routers, is enough for us to be CLEAR that worms will start coming out. 
We do learn from history.

So... as much as people don't like to talk much on the issues involving 
the so-called "cooler" stuff that can be done with routers, now is the 
time to start.

Here is one possible and simple vector of attack that I see happening in 
the future. It goes down-hill from there.

I wrote this after the release of "the three vulnerabilities", a few 
months back. Now we know one wasn't even just a DDoS, and that changes 
the picture a bit.

Begin quoted text ----->>>

More on router worms - let's take down the Internet with three public
POCs and some open spybot source code.
--------------------------------------

People, I have given this some more thought.

Let's forget for a second the fact that these vulnerabilities are 
dangerous on their own (although it's a DoS), and consider what a worm 
could cause.

If the worm used the vulnerability, it would shoot itself in the leg, as 
when the network is down, it can't spread.

Now, imagine if a VX-er were to use an ancient trick and release the worm, 
waiting for it to propagate for 2 or 3 days. Then, after that seeding 
time, when the, say, not very successful worm has infected only about 30K 
machines around the world, each infected host will send out 3 "One 
Packet Killers", as I like to call them, to the world.

Even if the packet won't pass one router, that one router, along with 
thousands of others, will die.

Further, the latest vulnerabilities are not just for Cisco; there is a 
"One Packet Killer" for Juniper as well.

So, say this isn't a 0-day. Tier-1 and tier-2 ISPs are patched (a great 
mechanism to pass through, as these won't filter the packet out if it is 
headed somewhere else); how many of the rest will be up to date?

Let's give the Internet a lot of credit and say... 60% (yeah right).

That leaves us with 30% of the Internet dead, and that's really a bad 
scenario as someone I know would say.

Make each infected system send the one packet spoofed (potentially, not 
necessarily these vulnerabilities) and it's hell. Make them send it 
every day, once! And the net will keep dying every day for a while.

As a friend suggested, maybe even fragment the packet, and have it 
re-assembled at the destination, far-away routers (not sure if that will 
work).

These are all basic, actually very basic, techniques, and with the 
source to exploits and worms freely available....
We keep seeing network equipment vulnerabilities coming out, and it is a 
lot "cooler" to bring down an ISP with one packet rather than with 
1,000,000,000,000,000.

I am sure the guys at Cisco gave this some thought, but I don't believe 
this is getting enough attention generally, and especially not with 
AV-ers. It should.

This may seem like I am hyping the situation, which is well-known. Still, 
well-known or not, secret or not, it's time we prepared better on a 
broader scale.

How?

     Gadi.

----->>> End quoted text.

I would really like to hear some thoughts from the NANOG community on 
threats such as the one described above. Let us not get into an argument 
about 0-days, and consider how many routers are actually patched the 
first... day, week, month? after a vulnerability is released.

Also, let us consider the ever-decreasing vulnerability-2-exploit 
development time.

I don't want the above to sound like FUD. My point is not to yell "death 
of the Internet" but rather to get some people moving on what I believe 
to be a threat, and considering it on a broader scale is LONG overdue.

The cat is out of the bag, and as much as I avoided using "potentially" 
and "possibly" above to make my point... this is just one possible 
scenario, and I believe we need to start getting prepared to better 
defend the Internet as an International Infrastructure.

As I am sure that this will be an interesting discussion, I am also sure 
this will eventually derail into a pointless argument over an unrelated 
matter, here on NANOG.
I'd appreciate it if people who are interested would also email me off-list 
so that we can see how we can perhaps proceed with some activity.

Thanks,

	Gadi Evron.

-- 
Available for consulting:
+972-50-5428610 / ge at linuxbox.org.
