Is my router owned? How would I know?

Alexei Roudnev alex at relcom.net
Sat Jan 14 09:52:33 UTC 2006


I use CCR (Cisco Configuration Repository, part of the snmpstat project) and
have change reports daily, + have syslog reports hourly.
The same (osiris) with hosts, btw.

----- Original Message ----- 
From: "Rob Thomas" <robt at cymru.com>
To: "NANOG" <nanog at merit.edu>
Sent: Thursday, January 12, 2006 10:19 AM
Subject: Is my router owned? How would I know?


>
> Hi, NANOGers.
>
> You all know how I love a good segue...  ;)
>
> How can you tell if your router has been owned?  In general the
> configuration will be modified.  This is why we advocate using rancid
> (or something akin to it) as both a configuration backup tool AND an
> early warning tool.  If you have a router running BGP, it also pays
> to peer with it externally.  You can use a private ASN and rackspace
> with a buddy.  You can use this peering to detect announcements you
> don't expect or necessarily condone.
>
> How else can you tell?  Here are some tips:
>
> If there is a new user account, or if the enable and access passwords
> have changed, look out!  The miscreants love to scan and find routers
> with "cisco" as the access and enable passwords.  They know that
> other miscreants are doing the same thing.  In fact this is even more
> widespread thanks to a module found in rBot and rxBot.  Yes, even
> bots are scanning for routers now.
>
> If there are new or changed ACLs, look out!  The miscreants love to
> use routers as IRC bounces.  To avoid detection by IRC server proxy
> monitors, the miscreants will block access to the router (generally
> all access, sometimes just TCP 23) from those proxy monitors using
> ACLs.
>
> If there are new or changed SNMP RW community strings, look out!
> One of the tricks they employ is to leave a SNMP RW community
> backdoor.  Is this to avoid the actions of we good folk?  No, it's
> usually employed in the case where a compromised router is stolen
> from one miscreant by another.
>
> If the banner has changed, look out!  As with the ACLs, this is a
> method by which the miscreants attempt to fool any proxy monitors.
> The most common banner we see identifies the router as a FreeBSD
> box.
>
> If tunnels suddenly appear on the router, look out!  Chaining
> together lots of routers is also common now.  This provides
> obfuscation and sometimes encryption.
>
> Most of the changes are based on templates.  Consider this bundled
> clue, where the prowess of the template user isn't at all a factor.
>
> Use the flows.  :)
>
> Thanks,
> Rob.
> -- 
> Rob Thomas
> Team Cymru
> http://www.cymru.com/
> ASSERT(coffee != empty);
>
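The checks Rob lists (new user accounts, changed enable secrets, new or changed ACLs, SNMP RW community strings, banner changes, tunnels appearing) all fall out of a diff between the last known-good backup and the running config, which is exactly what rancid or CCR produce daily. The script below is an added example, not rancid, CCR or Team Cymru code: it takes two constructed IOS-style configs (the "before" backup and an "after" that carries the template-style changes described in the post), diffs the top-level lines, and tags each added or removed line with the indicator it trips. The config contents, hostnames, addresses and community strings are all made up for the example; real IOS banners span several lines, which the single-line regex here does not handle.

```python
"""Flag config changes that match the router-compromise indicators in
Rob Thomas's post.  Added example; the two configs are constructed,
not from any real device."""
import re
from typing import Dict, List

# Constructed sample: last known-good backup of the running config.
BEFORE = """\
hostname edge1
enable secret 5 $1$abcd$knowngoodhash
username noc privilege 15 secret 5 $1$abcd$nocsecret
snmp-server community monitoring RO 10
access-list 10 permit 192.0.2.0 0.0.0.255
banner motd ^C Authorized use only ^C
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
line vty 0 4
 access-class 10 in
"""

# Constructed sample: the running config after a template-style takeover
# (new account, new enable secret, RW community backdoor, ACL blocking a
# proxy monitor's telnet probes, FreeBSD banner, GRE tunnel to the next hop).
AFTER = """\
hostname edge1
enable secret 5 $1$zzzz$changedhash
username noc privilege 15 secret 5 $1$abcd$nocsecret
username r00t privilege 15 secret 5 $1$zzzz$backdoor
snmp-server community monitoring RO 10
snmp-server community pr1v4te RW
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 100 deny tcp 203.0.113.0 0.0.0.255 any eq 23
access-list 100 permit ip any any
banner motd ^C FreeBSD 4.11-RELEASE (GENERIC) ^C
interface Tunnel0
 ip address 10.9.9.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.77
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
line vty 0 4
 access-class 10 in
"""

# Indicators from the post, as (name, regex applied to a top-level line).
INDICATORS = [
    ("new or changed user account", re.compile(r"^username\s")),
    ("enable password/secret changed", re.compile(r"^enable (secret|password)\s")),
    ("new or changed ACL", re.compile(r"^(access-list\s|ip access-list\s)")),
    ("SNMP RW community", re.compile(r"^snmp-server community\s+\S+\s+RW\b", re.I)),
    ("banner changed", re.compile(r"^banner\s")),
    ("tunnel interface appeared", re.compile(r"^interface Tunnel", re.I)),
]


def config_lines(text: str) -> List[str]:
    """Top-level (unindented, non-comment) lines of an IOS-style config.
    Sub-commands under an interface are ignored; the stanza header is
    enough for the tunnel check."""
    return [ln.rstrip() for ln in text.splitlines()
            if ln and not ln.startswith(" ") and not ln.startswith("!")]


def added_lines(before: str, after: str) -> List[str]:
    """Lines in the running config that are not in the backup, in file order."""
    old = set(config_lines(before))
    return [ln for ln in config_lines(after) if ln not in old]


def removed_lines(before: str, after: str) -> List[str]:
    """Lines in the backup that the running config no longer has."""
    new = set(config_lines(after))
    return [ln for ln in config_lines(before) if ln not in new]


def check_config(before: str, after: str) -> Dict[str, List[str]]:
    """Map each tripped indicator to the diff lines ('+ ' added, '- ' removed)
    that tripped it.  An empty dict means nothing on Rob's list changed."""
    findings: Dict[str, List[str]] = {}
    for prefix, lines in (("+ ", added_lines(before, after)),
                          ("- ", removed_lines(before, after))):
        for ln in lines:
            for name, pat in INDICATORS:
                if pat.search(ln):
                    findings.setdefault(name, []).append(prefix + ln)
    return findings


if __name__ == "__main__":
    for name, lines in check_config(BEFORE, AFTER).items():
        print(f"LOOK OUT: {name}")
        for ln in lines:
            print("   ", ln)
```

Run against a real rancid or CCR repository, the two strings would be the previous and current stored copies of each device's config; the point of matching removed lines too is that a deleted ACL or a replaced banner is as much a signal as an added one. Treat any non-empty result the way the post says: look out, then pull the flows.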