IOS Rootkit: the sky isn't falling (yet)

Gadi Evron ge at
Wed May 28 23:20:48 CDT 2008

On Thu, 29 May 2008, Steven M. Bellovin wrote:
> On Wed, 28 May 2008 10:37:05 +0100
> <michael.dillon at> wrote:
>>> So let's see - if you had a billion CPUs in your botnet, and
>>> each one could go at a billion to the second, you still need
>>> 2**69 seconds or 449,235,776,528,695 years.  Not bad - only
>>> 10,000 times the amount of time this planet has been around,
>>> so yeah, that's the way they'll attack all right.
>> I didn't say that. I said that they are starting with an IOS image
>> in which there are some small number of bytes which they can possibly
>> change and still have a functional image. So it is likely that they
>> will brute force that by computing an MD5 hash on all variations of
>> those few bytes. It's like winning the lottery, you only *NEED* to
>> buy one ticket. No matter how slim the chances are of bad guys winning
>> that lottery, it is no excuse for ignoring the possibility that an
>> MD5 hash check may not be proof that you have an original image.
> Did you even look at Valdis' arithmetic?  It *won't work*.  It isn't
> "likely" that they'll try anything with that low a chance of success.
> As for "no matter how slim the chances" -- if you want to have even a
> vague chance of succeeding before Sol turns into a red giant, you're
> going to have to devote enormous resources to the project.  (Actually,
> I don't think you can succeed even then, not by brute force -- there
> aren't a "small number of bytes" that can be changed, you can introduce
> "random" "typographical" errors in error messages for the SNA stack or
> some such, and if you're doing a brute force pre-image attack on MD5 any
> bit is as good as any other.)  Let's put it purely in economic terms:
> which is a better way to invest your effort, building a machine (or
> botnet) with many billions of processors and still having no plausible
> chance of winning, or -- as you yourself suggest -- getting the HVAC
> contract for the data center.  Or putting back doors in the chips.  Or
> bribing or blackmailing coders.  Or breaking into the vault where Cisco
> keeps its master RSA key.  Or funding a vast research effort on
> cracking MD5 before it's replaced by SHA-512.  Or *something* even
> vaguely sane, because brute-forcing MD5 isn't physically possible.

I don't understand how this discussion got to breaking MD5 to begin with?
The whole point was that the results will be manipulated due to the
rootkit messing with the test, no?


> 		--Steve Bellovin,
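The point above, that a hash check executed on a box the rootkit already owns can simply be lied to, as an added illustration that is not part of the thread and is not Cisco's or any real rootkit's code. Everything in it is constructed: the image bytes are stand-ins, `Router`, `read_flash`, `verify_md5` and `verify_out_of_band` are hypothetical names, and `brute_force_years` only restates the arithmetic quoted above for a 128-bit digest at 10^9 CPUs x 10^9 hashes/s.

```python
"""Model of the thread's point: a hash check run on a rootkitted box can be
lied to, so a matching MD5 reported by the box proves nothing. Everything
here is constructed for illustration; no real IOS images or rootkit code."""
import hashlib


def md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


# Constructed stand-ins for a vendor image and a trojaned copy that differs
# in a few bytes (the thread's "small number of bytes" scenario).
ORIGINAL_IMAGE = b"example-ios-image.bin (stand-in)\n" + bytes(range(256)) * 16
TROJANED_IMAGE = ORIGINAL_IMAGE.replace(b"(stand-in)", b"(trojaned)", 1)
PUBLISHED_MD5 = md5hex(ORIGINAL_IMAGE)  # what a vendor download page would list


class Router:
    """Hypothetical box whose on-box MD5 verification hashes flash through
    its own read path."""

    def __init__(self, flash: bytes, rootkit_hooked: bool = False):
        self.flash = flash
        self.rootkit_hooked = rootkit_hooked

    def read_flash(self) -> bytes:
        # A rootkit that owns the running image can also own the code that
        # serves file reads: it hands back the pristine bytes it kept a copy
        # of, while the trojaned bytes are what actually executes.
        if self.rootkit_hooked:
            return ORIGINAL_IMAGE
        return self.flash

    def verify_md5(self, expected: str) -> bool:
        """The on-box check: it trusts read_flash(), hence trusts the rootkit."""
        return md5hex(self.read_flash()) == expected


def verify_out_of_band(flash_dump: bytes, expected: str) -> bool:
    """Hash bytes obtained without the suspect OS in the loop (a dump taken
    after booting known-good media, or a copy of the image made before it
    was ever loaded). The rootkit's hook is not in this path."""
    return md5hex(flash_dump) == expected


def brute_force_years(bits: int = 128, cpus: float = 1e9, rate: float = 1e9) -> float:
    """Expected time for an exhaustive preimage search of a `bits`-bit digest
    on `cpus` machines each doing `rate` hashes/s: the arithmetic behind the
    'not before Sol turns into a red giant' remark."""
    seconds = 2 ** bits / (cpus * rate)
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    clean = Router(ORIGINAL_IMAGE)
    trojaned_no_hook = Router(TROJANED_IMAGE)
    trojaned_hooked = Router(TROJANED_IMAGE, rootkit_hooked=True)
    print("clean box          :", clean.verify_md5(PUBLISHED_MD5))             # True
    print("trojaned, no hook  :", trojaned_no_hook.verify_md5(PUBLISHED_MD5))  # False
    print("trojaned, hooked   :", trojaned_hooked.verify_md5(PUBLISHED_MD5))   # True (the lie)
    print("out-of-band check  :", verify_out_of_band(trojaned_hooked.flash, PUBLISHED_MD5))  # False
    print(f"exhaustive MD5 preimage at 1e9 CPUs x 1e9 hash/s: {brute_force_years():.2e} years")
```

The check only regains meaning when the hashing and the reading of the bytes both happen somewhere the attacker does not control; a stronger hash than MD5 does not change that, which is why the brute-force arithmetic is beside the point the message makes.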
