
CERT Finds Routers Increasingly Being Cracked

CmdrTaco posted more than 12 years ago | from the look-at-the-fancy-new-security-icon dept.

Security 294

alteran writes "CERT has released a paper (PDF) analyzing changes in DOS attack methods. The new twist-- crackers are increasingly getting into routers rather than servers and home PCs. The volume of noise a router could generate absolutely dwarfs what a computer could do. And unlike compromised servers, compromised routers could actually screw up the infrastructure of the Internet, not just blast people with packets. Worst of all, router administrators appear to be even sloppier than their server counterparts in securing their machines."


294 comments


definitely not first d00d (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2469234)

Screw formkeys or something.

Re:definitely not first d00d (0, Offtopic)

hime (5963) | more than 12 years ago | (#2469251)

Sorry, I've just always wanted to do that. Impulses got the better of me. Feel free to mod it down.

Ooooops (-1)

l00ny_bstrd (218467) | more than 12 years ago | (#2469277)

You forgot to check "Post Anonymously"

The Feds should have a back door... (0)

Anonymous Coward | more than 12 years ago | (#2469236)

to all our routers. Then all our routers would belong to us!

Re:The Feds should have a back door... (1)

Anonymous Coward | more than 12 years ago | (#2469502)

Back door...Hoover would have liked that.

Like one of those hypothetical Marvel comics.. (1, Redundant)

EraseEraseMe (167638) | more than 12 years ago | (#2469237)

What if...

Microsoft Made Routers? ;)

Re:Like one of those hypothetical Marvel comics.. (0, Flamebait)

!ramirez (106823) | more than 12 years ago | (#2469276)

Microsoft does make routers, under the brand name Netgear. :)

(Yes, I know, it's Bay, but it's also complete and utter crapware)

Re:Like one of those hypothetical Marvel comics.. (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2469302)

RO318 [netgear.com] is pretty damn good for a home broadband router.

Re:Like one of those hypothetical Marvel comics.. (1)

!ramirez (106823) | more than 12 years ago | (#2469350)

Uh. Right.

And I quote:
Equipped with Stateful Packet Inspection to prevent Denial of Service (DoS) attacks, and Network Address Translation (NAT) to maintain network security against hackers


Any manufacturer that considers NAT 'network security against hackers' is delusional. That's just how it is. Far too many companies nowadays are selling eth2eth NAT boxes and calling them firewalls.

Re:Like one of those hypothetical Marvel comics.. (2)

jonnythan (79727) | more than 12 years ago | (#2469436)

How is NAT *not* a security solution for a home user not running a server?

-J

Re:Like one of those hypothetical Marvel comics.. (0, Offtopic)

segfaultdot (462810) | more than 12 years ago | (#2469322)

Why do you say that? We've had a lot of good experiences with netgear hardware, both nics and hubs and switches and internet routers.

Re:Like one of those hypothetical Marvel comics.. (0, Offtopic)

!ramirez (106823) | more than 12 years ago | (#2469373)

Netgear hubs & switches are just fine. Their routers, however, leave quite a bit to be desired in my opinion. While easy to configure and whatnot, they are painfully limited in what they can do, and the fact that Netgear markets NAT as a security solution doesn't help their position.

Re:Like one of those hypothetical Marvel comics.. (1)

segfaultdot (462810) | more than 12 years ago | (#2469442)

What would you recommend, perhaps a Linux box as a router/firewall? I'm serious... if our router here at work isn't going to suffice as a firewall, it's up to me to replace it with something better. I'm not very well versed in networking as such, there's no real network administrator here, just me. :/

We have a couple other people in our IT department, but i'm the most well versed in networking, which is perhaps a sad statement. ;P

Re:Like one of those hypothetical Marvel comics.. (4, Funny)

grue23 (158136) | more than 12 years ago | (#2469377)

Read your /. manifesto. You aren't allowed to like anything that is:

* Packaged slickly
* Designed for ease of use by non-geeks

Re:Like one of those hypothetical Marvel comics.. (2)

segfaultdot (462810) | more than 12 years ago | (#2469469)

Lol. Yeah, i hear you... but there's a big difference between home and work. At home, i have time to learn how to use the best. At work, it has to be up and running yesterday, and my boss isn't about to pay me to sit there and read the networking HOWTO trying to get a Linux box up and running as a router. Nothing against Linux... i use it 99.9% of the time at home and i have an older box set aside for tinkering and learning at work. But i'm not ready to use Linux in critical applications such as a router, yet. (I said I'm not ready... Linux is. :)

Re:Like one of those hypothetical Marvel comics.. (0, Offtopic)

GdoL (460833) | more than 12 years ago | (#2469395)

They would work like the Microsoft Car.:-)

ALERT! Constitution declared unconstitutional (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2469533)

SS Chief Herr Ashcroft declared the US Constitution unconstitutional today. Gestapo Commander Herr Ridge agreed. "It leaves too many loopholes for terrorists to impede government actions." (note - many suspect the term "government" means the executive branch only. After all, Herr Dubya stated a few weeks ago that "if members of Congress can't keep our secret stuff secret, they won't get any more classified documents from the government." Ashcroft also declared all copies of the US Constitution, Declaration of Independence, Bill of Rights, and other documents classified. Anyone caught with any of these in their possession would be prosecuted as a terrorist. "We wouldn't want these papers to fall into the wrong hands, would we? After all, the founding fathers would probably be arrested as terrorists today."

Routers can be secured... (5, Informative)

!Squalus (258239) | more than 12 years ago | (#2469246)

Tripwire makes Tripwire for Routers - Tripwire [tripwire.com] has been in the business of ensuring integrity for your systems for some time. They even make the Open-Source version of Tripwire for Servers, Web Pages (Apache) and have a Linux-capable Tripwire Manager (management system for reports) available as well. Definitely worthy of investigation.


P.S. - I don't work for Tripwire, but I do like their products. 8-)

don't forget... (1, Insightful)

Anonymous Coward | more than 12 years ago | (#2469474)

tripwire provides you no added security to stop people from breaking into your system. All it will do is tell you if someone has broken in. And it's useless if you install it on a system that's been live for any period of time, since you can't guarantee that it wasn't cracked in the time that it was live.

Now tripwire is good to have on a system, but it shouldn't be the sole security policy. It's a supplement, at best. Would you feel secure with no locks on your house but with a spiffy gadget that could tell you if someone had been inside? I wouldn't...

DOS (2, Funny)

moonboy (2512) | more than 12 years ago | (#2469250)



Well, that's what they get for using DOS as the OS for their routers. Sheeeesh!! Some people will never learn!

-2 Funny (-1)

l00ny_bstrd (218467) | more than 12 years ago | (#2469259)

Thus spake CmdrTaco

This is why Comedians should not get +2 bonus (0)

Anonymous Coward | more than 12 years ago | (#2469383)

subject says it all

Re:DOS (1)

Spazntwich (208070) | more than 12 years ago | (#2469391)

I'm curious, do they actually use DOS for many routers' OS?

You'd think they'd use some highly specialized (i.e. fast/efficient) OS for it.

Re:DOS (1)

redcliffe (466773) | more than 12 years ago | (#2469519)

I did a CCNA course, and IIRC they said that Cisco IOS is a highly optimised multitasking operating system built from the ground up for the routers. Maybe the original poster was confused between IOS and DOS.

Re:DOS (2)

moonboy (2512) | more than 12 years ago | (#2469429)



Does no one have a sense of humor?

You people kill me!!

Oh well, I've got Karma to burn!!! Moderate on!!
Wooo-hooo!!!

Re:DOS (1)

e7 (117450) | more than 12 years ago | (#2469521)

Yup. It only takes one moderator who actually believes that Cisco is running embedded MS-DOS on their routers ...

What to do (1)

Publicus (415536) | more than 12 years ago | (#2469256)

I could send this story to the guy who's in charge of security where I work. But he's my boss, and he already thinks I'm Mr. Knowitall...

Damn... If only he read /., what a crime...

bewoulf (0)

Anonymous Coward | more than 12 years ago | (#2469258)

Imagine bewoulf cluster of these!

How would Beowulf clustering help router security? (0)

Anonymous Coward | more than 12 years ago | (#2469261)

See subject.

Thanks in advance.

--Patrick Bateman, Esq.

Happened alot at my local university (1)

josquint (193951) | more than 12 years ago | (#2469262)

In the past few months we've had DOS attacks on our routers constantly... Took the admins that long to figure out what the hell was happening to all the bandwidth.

and even longer to figure out who's doing it... lame admins heh.. :)

MS-DOS (-1, Troll)

Anonymous Coward | more than 12 years ago | (#2469266)

They said they were using MS-DOS to hack the routers. I have MS-DOS on my 486, so how do you hack MS-DOS itself? I want to hack the Operating System Ms-DOS.

Okay, (0)

Anonymous Coward | more than 12 years ago | (#2469273)

and I'm supposed to care about this exactly why? Jesus, get a fucking life. Go out and get drunk or smoke marijuana, or drop acid or something. Huff paint thinner if you have to - but don't just sit there at your computer all day - go catch a buzz!

Re:Okay, (0)

r0ach (106945) | more than 12 years ago | (#2469403)

ah, someone after my own heart!

cisco updates (1)

Akatosh (80189) | more than 12 years ago | (#2469278)

Cisco requires a service contract to upgrade your IOS. People like to use this as an excuse. What a lot of people don't know is that at the bottom of most Cisco security advisories there is a telephone number for you to call if you do not have a service contract. So stop using the 'I can't afford to pay for a service contract' excuse.

Re:cisco updates (3, Informative)

!ramirez (106823) | more than 12 years ago | (#2469293)

You don't need a service contract, you just need to have your router registered with them, and have a Cisco Connection Login. I've got a CCO login tied to a 1604, and I've downloaded/torn apart the code for a 12000GXR. No restrictions, they just don't want everyone on the damned planet with access to their firmware.

who are these people (4, Interesting)

oni (41625) | more than 12 years ago | (#2469283)

from the article:
Intruders had to work hard to deploy large DDoS attack networks; much work was done to avoid detection and compromise of deployed attack networks and to provide for easier maintenance.


OK, here's the dumb question: Who is working so hard? Kids on IRC???

Re:who are these people (0)

Anonymous Coward | more than 12 years ago | (#2469339)

Yes. These DDoS's aren't being used to break into anything, and they aren't being used (presumably) to draw attention away from or cover up breakins.

So presumably it's kids out for a joyride...maybe with some idiot political agenda (US sucks!/China sucks!/Pakistan sucks!/Censorship sucks!)...

And maybe it's a lot of repetitive work...but it's also repetitive. They do it once...and then again, and again. Not much thought involved.

Re:who are these people (0)

Anonymous Coward | more than 12 years ago | (#2469485)

Perhaps it has no purpose. Maybe it's like in the good ol' days where you hack into something to prove you can...though I doubt it.

Re:who are these people (1)

TheQuantumShift (175338) | more than 12 years ago | (#2469512)

No, it's the losers who grew up on IRC.

It boils down to this (4, Informative)

LoRider (16327) | more than 12 years ago | (#2469286)

Companies don't hire enough smart people to admin their network. They think that the guy who knows how to install Windows would be a good candidate for admining the network.

Most companies and people that run them don't understand what it takes to properly setup and maintain a network.

I think this will/is changing though. The company I work for now takes the network seriously after they narrowly avoided a catastrophic data loss about a month ago. Now that backup solution I was bitching that we needed, has been purchased.

Password (2, Interesting)

crumbz (41803) | more than 12 years ago | (#2469287)

The password for all of our routers is admin.
Not really, but it is on 75% of our client's machines.

Re:Password (1)

jeffy124 (453342) | more than 12 years ago | (#2469446)

i think that's the actual problem - leaving in the default password. Routers should require a new password when the admin performs initial setup. Or, different routers should have different default passwords at time of manufacture. But I think the former is more practical and feasible, as the latter may require printing the passwd on a piece of paper, which can lend itself to error.

Re:Password (1)

knick (19201) | more than 12 years ago | (#2469479)

At least for Cisco routers, there isn't a 'default' password.

No telnet password is set by default, and the router will not let people telnet in till a password is set. Dumb passwords are because of dumb admins. (You have no idea how many routers I've seen using san-fran for enable...)

--knick

Re:Password (2)

jeffy124 (453342) | more than 12 years ago | (#2469509)

ok, i didn't know that. I'm used to LinkSys routers that use an http interface, which all come with a default of 'admin' or 'administrator' (can't remember which)

Re:Password (1)

eudas (192703) | more than 12 years ago | (#2469451)

my personal favourite is 'qpwoeiruty'.

eudas

Re:Password (1)

Glytch (4881) | more than 12 years ago | (#2469503)

Could be worse. There was no admin password on my old junior high school's Novell 3 network.

Didn't matter much anyway. That old server was little more than a glorified hub for the grand total of 18 386's we had sharing a 14.4 modem.

Cisco IOS (-1, Troll)

Anonymous Coward | more than 12 years ago | (#2469294)


<irony>And I'm absolutely positive that the "easy to use and configure" Cisco IOS has absolutely nothing to do with the fact that the routers aren't configured safely....right?</irony>

Re:Cisco IOS (3, Informative)

!ramirez (106823) | more than 12 years ago | (#2469330)

enable
password
config t
line vty 0 1
password 7 (insert password here)
^Z
wr mem


Oh yeah, real hard. 5 lines of commands is super difficult.

What if we don't own the routers? (4, Interesting)

Mr. Sketch (111112) | more than 12 years ago | (#2469295)

We don't actually administer our routers? Our company has some contract through UUnet and the router is actually property of UUnet; we don't even have the password to get in and administer it. So if it's compromised, the blame should be placed on UUnet even though the traffic will look like it's coming from our company.

Re:What if we don't own the routers? (1)

phossie (118421) | more than 12 years ago | (#2469430)

try "admin" (see above post ) [slashdot.org]

;-)

Re:What if we don't own the routers? (1)

gavinmead (112093) | more than 12 years ago | (#2469435)

We had the same experience with a router from PSINet (obviously a while ago).

Our solution was to go get a copy of the Cisco PalmCrack utility and get the en password for the router. Then we took care of our own security concerns.

PSINet never patched the IOS or took any active steps to ensure security. Perhaps UUNet is more responsible.

Re:What if we don't own the routers? (0)

Anonymous Coward | more than 12 years ago | (#2469514)

"Doctor, it hurts when I go like this..."
(perhaps reconsider providing space to routers that someone else owns...)
boyd425

Posts from idiots.. (-1, Troll)

supabeast! (84658) | more than 12 years ago | (#2469303)

Why does Slashdot accept posts from people so stupid?

"The volume of noise a router could generate absolutely dwarfs what a computer could do."

A router IS a computer, you fuckwit. Usually a specialized computer with embedded software allowing it to route quickly and easily. But routers are also sometimes servers or desktops; the machine I am typing this on is a router/desktop/firewall. And guess what? If I cram six NICs into it and crank it up, this thing can generate just as much traffic as a lot of commercial routers. A Sun E450 could put a lot of large routers to shame (And in fact, some people use big Sun hardware as routers.).

Please Taco, stop putting idiotic crap like this on the front page.

Re:Posts from idiots.. (0)

Anonymous Coward | more than 12 years ago | (#2469343)

You're the fuckwit. Taco runs this site.

Kevin the coward

Re:Posts from idiots.. (2)

geomcbay (263540) | more than 12 years ago | (#2469348)

I'm not usually one to defend Slashdot editors, but I think his statement is valid, though he didn't properly clarify it.

The majority of DDOS attacks to date have relied on hackers breaking into many computers beforehand; often these are home computers (PCs) running over cable or DSL lines. Compared to that type of a system, a commercial router (particularly one located close to a backbone) is capable of a hell of a lot more traffic generation.

Re:Posts from idiots.. (2, Informative)

Theolojin (102108) | more than 12 years ago | (#2469355)

A router IS a computer, you fuckwit. Usually a specialized computer with embedded software allowing it route quickly and easily. But routers are also sometimes servers or desktops; the machine I am typing this on is a router/desktop/firewall.
tsk tsk. the original poster was simply using common, ordinary terms instead of the more specific terms that you apparently require. perhaps he should have stated, "the volume of noise a specialized computer [read 'router'] could generate absolutely dwarfs what a general-purpose computer [read 'computer'] could do."

theo
--
Life is short; think quickly.

Re:Posts from idiots.. (0)

Anonymous Coward | more than 12 years ago | (#2469360)

Because, he's rather obviously referring with "computer" to "workstations and servers". Christ. Every time someone says "computer" and means "plus $300 piece of hardware", I don't say "but my calculator is a computer" just to be annoying.

I mean, we're all impressed that you know that by golly, a router "is a computer".

So the guy wasn't thinking. It doesn't in any way inhibit us from getting information from the post, taking context into mind. No reason for you to go postal.

Re:Posts from idiots.. (1)

sr105 (229540) | more than 12 years ago | (#2469371)

Usually a specialized computer with embedded software allowing it route quickly and easily.

Didn't you just reinforce the original post? Maybe the original post could have been clarified by using "personal computer" instead of just "computer," but it was still an accurate statement.

R.

Re:Posts from idiots.. (1)

VRisaMetaphor (87720) | more than 12 years ago | (#2469378)

So your computer + 6 NICs == 1 commercial router.

What was your point again?

Re:Posts from idiots.. (2)

bperkins (12056) | more than 12 years ago | (#2469477)

I think this criticism is a bit harsh. Under certain circumstances the statement is necessarily true, depending on how you interpret it.

A fully compromised router should be able to at least match, and probably almost always exceed, the capacity of any computer downstream of it to cause problems for any machine upstream of it, since a computer downstream of a router can't generate traffic any faster than that router can.
This is true as long as you make certain assumptions about how the router works, how computationally intensive the attack is, and the geometry of the network(*).

Also, the statement: "A router IS a computer, you fuckwit," is inflammatory and pedantic. For the purposes of what we are talking about a computer is something that traffic flows to and from, and a router is something traffic flows through. Everyone knows what he means, and the distinction is conceivably instructive; according to the article more DOS attacks are coming from things that are called routers. Lumping routers in with computers may be technically correct, but is not helpful. The aim of the article is to get out the message that the things commonly called routers are causing more DOS problems than things commonly called computers.

* E.g. assuming the router can do more than just copy traffic, that the attack doesn't require a lot of CPU to generate the data for the attack, and that there aren't many paths between the attacker and the attackee.

Re:Posts from idiots.. (0)

Anonymous Coward | more than 12 years ago | (#2469511)

He meant Personal Computer, you fuckwit.

Home broadband = major problem? (1, Interesting)

Durindana (442090) | more than 12 years ago | (#2469307)


Home users are increasingly switching to broadband cable/DSL over slowmo phone co. lines. And home broadband routers like Linksys' are getting increasingly inexpensive; even wireless ones are approaching commodity pricing. What will be the fallout when there's a router in every home? Router Wars 2003?

Re:Home broadband = major problem? (1)

andykuan (522434) | more than 12 years ago | (#2469427)

The linksys routers cannot be configured from outside the local network so the factory-installed-password attack doesn't work. Plus NAT routers inherently shield the systems on the "inside" which will, overall, decrease the number of compromised systems on the net. I think the use of broadband routers should actually help matters in the short run.

Re:Home broadband = major problem? (1)

yesthatguy (69509) | more than 12 years ago | (#2469508)

I don't know that having the broadband routers will actually help, per se. I suppose that it may be less crackable than an open computer, but it's really out of the scope of this particular type of attack. There's not much to gain from screwing up routing to/from one user/IP address, which is for the most part all you could do by getting into a broadband router. The targets are more high profile, high load routers like those that carry the load for large bandwidth providers, and people with large chunks of IP space.

Re:Home broadband = major problem? (0)

Anonymous Coward | more than 12 years ago | (#2469527)

I have yet to see a published exploit of a LinkSys router, despite their widespread use.

I've got one, which I use as a 2nd internal router/firewall, (not a gateway)...and unless I leave all the settings in their default mode, (which is idiotic) you're not getting in.

Cisco's a good reason why.. (0)

windex (92715) | more than 12 years ago | (#2469308)

Cisco charges for IOS updates, or requires that you have a CCIE on board to get them for you, and in some cases won't give you one at all without a support contract. This is why routers go unpatched, insecure, broken, whatever.. Someone needs to bitch at Cisco.. oh wait, several people have and they didn't care.. hmm.

I also forgot that lots of midrange routers that didn't sell well are now completely unsupported, so the companies who do have them are shit-out-of-luck, no IOS upgrades for you!

Re:Cisco's a good reason why.. (0)

Anonymous Coward | more than 12 years ago | (#2469363)

Last time I had to patch IOS on a Cisco router I didn't have to pay any money or go through a CCIE. I just emailed them the Bugtraq information and they sent me a patched version. Of course, I also communicated in complete sentences.

Re:Cisco's a good reason why.. (1)

windex (92715) | more than 12 years ago | (#2469399)

Patched version, not new version. Old versions contain old bugs. They only release 'patch' versions when an old bug is discovered.

Routing Nightmare (1)

Renraku (518261) | more than 12 years ago | (#2469314)

Why not just remove remote access from critical routers to begin with, and just have physical access to them? Unless your router is located in some unlocked janitor's closet, it should be pretty safe from hijacking if remote access is disabled. But, everyone has to be lazy and have their remote access..some things I can see, in some situations..but this is just lame.

Re:Routing Nightmare (0)

Anonymous Coward | more than 12 years ago | (#2469352)

Joke for you,

What do Janitors and Network Engineers have in common?

.
.
.
.
.
.
.
.

Absolutely nothing except the FUCKING CLOSET!!!

Re:Routing Nightmare (2)

Soko (17987) | more than 12 years ago | (#2469515)

My group has ultimate responsibility for our company's Canada-wide WAN based on Cisco equipment. We need to be able to see what the hell is going on when Joe Backhoe digs up the fiberlink in DucksAss Manitoba and knocks out Calgary, Edmonton, Vancouver and Victoria. We need remote access to verify that the telco is indeed down. Since we are also responsible for this WAN, we require the ability to completely control the routers at all times. Without a remote login, we would spend an awful lot on plane tickets. As well, we sometimes need to be able to get to our core routers while we're on the road. That's why remote login exists on this type of equipment - so we can do our job no matter where we are. It's only convenient in very few circumstances.

Dial in only to a modem connected to the aux port, you say? That's just another telnet when it comes down to it - you use the same user/password combo across an untrusted network. Call-back from the router? Again, limits us to one or 2 spots - unworkable.

BTW, it's not only rsh, telnet or even ssh that can be a problem - IIRC, there was a Cisco exploit based on SNMP. Something about the RW community string set to public? Like CodeRed, traceable to less than knowledgeable admins, but another backdoor nonetheless. If any device is connected to an untrusted network at all, it is susceptible to attack - period.

We're contemplating RADIUS or other authentication for the router and switch gear, but that introduces other risks and complications ($). Physical access only would be more secure to be sure, but real world demands kinda toss it out the ethernet port. Sorry.

Soko

Slashdot is dying (-1, Offtopic)

WeatherTroll (529760) | more than 12 years ago | (#2469326)

Slashdot is collapsing in complete disarray.

You don't need to be a Kreskin to predict slashdot's future. The hand writing is on the wall: Slashdot faces a bleak future. In fact there won't be any future at all for slashdot because slashdot is dying. Things are looking very bad for slashdot. As many of us are already aware, slashdot continues to lose market share. Red ink posts flow like a river of blood.

Let's keep to the facts and look at the numbers.

Adequacy.org leader elby states that there are 7000 users of adequacy. How many users of kuro5hin.org are there? Let's see. The number of adequacy versus kuro5hin posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 kuro5hin users. Poliglut posts on Usenet are about half of the volume of kuro5hin posts. Therefore there are about 700 users of poliglut. A recent article put slashdot at about 80 percent of the crappy weblog market. Therefore there are (7000+1400+700)*4 = 36400 slashdot users. This is consistent with the number of slashdot Usenet posts.

Due to the troubles of andover.net, abysmal sales and so on, slashdot declared bankruptcy and was bought out by goatse.cx in a hostile takeover who merged their own troubled crappy weblog with slashdot. (And a hostile takeover from goatse.cx would not go over well with anyone except Cmdr Taco, Hemos, and the rest. No one else but them would want to end up like the goatse.cx guy.) As a result slashdot was flooded with goatse.cx trolls causing slashdot to lose even more marketshare. Now goatse.cx is also dead, its corpse turned over to another charnel house. (Who else besides a charnel house like the now dead andover.net would want the corpse of the goatse.cx guy?)

All major surveys show that slashdot has steadily declined in market share. Slashdot is very sick and its long term survival prospects are very dim. If slashdot is to survive at all it will be among crappy weblog hobbyist dabblers. Slashdot continues to decay. Nothing short of a miracle could save it at this point in time. For all practical purposes, slashdot is dead.

router security (4, Informative)

grue23 (158136) | more than 12 years ago | (#2469327)

Without reading the article, I'll just say that after spending a while doing network design/admin work, I have often noticed that routers and switches tended to have far less security than servers. Here's three big reasons:
  • As far as I am aware there are no vendors that offer an ssh-like encrypted login for network equipment.
  • Many vendors have backdoor methods of accessing their equipment that can be learned if one is belligerent about pushing a mission-critical tech support call to a high tier. These are sometimes needed to get special diagnostic or debug information. I know one major ATM switch vendor in particular that has a high TCP port login on the management ethernet interface that has a vendor specific user/password that is used not only for diagnostics but also for modifying system parameters.
  • It has been my experience that many network admins simply leave the default user/password on their network gear, or use the same password for every piece of equipment.

Re:router security (0)

Anonymous Coward | more than 12 years ago | (#2469361)

As far as I am aware there are no vendors that offer an ssh-like encrypted login for network equipment.

But they do IPsec. Why does no one have a clue about IPsec? It's already here, it already works, and it is ready to make 99% of the world's problems go away ;)

Cisco router security could be a lot worse. (3, Informative)

Nonesuch (90847) | more than 12 years ago | (#2469397)

In my experience, Cisco is "the" router vendor in most large shops. Cisco does take an interest in security, and has primitive support for SSH on a number of their network product platforms.

Aside from the problem of default and backdoor passwords, there are huge numbers of devices deployed with SNMP enabled and configured with RO/RW community strings as public/private.

Any day now some crew will start distributing 'rootkit' firmware versions of IOS with zombie functionality in the binary.

When there is a critical security hole in IOS, Cisco has been very good about releasing IOS revisions with the fix even to customers without any Cisco service contract.
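A defender's running-config audit that ties together the points raised across this thread: ramirez's vty password commands, the SNMP community strings left at public/private that Soko and Nonesuch mention, default passwords such as san-fran, and telnet versus SSH on the management lines. This is an added example, not code from CERT, Cisco or any poster; the two sample configs and the default-credential list are constructed, and the checks (hypothetical helper names) mirror what a practitioner would look for before putting a Cisco IOS box on an untrusted network.

```python
"""Audit a Cisco IOS running-config for management-plane weaknesses discussed
in the thread.  Constructed sample configs are embedded; nothing here touches
a real device."""
import re

# Credentials that ship as, or are commonly left as, defaults (constructed list
# drawn from the thread: public/private SNMP communities, admin, san-fran).
DEFAULT_SECRETS = {"public", "private", "admin", "administrator", "cisco", "password", "san-fran"}

WEAK_CONFIG = """\
! constructed sample running-config (not from any real device)
hostname edge-rtr
enable password san-fran
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 password 7 0123456789ABCDEF
 login
 transport input telnet
"""

HARDENED_CONFIG = """\
! constructed sample: the same router after applying the fixes discussed in the thread
hostname edge-rtr
enable secret 5 $1$cons$tructedHashPlaceholder.
ip ssh version 2
access-list 10 permit 192.0.2.0 0.0.0.255
snmp-server community s7r0ng-ro-string RO 10
line vty 0 4
 access-class 10 in
 login local
 transport input ssh
"""


def parse_ios_config(text):
    """Split an IOS config into global commands and per-'line vty' sections.
    IOS nests a section's sub-commands under a one-space indent."""
    global_lines, vty_sections, current = [], [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue                      # blank line or comment
        if line.startswith("line vty"):
            current = (line, [])
            vty_sections.append(current)
        elif line.startswith(" ") and current is not None:
            current[1].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, vty_sections


def audit_ios_config(text):
    """Return a list of (severity, message) findings; an empty list means clean."""
    findings = []
    global_lines, vty_sections = parse_ios_config(text)
    if not any(l.startswith("enable secret") for l in global_lines):
        findings.append(("medium", "no 'enable secret' configured"))
    for line in global_lines:
        if line.startswith("enable password"):
            # 'enable password' is cleartext (type 0) or reversible type 7.
            findings.append(("high", "'enable password' is cleartext or reversible type 7; use 'enable secret'"))
            value = line.split()[-1]
            if value.lower() in DEFAULT_SECRETS:
                findings.append(("high", f"enable password '{value}' is a well-known default"))
        m = re.match(r"snmp-server community (\S+)(?:\s+(RO|RW))?(?:\s+(\S+))?$", line)
        if m:
            community, mode, acl = m.group(1), m.group(2) or "RO", m.group(3)
            if community.lower() in DEFAULT_SECRETS:
                sev = "high" if mode == "RW" else "medium"   # RW = full remote reconfiguration
                findings.append((sev, f"SNMP {mode} community '{community}' is a well-known default"))
            if acl is None:
                findings.append(("medium", f"SNMP community '{community}' has no access-list restricting sources"))
    for header, body in vty_sections:
        transports = [l.split()[2:] for l in body if l.startswith("transport input")]
        allowed = transports[-1] if transports else ["all"]   # unrestricted when unset
        if allowed not in (["ssh"], ["none"]):
            findings.append(("high", f"{header}: 'transport input {' '.join(allowed)}' permits non-SSH logins"))
        if not any(l.startswith("access-class") for l in body):
            findings.append(("medium", f"{header}: no access-class limits who may reach the login prompt"))
        for l in body:
            parts = l.split()
            if parts[0] == "password":
                if len(parts) >= 3 and parts[1] == "7":
                    findings.append(("medium", f"{header}: line password stored as reversible type 7"))
                elif parts[-1].lower() in DEFAULT_SECRETS:
                    findings.append(("high", f"{header}: line password '{parts[-1]}' is a well-known default"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}: {len(audit_ios_config(cfg))} finding(s)")
        for sev, msg in audit_ios_config(cfg):
            print(f"  [{sev}] {msg}")
```

Run it as-is to see the ten findings on the weak config and none on the hardened one; feed it a real `show running-config` dump to audit your own gear.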

Re:router security (1)

GPB (12468) | more than 12 years ago | (#2469402)

As far as I am aware there are no vendors that offer an ssh-like encrypted login for network equipment.

Cisco, Juniper, and Foundry all offer ssh access. Albeit Cisco's implementation of sshd seriously sucks, but it still works (kinda).

Those are just three examples. I'm sure other vendors offer ssh/ssl access as well. Now if people choose to not use ssh in favor of telnet, that's another story....

-B

Re:router security (2)

rcw-home (122017) | more than 12 years ago | (#2469409)

As far as I am aware there are no vendors that offer an ssh-like encrypted login for network equipment.

You're not very aware. Cisco [cisco.com] Foundry [foundrynet.com] Juniper [juniper.net] [fill in the blank here]

Re:router security (1)

brettbender (87275) | more than 12 years ago | (#2469415)

Expand your awareness... A router running Cisco IOS v12+ includes SSH support, as do PIX firewalls and Catalyst 6000 switches. I routinely use Expect and SSH to automate (securely!) maintenance tasks (e.g. ACL updates on the PIX) on my company's infrastructure equipment.

And if the piece of equipment doesn't have SSH support, or if you want to take your admin traffic entirely out of band, how about connecting an old PC to the serial console line? Run an sshd on the PC, and bang -- secure access.

Re:router security (0)

Anonymous Coward | more than 12 years ago | (#2469450)

Better yet, you could use a 32 port serial nexus hooked up to that machine. Log into the machine, log into the nexus, log into one of the 32 routers.

Re:router security (2)

Polo (30659) | more than 12 years ago | (#2469417)

Extreme Networks supports ssh2 on all their switches.

(disclaimer: I work for them)

Re:router security (1)

kernkopje (414100) | more than 12 years ago | (#2469433)



And to complete the list of vendors that deliver network hardware with SSH support: Riverstone [riverstonenet.com] OS (ROS) also supports a fine sshd implementation...

FBI conTROLLed fake slashdot... (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#2469328)

I am starting to believe that this is not the REAL Internet I'm seeing. I believe the FBI is routing all traffic to and from my computer into a large mainframe that has virtual hosts comprising a virtual Internet. This is not really slashdot. I am reading the FBI's perverted slashdot. They just want me to think it's slashdot.

It's really clever... they set up "stories" on this "supposed" slashdot and the links lead recursively to virtual domains hosted within the big mainframe. They are trying to get me to respond. They are trying to get me to admit to something... BUT I WON'T!!! THEY CANNOT BREAK ME!!!

Re:FBI conTROLLed fake slashdot... (1)

isotope23 (210590) | more than 12 years ago | (#2469411)

Somewhere out in the matrix.......

"Subject Z-23 has just responded."
"Excellent, start the P0rn spam now."

Quality of Company Hires (4, Informative)

Greyfox (87712) | more than 12 years ago | (#2469335)

A large reason for all this security carelessness is that companies will hire the least expensive person "qualified" to do a job. Those qualifications generally being a buzzword or two on a resume. They will then load that person down with 5 to 10 times more work than he is even capable of, ensuring that there is no chance that the slightest hint of security will find its way into the company. Again, the CIO will never catch any flack for this; his choices probably made the company's stock go up in the short term.

How do I tell if my machine is cracked? (-1, Troll)

Anonymous Coward | more than 12 years ago | (#2469342)

Seriously - how do I tell?

I run a local LAN based on a Linux router; I maintain several smallish web servers and one big server farm, based on Linux and Solaris. Our company has several Windows workstations. I add patches, get upgrades, read security alerts. My machines haven't been cracked so far. I guess.

I *know* that two years ago, one of my webservers was hacked and abused by IRC script kiddies. They did not clean up after themselves, it was easy to tell someone broke in and they were actually online when I detected their presence.

But with rootkits out there, how paranoid can I be? Are there tools to detect changes made by crackers? One of my nightmares is a rooted zombie server that looks perfectly normal to me, but had several backdoors inserted...

Now you may say that I should be an admin of above-mentioned servers if I don't know how to tell. Well, that's partly a reason why I post anonymously, so yeah, you could be right. But who out there isn't self-taught?

Re:How do I tell if my machine is cracked? (3, Insightful)

Dr. A. van Code (143149) | more than 12 years ago | (#2469487)

Are there tools to detect changes made by crackers? One of my nightmares is a rooted zombie server that looks perfectly normal to me, but had several backdoors inserted...

An integrity checker such as Tripwire [tripwire.com] is what you want, and !Squalus pointed out that there is a version of Tripwire for routers.

The idea is this: generate secure hashes of all critical files, using a secure, one-way hashing algorithm such as SHA-1 or MD5. If those files are changed, hacked, or even damaged by hardware failures, comparing the old hashes will reveal that the files have been altered.

In practice, it's a little more complicated. Many files will change, or be changed, in the normal course of operations of a system. Imagine, for example, a clueless sysadmin who ran an integrity checker against all files on a system, and then freaked out because the log files had changed. So it is necessary to have clueful admins who will be able to understand which files are critical and can distinguish between proper, permitted changes and hacker intrusions.

As I'm sure you know, such clueful sysadmins are in short supply.

Another issue in some cases, like virus detection, is that the operating system itself must be trusted while the hashing is taking place. There are stealth viruses that can intercept reads to infected files, and make them appear clean. Or at least, there were, back in the days of DOS. In theory, the same thing could be accomplished by hacking a unix kernel.

For more information on secure hash algorithms, the best reference is Applied Cryptography, 2nd ed. by Bruce Schneier. I'm sure Tripwire has plenty of info on their web site, and a search for "integrity shell" or "secure one-way hashing" would, no doubt, turn up scads of resources and references.
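The baseline-and-compare idea described in the comment above, as an added example (not from the post, not Tripwire's code): it hashes every file under a directory with SHA-256, skips paths the admin has declared as expected to change (here the constructed exclusion `var/log/*`), and reports what was added, removed or altered. The sample tree, the "trojaned" binary and the dropped file are all constructed for the demonstration.

```python
"""Constructed example: a minimal Tripwire-style file integrity checker."""
import fnmatch
import hashlib
import os
import tempfile


def hash_file(path, algo="sha256"):
    """Return the hex digest of a file, read in chunks so large files are fine."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, exclude=("var/log/*",), algo="sha256"):
    """Map each file (relative path) under root to its digest.

    `exclude` holds glob patterns for files that legitimately change
    (logs, spool dirs); a clueful admin tunes this list per system.
    """
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if any(fnmatch.fnmatch(rel, pat) for pat in exclude):
                continue
            baseline[rel] = hash_file(full, algo)
    return baseline


def compare(baseline, current):
    """Diff two baselines; the stored one should live off the host being checked."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current)
                     if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Build a constructed tree, take a baseline, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "var", "log"))
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"ELF original ls")
        with open(os.path.join(root, "bin", "ps"), "wb") as f:
            f.write(b"ELF original ps")
        with open(os.path.join(root, "var", "log", "messages"), "wb") as f:
            f.write(b"boot\n")
        baseline = build_baseline(root)

        # Normal operation: the log grows. This must NOT raise an alert.
        with open(os.path.join(root, "var", "log", "messages"), "ab") as f:
            f.write(b"login ok\n")
        # Intrusion (constructed): a system binary replaced, a new tool dropped.
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"ELF trojaned ls")
        with open(os.path.join(root, "bin", "nc"), "wb") as f:
            f.write(b"dropped tool")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())  # changed: bin/ls, added: bin/nc, removed: nothing
```

The comparison is only meaningful if the baseline was taken on a known-good system and stored where the host cannot rewrite it, and, as the comment notes, if the kernel doing the reads has not itself been subverted.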

Who is building these DDOS networks? (1)

nelsonen (126144) | more than 12 years ago | (#2469354)

Every so often when DDOS is discussed, there is mention that "someone" is acquiring DDOS resources and then "hiding" them and/or just not using them (yet). With the recent hijackings and now Anthrax, both surprises, is a massive DDOS attack in the works?? None of the DDOS network building discussions have talked about "who". Is there reason to have big worries about the internet right now?

So what should the home user do? (1)

UberNex (525816) | more than 12 years ago | (#2469368)

Well since I certainly don't want my little home router being a bane to everyone else out there (it's a cheapo linksys; fire-resistant gear donned!) and all I want is it to keep slinging data around my home's abundant supply of computers and out the wall, what could someone with a simple home system do to help make sure that their system doesn't become part of routerwarz02.

foosh.

Article on SecurityFocus (4, Informative)

Dr. A. van Code (143149) | more than 12 years ago | (#2469387)

The volume of noise a router could generate absolutely dwarfs what a computer could do.

Of course, a router is a computer.

I guess this isn't surprising, since they've been targeting DSL and cable Windows boxes as platforms from which to launch DDoS attacks -- moving up to the routers is, I suppose, the next logical step.

SecurityFocus.com [securityfocus.com] has an article [securityfocus.com] by Kevin Poulsen which addresses the issue. He talked to Kevin Houle of CERT. Here's an excerpt:

"What we see are routers with default and weak passwords being targeted," Houle said. After cracking a router, attackers can use it to launch straightforward denial of service attacks against an Internet site. Because routers can generate enough traffic to impede an end host, while standing up well to a similar counterattack, it's become a valued platform for cyber vandals engaged in online skirmishes in the mostly-juvenile computer underground.

"If I'm an intruder and I want to be well protected against people DoSing me, a router is somewhat better than an end host," said Houle.

A bigger threat (5, Insightful)

ostiguy (63618) | more than 12 years ago | (#2469388)

Is probably going to be piss poor devices for dsl/cable modem users. Cisco has had real trouble with some of their 6xx series dsl devices. Having 1 million poorly thought out (security wise) $100 devices on decent sized connections (cable/dsl) is probably just as dangerous as having 10000 poorly thought out 10k routers.

We have seen what code red and nimda did to cable modem segments. Cable is somewhat limited with a 2 megabit upstream limit per segment, so the real risk is just the segment blowing itself up, but enough devices on enough 2 megabit segments really starts to add up.

Cable companies need to realize: rushing out crappy cable boxes with insecurities (say to steal extra $$$ channels) is a threat only from smart hackers, and a potential loss of revenue (you don't know if they would buy those channels). Rushing out crappy cable/dsl modems can bring down segments, losing $40 a head across all those customers for that month (while my openbsd firewall was mildly annoyed, nimda brought down my mediaone segment for three full days+ = free month)

ostiguy

Good router solutions (1)

justletmeinnow (315504) | more than 12 years ago | (#2469393)

This is an awesome linux-based router solution that I've setup for clients in the past. Just like most OSS, whenever there's a vulnerability, they fix it fast, and you don't have to pay for a CCNE.

Astaro Security Linux [astaro.com]

Need more facts! (1)

genka (148122) | more than 12 years ago | (#2469401)

This article is short on details about using routers for DDOS. I heard about only one hole in IOS which gives "root" access to the router: an exploit of the embedded http server. Nobody I know runs it on their boxes. There is a risk of admins as educated as people who have IIS running and don't know it, but I hope that most of them only have one low-end router on an ISDN link. By the way, is there a way to use a router for TCP or UDP based attacks? ICMP flood with root access should be easy.

Re:Need more facts! (3, Informative)

thrillbert (146343) | more than 12 years ago | (#2469470)

You don't need to have a hole in a router for it to be taken over. 90% (guestimate) of the routers of the world do ZERO logging. Which means that an attacker could sit there for hours on end doing a brute force password attack and no one would ever know.

Out of the last 6 companies I have worked at in the past few years, 2 of them logged connects/logins/attempts. And I know of countless more that have no idea how to enable logging, nor what a syslog is.

So it's not necessary to have a hole in order to get enabled on a router, it just takes patience and a good brute force cracker with telnet capabilities.
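The comment above makes the point that a brute-force login attempt only goes unnoticed when nobody is looking at the logs. As an added example (not from the post, and not any vendor's tooling), here is the detection logic a syslog collector could run over login events from network gear: count failed logins per source address in a sliding window and raise an alert when a threshold is crossed. The log format, timestamps, hostnames and addresses below are constructed; a real deployment would adapt the regular expression to whatever the device actually emits.

```python
"""Constructed example: flag password-guessing against device logins in syslog."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a generic format (not any vendor's exact wording).
SAMPLE_LOG = """\
2001-10-24T10:00:01 edge-rtr login: FAILED user=admin from=10.0.0.5
2001-10-24T10:00:09 edge-rtr login: FAILED user=admin from=10.0.0.5
2001-10-24T10:00:17 edge-rtr login: FAILED user=cisco from=10.0.0.5
2001-10-24T10:00:25 edge-rtr login: FAILED user=root from=10.0.0.5
2001-10-24T10:00:33 edge-rtr login: FAILED user=admin from=10.0.0.5
2001-10-24T10:00:41 edge-rtr login: FAILED user=admin from=10.0.0.5
2001-10-24T10:05:00 edge-rtr login: FAILED user=noc from=192.168.1.10
2001-10-24T10:05:12 edge-rtr login: OK user=noc from=192.168.1.10
this line is not a login event and is skipped by the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) login: (?P<result>FAILED|OK) "
    r"user=(?P<user>\S+) from=(?P<src>\S+)$"
)


def parse(lines):
    """Turn raw syslog lines into event dicts; unparseable lines are dropped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def find_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source: peak failures within `window`} for sources over threshold."""
    fails = defaultdict(list)
    for ev in events:
        if ev["result"] == "FAILED":
            fails[ev["src"]].append(ev["ts"])

    alerts = {}
    for src, times in fails.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            # Slide the window start forward until it fits within `window`.
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[src] = peak
    return alerts


def analyze_sample():
    """Run the detector over the constructed log; only 10.0.0.5 should trip it."""
    return find_bruteforce(parse(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    print(analyze_sample())  # {'10.0.0.5': 6}
```

The single failure followed by a success from 192.168.1.10 is the normal fat-finger case and stays below threshold; the six failures in forty seconds from 10.0.0.5 do not. None of this works on a device that has logging turned off, which is the comment's actual point.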

The NSA and CERT agree - (4, Informative)

jgaynor (205453) | more than 12 years ago | (#2469439)

The NSA has been saying this for a while now. [conxion.com]

CERT has been saying this for a while now [sans.org]

Most CCNA's know just enough to get RIP running - and security in cisco manuals doesn't go much beyond passwords and locking your telco closet. They do publish more extensive books on the subject - for a price of course.

I'm all for this - hopefully it'll force companies to pay more for qualified network engineers. As it stands right now they're paid 35k their first year out - that's pathetic for the amount of training required to put together large secure networks.

Slashdot effect on routers... (3, Funny)

diverman (55324) | more than 12 years ago | (#2469455)

So... how much do you think the number of attacks on routers went up because of this post on slashdot? heh. I think CERT might need to revise their numbers now.

Cheers,
-Alex

what about cable/dsl "routers" (1)

Kewjoe (307612) | more than 12 years ago | (#2469463)

you don't have much effect over how secured a Cable/DSL router is.. i have a Netgear RT314 and the most i can do is a bit of configuration and some firmware updates..

or is this specifically bigger routers used by companies?

We don't need this (2, Interesting)

reconbot (456259) | more than 12 years ago | (#2469473)

Personally I don't understand why they're doing it. When you attack a server or a host you hurt the server or the host. When you go after a router you affect all the servers and hosts on the network it covers, or if the router is connected to other routers it will bring down the connection between them. Now the part I don't understand is why do this if it affects them too?

And frankly I've had enough of the normal server attacking DoS attacks. Since any "script kiddie" with a broadband connection or a few bots at his command can stage one, they're quite common and still a menace. In fact as I'm writing I'm getting attacked right now.

it's the password not the router (3, Insightful)

andykuan (522434) | more than 12 years ago | (#2469484)

The article seems to indicate the use of factory-installed passwords as the problem. There's nothing inherently more vulnerable about routers other than the fact that the people configuring them tend to think of them as peripherals (like a printer) rather than as computers.

That said, how often are Cisco routers vulnerable to this kind of attack? I've set up plenty of Cisco routers and if I'm not using a startup config borrowed from one of my other routers, I'm using the "setup" routine that prompts me for a password. Seems like most admins worthy of the title wouldn't use "password" as a password when prompted.

Though I guess they may be referring to the zillions of low-end Ciscos carelessly dropped into client-sites -- but those are supposed to be centrally managed, right?
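Two comments in this thread point at the same root cause: Nonesuch's note about devices shipped with SNMP community strings left at public/private, and the one above about factory-installed passwords. As an added example (not from either post, and not a Cisco tool), here is a config audit that an admin could run over a saved running-config text before a device is deployed to a client site. It flags vendor-default community strings, well-known weak passwords, `enable password` used where `enable secret` belongs, type 7 encoded passwords (a reversible encoding, not a hash), and telnet left enabled on the vty lines. The config excerpt is constructed; the weak-password list is a small illustrative set, not a complete one.

```python
"""Constructed example: audit an IOS-style config excerpt for default credentials."""
import re

# Small illustrative lists; a real audit would use a far larger default-credential set.
DEFAULT_COMMUNITIES = {"public", "private"}
WEAK_PASSWORDS = {"password", "cisco", "admin", "1234", "changeme"}

# Constructed running-config excerpt (not from any real device).
SAMPLE_CONFIG = """\
! constructed running-config excerpt
hostname edge-rtr
enable password cisco
username admin password 7 PLACEHOLDER
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 password password
 transport input telnet
 login
"""


def _finding(lineno, check, detail):
    return {"line": lineno, "check": check, "detail": detail}


def audit_config(text):
    """Return a list of findings, one dict per problem found, in line order."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # comment or blank

        # Vendor-default SNMP community strings: read (RO) or, worse, write (RW).
        m = re.match(r"snmp-server community (\S+)\s+(RO|RW)\b", line)
        if m and m.group(1).lower() in DEFAULT_COMMUNITIES:
            findings.append(_finding(
                lineno, "default-community",
                f"{m.group(2)} community string '{m.group(1)}' is a vendor default"))

        # Any 'password [type] value' clause: enable, line, or username.
        m = re.search(r"\bpassword (?:(\d+) )?(\S+)$", line)
        if m:
            ptype, value = m.group(1), m.group(2)
            if line.startswith("enable password"):
                findings.append(_finding(
                    lineno, "cleartext-enable",
                    "use 'enable secret' (hashed) instead of 'enable password'"))
            if ptype == "7":
                findings.append(_finding(
                    lineno, "type7-reversible",
                    "type 7 is a reversible encoding, not a hash"))
            elif ptype in (None, "0") and value.lower() in WEAK_PASSWORDS:
                findings.append(_finding(
                    lineno, "weak-password",
                    f"password '{value}' is a well-known default"))

        # Management over cleartext telnet.
        if re.match(r"transport input .*\btelnet\b", line):
            findings.append(_finding(
                lineno, "telnet-enabled",
                "vty accepts telnet; restrict transport input to ssh"))
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f['line']:>2}: {f['check']:<18} {f['detail']}")
```

On the sample this reports seven findings: both community strings, the weak enable and vty passwords, the cleartext enable password, the type 7 username password, and telnet on the vty lines. Running such a check against every config before it leaves the shop is the cheap way to catch the "peripheral, not computer" mindset the comment describes.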

HOWTO crack routers - Funny+Serious (2, Informative)

robvasquez (411139) | more than 12 years ago | (#2469496)

1: Port scan a known network to have DSL routers, ISDN routers, switches or cable modems or what have you. Your own ISP works great.

2: Take your list of open telnet ports, and corresponding IP's, and telnet into them.

3: Using the PDF files of the router docs, log in using the default passwords and wreak havoc. Remove routes, telnet into other boxes on their internal network.

It's really sad how many of these are set up and forgotten about, leaving Joe Business Owner wide open. People don't think twice about changing passwords, disabling WAN access, etc etc

Don't even get me started on HP JetDirects !

Sarcasm? (0)

Anonymous Coward | more than 12 years ago | (#2469500)

Clearly this is Microsoft's fault.