[ISN] Latest Hacker Target: Routers

From: InfoSec News (isnat_private)
Date: Wed Dec 19 2001 - 00:13:10 PST


    By Rutrell Yasin
    December 17, 2001
    Bored with initiating traffic-flooding attacks that take down Web
    servers, hackers are focusing on router vulnerabilities that could let
    them divert large amounts of traffic to Internet wastelands, security
    experts warn.
    The vulnerability lies in the Border Gateway Protocol, which
    translates routing tables from different vendors' equipment. BGP has
    been used in commercial routers since 1994, and the security problems
    have been known for at least two years, but experts say they're seeing
    more router break-in kits being shared on Internet Relay Chat networks
    frequented by hackers.
    Similar kits have helped hackers temporarily take down several ISPs
    and prominent Web sites in recent years using packet-flooding
    attacks. Router attacks aimed at ISPs are even more attractive to
    hackers, because routers control not merely Web site traffic, but all
    Internet traffic managed by an ISP--even pass-along traffic
    originating from other ISPs.
    Enterprises and carriers alike are ill-prepared to address the threat,
    said Carlos Recalde, a director of telecommunications at KPMG.
    "I'm concerned with attackers launching something specifically on my
    Cisco routers," Recalde said.
    The KPMG IT staff is resorting to internally developed scripts that
    map out router images periodically to track changes in configurations.  
    Although the use of such scripts can help reveal the path of
    destruction, it can't prevent the intrusion itself, Recalde said.
    "It doesn't protect against an outright attack, which would happen so
    fast that no one knows what happened," he said.
    Experts caution IT shops not to use default passwords to administer
    their routers, a practice that's far too common, said a spokesman for
    the CERT Coordination Center, a security watchdog. CERT advocates an
    added layer of authentication using public key infrastructure (PKI)
    technology, which requires not only a password, but also a unique
    identifier like a smart card to access network administration tools.
    This way, a hacker armed with only a password sniffer can't access
    routing tables.
    Cisco, the dominant vendor of Internet routers, didn't respond to
    inquiries about its plans to secure its routers.
    Everybody's Job
    Securing the routing infrastructure isn't only a job for router
    vendors and their customers, Recalde said. Carriers such as AT&T and
    WorldCom also must make sure their network traffic isn't hijacked, he
    Carriers and ISPs can implement stronger authentication, filters to
    direct traffic and tools to detect and trace attacks, but the bottom
    line is that protocols such as BGP need enhanced security, said Jim
    Lippard, director of computer network security at carrier Global
    To add some protection to routers, carriers and enterprises should
    make special peering arrangements with other ISPs and lock out traffic
    from all other networks, Lippard said. This way, messages can't be
    spoofed from just any carrier.
    To ensure that reliable routing information is sent to other carriers'
    routers, Global Crossing is using an authentication method called
    Message Digest (MD5), which supports BGP. When a router sends updates
    to another router, MD5 compresses a public key while it's being
    transmitted, preventing the key from being read until it reaches the
    neighboring router.
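    The MD5 protection used between BGP peers is the TCP MD5 Signature
    Option of RFC 2385: every TCP segment of the session carries a digest
    computed over the segment and a shared secret, so a peer that lacks
    the secret cannot inject or alter segments (a spoofed reset or update
    is simply discarded). The following is an added example written for
    this archive, not code from the article, Global Crossing or any
    vendor; the addresses, ports, sequence numbers, secret and the
    KEEPALIVE message are constructed.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

# Constructed BGP KEEPALIVE message: 16-byte marker of 0xFF, length 19, type 4.
KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)

def tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, password):
    """RFC 2385 digest: MD5 over the IPv4 pseudo-header, the 20-byte TCP
    header (checksum zeroed, options excluded), the segment data and,
    last, the shared secret. Without the secret nobody can produce it."""
    seg_len = len(tcp_header) + len(payload)
    pseudo = struct.pack("!4s4sBBH", IPv4Address(src_ip).packed,
                         IPv4Address(dst_ip).packed, 0, 6, seg_len)
    hdr = bytearray(tcp_header[:20])
    hdr[16:18] = b"\x00\x00"  # checksum field is zero while digesting
    return hashlib.md5(pseudo + bytes(hdr) + payload + password).digest()

def build_tcp_header(sport, dport, seq, ack, flags=0x18, digest=bytes(16)):
    """20-byte base header (data offset 10 = 40 bytes) followed by
    NOP, NOP and the 18-byte option: kind 19, length 18, 16-byte digest."""
    base = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       10 << 4, flags, 65535, 0, 0)
    return base + b"\x01\x01\x13\x12" + digest

def sign_segment(src, dst, sport, dport, seq, ack, payload, password, flags=0x18):
    """Sender side: digest the unsigned header and stamp it into the option."""
    unsigned = build_tcp_header(sport, dport, seq, ack, flags)
    digest = tcp_md5_digest(src, dst, unsigned, payload, password)
    return build_tcp_header(sport, dport, seq, ack, flags, digest)

def verify_segment(src, dst, tcp_header, payload, password):
    """Receiver side: recompute and compare; a mismatch means discard
    (spoofed RST, injected UPDATE, altered payload, wrong secret)."""
    if tcp_header[22:24] != b"\x13\x12":
        return False
    expected = tcp_md5_digest(src, dst, tcp_header, payload, password)
    return hmac.compare_digest(tcp_header[24:40], expected)

if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    hdr = sign_segment("192.0.2.1", "198.51.100.1", 179, 40001, 1000, 2000, KEEPALIVE, secret)
    print(verify_segment("192.0.2.1", "198.51.100.1", hdr, KEEPALIVE, secret))  # True
    # A reset forged by a third party that lacks the secret is rejected.
    rst = build_tcp_header(179, 40001, 1000, 2000, flags=0x04)
    print(verify_segment("192.0.2.1", "198.51.100.1", rst, b"", secret))  # False
```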
    Router vendors also have built-in filters that let carriers control
    the routes a customer's traffic can take. The filters help carriers
    set limits on which IP addresses can be used on other ISP networks.
    Tougher Measures
    But while these measures can prevent someone from impersonating a
    customer to view that individual's personal data, they won't protect
    against someone sending spoofed traffic claiming to be another
    customer and overwhelming the router with data, Lippard said.
    Within the past year, Arbor Networks, Asta Networks and Mazu Networks
    have developed technology that can warn of imminent router attacks
    through the use of agents that sit on the network and look for traffic
    anomalies. But there's nothing available to prevent these attacks from
    happening in the first place, Lippard said.
    Efforts are under way to incorporate digital certificates and other
    PKI technology to strengthen BGP security.
    The Secure BGP Project, led by BBN Technologies, a Verizon company,
    has developed with the Defense Department a test version of a protocol
    called S-BGP.
    S-BGP uses PKI to authenticate the ownership of an IP address block,
    Autonomous System numbers and the BGP router's identity. IPSec is also
    used to encrypt data and let BGP routers authenticate one another for
    traffic exchange.
    Whereas MD5 is a simple authentication method, S-BGP provides
    multilayer security, enabling ISPs to digitally sign and encrypt all
    kinds of configuration data, Lippard said.
    But a big stumbling block for S-BGP is that Internet registries,
    router vendors and ISPs all have to agree to implement the protocol
    for it to be effective.
    "For S-BGP to fly, you have to go through the IETF standards process,
    and then the vendors have to implement it," Lippard said.
    Meantime, IT shops should perform "periodic vulnerability assessment
    checks against their routers," said Todd Hudspeth, principal security
    architect at Espiria, a consultancy. Network administrators often
    make inadvertent changes to router parameters during maintenance,
    which could leave them exposed.
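    Both the KPMG practice of periodically mapping router images to track
    configuration changes and Hudspeth's point about inadvertent changes
    during maintenance come down to the same check: snapshot the running
    configuration, diff it against the last known-good copy, and raise the
    changes that touch security-relevant stanzas. The script below is an
    added example for this archive, not KPMG's or Espiria's tooling; the
    two IOS-style snapshots and the list of sensitive stanzas are
    constructed.

```python
import difflib
import hashlib
import re

# Constructed IOS-style snapshots. The current one has lost the BGP neighbor
# password, gained a static route, had vty access switched to telnet, and
# been renamed (the rename is the one change that is not security-relevant).
BASELINE = """\
hostname edge1
enable secret 5 $1$constructed$hash
router bgp 64496
 neighbor 198.51.100.2 remote-as 64497
 neighbor 198.51.100.2 password 7 constructedsecret
ip route 0.0.0.0 0.0.0.0 198.51.100.2
line vty 0 4
 transport input ssh
"""

CURRENT_CONFIG = """\
hostname edge1-core
enable secret 5 $1$constructed$hash
router bgp 64496
 neighbor 198.51.100.2 remote-as 64497
ip route 0.0.0.0 0.0.0.0 198.51.100.2
ip route 203.0.113.0 255.255.255.0 198.51.100.9
line vty 0 4
 transport input telnet
"""

# Stanzas whose change should page someone rather than only land in a log.
SENSITIVE = re.compile(
    r"^\s*(enable secret|neighbor \S+ password|ip route|transport input|access-list|username)\b")

def snapshot_id(config):
    """Fingerprint of a snapshot; equal fingerprints mean no drift at all."""
    return hashlib.sha256(config.encode()).hexdigest()

def config_drift(baseline, current):
    """Return (all changed lines, changed lines in sensitive stanzas),
    each as unified-diff style '+'/'-' lines."""
    if snapshot_id(baseline) == snapshot_id(current):
        return [], []
    diff = difflib.unified_diff(baseline.splitlines(), current.splitlines(),
                                "baseline", "current", n=0, lineterm="")
    changed = [l for l in diff
               if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))]
    sensitive = [l for l in changed if SENSITIVE.match(l[1:])]
    return changed, sensitive
```

    Run `config_drift(BASELINE, CURRENT_CONFIG)` to get six changed lines,
    four of which fall in sensitive stanzas; in practice the baseline
    would be the previous snapshot and the current one pulled from the
    router on a schedule.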
    In addition, companies should deploy technology that lets them at
    least detect abnormal traffic patterns and adjust to spikes in
    bandwidth use. Weather.com recently deployed Lancope Inc.'s
    StealthWatch security appliance, which analyzes data patterns in
    high-speed networks to determine whether traffic is legitimate, said
    Don Agronow, vice president of quality control and site operations.
    Earlier this year, the company was hit by a denial-of-service attack
    that shut down operations for several hours when the routers of its
    hosting facility, operated by Exodus, were clogged with bogus traffic.  
    Recently, Weather.com switched to WorldCom. "It's important to have an
    ISP as a partner," Agronow said, noting that WorldCom appears to be
    experienced in handling such attacks.
    Still, Agronow worries that a skilled malicious hacker could wreak
    havoc on any Web site by attacking the routing infrastructure.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Wed Dec 19 2001 - 12:15:22 PST