Gadi Evron wrote:
> On Sun, 18 May 2008, Joel Jaeggli wrote:
>> Dragos Ruiu wrote:
>>
>>> First of all about prevention, I'm not at all sure about this being
>>> covered by existing router security planning / BCP.
>>> I don't believe most operators reflash their routers periodically, nor
>>> check existing images (particularly because the tools for this
>>> integrity verification don't even exist). If I'm wrong about this I
>>> would love to be corrected with pointers to the tools.
>>
>> I have 6 years worth of rancid logs for every time the reported number
>> of blocks in use on my flash changes, I imagine others do as well.
>> That's hardly the silver bullet however.
>>
>> We, as I imagine others do, expended a fair amount of cycles monitoring
>> who it is that our routers are talking to and protecting the integrity
>> of the communications channels that they use (bgp, ospf, ssh, tftp etc).
>> If a router has a tcp connection to someplace it shouldn't, we'll
>> probably know about it. If it's announcing a prefix it shouldn't be,
>> we'll probably know about it. Those are the easy ones though.
>
> I am very happy to hear you do these... very useful and will catch quite
> a bit.
>
>> There are some things one might consider adding in terms of auditing,
>> comparing the running image more closely to the one in flash for
>> example; a periodic checksum of the on-flash image, after downloading to
>> another host, would be another. I'm not sure that I'd trust the latter
>> given the rooted box can, I suppose, hand you an unmodified version of the
>> subverted image.
>
> The result from your check can easily be modified; the first thing I would
> have changed is the checker.

That is a normal thing to do with rootkits (return bogus results). Which is
part of the reason I suggested the method I did. Short of pulling the flash
you're not going to get a fully unbiased view of what's on it, thusly the
audit process has some limitations. A TCPA style boot process would be a
better approach. It's certainly not a quick fix since it in general can't be
retrofitted to existing products.

> Say you did this from a usb stick--I'd just
> hide the rootkit in memory.
>
>> In the end if you subvert a router, presumably you're doing it for a
>> purpose and given what the device does, that purpose is probably
>> detectable in a well instrumented network.
>
> Subversion may not be the goal. A router is perfect for faking outgoing
> traffic. This traffic can contain stolen sniffed or relayed data.

If my device is now taking marching orders from a third party then by
definition it is subverted, regardless of agency or activity.

sub verte - turn from under

_______________________________________________
NANOG mailing list
NANOG@nanog.org
http://mailman.nanog.org/mailman/listinfo/nanog
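The two audit signals Joel describes above, flash usage changing between rancid collections and a checksum of an image copied off the device, can be scripted offline. The following is an added example written for this thread, not code from any of the posters or from rancid. It assumes a Cisco-style "show flash:" listing (the two listings below are constructed, with invented file names, sizes and dates) and a known-good hash obtained out of band, for instance from a copy archived before deployment; it also carries the caveat from the thread in the code, since a subverted device can hand back a clean image while running a modified one.

```python
"""Offline checks for two router-integrity signals:
(1) did the bytes in use on flash, or the set of files, change between
    two captured listings, and
(2) does an image copied off the device hash to a known-good value."""

import hashlib
import re

# Constructed sample listings in the style of Cisco IOS "show flash:"
# output, the kind of text rancid stores per collection. All values are
# invented for this example.
BASELINE_LISTING = """\
-#- --length-- -----date/time------ path
1     23458812 Jan 11 2008 09:15:44 ios-image-example.bin
2         1024 Jan 11 2008 09:15:44 vlan.dat

40472576 bytes available (23461888 bytes used)
"""

CURRENT_LISTING = """\
-#- --length-- -----date/time------ path
1     23458812 Jan 11 2008 09:15:44 ios-image-example.bin
2         1024 Jan 11 2008 09:15:44 vlan.dat
3       524288 May 17 2008 23:41:07 .tmp.bin

39948288 bytes available (23986176 bytes used)
"""

# One file entry: index, length, "Mon DD YYYY HH:MM:SS", path.
FILE_LINE = re.compile(
    r"^\s*\d+\s+(\d+)\s+\w{3}\s+\d+\s+\d{4}\s+\d\d:\d\d:\d\d\s+(\S+)\s*$"
)
USED_LINE = re.compile(r"\((\d+) bytes used\)")


def parse_flash_listing(text):
    """Return (files, bytes_used), where files maps path -> length."""
    files = {}
    used = None
    for line in text.splitlines():
        m = FILE_LINE.match(line)
        if m:
            files[m.group(2)] = int(m.group(1))
            continue
        m = USED_LINE.search(line)
        if m:
            used = int(m.group(1))
    return files, used


def diff_flash(baseline_text, current_text):
    """Describe what changed on flash between two listings.

    The bytes-used delta is the coarse signal rancid logs give you; the
    per-file comparison says which file appeared, vanished or grew."""
    base_files, base_used = parse_flash_listing(baseline_text)
    cur_files, cur_used = parse_flash_listing(current_text)
    findings = []
    if base_used != cur_used:
        findings.append(f"bytes used changed: {base_used} -> {cur_used}")
    for path in sorted(set(cur_files) - set(base_files)):
        findings.append(f"new file: {path} ({cur_files[path]} bytes)")
    for path in sorted(set(base_files) - set(cur_files)):
        findings.append(f"file removed: {path}")
    for path in sorted(set(base_files) & set(cur_files)):
        if base_files[path] != cur_files[path]:
            findings.append(
                f"size changed: {path} {base_files[path]} -> {cur_files[path]}"
            )
    return findings


def verify_image(image_bytes, known_good_sha256):
    """Compare an image copied off the device with a hash obtained out of
    band (a copy archived before deployment). Caveat from the thread: a
    subverted device can return a clean copy while running a modified one,
    so a match here does not prove the running image is clean; only pulling
    the flash or a measured boot gives a view the device cannot bias."""
    return hashlib.sha256(image_bytes).hexdigest() == known_good_sha256


if __name__ == "__main__":
    for finding in diff_flash(BASELINE_LISTING, CURRENT_LISTING):
        print(finding)
    # Constructed stand-in for an archived image and its pre-deployment hash.
    archived = b"constructed-image-bytes"
    print(verify_image(archived, hashlib.sha256(archived).hexdigest()))
```

In practice the baseline listing would be the previous rancid collection and the current one the latest; the bytes-used delta fires on any change, and the per-file diff narrows it to the entry that moved.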