"Supposedly"/"Allegedly"/"Theoretically", rumor mill has it that a worm
exploit of sorts has been published. My Russian is so-so, not good enough
to make sense of a majority of what was posted. A translation made me want
to yank my hair out.
// CLIP
On September, 19th, 2005
19th September in ? the expert in the field of safety Andrey Vladimirovym
(? dr_nicodimus), known as the co-author of the book " Wi-Foo: The
Secrets of Wireless Hacking ", the information on the termination of "
brain storm ", directed on operation ? in the software of
products of company Cisco has been published.
As a result of research in Cisco IOS and methods of a writing exploit and
shellcode methods of introduction of a code have been developed for this
platform. Mechanisms of realization ................... a worm for IOS are
developed."
// END CLIP
Someone set us up the bomb! Translations are horrible. Further down the
road in this article, someone points to "Cisco Games" from an ezine. So
here is that copy with no silly little uploader javafoofoofoo scripting
bs.
On Sept 9, Andrey Vladimirov (aka dr_nicodimus), known as a co-author of the
book 'Wi-Foo: The Secrets of Wireless Hacking', published information about
the end [result] of a "brainstorm session" aimed at [developing ways of]
exploiting vulnerabilities in software running on Cisco products.
This research has led to the development of techniques which can be used to
inject executable code into Cisco IOS as well as to write exploits and
shellcode for this platform. Methods of implementing a cross-platform worm
targeting IOS have also been developed. A plethora of vulnerabilities have
been discovered in the "firmware" implementation of the routing protocol
EIGRP. As a demonstration, an attack from one Cisco aimed at another was
successful in launching an irc server on the target.
--- not translating the rest, since it's largely non-technical and contains
a derogatory reference to coders in a certain Asian country. ---
I would say that means that enterprise networks
are in more immediate danger than ISPs, however...
This could be the first of many.
The article does say that this is based on cross
platform exploits but it isn't clear whether they
mean "across different Cisco platforms" or whether
there is some way for PCs to infect routers.
The article has the tone of something written by
a 3rd party therefore some of the facts may be a bit
twisted. They do use this opportunity to point out
that security through obscurity ain't all it's
cracked up to be.
Advice for reading Russian. When you get into difficulty,
run the Russian through a machine translator using the
PROMT engine like http://translation1.paralink.com
and then GO BACK AND RE-READ the original Russian.
Your brain will now be able to make a more accurate
translation on the second pass.
A while back I emailed the following text to a closed mailing list. I figure now that quite a few cats are out of the bag it is time to get more public attention to these issues, as the Bad Guys will very soon start doing just that.
Ciscogate by itself ALONE, and now even just a story about worms for Routers is enough for us to be CLEAR that worms will start coming out. We do learn from history.
So.. as much as people don't like to talk much on the issues involving the so-called "cooler" stuff that can be done with routers, now is the time to start.
Here is one possible and simple vector of attack that I see happening in the future. It goes down-hill from there.
I wrote this after the release of "the three vulnerabilities", a few months back. Now we know one wasn't even just a DDoS, and that changes the picture a bit.
Begin quoted text ----->>>
More on router worms - let's take down the Internet with three public
POCs and some open spybot source code.
I would really like to hear some thoughts from the NANOG community on
threats such as the one described above. Let us not get into an argument
about 0-days and consider how many routers are actually patched the
first... day.. week, month? after a vulnerability is released.
The bad guys obviously aren't interested in taking down the Internet.
I wouldn't worry too much.
I don't want the above to sound as FUD. My point is not to yell "death
of the Internet" but rather to get some people moving on what I believe
to be a threat, and considering it on a broader scale is LONG over-due.
I would ask some people who have experienced meltdowns on large-scale
networks, due to Slammer, Blaster or something else. Basically, what
do you do when you don't have management access to your network gear
anymore, and stuff like that.
To some extent, what you fear has already happened, and we could learn
from that.
> I would really like to hear some thoughts from the NANOG community on
> threats such as the one described above. Let us not get into an argument
> about 0-days and consider how many routers are actually patched the
> first... day.. week, month? after a vulnerability is released.
> The bad guys obviously aren't interested in taking down the Internet.
> I wouldn't worry too much.
> I don't want the above to sound as FUD. My point is not to yell "death
> of the Internet" but rather to get some people moving on what I believe
> to be a threat, and considering it on a broader scale is LONG over-due.
I'm curious as to why people think that the problem isn't being addressed?
> I'm curious as to why people think that the problem isn't being
> addressed?
Do you see a business case for ISPs to help mass-market customers to
clean up their infected PCs?
I still hear claims from the ISP folks that anything but prevention
isn't viable, and all available data suggests that prevention is an
utter and complete failure. (Okay, maybe I'm exaggerating a bit, but
you get the idea.)
I can, but my name isn't Randy Bush. Actually what I was thinking was:
ISPs' business depends upon their (and others', actually) network working
properly; for them large-scale 'internet killer' outages are not a good
thing. They employ (larger ISPs at least) folks to think about this
problem and plan reaction to it.... even plan preventive measures for it.
Oh, and at least the US and UK Gov'ts are interested in 'infrastructure',
though often their interest ends with the phrase: "Someone should make a
law..." at which point the ISP person(s) say: "And I'll move my <insert
bad thing that needs regulation now> off to the Cayman
Islands/Russia/China where your 'law' doesn't matter... so let's make this
solution not about the 'law' so much as making people realize it's the
best thing to do."
> I'm curious as to why people think that the problem isn't being
> addressed?
> Do you see a business case for ISPs to help mass-market customers to
> clean up their infected PCs?
Nope, but I see a business case for software vendors to fix their
problems, and for education of the people that are a problem. I'm not sure
it'll fix the problem either, but blocking ports hasn't been wholly
effective either, especially not when you consider RPC-over-http now
hurray!
> I still hear claims from the ISP folks that anything but prevention
> isn't viable, and all available data suggests that prevention is an
Mostly this is probably true. Consumer ISP's are in a rough battle of
idiots/users versus 'next exploit against the most common platform
deployed'. Sure there are stupidities committed by other than software
vendors (how many routers have login passwd: cisco and no vty acl? How
many cayman/dsl routers are out there with default userid/passwd and
remove management enabled? How many wireless AP's are there with default
admin setup? ... for fun, try the one at the Baron's Cove Inn in Sag
Harbor... poor folks )
The issue of 'are consumer users getting better/worse/owned/deleted' isn't
really the problem, the issue is "Is the Internet being treated as
'Critical Infrastructure' by some people in a position to make it
'better'?"
I'd say that yes, there are lots of folks that consider their little piece
of the Internet to be 'critical' and who are making steps where they can
to ensure it's protected to the best of their ability. Just because folks
aren't out beating drums daily doesn't mean the work isn't getting done.
So, what leads you to believe it's NOT getting
fixed/looked-at/worked/considered?
> utter and complete failure. (Okay, maybe I'm exaggerating a bit, but
> you get the idea.)
I think Sean Donelan has some numbers about this... or we could google
search the nanog archives
The idea of Critical Infrastructure gets addressed in many countries. Some of them do not include ISP's in the equation as they are a private business. Some day, but can't force ISP's to cooperate.
Whatever gets done and re-done is local, whether by ISP or country and there is almost nothing getting done to treat this as a global, macro problem, and actually put in measures to combat it.
Based on its deployment history, where providers just have to act locally,
I suspect that a requirement that providers act globally will result in either:
a) I'll be collecting a pension and not really caring before it happens.
b) We have a curious patchwork of laws foisted upon us, from various state,
province, and country governments.
In either case, I'm not going to hold my breath waiting for something workable
to show up - that's a long time to spend being an odd shade of blue....
And that's something I will drink to every day. What has happened with it since?
> Based on its deployment history, where providers just have to act locally,
> I suspect that a requirement that providers act globally will result in either:
> a) I'll be collecting a pension and not really caring before it happens.
> b) We have a curious patchwork of laws foisted upon us, from various state,
> province, and country governments.
> In either case, I'm not going to hold my breath waiting for something workable
> to show up - that's a long time to spend being an odd shade of blue....
There are solutions that don't have to be based on legislation. I don't have all the answers but acknowledging the problems is something that should be done.
> And that's something I will drink to every day. What has happened with
> it since?
Exactly.
> a) I'll be collecting a pension and not really caring before it happens.
>
> b) We have a curious patchwork of laws foisted upon us, from various state,
> province, and country governments.
>
> In either case, I'm not going to hold my breath waiting for something workable
> to show up - that's a long time to spend being an odd shade of blue....
> There are solutions that don't have to be based on legislation. I don't
> have all the answers but acknowledging the problems is something that
> should be done.
See likely outcome (a). Keep in mind that the problem isn't the providers that
already do altruistic things like BCP38, actually reading their abuse@ mailbox,
and dealing with zombied users.
Said solution will have to deal effectively with the problematic providers. And
quite frankly, if they haven't gotten the ROI message regarding cleaning house *yet*,
they're unlikely to do it unless "Do it or go to jail/other penalties" happens.
To stem the usual flood of tired suggestions, I'd recommend *not* following up
with "If we all did XYZ" unless you have in fact gotten at least one problem
provider (whom you were *not* employed by at the time) to implement XYZ.
Well.. it could be worse, according to the results in http://spoofer.csail.mit.edu/, at least by some metrics, about 2/3 or 3/4 of networks are unspoofable. That's already pretty good improvement..
FWIW, here in Finland the regulatory body is mandating certain amount of spoofing prevention and other things. Transit providers (to whatever definition of 'transit') could maybe also be a bit more strict on what they accept from downstream..
Btw. Juniper's Feasible Path uRPF (mentioned in RFC3704) is your friend, even on multihomed/asymmetric links.
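Two of the concrete, checkable points raised in this thread are the router hygiene items in Chris's post (vty lines with login password "cisco" and no vty ACL) and the spoofing-prevention items in the last few posts (BCP38, uRPF). The block below is an added example written for this page, not code from any poster, from Cisco, or from Juniper: a small Python linter that reads an IOS-style configuration and flags exactly those weaknesses, so an operator can run it over saved configs before a worm author does the equivalent survey for them. It assumes IOS syntax for the relevant knobs (`line vty`, `access-class ... in`, `transport input`, `ip verify unicast ...`) and runs on a constructed sample configuration embedded in the block; the Juniper feasible-path uRPF knob Pekka mentions is not modelled.

```python
import re
from typing import Dict, List

# Constructed sample IOS configuration used purely as example input. It is
# not taken from any real device and is deliberately weak in the ways the
# thread describes (default password, open vty, no uRPF on the uplink).
SAMPLE_CONFIG = """\
hostname edge-rtr
!
enable password cisco
username admin password 0 cisco
!
interface GigabitEthernet0/0
 description uplink
 ip address 192.0.2.1 255.255.255.252
!
interface GigabitEthernet0/1
 description customer
 ip address 198.51.100.1 255.255.255.0
 ip verify unicast source reachable-via rx
!
ip access-list standard MGMT
 permit 192.0.2.0 0.0.0.255
!
line vty 0 4
 password cisco
 transport input telnet
!
line vty 5 15
 access-class MGMT in
 transport input ssh
!
"""

# Well-known default/vendor passwords to flag (assumed list for the example).
DEFAULT_PASSWORDS = {"cisco", "admin", "password"}

# Matches "password cisco" and "password 0 cisco"; group 1 is the value.
PASSWORD_RE = re.compile(r"\bpassword\b(?:\s+\d)?\s+(\S+)$")


def parse_blocks(config: str) -> Dict[str, List[str]]:
    """Group an IOS config into top-level stanzas keyed by their header line.

    Lines indented with a space belong to the preceding unindented header;
    a bare "!" or blank line ends the current stanza. Returns a mapping of
    header -> list of stripped child lines (empty for one-line statements).
    """
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            current = None
            continue
        if raw.startswith(" "):
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks


def audit_config(config: str) -> List[str]:
    """Return human-readable findings for the weaknesses the thread names."""
    findings: List[str] = []
    for header, children in parse_blocks(config).items():
        # 1. Well-known passwords on enable, username or line stanzas.
        for line in [header] + children:
            m = PASSWORD_RE.search(line)
            if m and m.group(1).lower() in DEFAULT_PASSWORDS:
                findings.append(f"{header}: well-known password '{m.group(1)}'")
        # 2. vty lines: require an inbound access-class and SSH-only transport.
        if header.startswith("line vty"):
            if not any(c.startswith("access-class") and c.endswith(" in")
                       for c in children):
                findings.append(f"{header}: no inbound access-class "
                                "(vty reachable from anywhere)")
            transports = [c for c in children if c.startswith("transport input")]
            if not transports or any("telnet" in t or t.endswith(" all")
                                     for t in transports):
                findings.append(f"{header}: telnet/cleartext management not "
                                "disabled (want 'transport input ssh')")
        # 3. Addressed interfaces without uRPF (BCP38 ingress filtering).
        if header.startswith("interface ") and any(
                c.startswith("ip address") for c in children):
            if not any(c.startswith("ip verify unicast") for c in children):
                findings.append(f"{header}: no uRPF (ip verify unicast) - "
                                "spoofed sources are not dropped")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Run against the embedded sample it reports six findings: the three "cisco" passwords, the first vty block's missing access-class and telnet transport, and the uplink interface without uRPF; the second vty block and the customer interface pass. Strict uRPF (`reachable-via rx`) is the right choice on single-homed customer edges; on multihomed or asymmetric links a loose or feasible-path mode, as the last post notes, avoids dropping legitimate traffic.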