nanog mailing list archives
Re: huawei
From: Jimmy Hess <mysidia () gmail com>
Date: Thu, 13 Jun 2013 21:57:50 -0500
On 6/13/13, Scott Helms <khelms () zcorum com> wrote:
> Targeted how without an active C&C system?

How have you determined that there is not one?

Conceptually, the "simplest" backdoored router could have a mechanism where crafted packets that would ordinarily be forwarded on contain some "magic bit pattern" in the source address or other parameter that causes the packet to bypass ACLs and be punted directly to software.

So the simplest conceivable C&C system could be "one guy" checking if random IP addresses they have personally decided are interesting are behind a backdoored router: by sending a crafted port 53 DNS request, with some encrypted material with a digitally signed hash based on a timestamp, the source IP, and the destination IP being probed, and waiting for the magically structured "ICMP Destination unreachable/Admin prohibited" error reply packet, containing some covert bit pattern confirming the presence and system identification of a backdoored unit on the path to the 'interesting' remote host.

--
-JH
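A defender-side check for the kind of covert reply channel described above (an added example, not code from the thread): it audits ICMP Destination Unreachable messages for data stashed in the header's unused octets, for a checksum that does not verify, and for a quoted datagram that is not a plausible IPv4 header plus 8 bytes. The sample packets, addresses and ports are constructed for the demonstration.

```python
import socket
import struct

ICMP_DEST_UNREACH = 3
CODE_ADMIN_PROHIBITED = 13
CODE_FRAG_NEEDED = 4

def inet_checksum(data: bytes) -> int:
    """One's-complement Internet checksum (RFC 1071); 0 means 'verifies'."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_unreachable(inner: bytes, code: int = CODE_ADMIN_PROHIBITED,
                      middle: bytes = b"\x00" * 4) -> bytes:
    """Assemble an ICMP Destination Unreachable message quoting `inner`
    (used only to construct sample input with a correct checksum)."""
    body = bytes([ICMP_DEST_UNREACH, code]) + middle + inner
    csum = inet_checksum(body[:2] + b"\x00\x00" + body[2:])
    return body[:2] + struct.pack("!H", csum) + body[2:]

def audit_unreachable(icmp: bytes) -> list:
    """Return anomaly descriptions for one ICMP message (header + payload).
    RFC 792/4884 leave octets 4, 6 and 7 of the header unused (octet 5 is the
    RFC 4884 length; octets 6-7 carry the MTU only for code 4), so nonzero
    bytes there, a bad checksum, or a quoted datagram that is not an IPv4
    header plus 8 bytes are where a covert reply would show up."""
    findings = []
    if len(icmp) < 8:
        return ["truncated ICMP header"]
    if icmp[0] != ICMP_DEST_UNREACH:
        return []
    if inet_checksum(icmp) != 0:
        findings.append("bad ICMP checksum")
    tail_ok = icmp[6:8] == b"\x00\x00" or icmp[1] == CODE_FRAG_NEEDED
    if icmp[4] != 0 or not tail_ok:
        findings.append("nonzero unused octets: " + icmp[4:8].hex())
    inner = icmp[8:]
    if len(inner) < 28 or inner[0] >> 4 != 4 or (inner[0] & 0x0F) < 5:
        findings.append("quoted datagram is not an IPv4 header plus 8 bytes")
    return findings

# Constructed sample: a DNS query (UDP/53) from 192.0.2.10 to 198.51.100.7,
# quoted the way a router would in an admin-prohibited reply.
QUOTED = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 48, 0x1234, 0x4000, 63, 17, 0,
                     socket.inet_aton("192.0.2.10"),
                     socket.inet_aton("198.51.100.7"))
QUOTED += struct.pack("!HHHH", 40000, 53, 28, 0)
CLEAN_REPLY = build_unreachable(QUOTED)
COVERT_REPLY = build_unreachable(QUOTED, middle=bytes.fromhex("c0ffee42"))
```

Run over a capture, a router that answers probes with replies carrying findings like the COVERT_REPLY case is worth a closer look, while CLEAN_REPLY produces none.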