nanog mailing list archives
Re: Synful Knock questions...
From: "Roland Dobbins" <rdobbins () arbor net>
Date: Wed, 16 Sep 2015 21:45:12 +0700
On 16 Sep 2015, at 21:00, Michael Douglas wrote:
It's unlikely the routers that got exploited were the initial entry point of the attack.
I understand all that, thanks.
At this point when they start messing around with routers, you're going to see activity coming from the intended internal management range using legit credentials.
It would still be quite difficult, and readily detected if accomplished, had BCPs such as AAA, per-command auth, per-command logging, and monitoring of same been implemented. Plus, iACLs would prevent C&C comms, and monitoring of all traffic to/from router interfaces would potentially pick that up, as well.
-----------------------------------
Roland Dobbins <rdobbins () arbor net>
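Monitoring of per-command accounting, as discussed in the message above, sketched as an added example that is not part of the original post or of any vendor tool. The pipe-separated record layout, the management range and the command watchlist are assumptions made for illustration, and the sample records are constructed.

```python
import ipaddress

# Assumptions for illustration (none of these values come from the thread):
# the management range allowed to reach the routers, and a watchlist of
# command prefixes worth a second look even when properly authenticated.
MGMT_NET = ipaddress.ip_network("192.0.2.0/24")
WATCHLIST = ("copy ", "boot system", "config-register", "no logging", "no aaa")

# Constructed accounting records: time|router|user|source|authz result|command
SAMPLE = """\
2015-09-16T14:01:07Z|edge1|alice|192.0.2.10|permit|show ip interface brief
2015-09-16T14:03:44Z|edge1|alice|192.0.2.10|permit|copy tftp://192.0.2.50/image.bin flash:
2015-09-16T14:05:12Z|edge1|bob|203.0.113.77|permit|show running-config
2015-09-16T14:06:30Z|edge1|alice|192.0.2.10|deny|no logging host 192.0.2.20
malformed line
"""

def review(lines):
    """Return (line_number, reason) pairs for records that need attention."""
    findings = []
    for n, line in enumerate(lines, 1):
        parts = line.strip().split("|", 5)
        if len(parts) != 6:
            if line.strip():
                # A record we cannot parse is itself a monitoring gap.
                findings.append((n, "unparsed"))
            continue
        _ts, _router, _user, src, status, cmd = parts
        try:
            # With iACLs in place this should never occur; alert if it does.
            if ipaddress.ip_address(src) not in MGMT_NET:
                findings.append((n, "source-outside-mgmt"))
        except ValueError:
            findings.append((n, "bad-source"))
        if status != "permit":
            findings.append((n, "authz-denied"))
        # Valid credentials from the management range still get flagged
        # when the command touches the image, boot settings or logging/AAA.
        if cmd.lower().startswith(WATCHLIST):
            findings.append((n, "watchlisted-command"))
    return findings

if __name__ == "__main__":
    for n, reason in review(SAMPLE.splitlines()):
        print(f"record {n}: {reason}")
```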