Information Security News mailing list archives

Latest Hacker Target: Routers


From: InfoSec News <isn () c4i org>
Date: Wed, 19 Dec 2001 02:13:10 -0600 (CST)

http://www.internetweek.com/story/INW20011217S0004

By Rutrell Yasin
December 17, 2001

Bored with initiating traffic-flooding attacks that take down Web
servers, hackers are focusing on router vulnerabilities that could let
them divert large amounts of traffic to Internet wastelands, security
experts warn.

The vulnerability lies in the Border Gateway Protocol, which
translates routing tables from different vendors' equipment. BGP has
been used in commercial routers since 1994, and the security problems
have been known for at least two years, but experts say they're seeing
more router break-in kits being shared on Internet Relay Chat networks
frequented by hackers.

Similar kits have helped hackers temporarily take down several ISPs
and prominent Web sites in recent years using packet-flooding
attacks. Router attacks aimed at ISPs are even more attractive to
hackers, because routers control not merely Web site traffic, but all
Internet traffic managed by an ISP--even pass-along traffic
originating from other ISPs.

Enterprises and carriers alike are ill-prepared to address the threat,
said Carlos Recalde, a director of telecommunications at KPMG.

"I'm concerned with attackers launching something specifically on my
Cisco routers," Recalde said.

The KPMG IT staff is resorting to internally developed scripts that
map out router images periodically to track changes in configurations.
Although the use of such scripts can help reveal the path of
destruction, it can't prevent the intrusion itself, Recalde said.

"It doesn't protect against an outright attack, which would happen so
fast that no one knows what happened," he said.

Experts caution IT shops not to use default passwords to administer
their routers, a practice that's far too common, said a spokesman for
the CERT Coordination Center, a security watchdog. CERT advocates an
added layer of authentication using public key infrastructure (PKI)
technology, which requires not only a password, but also a unique
identifier like a smart card to access network administration tools.
This way, a hacker armed with only a password sniffer can't access
routing tables.
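The configuration-tracking scripts KPMG describes above boil down to snapshotting each router's running config, hashing it, and diffing it against the last known-good copy. The following is an added illustration, not KPMG's code or anything from the article; the two IOS-style snapshots and the keyword list are constructed, and the change they show (a read-only SNMP community replaced by a writable one, a BGP neighbor password dropped) is invented for the example.

```python
import difflib
import hashlib

# Constructed sample snapshots (not from the article): a known-good baseline
# and a later capture where a maintenance change weakened the router's posture.
BASELINE = """\
hostname edge-1
enable secret 5 $1$placeholder
snmp-server community R3adOnlyStr RO
router bgp 65000
 neighbor 192.0.2.1 remote-as 65001
 neighbor 192.0.2.1 password 7 placeholder
 neighbor 192.0.2.1 prefix-list CUST-IN in
"""

CURRENT = """\
hostname edge-1
enable secret 5 $1$placeholder
snmp-server community public RW
router bgp 65000
 neighbor 192.0.2.1 remote-as 65001
 neighbor 192.0.2.1 prefix-list CUST-IN in
"""

# Config lines whose addition or removal should be reviewed by a human (assumed list).
SENSITIVE_KEYWORDS = ("enable secret", "snmp-server community", "password",
                      "prefix-list", "access-list")


def config_fingerprint(config):
    """Stable SHA-256 of the config with blank lines and trailing spaces ignored,
    so a cosmetic re-save does not look like a change."""
    lines = [ln.rstrip() for ln in config.splitlines() if ln.strip()]
    return hashlib.sha256("\n".join(lines).encode()).hexdigest()


def diff_configs(baseline, current):
    """Return (change, line) pairs: '+' for lines added, '-' for lines removed."""
    changes = []
    for d in difflib.unified_diff(baseline.splitlines(), current.splitlines(),
                                  lineterm="", n=0):
        if d.startswith(("+++", "---", "@@")):
            continue  # skip file headers and hunk markers
        if d[0] in "+-":
            changes.append((d[0], d[1:].strip()))
    return changes


def sensitive_changes(changes):
    """Keep only the diff lines that touch authentication, SNMP or filtering."""
    return [c for c in changes if any(k in c[1] for k in SENSITIVE_KEYWORDS)]
```

Run against real captures, the fingerprint is what you store per router per run, and the sensitive subset is what pages an operator rather than landing in a daily report.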

Cisco, the dominant vendor of Internet routers, didn't respond to
inquiries about its plans to secure its routers.

Everybody's Job

Securing the routing infrastructure isn't only a job for router
vendors and their customers, Recalde said. Carriers such as AT&T and
WorldCom also must make sure their network traffic isn't hijacked, he
said.

Carriers and ISPs can implement stronger authentication, filters to
direct traffic and tools to detect and trace attacks, but the bottom
line is that protocols such as BGP need enhanced security, said Jim
Lippard, director of computer network security at carrier Global
Crossing.

To add some protection to routers, carriers and enterprises should
make special peering arrangements with other ISPs and lock out traffic
from all other networks, Lippard said. This way, messages can't be
spoofed from just any carrier.

To ensure that reliable routing information is sent to other carriers'
routers, Global Crossing is using an authentication method called
Message Digest (MD5), which supports BGP. When a router sends updates
to another router, MD5 compresses a public key while it's being
transmitted, preventing the key from being read until it reaches the
neighboring router.

Router vendors also have built-in filters that let carriers control
the routes a customer's traffic can take. The filters help carriers
set limits on which IP addresses can be used on other ISP networks.
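The customer-facing filters described above are, in practice, a per-session policy: which prefixes the customer is registered to announce, which AS must originate them, and how specific an announcement may be. The following is an added example of that check, not vendor code or anything from the article; the customer policy, the AS numbers and the six announcements are constructed, and the "max length" limit is an assumed policy knob.

```python
import ipaddress

# Constructed policy for one customer session (not from the article): registered
# prefixes, the AS they must originate from, and the longest prefix the carrier accepts.
CUSTOMER_POLICY = {
    "asn": 64500,
    "allowed": [ipaddress.ip_network("203.0.113.0/24"),
                ipaddress.ip_network("198.51.100.0/22")],
    "max_length": 24,
}

# Constructed announcements received on that session: (prefix, origin AS).
ANNOUNCEMENTS = [
    ("203.0.113.0/24", 64500),   # exactly what is registered: accepted
    ("198.51.100.0/23", 64500),  # more specific inside the /22, within max_length: accepted
    ("198.51.100.0/25", 64500),  # too specific: rejected
    ("192.0.2.0/24", 64500),     # not registered to this customer: rejected
    ("203.0.113.0/24", 64501),   # registered prefix but wrong origin AS: rejected
    ("0.0.0.0/0", 64500),        # default route from a customer: rejected
]


def evaluate(prefix_str, origin_as, policy=CUSTOMER_POLICY):
    """Return (accepted, reason) for one announcement under the customer policy."""
    try:
        prefix = ipaddress.ip_network(prefix_str, strict=True)
    except ValueError as exc:
        return False, "unparseable prefix: %s" % exc
    if origin_as != policy["asn"]:
        return False, "origin AS %d is not the customer's AS %d" % (origin_as, policy["asn"])
    if prefix.prefixlen > policy["max_length"]:
        return False, "prefix length /%d exceeds /%d" % (prefix.prefixlen, policy["max_length"])
    for allowed in policy["allowed"]:
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
        if prefix.version == allowed.version and prefix.subnet_of(allowed):
            return True, "covered by registered %s" % allowed
    return False, "not covered by any registered prefix"


def filter_announcements(announcements, policy=CUSTOMER_POLICY):
    """Partition announcements into accepted and rejected lists, each with a reason."""
    accepted, rejected = [], []
    for prefix, asn in announcements:
        ok, reason = evaluate(prefix, asn, policy)
        (accepted if ok else rejected).append((prefix, asn, reason))
    return accepted, rejected
```

The rejected list with reasons is the part worth logging: a sudden run of "not covered" or "too specific" rejections on one session is an early sign of a misconfiguration or a hijack attempt.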

Tougher Measures

But while these measures can prevent someone from impersonating a
customer to view that individual's personal data, they won't protect
against someone sending spoofed traffic claiming to be another
customer and overwhelming the router with data, Lippard said.

Within the past year, Arbor Networks, Asta Networks and Mazu Networks
have developed technology that can warn of imminent router attacks
through the use of agents that sit on the network and look for traffic
anomalies. But there's nothing available to prevent these attacks from
happening in the first place, Lippard said.

Efforts are under way to incorporate digital certificates and other
PKI technology to strengthen BGP security.

The Secure BGP Project, led by BBN Technologies, a Verizon company,
has developed with the Defense Department a test version of a protocol
called S-BGP.

S-BGP uses PKI to authenticate the ownership of an IP address block,
Autonomous System numbers and the BGP router's identity. IPSec is also
used to encrypt data and let BGP routers authenticate one another for
traffic exchange.

Whereas MD5 is a simple authentication method, S-BGP provides
multilayer security, enabling ISPs to digitally sign and encrypt all
kinds of configuration data, Lippard said.

But a big stumbling block for S-BGP is that Internet registries,
router vendors and ISPs all have to agree to implement the protocol
for it to be effective.

"For S-BGP to fly, you have to go through the IETF standards process,
and then the vendors have to implement it," Lippard said.

Meantime, IT shops should perform "periodic vulnerability assessment
checks against their routers," said Todd Hudspeth, principal security
architect at Espiria, a consultancy. Network administrators often
make inadvertent changes to router parameters during maintenance,
which could leave them exposed.

In addition, companies should deploy technology that lets them at
least detect abnormal traffic patterns and adjust to spikes in
bandwidth use. Weather.com recently deployed Lancope Inc.'s
StealthWatch security appliance, which analyzes data patterns in
high-speed networks to determine whether traffic is legitimate, said
Don Agronow, vice president of quality control and site operations.

Earlier this year, the company was hit by a denial-of-service attack
that shut down operations for several hours when the routers of its
hosting facility, operated by Exodus, were clogged with bogus traffic.
Recently, Weather.com switched to WorldCom. "It's important to have an
ISP as a partner," Agronow said, noting that WorldCom appears to be
experienced in handling such attacks.

Still, Agronow worries that a skilled malicious hacker could wreak
havoc on any Web site by attacking the routing infrastructure.
